Merge pull request #3211 from Infisical/add-systemmd-service

add system md service for gateway
Merge pull request #3201 from Infisical/feat/addMoreVisibilityToServerAdmins
2025-04-06 22:14:48 +00:00 · 2025-03-10 14:07:18 -04:00 · 2025-03-10 14:06:08 -04:00 · 2025-03-10 13:02:34 -04:00 · 2025-03-10 22:22:58 +05:30 · 2025-03-10 11:57:15 -03:00
2817 changed files with 136097 additions and 61893 deletions
--- a/.env.example
+++ b/.env.example
@ -26,7 +26,8 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_NAME=
+SMTP_FROM_ADDRESS=
+SMTP_FROM_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=

@ -74,9 +75,48 @@ CAPTCHA_SECRET=

 NEXT_PUBLIC_CAPTCHA_SITE_KEY=

+OTEL_TELEMETRY_COLLECTION_ENABLED=false
+OTEL_EXPORT_TYPE=prometheus
+OTEL_EXPORT_OTLP_ENDPOINT=
+OTEL_OTLP_PUSH_INTERVAL=
+
+OTEL_COLLECTOR_BASIC_AUTH_USERNAME=
+OTEL_COLLECTOR_BASIC_AUTH_PASSWORD=
+
 PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=

 SSL_CLIENT_CERTIFICATE_HEADER_KEY=

 ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
+
+# App Connections
+
+# aws assume-role connection
+INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
+INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
+
+# github oauth connection
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
+
+#github app connection
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_APP_ID=
+
+#gcp app connection
+INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
+
+# azure app connection
+INF_APP_CONNECTION_AZURE_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+
+# datadog
+SHOULD_USE_DATADOG_TRACER=
+DATADOG_PROFILING_ENABLED=
+DATADOG_ENV=
+DATADOG_SERVICE=
+DATADOG_HOSTNAME=
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@ -32,10 +32,23 @@ jobs:
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
      - name: Start the server
        run: |
-            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
-            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
-            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
+          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
+          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
+          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
+
+          echo "Examining built image:"
+          docker image inspect infisical-api | grep -A 5 "Entrypoint"
+          
+          docker run --name infisical-api -d -p 4000:4000 \
+            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
+            -e REDIS_URL=$REDIS_URL \
+            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
+            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
+            --env-file .env \
+            infisical-api
+          
+          echo "Container status right after creation:"
+          docker ps -a | grep infisical-api
        env:
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@ -43,35 +56,48 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - uses: actions/setup-go@v5
        with:
-          go-version: '1.21.5'
+          go-version: "1.21.5"
      - name: Wait for container to be stable and check logs
        run: |
          SECONDS=0
          HEALTHY=0
          while [ $SECONDS -lt 60 ]; do
-            if docker ps | grep infisical-api | grep -q healthy; then
-              echo "Container is healthy."
-              HEALTHY=1
+            # Check if container is running
+            if docker ps | grep infisical-api; then
+              # Try to access the API endpoint
+              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
+                echo "API endpoint is responding. Container seems healthy."
+                HEALTHY=1
+                break
+              fi
+            else
+              echo "Container is not running!"
+              docker ps -a | grep infisical-api
              break
            fi
+            
            echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-
-            docker logs infisical-api
-
-            sleep 2
-            SECONDS=$((SECONDS+2))
+            sleep 5
+            SECONDS=$((SECONDS+5))
          done
-      
+          
          if [ $HEALTHY -ne 1 ]; then
            echo "Container did not become healthy in time"
+            echo "Container status:"
+            docker ps -a | grep infisical-api
+            echo "Container logs (if any):"
+            docker logs infisical-api || echo "No logs available"
+            echo "Container inspection:"
+            docker inspect infisical-api | grep -A 5 "State"
            exit 1
          fi
      - name: Install openapi-diff
-        run: go install github.com/tufin/oasdiff@latest
+        run: go install github.com/oasdiff/oasdiff@latest
      - name: Running OpenAPI Spec diff action
        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
      - name: cleanup
+        if: always()
        run: |
          docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api
-          docker remove infisical-api
+          docker stop infisical-api || true
+          docker rm infisical-api || true
--- a/.github/workflows/check-fe-ts-and-lint.yml
+++ b/.github/workflows/check-fe-ts-and-lint.yml
@ -18,18 +18,18 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 20
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
+          node-version: "20"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: 📦 Install dependencies
        run: npm install
        working-directory: frontend
      - name: 🏗️ Run Type check
-        run: npm run type:check 
+        run: npm run type:check
        working-directory: frontend
      - name: 🏗️ Run Link check
-        run: npm run lint:fix 
+        run: npm run lint:fix
        working-directory: frontend
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@ -1,212 +0,0 @@
-name: Deployment pipeline
-on: [workflow_dispatch]
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-  infisical-tests:
-    name: Integration tests
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
-    
-  infisical-image:
-    name: Build
-    runs-on: ubuntu-latest
-    needs: [infisical-tests]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build backend and push to docker hub
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
-    
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    environment:
-      name: Gamma
-    steps:
-      - uses: twingate/github-action@v1
-        with:
-          # The Twingate Service Key used to connect Twingate to the proper service
-          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
-          #
-          # Required
-          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-core
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-gamma-stage
-          cluster: infisical-gamma-stage
-          wait-for-service-stability: true
-
-  production-us:
-    name: US production deploy 
-    runs-on: ubuntu-latest
-    needs: [gamma-deployment]
-    environment:
-      name: Production
-    steps:
-      - uses: twingate/github-action@v1
-        with:
-        # The Twingate Service Key used to connect Twingate to the proper service
-        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
-        #
-        # Required
-          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-core-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
-          wait-for-service-stability: true
-
-  production-eu:
-      name: EU production deploy
-      runs-on: ubuntu-latest
-      needs: [production-us]
-      environment:
-        name: production-eu
-      steps:
-        - uses: twingate/github-action@v1
-          with:
-            service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-        - name: Configure AWS Credentials 
-          uses: aws-actions/configure-aws-credentials@v4
-          with:
-            audience: sts.amazonaws.com
-            aws-region: eu-central-1
-            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
-        - name: Checkout code
-          uses: actions/checkout@v2
-        - name: Setup Node.js environment
-          uses: actions/setup-node@v2
-          with:
-            node-version: "20"
-        - name: Change directory to backend and install dependencies
-          env:
-            DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-          run: |
-            cd backend
-            npm install
-            npm run migration:latest
-        - name: Save commit hashes for tag
-          id: commit
-          uses: pr-mpt/actions-commit-hash@v2
-        - name: Download task definition
-          run: |
-            aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
-        - name: Render Amazon ECS task definition
-          id: render-web-container
-          uses: aws-actions/amazon-ecs-render-task-definition@v1
-          with:
-            task-definition: task-definition.json
-            container-name: infisical-core-platform
-            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            environment-variables: "LOG_LEVEL=info"
-        - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-          with:
-            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-            service: infisical-core-platform
-            cluster: infisical-core-platform
-            wait-for-service-stability: true
--- a/.github/workflows/helm-release-infisical-core.yml
+++ b/.github/workflows/helm-release-infisical-core.yml
@ -1,4 +1,4 @@
-name: Release Helm Charts
+name: Release Infisical Core Helm chart

 on: [workflow_dispatch]

@ -17,6 +17,6 @@ jobs:
      - name: Install Cloudsmith CLI
        run: pip install --upgrade cloudsmith-cli
      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-to-cloudsmith.sh
+        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -10,8 +10,7 @@ on:

 permissions:
    contents: write
-    # packages: write
-    # issues: write
+
 jobs:
    cli-integration-tests:
        name: Run tests before deployment
@ -26,8 +25,65 @@ jobs:
            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

+    npm-release:
+        runs-on: ubuntu-latest
+        env:
+            working-directory: ./npm
+        needs:
+            - cli-integration-tests
+            - goreleaser
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+
+            - name: Extract version
+              run: |
+                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+                  echo "Version extracted: $VERSION"
+                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+            - name: Print version
+              run: echo ${{ env.CLI_VERSION }}
+
+            - name: Setup Node
+              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+              with:
+                  node-version: 20
+                  cache: "npm"
+                  cache-dependency-path: ./npm/package-lock.json
+            - name: Install dependencies
+              working-directory: ${{ env.working-directory }}
+              run: npm install --ignore-scripts
+
+            - name: Set NPM version
+              working-directory: ${{ env.working-directory }}
+              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+            - name: Setup NPM
+              working-directory: ${{ env.working-directory }}
+              run: |
+                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+            - name: Pack NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm pack
+
+            - name: Publish NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
    goreleaser:
-        runs-on: ubuntu-20.04
+        runs-on: ubuntu-latest
        needs: [cli-integration-tests]
        steps:
            - uses: actions/checkout@v3
@ -47,11 +103,12 @@ jobs:
                  go-version: ">=1.19.3"
                  cache: true
                  cache-dependency-path: cli/go.sum
-            - name: libssl1.1 => libssl1.0-dev for OSXCross
+            - name: Setup for libssl1.0-dev
              run: |
                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt update && apt-cache policy libssl1.0-dev
-                  sudo apt-get install libssl1.0-dev
+                  sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+                  sudo apt update
+                  sudo apt-get install -y libssl1.0-dev
            - name: OSXCross for CGO Support
              run: |
                  mkdir ../../osxcross
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@ -1,4 +1,4 @@
-name: Release Docker image for K8 operator
+name: Release image + Helm chart K8s Operator
 on:
  push:
    tags:
@ -35,3 +35,18 @@ jobs:
          tags: |
            infisical/kubernetes-operator:latest
            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install python
+        uses: actions/setup-python@v4
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+      - name: Build and push helm package to Cloudsmith
+        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@ -34,7 +34,10 @@ jobs:
        working-directory: backend
      - name: Start postgres and redis
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Start integration test
+      - name: Run unit test
+        run: npm run test:unit
+        working-directory: backend
+      - name: Run integration test
        run: npm run test:e2e
        working-directory: backend
        env:
@ -44,4 +47,5 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - name: cleanup
        run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down
+
--- a/.gitignore
+++ b/.gitignore
@ -71,3 +71,5 @@ frontend-build
 cli/infisical-merge
 cli/test/infisical-merge
 /backend/binary
+
+/npm/bin
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -1,6 +1,12 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

+# Check if infisical is installed
+if ! command -v infisical >/dev/null 2>&1; then
+    echo "\nError: Infisical CLI is not installed. Please install the Infisical CLI before comitting.\n You can refer to the documentation at https://infisical.com/docs/cli/overview\n\n"
+    exit 1
+fi
+
 npx lint-staged

 infisical scan git-changes --staged -v
--- a/.infisicalignore
+++ b/.infisicalignore
@ -7,3 +7,4 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
+docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -23,17 +23,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -44,20 +43,10 @@ WORKDIR /app

 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user

-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./

 USER non-root-user

-ENV NEXT_TELEMETRY_DISABLED 1
-
 ##
 ## BACKEND
 ##
@ -69,13 +58,21 @@ RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user

 WORKDIR /app

-# Required for pkcs11js
+# Required for pkcs11js and ODBC
 RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
    && rm -rf /var/lib/apt/lists/*

+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 COPY backend/package*.json ./
 RUN npm ci --only-production

@ -91,13 +88,21 @@ ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/

 WORKDIR /app

-# Required for pkcs11js
+# Required for pkcs11js and ODBC
 RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
    && rm -rf /var/lib/apt/lists/*

+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 COPY backend/package*.json ./
 RUN npm ci --only-production

@ -108,13 +113,25 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production

-# Install necessary packages
+# Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
    ca-certificates \
    curl \
    git \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
+    openssh-client \
    && rm -rf /var/lib/apt/lists/*

+# Configure ODBC in production
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 # Install Infisical CLI
 RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
    && apt-get update && apt-get install -y infisical=0.31.1 \
@ -132,14 +149,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

 WORKDIR / 

@ -147,6 +161,9 @@ COPY --from=backend-runner /app /backend

 COPY --from=frontend-runner /app ./backend/frontend-build

+ARG INFISICAL_PLATFORM_VERSION
+ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+
 ENV PORT 8080
 ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 
@ -164,4 +181,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -3,16 +3,13 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key

-FROM  node:20-alpine AS base
+FROM node:20-slim AS base

 FROM base AS frontend-dependencies

-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
-
 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -27,17 +24,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -46,34 +42,34 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app

-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user

-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./

 USER non-root-user

-ENV NEXT_TELEMETRY_DISABLED 1
-
 ##
 ## BACKEND
 ##
 FROM base AS backend-build
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user

 WORKDIR /app

-# Required for pkcs11js
-RUN apk add --no-cache python3 make g++ 
+# Install all required dependencies for build
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds-bin \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user

 COPY backend/package*.json ./
 RUN npm ci --only-production
@ -88,8 +84,20 @@ FROM base AS backend-runner

 WORKDIR /app

-# Required for pkcs11js
-RUN apk add --no-cache python3 make g++ 
+# Install all required dependencies for runtime
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds-bin \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

 COPY backend/package*.json ./
 RUN npm ci --only-production
@ -100,13 +108,37 @@ RUN mkdir frontend-build

 # Production stage
 FROM base AS production
-RUN apk add --upgrade --no-cache ca-certificates
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.31.1 && apk add --no-cache git

-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    bash \
+    curl \
+    git \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds-bin \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev \
+		wget \
+    openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+# Configure ODBC in production
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Setup user permissions
+RUN groupadd --system --gid 1001 nodejs \
+  && useradd --system --uid 1001 --gid nodejs non-root-user

 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@ -118,21 +150,17 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
+ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
-
-WORKDIR / 
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

 COPY --from=backend-runner /app /backend
-
 COPY --from=frontend-runner /app ./backend/frontend-build

+ARG INFISICAL_PLATFORM_VERSION
+ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

 ENV PORT 8080
 ENV HOST=0.0.0.0
@ -140,6 +168,7 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
+
 WORKDIR /backend

 ENV TELEMETRY_ENABLED true
--- a/5
+++ b/5
@ -10,6 +10,9 @@ up-dev:
 up-dev-ldap:
 	docker compose -f docker-compose.dev.yml --profile ldap up --build

+up-dev-metrics:
+	docker compose -f docker-compose.dev.yml --profile metrics up --build
+
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build

@ -28,3 +31,5 @@ reviewable-api:

 reviewable: reviewable-ui reviewable-api

+up-dev-sso:
+	docker compose -f docker-compose.dev.yml --profile sso up --build
--- a/README.md
+++ b/README.md
@ -14,15 +14,6 @@
  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>

-<p align="center">
-  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
-    <img src=".github/images/deploy-to-aws.png" width="137" />
-  </a>
-  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
-     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
-  </a>
-</p>
-
 <h4 align="center">
  <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
    <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@ -65,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.

-### Internal PKI:
+### Infisical (Internal) PKI:

 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@ -73,12 +64,17 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.

-### Key Management (KMS):
+### Infisical Key Management System (KMS):

- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.

+### Infisical SSH
+
+- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
+
 ### General Platform:
+
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
@ -129,7 +125,7 @@ Install pre commit hook to scan each commit before you push to your repository
 infisical scan install --pre-commit-hook
 ```

-Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
+Learn about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)

 ## Open-source vs. paid

--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -1,13 +1,22 @@
 # Build stage
-FROM node:20-alpine AS build
+FROM node:20-slim AS build

 WORKDIR /app

 # Required for pkcs11js
-RUN apk --update add \
-        python3 \
-        make \
-        g++
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    openssh-client
+
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
+    unixodbc \
+    freetds-bin \
+    freetds-dev \
+    unixodbc-dev \
+    libc-dev

 COPY package*.json ./
 RUN npm ci --only-production
@ -16,25 +25,36 @@ COPY . .
 RUN npm run build

 # Production stage
-FROM node:20-alpine
+FROM node:20-slim
 WORKDIR /app

 ENV npm_config_cache /home/node/.npm

 COPY package*.json ./

-RUN apk --update add \
-        python3 \
-        make \
-        g++
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++
+
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
+    unixodbc \
+    freetds-bin \
+    freetds-dev \
+    unixodbc-dev \
+    libc-dev
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini

 RUN npm ci --only-production && npm cache clean --force

 COPY --from=build /app .

-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN apt-get install -y curl bash && \
+    curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && apt-get install -y infisical=0.8.1 git

 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:20-slim

 # ? Setup a test SoftHSM module. In production a real HSM is used.

@ -7,19 +7,32 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
    SOFTHSM2_SOURCES=/tmp/softhsm2

-# install build dependencies including python3
-RUN apk --update add \
-        alpine-sdk \
-        autoconf \
-        automake \
-        git \
-        libtool \
-        openssl-dev \
-        python3 \
-        make \
-        g++
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config

-# build and install SoftHSM2
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Build and install SoftHSM2
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}

@ -32,16 +45,18 @@ RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}

-# install pkcs11-tool
-RUN apk --update add opensc
+# Install pkcs11-tool
+RUN apt-get install -y opensc

-RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000

 # ? App setup

-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1

 WORKDIR /app

--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -10,17 +10,22 @@ export const mockQueue = (): TQueueServiceFactory => {
    queue: async (name, jobData) => {
      job[name] = jobData;
    },
+    queuePg: async () => {},
+    initialize: async () => {},
    shutdown: async () => undefined,
    stopRepeatableJob: async () => true,
    start: (name, jobFn) => {
      queues[name] = jobFn;
      workers[name] = jobFn;
    },
+    startPg: async () => {},
    listen: (name, event) => {
      events[name] = event;
    },
+    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true
+    stopRepeatableJobByJobId: async () => true,
+    stopRepeatableJobByKey: async () => true
  };
 };
--- a/backend/e2e-test/mocks/smtp.ts
+++ b/backend/e2e-test/mocks/smtp.ts
@ -5,6 +5,9 @@ export const mockSmtpServer = (): TSmtpService => {
  return {
    sendMail: async (data) => {
      storage.push(data);
+    },
+    verify: async () => {
+      return true;
    }
  };
 };
--- a/backend/e2e-test/routes/v3/secret-recursive.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-recursive.spec.ts
@ -0,0 +1,86 @@
+import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
+import { createSecretV2, deleteSecretV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
+
+import { seedData1 } from "@app/db/seed-data";
+
+describe("Secret Recursive Testing", async () => {
+  const projectId = seedData1.projectV3.id;
+  const folderAndSecretNames = [
+    { name: "deep1", path: "/", expectedSecretCount: 4 },
+    { name: "deep21", path: "/deep1", expectedSecretCount: 2 },
+    { name: "deep3", path: "/deep1/deep2", expectedSecretCount: 1 },
+    { name: "deep22", path: "/deep2", expectedSecretCount: 1 }
+  ];
+
+  beforeAll(async () => {
+    const rootFolderIds: string[] = [];
+    for (const folder of folderAndSecretNames) {
+      // eslint-disable-next-line no-await-in-loop
+      const createdFolder = await createFolder({
+        authToken: jwtAuthToken,
+        environmentSlug: "prod",
+        workspaceId: projectId,
+        secretPath: folder.path,
+        name: folder.name
+      });
+
+      if (folder.path === "/") {
+        rootFolderIds.push(createdFolder.id);
+      }
+      // eslint-disable-next-line no-await-in-loop
+      await createSecretV2({
+        secretPath: folder.path,
+        authToken: jwtAuthToken,
+        environmentSlug: "prod",
+        workspaceId: projectId,
+        key: folder.name,
+        value: folder.name
+      });
+    }
+
+    return async () => {
+      await Promise.all(
+        rootFolderIds.map((id) =>
+          deleteFolder({
+            authToken: jwtAuthToken,
+            secretPath: "/",
+            id,
+            workspaceId: projectId,
+            environmentSlug: "prod"
+          })
+        )
+      );
+
+      await deleteSecretV2({
+        authToken: jwtAuthToken,
+        secretPath: "/",
+        workspaceId: projectId,
+        environmentSlug: "prod",
+        key: folderAndSecretNames[0].name
+      });
+    };
+  });
+
+  test.each(folderAndSecretNames)("$path recursive secret fetching", async ({ path, expectedSecretCount }) => {
+    const secrets = await getSecretsV2({
+      authToken: jwtAuthToken,
+      secretPath: path,
+      workspaceId: projectId,
+      environmentSlug: "prod",
+      recursive: true
+    });
+
+    expect(secrets.secrets.length).toEqual(expectedSecretCount);
+    expect(secrets.secrets.sort((a, b) => a.secretKey.localeCompare(b.secretKey))).toEqual(
+      folderAndSecretNames
+        .filter((el) => el.path.startsWith(path))
+        .sort((a, b) => a.name.localeCompare(b.name))
+        .map((el) =>
+          expect.objectContaining({
+            secretKey: el.name,
+            secretValue: el.name
+          })
+        )
+    );
+  });
+});
--- a/backend/e2e-test/routes/v3/secrets-v2.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets-v2.spec.ts
@ -535,6 +535,107 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
      );
    });

+    test.each(secretTestCases)("Bulk upsert secrets in path $path", async ({ secret, path }) => {
+      const updateSharedSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          secretPath: path,
+          mode: "upsert",
+          secrets: Array.from(Array(5)).map((_e, i) => ({
+            secretKey: `BULK-${secret.key}-${i + 1}`,
+            secretValue: "update-value",
+            secretComment: secret.comment
+          }))
+        }
+      });
+      expect(updateSharedSecRes.statusCode).toBe(200);
+      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
+      expect(updateSharedSecPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining(
+          Array.from(Array(5)).map((_e, i) =>
+            expect.objectContaining({
+              secretKey: `BULK-${secret.key}-${i + 1}`,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      await Promise.all(
+        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
+      );
+    });
+
+    test("Bulk upsert secrets in path multiple paths", async () => {
+      const firstBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
+        secretKey: `BULK-KEY-${secretTestCases[0].secret.key}-${i + 1}`,
+        secretValue: "update-value",
+        secretComment: "comment",
+        secretPath: secretTestCases[0].path
+      }));
+      const secondBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
+        secretKey: `BULK-KEY-${secretTestCases[1].secret.key}-${i + 1}`,
+        secretValue: "update-value",
+        secretComment: "comment",
+        secretPath: secretTestCases[1].path
+      }));
+      const testSecrets = [...firstBatchSecrets, ...secondBatchSecrets];
+
+      const updateSharedSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          mode: "upsert",
+          secrets: testSecrets
+        }
+      });
+      expect(updateSharedSecRes.statusCode).toBe(200);
+      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
+      expect(updateSharedSecPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const firstBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[0].path);
+      expect(firstBatchSecretsOnInfisical).toEqual(
+        expect.arrayContaining(
+          firstBatchSecrets.map((el) =>
+            expect.objectContaining({
+              secretKey: el.secretKey,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      const secondBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[1].path);
+      expect(secondBatchSecretsOnInfisical).toEqual(
+        expect.arrayContaining(
+          secondBatchSecrets.map((el) =>
+            expect.objectContaining({
+              secretKey: el.secretKey,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      await Promise.all(testSecrets.map((el) => deleteSecret({ path: el.secretPath, key: el.secretKey })));
+    });
+
    test.each(secretTestCases)("Bulk delete secrets in path $path", async ({ secret, path }) => {
      await Promise.all(
        Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))
--- a/backend/e2e-test/testUtils/secrets.ts
+++ b/backend/e2e-test/testUtils/secrets.ts
@ -97,6 +97,7 @@ export const getSecretsV2 = async (dto: {
  environmentSlug: string;
  secretPath: string;
  authToken: string;
+  recursive?: boolean;
 }) => {
  const getSecretsResponse = await testServer.inject({
    method: "GET",
@ -109,7 +110,8 @@ export const getSecretsV2 = async (dto: {
      environment: dto.environmentSlug,
      secretPath: dto.secretPath,
      expandSecretReferences: "true",
-      include_imports: "true"
+      include_imports: "true",
+      recursive: String(dto.recursive || false)
    }
  });
  expect(getSecretsResponse.statusCode).toBe(200);
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -23,14 +23,14 @@ export default {
  name: "knex-env",
  transformMode: "ssr",
  async setup() {
-    const logger = await initLogger();
-    const cfg = initEnvConfig(logger);
+    const logger = initLogger();
+    const envConfig = initEnvConfig(logger);
    const db = initDbConnection({
-      dbConnectionUri: cfg.DB_CONNECTION_URI,
-      dbRootCert: cfg.DB_ROOT_CERT
+      dbConnectionUri: envConfig.DB_CONNECTION_URI,
+      dbRootCert: envConfig.DB_ROOT_CERT
    });

-    const redis = new Redis(cfg.REDIS_URL);
+    const redis = new Redis(envConfig.REDIS_URL);
    await redis.flushdb("SYNC");

    try {
@ -42,6 +42,7 @@ export default {
        },
        true
      );
+
      await db.migrate.latest({
        directory: path.join(__dirname, "../src/db/migrations"),
        extension: "ts",
@ -52,14 +53,24 @@ export default {
        directory: path.join(__dirname, "../src/db/seeds"),
        extension: "ts"
      });
-      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL);
-      const keyStore = keyStoreFactory(cfg.REDIS_URL);

-      const hsmModule = initializeHsmModule();
+      const smtp = mockSmtpServer();
+      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+
+      const hsmModule = initializeHsmModule(envConfig);
      hsmModule.initialize();

-      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule() });
+      const server = await main({
+        db,
+        smtp,
+        logger,
+        queue,
+        keyStore,
+        hsmModule: hsmModule.getModule(),
+        redis,
+        envConfig
+      });

      // @ts-expect-error type
      globalThis.testServer = server;
@ -73,8 +84,8 @@ export default {
          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
-        cfg.AUTH_SECRET,
-        { expiresIn: cfg.JWT_AUTH_LIFETIME }
+        envConfig.AUTH_SECRET,
+        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
      );
    } catch (error) {
      // eslint-disable-next-line
@ -109,3 +120,4 @@ export default {
    };
  }
 };
+
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -40,27 +40,37 @@
    "type:check": "tsc --noEmit",
    "lint:fix": "eslint --fix --ext js,ts ./src",
    "lint": "eslint 'src/**/*.ts'",
+    "test:unit": "vitest run -c vitest.unit.config.ts",
    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
    "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
-    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
-    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
-    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
-    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
-    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
-    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
+    "auditlog-migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:latest",
+    "auditlog-migration:up": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:up",
+    "auditlog-migration:down": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:down",
+    "auditlog-migration:list": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:list",
+    "auditlog-migration:status": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:status",
+    "auditlog-migration:unlock": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:unlock",
+    "auditlog-migration:rollback": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:rollback",
    "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:up",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:down",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:list",
+    "migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && npm run auditlog-migration:latest && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:latest",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:status",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./dist/db/knexfile.mjs migrate:rollback",
+    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./dist/db/knexfile.mjs migrate:unlock",
+    "migration:up-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback-dev": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock-dev": "knex --knexfile ./src/db/knexfile.ts migrate:unlock",
    "migrate:org": "tsx ./scripts/migrate-organization.ts",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
-    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
+    "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
  },
  "keywords": [],
@ -127,24 +137,36 @@
    "@fastify/etag": "^5.1.0",
    "@fastify/formbody": "^7.4.0",
    "@fastify/helmet": "^11.1.1",
-    "@fastify/multipart": "8.3.0",
+    "@fastify/multipart": "8.3.1",
    "@fastify/passport": "^2.4.0",
    "@fastify/rate-limit": "^9.0.0",
+    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
+    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
+    "@google-cloud/kms": "^4.5.0",
+    "@infisical/quic": "^1.0.8",
    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
+    "@octopusdeploy/api-client": "^3.4.1",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
+    "@opentelemetry/exporter-prometheus": "^0.55.0",
+    "@opentelemetry/instrumentation": "^0.55.0",
+    "@opentelemetry/instrumentation-http": "^0.57.2",
+    "@opentelemetry/resources": "^1.28.0",
+    "@opentelemetry/sdk-metrics": "^1.28.0",
+    "@opentelemetry/semantic-conventions": "^1.27.0",
    "@peculiar/asn1-schema": "^2.3.8",
    "@peculiar/x509": "^1.12.1",
    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
    "@sindresorhus/slugify": "1.1.0",
-    "@slack/oauth": "^3.0.1",
-    "@slack/web-api": "^7.3.4",
-    "@team-plain/typescript-sdk": "^4.6.1",
+    "@slack/oauth": "^3.0.2",
+    "@slack/web-api": "^7.8.0",
    "@ucast/mongo2js": "^1.3.4",
    "ajv": "^8.12.0",
    "argon2": "^0.31.2",
@ -156,6 +178,7 @@
    "cassandra-driver": "^4.7.2",
    "connect-redis": "^7.1.1",
    "cron": "^3.1.7",
+    "dd-trace": "^5.40.0",
    "dotenv": "^16.4.1",
    "fastify": "^4.28.1",
    "fastify-plugin": "^4.5.1",
@ -164,6 +187,7 @@
    "handlebars": "^4.7.8",
    "hdb": "^0.19.10",
    "ioredis": "^5.3.2",
+    "isomorphic-dompurify": "^2.22.0",
    "jmespath": "^0.16.0",
    "jsonwebtoken": "^9.0.2",
    "jsrp": "^0.2.4",
@ -176,16 +200,19 @@
    "mongodb": "^6.8.1",
    "ms": "^2.1.3",
    "mysql2": "^3.9.8",
-    "nanoid": "^3.3.4",
+    "nanoid": "^3.3.8",
    "nodemailer": "^6.9.9",
+    "odbc": "^2.4.9",
    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
    "oracledb": "^6.4.0",
+    "otplib": "^12.0.1",
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
+    "pg-boss": "^10.1.5",
    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
--- a/backend/scripts/migrate-organization.ts
+++ b/backend/scripts/migrate-organization.ts
@ -8,61 +8,80 @@ const prompt = promptSync({
  sigint: true
 });

+const sanitizeInputParam = (value: string) => {
+  // Escape double quotes and wrap the entire value in double quotes
+  if (value) {
+    return `"${value.replace(/"/g, '\\"')}"`;
+  }
+  return '""';
+};
+
 const exportDb = () => {
-  const exportHost = prompt("Enter your Postgres Host to migrate from: ");
-  const exportPort = prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432";
-  const exportUser = prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical";
-  const exportPassword = prompt("Enter your Postgres Password to migrate from: ");
-  const exportDatabase = prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical";
+  const exportHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate from: "));
+  const exportPort = sanitizeInputParam(
+    prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432"
+  );
+  const exportUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical"
+  );
+  const exportPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate from: "));
+  const exportDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical"
+  );

  // we do not include the audit_log and secret_sharing entries
  execSync(
-    `PGDATABASE="${exportDatabase}" PGPASSWORD="${exportPassword}" PGHOST="${exportHost}" PGPORT=${exportPort} PGUSER=${exportUser} pg_dump infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
+    `PGDATABASE=${exportDatabase} PGPASSWORD=${exportPassword} PGHOST=${exportHost} PGPORT=${exportPort} PGUSER=${exportUser} pg_dump -Fc infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
      __dirname,
-      "../src/db/dump.sql"
+      "../src/db/backup.dump"
    )}`,
    { stdio: "inherit" }
  );
 };

 const importDbForOrg = () => {
-  const importHost = prompt("Enter your Postgres Host to migrate to: ");
-  const importPort = prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432";
-  const importUser = prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical";
-  const importPassword = prompt("Enter your Postgres Password to migrate to: ");
-  const importDatabase = prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical";
-  const orgId = prompt("Enter the organization ID to migrate: ");
+  const importHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate to: "));
+  const importPort = sanitizeInputParam(prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432");
+  const importUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical"
+  );
+  const importPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate to: "));
+  const importDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical"
+  );
+  const orgId = sanitizeInputParam(prompt("Enter the organization ID to migrate: "));

-  if (!existsSync(path.join(__dirname, "../src/db/dump.sql"))) {
+  if (!existsSync(path.join(__dirname, "../src/db/backup.dump"))) {
    console.log("File not found, please export the database first.");
    return;
  }

  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -f ${path.join(
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} pg_restore -d ${importDatabase} --verbose ${path.join(
      __dirname,
-      "../src/db/dump.sql"
-    )}`
+      "../src/db/backup.dump"
+    )}`,
+    { maxBuffer: 1024 * 1024 * 4096 }
  );

  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
  );

  // delete global/instance-level resources not relevant to the organization to migrate
  // users
  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
  );

  // identities
  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
  );

  // reset slack configuration in superAdmin
  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
  );

  console.log("Organization migrated successfully.");
--- a/backend/src/@types/fastify-request-context.d.ts
+++ b/backend/src/@types/fastify-request-context.d.ts
@ -0,0 +1,7 @@
+import "@fastify/request-context";
+
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    reqId: string;
+  }
+}
--- a/backend/src/@types/fastify-zod.d.ts
+++ b/backend/src/@types/fastify-zod.d.ts
@ -1,6 +1,6 @@
 import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression, RawServerDefault } from "fastify";
-import { Logger } from "pino";

+import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";

 declare global {
@ -8,7 +8,7 @@ declare global {
    RawServerDefault,
    RawRequestDefaultExpression<RawServerDefault>,
    RawReplyDefaultExpression<RawServerDefault>,
-    Readonly<Logger>,
+    Readonly<CustomLogger>,
    ZodTypeProvider
  >;

--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -1,5 +1,7 @@
 import "fastify";

+import { Redis } from "ioredis";
+
 import { TUsers } from "@app/db/schemas";
 import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
@ -11,9 +13,13 @@ import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
+import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
+import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
+import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@ -29,9 +35,12 @@ import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-ap
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
+import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
+import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
+import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
@ -50,6 +59,7 @@ import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-acces
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@ -74,18 +84,30 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
+import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
+import { TTotpServiceFactory } from "@app/services/totp/totp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
 import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";

+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    reqId: string;
+  }
+}
+
 declare module "fastify" {
+  interface Session {
+    callbackPort: string;
+  }
+
  interface FastifyRequest {
    realIp: string;
    // used for mfa session authentication
@ -108,12 +130,18 @@ declare module "fastify" {
      isUserCompleted: string;
      providerAuthToken: string;
    };
+    kmipUser: {
+      projectId: string;
+      clientId: string;
+      name: string;
+    };
    auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
    ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
  }

  interface FastifyInstance {
+    redis: Redis;
    services: {
      login: TAuthLoginFactory;
      password: TAuthPasswordFactory;
@ -154,6 +182,7 @@ declare module "fastify" {
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      identityOidcAuth: TIdentityOidcAuthServiceFactory;
+      identityJwtAuth: TIdentityJwtAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@ -167,6 +196,8 @@ declare module "fastify" {
      auditLogStream: TAuditLogStreamServiceFactory;
      certificate: TCertificateServiceFactory;
      certificateTemplate: TCertificateTemplateServiceFactory;
+      sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
+      sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
@ -193,11 +224,18 @@ declare module "fastify" {
      migration: TExternalMigrationServiceFactory;
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
      projectTemplate: TProjectTemplateServiceFactory;
+      totp: TTotpServiceFactory;
+      appConnection: TAppConnectionServiceFactory;
+      secretSync: TSecretSyncServiceFactory;
+      kmip: TKmipServiceFactory;
+      kmipOperation: TKmipOperationServiceFactory;
+      gateway: TGatewayServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
    store: {
      user: Pick<TUserDALFactory, "findById">;
+      kmipClient: Pick<TKmipClientDALFactory, "findByProjectAndClientId">;
    };
  }
 }
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -68,6 +68,9 @@ import {
  TExternalKms,
  TExternalKmsInsert,
  TExternalKmsUpdate,
+  TGateways,
+  TGatewaysInsert,
+  TGatewaysUpdate,
  TGitAppInstallSessions,
  TGitAppInstallSessionsInsert,
  TGitAppInstallSessionsUpdate,
@ -98,6 +101,9 @@ import {
  TIdentityGcpAuths,
  TIdentityGcpAuthsInsert,
  TIdentityGcpAuthsUpdate,
+  TIdentityJwtAuths,
+  TIdentityJwtAuthsInsert,
+  TIdentityJwtAuthsUpdate,
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
@ -140,6 +146,18 @@ import {
  TInternalKms,
  TInternalKmsInsert,
  TInternalKmsUpdate,
+  TKmipClientCertificates,
+  TKmipClientCertificatesInsert,
+  TKmipClientCertificatesUpdate,
+  TKmipClients,
+  TKmipClientsInsert,
+  TKmipClientsUpdate,
+  TKmipOrgConfigs,
+  TKmipOrgConfigsInsert,
+  TKmipOrgConfigsUpdate,
+  TKmipOrgServerCertificates,
+  TKmipOrgServerCertificatesInsert,
+  TKmipOrgServerCertificatesUpdate,
  TKmsKeys,
  TKmsKeysInsert,
  TKmsKeysUpdate,
@ -164,6 +182,9 @@ import {
  TOrgBots,
  TOrgBotsInsert,
  TOrgBotsUpdate,
+  TOrgGatewayConfig,
+  TOrgGatewayConfigInsert,
+  TOrgGatewayConfigUpdate,
  TOrgMemberships,
  TOrgMembershipsInsert,
  TOrgMembershipsUpdate,
@ -185,6 +206,9 @@ import {
  TProjectEnvironments,
  TProjectEnvironmentsInsert,
  TProjectEnvironmentsUpdate,
+  TProjectGateways,
+  TProjectGatewaysInsert,
+  TProjectGatewaysUpdate,
  TProjectKeys,
  TProjectKeysInsert,
  TProjectKeysUpdate,
@ -199,6 +223,9 @@ import {
  TProjectSlackConfigs,
  TProjectSlackConfigsInsert,
  TProjectSlackConfigsUpdate,
+  TProjectSplitBackfillIds,
+  TProjectSplitBackfillIdsInsert,
+  TProjectSplitBackfillIdsUpdate,
  TProjectsUpdate,
  TProjectTemplates,
  TProjectTemplatesInsert,
@ -212,6 +239,9 @@ import {
  TRateLimit,
  TRateLimitInsert,
  TRateLimitUpdate,
+  TResourceMetadata,
+  TResourceMetadataInsert,
+  TResourceMetadataUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -311,9 +341,27 @@ import {
  TSlackIntegrations,
  TSlackIntegrationsInsert,
  TSlackIntegrationsUpdate,
+  TSshCertificateAuthorities,
+  TSshCertificateAuthoritiesInsert,
+  TSshCertificateAuthoritiesUpdate,
+  TSshCertificateAuthoritySecrets,
+  TSshCertificateAuthoritySecretsInsert,
+  TSshCertificateAuthoritySecretsUpdate,
+  TSshCertificateBodies,
+  TSshCertificateBodiesInsert,
+  TSshCertificateBodiesUpdate,
+  TSshCertificates,
+  TSshCertificatesInsert,
+  TSshCertificatesUpdate,
+  TSshCertificateTemplates,
+  TSshCertificateTemplatesInsert,
+  TSshCertificateTemplatesUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
+  TTotpConfigs,
+  TTotpConfigsInsert,
+  TTotpConfigsUpdate,
  TTrustedIps,
  TTrustedIpsInsert,
  TTrustedIpsUpdate,
@ -339,11 +387,13 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
+import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
 import {
  TExternalGroupOrgRoleMappings,
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
+import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@ -369,6 +419,31 @@ declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
+    [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TSshCertificateAuthorities,
+      TSshCertificateAuthoritiesInsert,
+      TSshCertificateAuthoritiesUpdate
+    >;
+    [TableName.SshCertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
+      TSshCertificateAuthoritySecrets,
+      TSshCertificateAuthoritySecretsInsert,
+      TSshCertificateAuthoritySecretsUpdate
+    >;
+    [TableName.SshCertificateTemplate]: KnexOriginal.CompositeTableType<
+      TSshCertificateTemplates,
+      TSshCertificateTemplatesInsert,
+      TSshCertificateTemplatesUpdate
+    >;
+    [TableName.SshCertificate]: KnexOriginal.CompositeTableType<
+      TSshCertificates,
+      TSshCertificatesInsert,
+      TSshCertificatesUpdate
+    >;
+    [TableName.SshCertificateBody]: KnexOriginal.CompositeTableType<
+      TSshCertificateBodies,
+      TSshCertificateBodiesInsert,
+      TSshCertificateBodiesUpdate
+    >;
    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
      TCertificateAuthorities,
      TCertificateAuthoritiesInsert,
@ -587,6 +662,11 @@ declare module "knex/types/tables" {
      TIdentityOidcAuthsInsert,
      TIdentityOidcAuthsUpdate
    >;
+    [TableName.IdentityJwtAuth]: KnexOriginal.CompositeTableType<
+      TIdentityJwtAuths,
+      TIdentityJwtAuthsInsert,
+      TIdentityJwtAuthsUpdate
+    >;
    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
@ -826,5 +906,49 @@ declare module "knex/types/tables" {
      TProjectTemplatesInsert,
      TProjectTemplatesUpdate
    >;
+    [TableName.TotpConfig]: KnexOriginal.CompositeTableType<TTotpConfigs, TTotpConfigsInsert, TTotpConfigsUpdate>;
+    [TableName.ProjectSplitBackfillIds]: KnexOriginal.CompositeTableType<
+      TProjectSplitBackfillIds,
+      TProjectSplitBackfillIdsInsert,
+      TProjectSplitBackfillIdsUpdate
+    >;
+    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
+      TResourceMetadata,
+      TResourceMetadataInsert,
+      TResourceMetadataUpdate
+    >;
+    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
+      TAppConnections,
+      TAppConnectionsInsert,
+      TAppConnectionsUpdate
+    >;
+    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
+    [TableName.KmipClient]: KnexOriginal.CompositeTableType<TKmipClients, TKmipClientsInsert, TKmipClientsUpdate>;
+    [TableName.KmipOrgConfig]: KnexOriginal.CompositeTableType<
+      TKmipOrgConfigs,
+      TKmipOrgConfigsInsert,
+      TKmipOrgConfigsUpdate
+    >;
+    [TableName.KmipOrgServerCertificates]: KnexOriginal.CompositeTableType<
+      TKmipOrgServerCertificates,
+      TKmipOrgServerCertificatesInsert,
+      TKmipOrgServerCertificatesUpdate
+    >;
+    [TableName.KmipClientCertificates]: KnexOriginal.CompositeTableType<
+      TKmipClientCertificates,
+      TKmipClientCertificatesInsert,
+      TKmipClientCertificatesUpdate
+    >;
+    [TableName.Gateway]: KnexOriginal.CompositeTableType<TGateways, TGatewaysInsert, TGatewaysUpdate>;
+    [TableName.ProjectGateway]: KnexOriginal.CompositeTableType<
+      TProjectGateways,
+      TProjectGatewaysInsert,
+      TProjectGatewaysUpdate
+    >;
+    [TableName.OrgGatewayConfig]: KnexOriginal.CompositeTableType<
+      TOrgGatewayConfig,
+      TOrgGatewayConfigInsert,
+      TOrgGatewayConfigUpdate
+    >;
  }
 }
--- a/backend/src/auto-start-migrations.ts
+++ b/backend/src/auto-start-migrations.ts
@ -0,0 +1,105 @@
+import path from "node:path";
+
+import dotenv from "dotenv";
+import { Knex } from "knex";
+import { Logger } from "pino";
+
+import { PgSqlLock } from "./keystore/keystore";
+
+dotenv.config();
+
+type TArgs = {
+  auditLogDb?: Knex;
+  applicationDb: Knex;
+  logger: Logger;
+};
+
+const isProduction = process.env.NODE_ENV === "production";
+const migrationConfig = {
+  directory: path.join(__dirname, "./db/migrations"),
+  loadExtensions: [".mjs", ".ts"],
+  tableName: "infisical_migrations"
+};
+
+const migrationStatusCheckErrorHandler = (err: Error) => {
+  // happens for first time  in which the migration table itself is not created yet
+  //    error: select * from "infisical_migrations" - relation "infisical_migrations" does not exist
+  if (err?.message?.includes("does not exist")) {
+    return true;
+  }
+  throw err;
+};
+
+export const runMigrations = async ({ applicationDb, auditLogDb, logger }: TArgs) => {
+  try {
+    // akhilmhdh(Feb 10 2025): 2 years  from now remove this
+    if (isProduction) {
+      const migrationTable = migrationConfig.tableName;
+      const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
+      if (hasMigrationTable) {
+        const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
+        if (firstFile?.name?.includes(".ts")) {
+          await applicationDb(migrationTable).update({
+            name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
+          });
+        }
+      }
+      if (auditLogDb) {
+        const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
+        if (hasMigrationTableInAuditLog) {
+          const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
+          if (firstFile?.name?.includes(".ts")) {
+            await auditLogDb(migrationTable).update({
+              name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
+            });
+          }
+        }
+      }
+    }
+
+    const shouldRunMigration = Boolean(
+      await applicationDb.migrate.status(migrationConfig).catch(migrationStatusCheckErrorHandler)
+    ); // db.length - code.length
+    if (!shouldRunMigration) {
+      logger.info("No migrations pending: Skipping migration process.");
+      return;
+    }
+
+    if (auditLogDb) {
+      await auditLogDb.transaction(async (tx) => {
+        await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
+        logger.info("Running audit log migrations.");
+
+        const didPreviousInstanceRunMigration = !(await auditLogDb.migrate
+          .status(migrationConfig)
+          .catch(migrationStatusCheckErrorHandler));
+        if (didPreviousInstanceRunMigration) {
+          logger.info("No audit log migrations pending: Applied by previous instance. Skipping migration process.");
+          return;
+        }
+
+        await auditLogDb.migrate.latest(migrationConfig);
+        logger.info("Finished audit log migrations.");
+      });
+    }
+
+    await applicationDb.transaction(async (tx) => {
+      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
+      logger.info("Running application migrations.");
+
+      const didPreviousInstanceRunMigration = !(await applicationDb.migrate
+        .status(migrationConfig)
+        .catch(migrationStatusCheckErrorHandler));
+      if (didPreviousInstanceRunMigration) {
+        logger.info("No application migrations pending: Applied by previous instance. Skipping migration process.");
+        return;
+      }
+
+      await applicationDb.migrate.latest(migrationConfig);
+      logger.info("Finished application migrations.");
+    });
+  } catch (err) {
+    logger.error(err, "Boot up migration failed");
+    process.exit(1);
+  }
+};
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -49,6 +49,9 @@ export const initDbConnection = ({
            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
          }
        : false
+    },
+    migrations: {
+      tableName: "infisical_migrations"
    }
  });

@ -64,6 +67,9 @@ export const initDbConnection = ({
              ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii")
            }
          : false
+      },
+      migrations: {
+        tableName: "infisical_migrations"
      }
    });
  });
@ -98,6 +104,9 @@ export const initAuditLogDbConnection = ({
            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
          }
        : false
+    },
+    migrations: {
+      tableName: "infisical_migrations"
    }
  });

--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@ -38,7 +38,8 @@ export default {
      directory: "./seeds"
    },
    migrations: {
-      tableName: "infisical_migrations"
+      tableName: "infisical_migrations",
+      loadExtensions: [".mjs", ".ts"]
    }
  },
  production: {
@ -62,7 +63,8 @@ export default {
      max: 10
    },
    migrations: {
-      tableName: "infisical_migrations"
+      tableName: "infisical_migrations",
+      loadExtensions: [".mjs", ".ts"]
    }
  }
 } as Knex.Config;
--- a/backend/src/db/migrations/20240802181855_ca-cert-version.ts
+++ b/backend/src/db/migrations/20240802181855_ca-cert-version.ts
@ -64,23 +64,25 @@ export async function up(knex: Knex): Promise<void> {
  }

  if (await knex.schema.hasTable(TableName.Certificate)) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").nullable();
-      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-    });
+    const hasCaCertIdColumn = await knex.schema.hasColumn(TableName.Certificate, "caCertId");
+    if (!hasCaCertIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.uuid("caCertId").nullable();
+        t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+      });

-    await knex.raw(`
+      await knex.raw(`
        UPDATE "${TableName.Certificate}" cert
        SET "caCertId" = (
          SELECT caCert.id
          FROM "${TableName.CertificateAuthorityCert}" caCert
          WHERE caCert."caId" = cert."caId"
-        )
-      `);
+        )`);

-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").notNullable().alter();
-    });
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.uuid("caCertId").notNullable().alter();
+      });
+    }
  }
 }

--- a/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
+++ b/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
@ -2,7 +2,7 @@ import { Knex } from "knex";

 import { TableName } from "../schemas";

-const BATCH_SIZE = 30_000;
+const BATCH_SIZE = 10_000;

 export async function up(knex: Knex): Promise<void> {
  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
@ -12,7 +12,18 @@ export async function up(knex: Knex): Promise<void> {
      t.string("authMethod").nullable();
    });

-    let nullableAccessTokens = await knex(TableName.IdentityAccessToken).whereNull("authMethod").limit(BATCH_SIZE);
+    // first we remove identities without auth method that is unused
+    // ! We delete all access tokens where the identity has no auth method set!
+    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
+    await knex(TableName.IdentityAccessToken)
+      .leftJoin(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
+      .whereNull(`${TableName.Identity}.authMethod`)
+      .delete();
+
+    let nullableAccessTokens = await knex(TableName.IdentityAccessToken)
+      .whereNull("authMethod")
+      .limit(BATCH_SIZE)
+      .select("id");
    let totalUpdated = 0;

    do {
@ -33,24 +44,15 @@ export async function up(knex: Knex): Promise<void> {
        });

      // eslint-disable-next-line no-await-in-loop
-      nullableAccessTokens = await knex(TableName.IdentityAccessToken).whereNull("authMethod").limit(BATCH_SIZE);
+      nullableAccessTokens = await knex(TableName.IdentityAccessToken)
+        .whereNull("authMethod")
+        .limit(BATCH_SIZE)
+        .select("id");

      totalUpdated += batchIds.length;
      console.log(`Updated ${batchIds.length} access tokens in batch <> Total updated: ${totalUpdated}`);
    } while (nullableAccessTokens.length > 0);

-    // ! We delete all access tokens where the identity has no auth method set!
-    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
-    await knex(TableName.IdentityAccessToken)
-      .whereNotExists((queryBuilder) => {
-        void queryBuilder
-          .select("id")
-          .from(TableName.Identity)
-          .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
-          .whereNotNull("authMethod");
-      })
-      .delete();
-
    // Finally we set the authMethod to notNullable after populating the column.
    // This will fail if the data is not populated correctly, so it's safe.
    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
--- a/backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts
+++ b/backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts
@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
+    TableName.CertificateTemplateEstConfig,
+    "disableBootstrapCertValidation"
+  );
+
+  const hasCaChainCol = await knex.schema.hasColumn(TableName.CertificateTemplateEstConfig, "encryptedCaChain");
+
+  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
+    if (!hasDisableBootstrapCertValidationCol) {
+      t.boolean("disableBootstrapCertValidation").defaultTo(false).notNullable();
+    }
+
+    if (hasCaChainCol) {
+      t.binary("encryptedCaChain").nullable().alter();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
+    TableName.CertificateTemplateEstConfig,
+    "disableBootstrapCertValidation"
+  );
+
+  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
+    if (hasDisableBootstrapCertValidationCol) {
+      t.dropColumn("disableBootstrapCertValidation");
+    }
+  });
+}
--- a/backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts
+++ b/backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+}
--- a/backend/src/db/migrations/20241112082701_add-totp-support.ts
+++ b/backend/src/db/migrations/20241112082701_add-totp-support.ts
@ -0,0 +1,54 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.TotpConfig))) {
+    await knex.schema.createTable(TableName.TotpConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.boolean("isVerified").defaultTo(false).notNullable();
+      t.binary("encryptedRecoveryCodes").notNullable();
+      t.binary("encryptedSecret").notNullable();
+      t.timestamps(true, true, true);
+      t.unique("userId");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.TotpConfig);
+  }
+
+  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!doesOrgMfaMethodColExist) {
+      t.string("selectedMfaMethod");
+    }
+  });
+
+  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (!doesUserSelectedMfaMethodColExist) {
+      t.string("selectedMfaMethod");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.TotpConfig);
+  await knex.schema.dropTableIfExists(TableName.TotpConfig);
+
+  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (doesOrgMfaMethodColExist) {
+      t.dropColumn("selectedMfaMethod");
+    }
+  });
+
+  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (doesUserSelectedMfaMethodColExist) {
+      t.dropColumn("selectedMfaMethod");
+    }
+  });
+}
--- a/backend/src/db/migrations/20241119143026_add-project-descripton.ts
+++ b/backend/src/db/migrations/20241119143026_add-project-descripton.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}
--- a/backend/src/db/migrations/20241121131344_make-identity-metadata-not-nullable-again.ts
+++ b/backend/src/db/migrations/20241121131344_make-identity-metadata-not-nullable-again.ts
@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex(TableName.IdentityMetadata).whereNull("value").delete();
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
+++ b/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
@ -0,0 +1,59 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicy,
+    "deletedAt"
+  );
+  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicy,
+    "deletedAt"
+  );
+
+  if (!hasAccessApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.timestamp("deletedAt");
+    });
+  }
+  if (!hasSecretApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.timestamp("deletedAt");
+    });
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+    t.dropForeign(["privilegeId"]);
+
+    // Add the new foreign key constraint with ON DELETE SET NULL
+    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("SET NULL");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicy,
+    "deletedAt"
+  );
+  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicy,
+    "deletedAt"
+  );
+
+  if (hasAccessApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("deletedAt");
+    });
+  }
+  if (hasSecretApprovalPolicyDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("deletedAt");
+    });
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+    t.dropForeign(["privilegeId"]);
+    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
+  });
+}
--- a/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
+++ b/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityJwtAuth))) {
+    await knex.schema.createTable(TableName.IdentityJwtAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("configurationType").notNullable();
+      t.string("jwksUrl").notNullable();
+      t.binary("encryptedJwksCaCert").notNullable();
+      t.binary("encryptedPublicKeys").notNullable();
+      t.string("boundIssuer").notNullable();
+      t.string("boundAudiences").notNullable();
+      t.jsonb("boundClaims").notNullable();
+      t.string("boundSubject").notNullable();
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityJwtAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
+}
--- a/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
+++ b/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      t.index("folderId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      t.dropIndex("folderId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20241213122350_project-split-to-products.ts
+++ b/backend/src/db/migrations/20241213122350_project-split-to-products.ts
@ -0,0 +1,297 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+import { v4 as uuidV4 } from "uuid";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { ProjectType, TableName } from "../schemas";
+
+/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
+const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
+  const newProjectId = uuidV4();
+  const project = await knex(TableName.Project).where("id", projectId).first();
+  await knex(TableName.Project).insert({
+    ...project,
+    type: projectType,
+    // @ts-ignore id is required
+    id: newProjectId,
+    slug: slugify(`${project?.name}-${alphaNumericNanoId(4)}`)
+  });
+
+  const customRoleMapping: Record<string, string> = {};
+  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
+  if (projectCustomRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectRoles,
+      projectCustomRoles.map((el) => {
+        const id = uuidV4();
+        customRoleMapping[el.id] = id;
+        return {
+          ...el,
+          id,
+          projectId: newProjectId,
+          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
+        };
+      })
+    );
+  }
+  const groupMembershipMapping: Record<string, string> = {};
+  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
+  if (groupMemberships.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembership,
+      groupMemberships.map((el) => {
+        const id = uuidV4();
+        groupMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    groupMemberships.map((el) => el.id)
+  );
+  if (groupMembershipRoles.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembershipRole,
+      groupMembershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const identityProjectMembershipMapping: Record<string, string> = {};
+  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
+  if (identities.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembership,
+      identities.map((el) => {
+        const id = uuidV4();
+        identityProjectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    identities.map((el) => el.id)
+  );
+  if (identitiesRoles.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identitiesRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const projectMembershipMapping: Record<string, string> = {};
+  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
+  if (projectUserMembers.length) {
+    await knex.batchInsert(
+      TableName.ProjectMembership,
+      projectUserMembers.map((el) => {
+        const id = uuidV4();
+        projectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
+    "projectMembershipId",
+    projectUserMembers.map((el) => el.id)
+  );
+  if (membershipRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      membershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
+  if (kmsKeys.length) {
+    await knex.batchInsert(
+      TableName.KmsKey,
+      kmsKeys.map((el) => {
+        const id = uuidV4();
+        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
+        return { ...el, id, slug, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
+  if (projectBot) {
+    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
+    await knex(TableName.ProjectBot).insert(newProjectBot);
+  }
+
+  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
+  if (projectKeys.length) {
+    await knex.batchInsert(
+      TableName.ProjectKeys,
+      projectKeys.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  return newProjectId;
+};
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
+  if (!hasSplitMappingTable) {
+    await knex.schema.createTable(TableName.ProjectSplitBackfillIds, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("sourceProjectId", 36).notNullable();
+      t.foreign("sourceProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("destinationProjectType").notNullable();
+      t.string("destinationProjectId", 36).notNullable();
+      t.foreign("destinationProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+    });
+  }
+
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  if (!hasTypeColumn) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type");
+    });
+
+    let projectsToBeTyped;
+    do {
+      // eslint-disable-next-line no-await-in-loop
+      projectsToBeTyped = await knex(TableName.Project).whereNull("type").limit(BATCH_SIZE).select("id");
+      if (projectsToBeTyped.length) {
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.Project)
+          .whereIn(
+            "id",
+            projectsToBeTyped.map((el) => el.id)
+          )
+          .update({ type: ProjectType.SecretManager });
+      }
+    } while (projectsToBeTyped.length > 0);
+
+    const projectsWithCertificates = await knex(TableName.CertificateAuthority)
+      .distinct("projectId")
+      .select("projectId");
+    /* eslint-disable no-await-in-loop,no-param-reassign */
+    for (const { projectId } of projectsWithCertificates) {
+      const newProjectId = await newProject(knex, projectId, ProjectType.CertificateManager);
+      await knex(TableName.CertificateAuthority).where("projectId", projectId).update({ projectId: newProjectId });
+      await knex(TableName.PkiAlert).where("projectId", projectId).update({ projectId: newProjectId });
+      await knex(TableName.PkiCollection).where("projectId", projectId).update({ projectId: newProjectId });
+      await knex(TableName.ProjectSplitBackfillIds).insert({
+        sourceProjectId: projectId,
+        destinationProjectType: ProjectType.CertificateManager,
+        destinationProjectId: newProjectId
+      });
+    }
+
+    const projectsWithCmek = await knex(TableName.KmsKey)
+      .where("isReserved", false)
+      .whereNotNull("projectId")
+      .distinct("projectId")
+      .select("projectId");
+    for (const { projectId } of projectsWithCmek) {
+      if (projectId) {
+        const newProjectId = await newProject(knex, projectId, ProjectType.KMS);
+        await knex(TableName.KmsKey)
+          .where({
+            isReserved: false,
+            projectId
+          })
+          .update({ projectId: newProjectId });
+        await knex(TableName.ProjectSplitBackfillIds).insert({
+          sourceProjectId: projectId,
+          destinationProjectType: ProjectType.KMS,
+          destinationProjectId: newProjectId
+        });
+      }
+    }
+
+    /* eslint-enable */
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
+
+  if (hasTypeColumn && hasSplitMappingTable) {
+    const splitProjectMappings = await knex(TableName.ProjectSplitBackfillIds).where({});
+    const certMapping = splitProjectMappings.filter(
+      (el) => el.destinationProjectType === ProjectType.CertificateManager
+    );
+    /* eslint-disable no-await-in-loop */
+    for (const project of certMapping) {
+      await knex(TableName.CertificateAuthority)
+        .where("projectId", project.destinationProjectId)
+        .update({ projectId: project.sourceProjectId });
+      await knex(TableName.PkiAlert)
+        .where("projectId", project.destinationProjectId)
+        .update({ projectId: project.sourceProjectId });
+      await knex(TableName.PkiCollection)
+        .where("projectId", project.destinationProjectId)
+        .update({ projectId: project.sourceProjectId });
+    }
+
+    /* eslint-enable */
+    const kmsMapping = splitProjectMappings.filter((el) => el.destinationProjectType === ProjectType.KMS);
+    /* eslint-disable no-await-in-loop */
+    for (const project of kmsMapping) {
+      await knex(TableName.KmsKey)
+        .where({
+          isReserved: false,
+          projectId: project.destinationProjectId
+        })
+        .update({ projectId: project.sourceProjectId });
+    }
+    /* eslint-enable */
+    await knex(TableName.ProjectMembership)
+      .whereIn(
+        "projectId",
+        splitProjectMappings.map((el) => el.destinationProjectId)
+      )
+      .delete();
+    await knex(TableName.ProjectRoles)
+      .whereIn(
+        "projectId",
+        splitProjectMappings.map((el) => el.destinationProjectId)
+      )
+      .delete();
+    await knex(TableName.Project)
+      .whereIn(
+        "id",
+        splitProjectMappings.map((el) => el.destinationProjectId)
+      )
+      .delete();
+
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("type");
+    });
+  }
+
+  if (hasSplitMappingTable) {
+    await knex.schema.dropTableIfExists(TableName.ProjectSplitBackfillIds);
+  }
+}
--- a/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
+++ b/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
@ -0,0 +1,99 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthority))) {
+    await knex.schema.createTable(TableName.SshCertificateAuthority, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("status").notNullable(); // active / disabled
+      t.string("friendlyName").notNullable();
+      t.string("keyAlgorithm").notNullable();
+    });
+    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthoritySecret))) {
+    await knex.schema.createTable(TableName.SshCertificateAuthoritySecret, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshCaId").notNullable().unique();
+      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.binary("encryptedPrivateKey").notNullable();
+    });
+    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshCertificateTemplate))) {
+    await knex.schema.createTable(TableName.SshCertificateTemplate, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshCaId").notNullable();
+      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.string("status").notNullable(); // active / disabled
+      t.string("name").notNullable();
+      t.string("ttl").notNullable();
+      t.string("maxTTL").notNullable();
+      t.specificType("allowedUsers", "text[]").notNullable();
+      t.specificType("allowedHosts", "text[]").notNullable();
+      t.boolean("allowUserCertificates").notNullable();
+      t.boolean("allowHostCertificates").notNullable();
+      t.boolean("allowCustomKeyIds").notNullable();
+    });
+    await createOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshCertificate))) {
+    await knex.schema.createTable(TableName.SshCertificate, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshCaId").notNullable();
+      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
+      t.uuid("sshCertificateTemplateId");
+      t.foreign("sshCertificateTemplateId")
+        .references("id")
+        .inTable(TableName.SshCertificateTemplate)
+        .onDelete("SET NULL");
+      t.string("serialNumber").notNullable().unique();
+      t.string("certType").notNullable(); // user or host
+      t.specificType("principals", "text[]").notNullable();
+      t.string("keyId").notNullable();
+      t.datetime("notBefore").notNullable();
+      t.datetime("notAfter").notNullable();
+    });
+    await createOnUpdateTrigger(knex, TableName.SshCertificate);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshCertificateBody))) {
+    await knex.schema.createTable(TableName.SshCertificateBody, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshCertId").notNullable().unique();
+      t.foreign("sshCertId").references("id").inTable(TableName.SshCertificate).onDelete("CASCADE");
+      t.binary("encryptedCertificate").notNullable();
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SshCertificateBody);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SshCertificateBody);
+  await dropOnUpdateTrigger(knex, TableName.SshCertificateBody);
+
+  await knex.schema.dropTableIfExists(TableName.SshCertificate);
+  await dropOnUpdateTrigger(knex, TableName.SshCertificate);
+
+  await knex.schema.dropTableIfExists(TableName.SshCertificateTemplate);
+  await dropOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
+
+  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthoritySecret);
+  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
+
+  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthority);
+  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
+}
--- a/backend/src/db/migrations/20241218165837_resource-metadata.ts
+++ b/backend/src/db/migrations/20241218165837_resource-metadata.ts
@ -0,0 +1,40 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
+    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("key").notNullable();
+      tb.string("value", 1020).notNullable();
+      tb.uuid("orgId").notNullable();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      tb.uuid("userId");
+      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      tb.uuid("identityId");
+      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      tb.uuid("secretId");
+      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      tb.timestamps(true, true, true);
+    });
+  }
+
+  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
+  if (!hasSecretMetadataField) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      t.jsonb("secretMetadata");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
+
+  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
+  if (hasSecretMetadataField) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      t.dropColumn("secretMetadata");
+    });
+  }
+}
--- a/backend/src/db/migrations/20241218181018_app-connection.ts
+++ b/backend/src/db/migrations/20241218181018_app-connection.ts
@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AppConnection))) {
+    await knex.schema.createTable(TableName.AppConnection, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("app").notNullable();
+      t.string("method").notNullable();
+      t.binary("encryptedCredentials").notNullable();
+      t.integer("version").defaultTo(1).notNullable();
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.AppConnection);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.AppConnection);
+  await dropOnUpdateTrigger(knex, TableName.AppConnection);
+}
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // find any duplicate group names within organizations
+  const duplicates = await knex(TableName.Groups)
+    .select("orgId", "name")
+    .count("* as count")
+    .groupBy("orgId", "name")
+    .having(knex.raw("count(*) > 1"));
+
+  // for each set of duplicates, update all but one with a numbered suffix
+  for await (const duplicate of duplicates) {
+    const groups = await knex(TableName.Groups)
+      .select("id", "name")
+      .where({
+        orgId: duplicate.orgId,
+        name: duplicate.name
+      })
+      .orderBy("createdAt", "asc"); // keep original name for oldest group
+
+    // skip the first (oldest) group, rename others with numbered suffix
+    for (let i = 1; i < groups.length; i += 1) {
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.Groups)
+        .where("id", groups[i].id)
+        .update({
+          name: `${groups[i].name} (${i})`,
+
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore TS doesn't know about Knex's timestamp types
+          updatedAt: new Date()
+        });
+    }
+  }
+
+  // add the unique constraint
+  await knex.schema.alterTable(TableName.Groups, (t) => {
+    t.unique(["orgId", "name"]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // Remove the unique constraint
+  await knex.schema.alterTable(TableName.Groups, (t) => {
+    t.dropUnique(["orgId", "name"]);
+  });
+}
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@ -0,0 +1,33 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
+  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
+
+  await knex.schema.alterTable(TableName.Project, (t) => {
+    if (!hasEnforceCapitalizationCol) {
+      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
+    }
+
+    if (hasAutoCapitalizationCol) {
+      t.boolean("autoCapitalization").defaultTo(false).alter();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
+  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
+
+  await knex.schema.alterTable(TableName.Project, (t) => {
+    if (hasEnforceCapitalizationCol) {
+      t.dropColumn("enforceCapitalization");
+    }
+
+    if (hasAutoCapitalizationCol) {
+      t.boolean("autoCapitalization").defaultTo(true).alter();
+    }
+  });
+}
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@ -0,0 +1,50 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
+    await knex.schema.createTable(TableName.SecretSync, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("destination").notNullable();
+      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
+      t.integer("version").defaultTo(1).notNullable();
+      t.jsonb("destinationConfig").notNullable();
+      t.jsonb("syncOptions").notNullable();
+      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
+      // is deleted), to preserve sync configuration
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("folderId");
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
+      t.uuid("connectionId").notNullable();
+      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
+      t.timestamps(true, true, true);
+      // sync secrets to destination
+      t.string("syncStatus");
+      t.string("lastSyncJobId");
+      t.string("lastSyncMessage");
+      t.datetime("lastSyncedAt");
+      // import secrets from destination
+      t.string("importStatus");
+      t.string("lastImportJobId");
+      t.string("lastImportMessage");
+      t.datetime("lastImportedAt");
+      // remove secrets from destination
+      t.string("removeStatus");
+      t.string("lastRemoveJobId");
+      t.string("lastRemoveMessage");
+      t.datetime("lastRemovedAt");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretSync);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretSync);
+  await dropOnUpdateTrigger(knex, TableName.SecretSync);
+}
--- a/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
+++ b/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
+
+  await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
+    if (!hasManageGroupMembershipsCol) {
+      tb.boolean("manageGroupMemberships").notNullable().defaultTo(false);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
+
+  await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+    if (hasManageGroupMembershipsCol) {
+      t.dropColumn("manageGroupMemberships");
+    }
+  });
+}
--- a/backend/src/db/migrations/20250203141127_add-kmip.ts
+++ b/backend/src/db/migrations/20250203141127_add-kmip.ts
@ -0,0 +1,108 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (!hasKmipClientTable) {
+    await knex.schema.createTable(TableName.KmipClient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.specificType("permissions", "text[]");
+      t.string("description");
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+    });
+  }
+
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (!hasKmipOrgPkiConfig) {
+    await knex.schema.createTable(TableName.KmipOrgConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.unique("orgId");
+
+      t.string("caKeyAlgorithm").notNullable();
+
+      t.datetime("rootCaIssuedAt").notNullable();
+      t.datetime("rootCaExpiration").notNullable();
+      t.string("rootCaSerialNumber").notNullable();
+      t.binary("encryptedRootCaCertificate").notNullable();
+      t.binary("encryptedRootCaPrivateKey").notNullable();
+
+      t.datetime("serverIntermediateCaIssuedAt").notNullable();
+      t.datetime("serverIntermediateCaExpiration").notNullable();
+      t.string("serverIntermediateCaSerialNumber");
+      t.binary("encryptedServerIntermediateCaCertificate").notNullable();
+      t.binary("encryptedServerIntermediateCaChain").notNullable();
+      t.binary("encryptedServerIntermediateCaPrivateKey").notNullable();
+
+      t.datetime("clientIntermediateCaIssuedAt").notNullable();
+      t.datetime("clientIntermediateCaExpiration").notNullable();
+      t.string("clientIntermediateCaSerialNumber").notNullable();
+      t.binary("encryptedClientIntermediateCaCertificate").notNullable();
+      t.binary("encryptedClientIntermediateCaChain").notNullable();
+      t.binary("encryptedClientIntermediateCaPrivateKey").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (!hasKmipOrgServerCertTable) {
+    await knex.schema.createTable(TableName.KmipOrgServerCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("commonName").notNullable();
+      t.string("altNames").notNullable();
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+      t.binary("encryptedCertificate").notNullable();
+      t.binary("encryptedChain").notNullable();
+    });
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (!hasKmipClientCertTable) {
+    await knex.schema.createTable(TableName.KmipClientCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("kmipClientId").notNullable();
+      t.foreign("kmipClientId").references("id").inTable(TableName.KmipClient).onDelete("CASCADE");
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (hasKmipOrgPkiConfig) {
+    await knex.schema.dropTable(TableName.KmipOrgConfig);
+    await dropOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (hasKmipOrgServerCertTable) {
+    await knex.schema.dropTable(TableName.KmipOrgServerCertificates);
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (hasKmipClientCertTable) {
+    await knex.schema.dropTable(TableName.KmipClientCertificates);
+  }
+
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (hasKmipClientTable) {
+    await knex.schema.dropTable(TableName.KmipClient);
+  }
+}
--- a/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
+++ b/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.unique(["orgId", "name"]);
+  });
+
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.unique(["projectId", "name"]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.dropUnique(["orgId", "name"]);
+  });
+
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.dropUnique(["projectId", "name"]);
+  });
+}
--- a/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
+++ b/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
@ -0,0 +1,37 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
+  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
+  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
+    TableName.IdentityGcpAuth,
+    "allowedServiceAccounts"
+  );
+  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
+  if (hasTable) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      if (hasAllowedProjectsColumn) t.string("allowedProjects", 2500).alter();
+      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts", 5000).alter();
+      if (hasAllowedZones) t.string("allowedZones", 2500).alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
+  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
+  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
+    TableName.IdentityGcpAuth,
+    "allowedServiceAccounts"
+  );
+  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
+  if (hasTable) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      if (hasAllowedProjectsColumn) t.string("allowedProjects").alter();
+      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts").alter();
+      if (hasAllowedZones) t.string("allowedZones").alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts
+++ b/backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts
@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (hasSlugCol) {
+      await knex.schema.alterTable(TableName.KmsKey, (t) => {
+        t.dropColumn("slug");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (!hasSlugCol) {
+      await knex.schema.alterTable(TableName.KmsKey, (t) => {
+        t.string("slug", 32);
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts
+++ b/backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts
@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSync)) {
+    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
+    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
+    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
+
+    await knex.schema.alterTable(TableName.SecretSync, (t) => {
+      if (hasLastSyncMessage) t.string("lastSyncMessage", 1024).alter();
+      if (hasLastImportMessage) t.string("lastImportMessage", 1024).alter();
+      if (hasLastRemoveMessage) t.string("lastRemoveMessage", 1024).alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSync)) {
+    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
+    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
+    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
+
+    await knex.schema.alterTable(TableName.SecretSync, (t) => {
+      if (hasLastSyncMessage) t.string("lastSyncMessage").alter();
+      if (hasLastImportMessage) t.string("lastImportMessage").alter();
+      if (hasLastRemoveMessage) t.string("lastRemoveMessage").alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20250210101840_webhook-to-kms.ts
+++ b/backend/src/db/migrations/20250210101840_webhook-to-kms.ts
@ -0,0 +1,130 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
+  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
+  const hasUrl = await knex.schema.hasColumn(TableName.Webhook, "url");
+
+  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
+  if (hasWebhookTable) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (!hasEncryptedKey) t.binary("encryptedPassKey");
+      if (!hasEncryptedUrl) t.binary("encryptedUrl");
+      if (hasUrl) t.string("url").nullable().alter();
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const projectEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+  const webhooks = await knex(TableName.Webhook)
+    .where({})
+    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.Webhook}.envId`)
+    .select(
+      "url",
+      "encryptedSecretKey",
+      "iv",
+      "tag",
+      "keyEncoding",
+      "urlCipherText",
+      "urlIV",
+      "urlTag",
+      knex.ref("id").withSchema(TableName.Webhook),
+      "envId"
+    )
+    .select(knex.ref("projectId").withSchema(TableName.Environment))
+    .orderBy(`${TableName.Environment}.projectId` as "projectId");
+
+  const updatedWebhooks = await Promise.all(
+    webhooks.map(async (el) => {
+      let projectKmsService = projectEncryptionRingBuffer.getItem(el.projectId);
+      if (!projectKmsService) {
+        projectKmsService = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId: el.projectId
+          },
+          knex
+        );
+        projectEncryptionRingBuffer.push(el.projectId, projectKmsService);
+      }
+
+      let encryptedSecretKey = null;
+      if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
+        const decyptedSecretKey = infisicalSymmetricDecrypt({
+          keyEncoding: el.keyEncoding as SecretKeyEncoding,
+          iv: el.iv,
+          tag: el.tag,
+          ciphertext: el.encryptedSecretKey
+        });
+        encryptedSecretKey = projectKmsService.encryptor({
+          plainText: Buffer.from(decyptedSecretKey, "utf8")
+        }).cipherTextBlob;
+      }
+
+      const decryptedUrl =
+        el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
+          ? infisicalSymmetricDecrypt({
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              iv: el.urlIV,
+              tag: el.urlTag,
+              ciphertext: el.urlCipherText
+            })
+          : null;
+
+      const encryptedUrl = projectKmsService.encryptor({
+        plainText: Buffer.from(decryptedUrl || el.url || "")
+      }).cipherTextBlob;
+      return { id: el.id, encryptedUrl, encryptedSecretKey, envId: el.envId };
+    })
+  );
+
+  for (let i = 0; i < updatedWebhooks.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.Webhook)
+      .insert(
+        updatedWebhooks.slice(i, i + BATCH_SIZE).map((el) => ({
+          id: el.id,
+          envId: el.envId,
+          url: "",
+          encryptedUrl: el.encryptedUrl,
+          encryptedPassKey: el.encryptedSecretKey
+        }))
+      )
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasWebhookTable) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (!hasEncryptedUrl) t.binary("encryptedUrl").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
+  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
+
+  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
+  if (hasWebhookTable) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (hasEncryptedKey) t.dropColumn("encryptedPassKey");
+      if (hasEncryptedUrl) t.dropColumn("encryptedUrl");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts
+++ b/backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts
@ -0,0 +1,111 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
+  const hasInputCiphertextColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputCiphertext");
+  const hasInputIVColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputIV");
+  const hasInputTagColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputTag");
+
+  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
+  if (hasDynamicSecretTable) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (!hasEncryptedInputColumn) t.binary("encryptedInput");
+      if (hasInputCiphertextColumn) t.text("inputCiphertext").nullable().alter();
+      if (hasInputIVColumn) t.string("inputIV").nullable().alter();
+      if (hasInputTagColumn) t.string("inputTag").nullable().alter();
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const projectEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const dynamicSecretRootCredentials = await knex(TableName.DynamicSecret)
+    .join(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
+    .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+    .select(selectAllTableCols(TableName.DynamicSecret))
+    .select(knex.ref("projectId").withSchema(TableName.Environment))
+    .orderBy(`${TableName.Environment}.projectId` as "projectId");
+
+  const updatedDynamicSecrets = await Promise.all(
+    dynamicSecretRootCredentials.map(async ({ projectId, ...el }) => {
+      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
+      if (!projectKmsService) {
+        projectKmsService = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId
+          },
+          knex
+        );
+        projectEncryptionRingBuffer.push(projectId, projectKmsService);
+      }
+
+      const decryptedInputData =
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+        el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
+          ? infisicalSymmetricDecrypt({
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              iv: el.inputIV,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              tag: el.inputTag,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              ciphertext: el.inputCiphertext
+            })
+          : "";
+
+      const encryptedInput = projectKmsService.encryptor({
+        plainText: Buffer.from(decryptedInputData)
+      }).cipherTextBlob;
+
+      return { ...el, encryptedInput };
+    })
+  );
+
+  for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.DynamicSecret)
+      .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasDynamicSecretTable) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (!hasEncryptedInputColumn) t.binary("encryptedInput").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
+
+  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
+  if (hasDynamicSecretTable) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (hasEncryptedInputColumn) t.dropColumn("encryptedInput");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
+++ b/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
@ -0,0 +1,103 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
+
+  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
+  if (hasRotationTable) {
+    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+      if (!hasEncryptedRotationData) t.binary("encryptedRotationData");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const projectEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const secretRotations = await knex(TableName.SecretRotation)
+    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretRotation}.envId`)
+    .select(selectAllTableCols(TableName.SecretRotation))
+    .select(knex.ref("projectId").withSchema(TableName.Environment))
+    .orderBy(`${TableName.Environment}.projectId` as "projectId");
+
+  const updatedRotationData = await Promise.all(
+    secretRotations.map(async ({ projectId, ...el }) => {
+      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
+      if (!projectKmsService) {
+        projectKmsService = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId
+          },
+          knex
+        );
+        projectEncryptionRingBuffer.push(projectId, projectKmsService);
+      }
+
+      const decryptedRotationData =
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+        el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
+          ? infisicalSymmetricDecrypt({
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              iv: el.encryptedDataIV,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              tag: el.encryptedDataTag,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              ciphertext: el.encryptedData
+            })
+          : "";
+
+      const encryptedRotationData = projectKmsService.encryptor({
+        plainText: Buffer.from(decryptedRotationData)
+      }).cipherTextBlob;
+      return { ...el, encryptedRotationData };
+    })
+  );
+
+  for (let i = 0; i < updatedRotationData.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.SecretRotation)
+      .insert(updatedRotationData.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasRotationTable) {
+    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+      if (!hasEncryptedRotationData) t.binary("encryptedRotationData").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
+
+  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
+  if (hasRotationTable) {
+    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+      if (hasEncryptedRotationData) t.dropColumn("encryptedRotationData");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts
+++ b/backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts
@ -0,0 +1,200 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+const reencryptIdentityK8sAuth = async (knex: Knex) => {
+  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesCaCertificate"
+  );
+  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
+
+  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "encryptedCaCert");
+  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertIV");
+  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertTag");
+  const hasEncryptedTokenReviewerJwtColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedTokenReviewerJwt"
+  );
+  const hasTokenReviewerJwtIVColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "tokenReviewerJwtIV"
+  );
+  const hasTokenReviewerJwtTagColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "tokenReviewerJwtTag"
+  );
+
+  if (hasidentityKubernetesAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
+      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
+      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
+      if (hasEncryptedTokenReviewerJwtColumn) t.text("encryptedTokenReviewerJwt").nullable().alter();
+      if (hasTokenReviewerJwtIVColumn) t.string("tokenReviewerJwtIV").nullable().alter();
+      if (hasTokenReviewerJwtTagColumn) t.string("tokenReviewerJwtTag").nullable().alter();
+
+      if (!hasEncryptedKubernetesTokenReviewerJwt) t.binary("encryptedKubernetesTokenReviewerJwt");
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedKubernetesCaCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+  const identityKubernetesConfigs = await knex(TableName.IdentityKubernetesAuth)
+    .join(
+      TableName.IdentityOrgMembership,
+      `${TableName.IdentityOrgMembership}.identityId`,
+      `${TableName.IdentityKubernetesAuth}.identityId`
+    )
+    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
+    .select(selectAllTableCols(TableName.IdentityKubernetesAuth))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
+      knex.ref("orgId").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedIdentityKubernetesConfigs = [];
+
+  for await (const {
+    encryptedSymmetricKey,
+    symmetricKeyKeyEncoding,
+    symmetricKeyTag,
+    symmetricKeyIV,
+    orgId,
+    ...el
+  } of identityKubernetesConfigs) {
+    let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
+
+    if (!orgKmsService) {
+      orgKmsService = await kmsService.createCipherPairWithDataKey(
+        {
+          type: KmsDataKey.Organization,
+          orgId
+        },
+        knex
+      );
+      orgEncryptionRingBuffer.push(orgId, orgKmsService);
+    }
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: encryptedSymmetricKey,
+      iv: symmetricKeyIV,
+      tag: symmetricKeyTag,
+      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const decryptedTokenReviewerJwt =
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+      el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
+        ? decryptSymmetric({
+            key,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            iv: el.tokenReviewerJwtIV,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            tag: el.tokenReviewerJwtTag,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            ciphertext: el.encryptedTokenReviewerJwt
+          })
+        : "";
+
+    const decryptedCertificate =
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+      el.encryptedCaCert && el.caCertIV && el.caCertTag
+        ? decryptSymmetric({
+            key,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            iv: el.caCertIV,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            tag: el.caCertTag,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            ciphertext: el.encryptedCaCert
+          })
+        : "";
+
+    const encryptedKubernetesTokenReviewerJwt = orgKmsService.encryptor({
+      plainText: Buffer.from(decryptedTokenReviewerJwt)
+    }).cipherTextBlob;
+    const encryptedKubernetesCaCertificate = orgKmsService.encryptor({
+      plainText: Buffer.from(decryptedCertificate)
+    }).cipherTextBlob;
+
+    updatedIdentityKubernetesConfigs.push({
+      ...el,
+      accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
+      encryptedKubernetesCaCertificate,
+      encryptedKubernetesTokenReviewerJwt
+    });
+  }
+
+  for (let i = 0; i < updatedIdentityKubernetesConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.IdentityKubernetesAuth)
+      .insert(updatedIdentityKubernetesConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+  if (hasidentityKubernetesAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      if (!hasEncryptedKubernetesTokenReviewerJwt)
+        t.binary("encryptedKubernetesTokenReviewerJwt").notNullable().alter();
+    });
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  await reencryptIdentityK8sAuth(knex);
+}
+
+const dropIdentityK8sColumns = async (knex: Knex) => {
+  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesCaCertificate"
+  );
+  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
+
+  if (hasidentityKubernetesAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      if (hasEncryptedKubernetesTokenReviewerJwt) t.dropColumn("encryptedKubernetesTokenReviewerJwt");
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedKubernetesCaCertificate");
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  await dropIdentityK8sColumns(knex);
+}
--- a/backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts
+++ b/backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts
@ -0,0 +1,141 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+const reencryptIdentityOidcAuth = async (knex: Knex) => {
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityOidcAuth,
+    "encryptedCaCertificate"
+  );
+  const hasidentityOidcAuthTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
+
+  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "encryptedCaCert");
+  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertIV");
+  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertTag");
+
+  if (hasidentityOidcAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
+      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
+      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
+
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedCaCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const identityOidcConfig = await knex(TableName.IdentityOidcAuth)
+    .join(
+      TableName.IdentityOrgMembership,
+      `${TableName.IdentityOrgMembership}.identityId`,
+      `${TableName.IdentityOidcAuth}.identityId`
+    )
+    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
+    .select(selectAllTableCols(TableName.IdentityOidcAuth))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
+      knex.ref("orgId").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedIdentityOidcConfigs = await Promise.all(
+    identityOidcConfig.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, orgId, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedCertificate =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedCaCert && el.caCertIV && el.caCertTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.caCertIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.caCertTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedCaCert
+              })
+            : "";
+
+        const encryptedCaCertificate = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedCertificate)
+        }).cipherTextBlob;
+
+        return {
+          ...el,
+          accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
+          encryptedCaCertificate
+        };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedIdentityOidcConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.IdentityOidcAuth)
+      .insert(updatedIdentityOidcConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  await reencryptIdentityOidcAuth(knex);
+}
+
+const dropIdentityOidcColumns = async (knex: Knex) => {
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityOidcAuth,
+    "encryptedCaCertificate"
+  );
+  const hasidentityOidcTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
+
+  if (hasidentityOidcTable) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedCaCertificate");
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  await dropIdentityOidcColumns(knex);
+}
--- a/backend/src/db/migrations/20250210101845_directory-config-to-kms.ts
+++ b/backend/src/db/migrations/20250210101845_directory-config-to-kms.ts
@ -0,0 +1,493 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+const reencryptSamlConfig = async (knex: Knex) => {
+  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
+  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
+  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
+
+  if (hasSamlConfigTable) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint");
+      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer");
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const samlConfigs = await knex(TableName.SamlConfig)
+    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.SamlConfig}.orgId`)
+    .select(selectAllTableCols(TableName.SamlConfig))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedSamlConfigs = await Promise.all(
+    samlConfigs.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId: el.orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedEntryPoint =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.entryPointIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.entryPointTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedEntryPoint
+              })
+            : "";
+
+        const decryptedIssuer =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedIssuer && el.issuerIV && el.issuerTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.issuerIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.issuerTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedIssuer
+              })
+            : "";
+
+        const decryptedCertificate =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedCert && el.certIV && el.certTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.certIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.certTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedCert
+              })
+            : "";
+
+        const encryptedSamlIssuer = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedIssuer)
+        }).cipherTextBlob;
+        const encryptedSamlCertificate = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedCertificate)
+        }).cipherTextBlob;
+        const encryptedSamlEntryPoint = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedEntryPoint)
+        }).cipherTextBlob;
+        return { ...el, encryptedSamlCertificate, encryptedSamlEntryPoint, encryptedSamlIssuer };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedSamlConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.SamlConfig)
+      .insert(updatedSamlConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasSamlConfigTable) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint").notNullable().alter();
+      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer").notNullable().alter();
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate").notNullable().alter();
+    });
+  }
+};
+
+const reencryptLdapConfig = async (knex: Knex) => {
+  const hasEncryptedLdapBindDNColum = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
+  const hasEncryptedLdapBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
+  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
+
+  const hasEncryptedCACertColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedCACert");
+  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertIV");
+  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertTag");
+  const hasEncryptedBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindPass");
+  const hasBindPassIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassIV");
+  const hasBindPassTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassTag");
+  const hasEncryptedBindDNColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindDN");
+  const hasBindDNIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNIV");
+  const hasBindDNTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNTag");
+
+  if (hasLdapConfigTable) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      if (hasEncryptedCACertColumn) t.text("encryptedCACert").nullable().alter();
+      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
+      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
+      if (hasEncryptedBindPassColumn) t.string("encryptedBindPass").nullable().alter();
+      if (hasBindPassIVColumn) t.string("bindPassIV").nullable().alter();
+      if (hasBindPassTagColumn) t.string("bindPassTag").nullable().alter();
+      if (hasEncryptedBindDNColumn) t.string("encryptedBindDN").nullable().alter();
+      if (hasBindDNIVColumn) t.string("bindDNIV").nullable().alter();
+      if (hasBindDNTagColumn) t.string("bindDNTag").nullable().alter();
+
+      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN");
+      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass");
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedLdapCaCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const ldapConfigs = await knex(TableName.LdapConfig)
+    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.LdapConfig}.orgId`)
+    .select(selectAllTableCols(TableName.LdapConfig))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedLdapConfigs = await Promise.all(
+    ldapConfigs.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId: el.orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedBindDN =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedBindDN && el.bindDNIV && el.bindDNTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.bindDNIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.bindDNTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedBindDN
+              })
+            : "";
+
+        const decryptedBindPass =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedBindPass && el.bindPassIV && el.bindPassTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.bindPassIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.bindPassTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedBindPass
+              })
+            : "";
+
+        const decryptedCertificate =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedCACert && el.caCertIV && el.caCertTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.caCertIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.caCertTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedCACert
+              })
+            : "";
+
+        const encryptedLdapBindDN = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedBindDN)
+        }).cipherTextBlob;
+        const encryptedLdapBindPass = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedBindPass)
+        }).cipherTextBlob;
+        const encryptedLdapCaCertificate = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedCertificate)
+        }).cipherTextBlob;
+        return { ...el, encryptedLdapBindPass, encryptedLdapBindDN, encryptedLdapCaCertificate };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedLdapConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.LdapConfig)
+      .insert(updatedLdapConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+  if (hasLdapConfigTable) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass").notNullable().alter();
+      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN").notNullable().alter();
+    });
+  }
+};
+
+const reencryptOidcConfig = async (knex: Knex) => {
+  const hasEncryptedOidcClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
+  const hasEncryptedOidcClientSecretColumn = await knex.schema.hasColumn(
+    TableName.OidcConfig,
+    "encryptedOidcClientSecret"
+  );
+
+  const hasEncryptedClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientId");
+  const hasClientIdIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdIV");
+  const hasClientIdTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdTag");
+  const hasEncryptedClientSecretColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientSecret");
+  const hasClientSecretIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretIV");
+  const hasClientSecretTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretTag");
+
+  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
+
+  if (hasOidcConfigTable) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      if (hasEncryptedClientIdColumn) t.text("encryptedClientId").nullable().alter();
+      if (hasClientIdIVColumn) t.string("clientIdIV").nullable().alter();
+      if (hasClientIdTagColumn) t.string("clientIdTag").nullable().alter();
+      if (hasEncryptedClientSecretColumn) t.text("encryptedClientSecret").nullable().alter();
+      if (hasClientSecretIVColumn) t.string("clientSecretIV").nullable().alter();
+      if (hasClientSecretTagColumn) t.string("clientSecretTag").nullable().alter();
+
+      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId");
+      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const oidcConfigs = await knex(TableName.OidcConfig)
+    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.OidcConfig}.orgId`)
+    .select(selectAllTableCols(TableName.OidcConfig))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedOidcConfigs = await Promise.all(
+    oidcConfigs.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId: el.orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedClientId =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedClientId && el.clientIdIV && el.clientIdTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.clientIdIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.clientIdTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedClientId
+              })
+            : "";
+
+        const decryptedClientSecret =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.clientSecretIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.clientSecretTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedClientSecret
+              })
+            : "";
+
+        const encryptedOidcClientId = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedClientId)
+        }).cipherTextBlob;
+        const encryptedOidcClientSecret = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedClientSecret)
+        }).cipherTextBlob;
+        return { ...el, encryptedOidcClientId, encryptedOidcClientSecret };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedOidcConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.OidcConfig)
+      .insert(updatedOidcConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+  if (hasOidcConfigTable) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId").notNullable().alter();
+      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret").notNullable().alter();
+    });
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  await reencryptSamlConfig(knex);
+  await reencryptLdapConfig(knex);
+  await reencryptOidcConfig(knex);
+}
+
+const dropSamlConfigColumns = async (knex: Knex) => {
+  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
+  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
+  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
+
+  if (hasSamlConfigTable) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      if (hasEncryptedEntrypointColumn) t.dropColumn("encryptedSamlEntryPoint");
+      if (hasEncryptedIssuerColumn) t.dropColumn("encryptedSamlIssuer");
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedSamlCertificate");
+    });
+  }
+};
+
+const dropLdapConfigColumns = async (knex: Knex) => {
+  const hasEncryptedBindDN = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
+  const hasEncryptedBindPass = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
+  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
+
+  if (hasLdapConfigTable) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      if (hasEncryptedBindDN) t.dropColumn("encryptedLdapBindDN");
+      if (hasEncryptedBindPass) t.dropColumn("encryptedLdapBindPass");
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedLdapCaCertificate");
+    });
+  }
+};
+
+const dropOidcConfigColumns = async (knex: Knex) => {
+  const hasEncryptedClientId = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
+  const hasEncryptedClientSecret = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientSecret");
+  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
+
+  if (hasOidcConfigTable) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      if (hasEncryptedClientId) t.dropColumn("encryptedOidcClientId");
+      if (hasEncryptedClientSecret) t.dropColumn("encryptedOidcClientSecret");
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  await dropSamlConfigColumns(knex);
+  await dropLdapConfigColumns(knex);
+  await dropOidcConfigColumns(knex);
+}
--- a/backend/src/db/migrations/20250212191958_create-gateway.ts
+++ b/backend/src/db/migrations/20250212191958_create-gateway.ts
@ -0,0 +1,115 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.OrgGatewayConfig))) {
+    await knex.schema.createTable(TableName.OrgGatewayConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("rootCaKeyAlgorithm").notNullable();
+
+      t.datetime("rootCaIssuedAt").notNullable();
+      t.datetime("rootCaExpiration").notNullable();
+      t.string("rootCaSerialNumber").notNullable();
+      t.binary("encryptedRootCaCertificate").notNullable();
+      t.binary("encryptedRootCaPrivateKey").notNullable();
+
+      t.datetime("clientCaIssuedAt").notNullable();
+      t.datetime("clientCaExpiration").notNullable();
+      t.string("clientCaSerialNumber");
+      t.binary("encryptedClientCaCertificate").notNullable();
+      t.binary("encryptedClientCaPrivateKey").notNullable();
+
+      t.string("clientCertSerialNumber").notNullable();
+      t.string("clientCertKeyAlgorithm").notNullable();
+      t.datetime("clientCertIssuedAt").notNullable();
+      t.datetime("clientCertExpiration").notNullable();
+      t.binary("encryptedClientCertificate").notNullable();
+      t.binary("encryptedClientPrivateKey").notNullable();
+
+      t.datetime("gatewayCaIssuedAt").notNullable();
+      t.datetime("gatewayCaExpiration").notNullable();
+      t.string("gatewayCaSerialNumber").notNullable();
+      t.binary("encryptedGatewayCaCertificate").notNullable();
+      t.binary("encryptedGatewayCaPrivateKey").notNullable();
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.unique("orgId");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.Gateway))) {
+    await knex.schema.createTable(TableName.Gateway, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.string("name").notNullable();
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+      t.datetime("heartbeat");
+
+      t.binary("relayAddress").notNullable();
+
+      t.uuid("orgGatewayRootCaId").notNullable();
+      t.foreign("orgGatewayRootCaId").references("id").inTable(TableName.OrgGatewayConfig).onDelete("CASCADE");
+
+      t.uuid("identityId").notNullable();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.Gateway);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ProjectGateway))) {
+    await knex.schema.createTable(TableName.ProjectGateway, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+
+      t.uuid("gatewayId").notNullable();
+      t.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("CASCADE");
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.ProjectGateway);
+  }
+
+  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId");
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      // not setting a foreign constraint so that cascade effects are not triggered
+      if (!doesGatewayColExist) {
+        t.uuid("projectGatewayId");
+        t.foreign("projectGatewayId").references("id").inTable(TableName.ProjectGateway);
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (doesGatewayColExist) t.dropColumn("projectGatewayId");
+    });
+  }
+
+  await knex.schema.dropTableIfExists(TableName.ProjectGateway);
+  await dropOnUpdateTrigger(knex, TableName.ProjectGateway);
+
+  await knex.schema.dropTableIfExists(TableName.Gateway);
+  await dropOnUpdateTrigger(knex, TableName.Gateway);
+
+  await knex.schema.dropTableIfExists(TableName.OrgGatewayConfig);
+  await dropOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
+}
--- a/backend/src/db/migrations/20250226021631_secret-requests.ts
+++ b/backend/src/db/migrations/20250226021631_secret-requests.ts
@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (!hasSharingTypeColumn) {
+      table.string("type", 32).defaultTo(SecretSharingType.Share).notNullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (hasSharingTypeColumn) {
+      table.dropColumn("type");
+    }
+  });
+}
--- a/backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts
+++ b/backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts
@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
+  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      if (!hasAuthConsentContentCol) {
+        t.text("authConsentContent");
+      }
+      if (!hasPageFrameContentCol) {
+        t.text("pageFrameContent");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
+  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasAuthConsentContentCol) {
+      t.dropColumn("authConsentContent");
+    }
+    if (hasPageFrameContentCol) {
+      t.dropColumn("pageFrameContent");
+    }
+  });
+}
--- a/backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts
+++ b/backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts
@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  for await (const tableName of [
+    TableName.SecretV2,
+    TableName.SecretVersionV2,
+    TableName.SecretApprovalRequestSecretV2
+  ]) {
+    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
+
+    if (hasReminderNoteCol) {
+      await knex.schema.alterTable(tableName, (t) => {
+        t.string("reminderNote", 1024).alter();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  for await (const tableName of [
+    TableName.SecretV2,
+    TableName.SecretVersionV2,
+    TableName.SecretApprovalRequestSecretV2
+  ]) {
+    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
+
+    if (hasReminderNoteCol) {
+      await knex.schema.alterTable(tableName, (t) => {
+        t.string("reminderNote").alter();
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20250303213350_add-folder-description.ts
+++ b/backend/src/db/migrations/20250303213350_add-folder-description.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250305080145_add-secret-review-comment.ts
+++ b/backend/src/db/migrations/20250305080145_add-secret-review-comment.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.string("comment");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment")) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.dropColumn("comment");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
+++ b/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
@ -0,0 +1,45 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (!hasSecretVersionV2UserActorId) {
+        t.uuid("userActorId");
+        t.foreign("userActorId").references("id").inTable(TableName.Users);
+      }
+      if (!hasSecretVersionV2IdentityActorId) {
+        t.uuid("identityActorId");
+        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
+      }
+      if (!hasSecretVersionV2ActorType) {
+        t.string("actorType");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (hasSecretVersionV2UserActorId) {
+        t.dropColumn("userActorId");
+      }
+      if (hasSecretVersionV2IdentityActorId) {
+        t.dropColumn("identityActorId");
+      }
+      if (hasSecretVersionV2ActorType) {
+        t.dropColumn("actorType");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/utils/env-config.ts
+++ b/backend/src/db/migrations/utils/env-config.ts
@ -0,0 +1,53 @@
+import { z } from "zod";
+
+import { zpStr } from "@app/lib/zod";
+
+const envSchema = z
+  .object({
+    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
+      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
+    ),
+    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
+    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
+    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
+    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
+    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
+    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
+    // TODO(akhilmhdh): will be changed to one
+    ENCRYPTION_KEY: zpStr(z.string().optional()),
+    ROOT_ENCRYPTION_KEY: zpStr(z.string().optional()),
+    // HSM
+    HSM_LIB_PATH: zpStr(z.string().optional()),
+    HSM_PIN: zpStr(z.string().optional()),
+    HSM_KEY_LABEL: zpStr(z.string().optional()),
+    HSM_SLOT: z.coerce.number().optional().default(0)
+  })
+  // To ensure that basic encryption is always possible.
+  .refine(
+    (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
+    "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
+  )
+  .transform((data) => ({
+    ...data,
+    isHsmConfigured:
+      Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined
+  }));
+
+export type TMigrationEnvConfig = z.infer<typeof envSchema>;
+
+export const getMigrationEnvConfig = () => {
+  const parsedEnv = envSchema.safeParse(process.env);
+  if (!parsedEnv.success) {
+    // eslint-disable-next-line no-console
+    console.error("Invalid environment variables. Check the error below");
+    // eslint-disable-next-line no-console
+    console.error(
+      "Infisical now automatically runs database migrations during boot up, so you no longer need to run them separately."
+    );
+    // eslint-disable-next-line no-console
+    console.error(parsedEnv.error.issues);
+    process.exit(-1);
+  }
+
+  return Object.freeze(parsedEnv.data);
+};
--- a/backend/src/db/migrations/utils/kms.ts
+++ b/backend/src/db/migrations/utils/kms.ts
@ -1,105 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { randomSecureBytes } from "@app/lib/crypto";
-import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-const getInstanceRootKey = async (knex: Knex) => {
-  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
-  // if root key its base64 encoded
-  const isBase64 = !process.env.ENCRYPTION_KEY;
-  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
-  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
-  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  if (kmsRootConfig) {
-    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-    // set the flag so that other instancen nodes can start
-    return decryptedRootKey;
-  }
-
-  const newRootKey = randomSecureBytes(32);
-  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
-  await knex(TableName.KmsServerRootConfig).insert({
-    encryptedRootKey,
-    // eslint-disable-next-line
-    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
-    id: KMS_ROOT_CONFIG_UUID
-  });
-  return encryptedRootKey;
-};
-
-export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
-  const KMS_VERSION = "v01";
-  const KMS_VERSION_BLOB_LENGTH = 3;
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  const project = await knex(TableName.Project).where({ id: projectId }).first();
-  if (!project) throw new Error("Missing project id");
-
-  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
-
-  let secretManagerKmsKey;
-  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
-  if (projectSecretManagerKmsId) {
-    const kmsDoc = await knex(TableName.KmsKey)
-      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
-      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
-      .first();
-    if (!kmsDoc) throw new Error("missing kms");
-    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
-  } else {
-    const [kmsDoc] = await knex(TableName.KmsKey)
-      .insert({
-        name: slugify(alphaNumericNanoId(8).toLowerCase()),
-        orgId: project.orgId,
-        isReserved: false
-      })
-      .returning("*");
-
-    secretManagerKmsKey = randomSecureBytes(32);
-    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
-    await knex(TableName.InternalKms).insert({
-      version: 1,
-      encryptedKey: encryptedKeyMaterial,
-      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
-      kmsKeyId: kmsDoc.id
-    });
-  }
-
-  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
-  let dataKey: Buffer;
-  if (!encryptedSecretManagerDataKey) {
-    dataKey = randomSecureBytes();
-    // the below versioning we do it automatically in kms service
-    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
-    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-    await knex(TableName.Project)
-      .where({ id: projectId })
-      .update({
-        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
-      });
-  } else {
-    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
-  }
-
-  return {
-    encryptor: ({ plainText }: { plainText: Buffer }) => {
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
-
-      // Buffer#1 encrypted text + Buffer#2 version number
-      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-      return { cipherTextBlob };
-    },
-    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
-      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
-      return decryptedBlob;
-    }
-  };
-};
--- a/backend/src/db/migrations/utils/ring-buffer.ts
+++ b/backend/src/db/migrations/utils/ring-buffer.ts
@ -0,0 +1,19 @@
+export const createCircularCache = <T>(bufferSize = 10) => {
+  const bufferItems: { id: string; item: T }[] = [];
+  let bufferIndex = 0;
+
+  const push = (id: string, item: T) => {
+    if (bufferItems.length < bufferSize) {
+      bufferItems.push({ id, item });
+    } else {
+      bufferItems[bufferIndex] = { id, item };
+    }
+    bufferIndex = (bufferIndex + 1) % bufferSize;
+  };
+
+  const getItem = (id: string) => {
+    return bufferItems.find((i) => i.id === id)?.item;
+  };
+
+  return { push, getItem };
+};
--- a/backend/src/db/migrations/utils/services.ts
+++ b/backend/src/db/migrations/utils/services.ts
@ -0,0 +1,52 @@
+import { Knex } from "knex";
+
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
+import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
+import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
+import { kmsServiceFactory } from "@app/services/kms/kms-service";
+import { orgDALFactory } from "@app/services/org/org-dal";
+import { projectDALFactory } from "@app/services/project/project-dal";
+
+import { TMigrationEnvConfig } from "./env-config";
+
+type TDependencies = {
+  envConfig: TMigrationEnvConfig;
+  db: Knex;
+  keyStore: TKeyStoreFactory;
+};
+
+export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }: TDependencies) => {
+  // eslint-disable-next-line no-param-reassign
+  const hsmModule = initializeHsmModule(envConfig);
+  hsmModule.initialize();
+
+  const hsmService = hsmServiceFactory({
+    hsmModule: hsmModule.getModule(),
+    envConfig
+  });
+
+  const orgDAL = orgDALFactory(db);
+  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const projectDAL = projectDALFactory(db);
+
+  const kmsService = kmsServiceFactory({
+    kmsRootConfigDAL,
+    keyStore,
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL,
+    hsmService,
+    envConfig
+  });
+
+  await hsmService.startService();
+  await kmsService.startService();
+
+  return { kmsService };
+};
--- a/backend/src/db/rename-migrations-to-mjs.ts
+++ b/backend/src/db/rename-migrations-to-mjs.ts
@ -0,0 +1,56 @@
+import path from "node:path";
+
+import dotenv from "dotenv";
+
+import { initAuditLogDbConnection, initDbConnection } from "./instance";
+
+const isProduction = process.env.NODE_ENV === "production";
+
+// Update with your config settings. .
+dotenv.config({
+  path: path.join(__dirname, "../../../.env.migration")
+});
+dotenv.config({
+  path: path.join(__dirname, "../../../.env")
+});
+
+const runRename = async () => {
+  if (!isProduction) return;
+  const migrationTable = "infisical_migrations";
+  const applicationDb = initDbConnection({
+    dbConnectionUri: process.env.DB_CONNECTION_URI as string,
+    dbRootCert: process.env.DB_ROOT_CERT
+  });
+
+  const auditLogDb = process.env.AUDIT_LOGS_DB_CONNECTION_URI
+    ? initAuditLogDbConnection({
+        dbConnectionUri: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
+        dbRootCert: process.env.AUDIT_LOGS_DB_ROOT_CERT
+      })
+    : undefined;
+
+  const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
+  if (hasMigrationTable) {
+    const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
+    if (firstFile?.name?.includes(".ts")) {
+      await applicationDb(migrationTable).update({
+        name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
+      });
+    }
+  }
+  if (auditLogDb) {
+    const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
+    if (hasMigrationTableInAuditLog) {
+      const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
+      if (firstFile?.name?.includes(".ts")) {
+        await auditLogDb(migrationTable).update({
+          name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
+        });
+      }
+    }
+  }
+  await applicationDb.destroy();
+  await auditLogDb?.destroy();
+};
+
+void runRename();
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -15,7 +15,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard")
+  enforcementLevel: z.string().default("hard"),
+  deletedAt: z.date().nullable().optional()
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/app-connections.ts
+++ b/backend/src/db/schemas/app-connections.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AppConnectionsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  app: z.string(),
+  method: z.string(),
+  encryptedCredentials: zodBuffer,
+  version: z.number().default(1),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAppConnections = z.infer<typeof AppConnectionsSchema>;
+export type TAppConnectionsInsert = Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>;
+export type TAppConnectionsUpdate = Partial<Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/certificate-template-est-configs.ts
+++ b/backend/src/db/schemas/certificate-template-est-configs.ts
@ -12,11 +12,12 @@ import { TImmutableDBKeys } from "./models";
 export const CertificateTemplateEstConfigsSchema = z.object({
  id: z.string().uuid(),
  certificateTemplateId: z.string().uuid(),
-  encryptedCaChain: zodBuffer,
+  encryptedCaChain: zodBuffer.nullable().optional(),
  hashedPassphrase: z.string(),
  isEnabled: z.boolean(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  disableBootstrapCertValidation: z.boolean().default(false)
 });

 export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;
--- a/backend/src/db/schemas/dynamic-secrets.ts
+++ b/backend/src/db/schemas/dynamic-secrets.ts
@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const DynamicSecretsSchema = z.object({
@ -14,16 +16,18 @@ export const DynamicSecretsSchema = z.object({
  type: z.string(),
  defaultTTL: z.string(),
  maxTTL: z.string().nullable().optional(),
-  inputIV: z.string(),
-  inputCiphertext: z.string(),
-  inputTag: z.string(),
+  inputIV: z.string().nullable().optional(),
+  inputCiphertext: z.string().nullable().optional(),
+  inputTag: z.string().nullable().optional(),
  algorithm: z.string().default("aes-256-gcm"),
  keyEncoding: z.string().default("utf8"),
  folderId: z.string().uuid(),
  status: z.string().nullable().optional(),
  statusDetails: z.string().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  encryptedInput: zodBuffer,
+  projectGatewayId: z.string().uuid().nullable().optional()
 });

 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
--- a/backend/src/db/schemas/gateways.ts
+++ b/backend/src/db/schemas/gateways.ts
@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GatewaysSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date(),
+  heartbeat: z.date().nullable().optional(),
+  relayAddress: zodBuffer,
+  orgGatewayRootCaId: z.string().uuid(),
+  identityId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGateways = z.infer<typeof GatewaysSchema>;
+export type TGatewaysInsert = Omit<z.input<typeof GatewaysSchema>, TImmutableDBKeys>;
+export type TGatewaysUpdate = Partial<Omit<z.input<typeof GatewaysSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-gcp-auths.ts
+++ b/backend/src/db/schemas/identity-gcp-auths.ts
@ -17,9 +17,9 @@ export const IdentityGcpAuthsSchema = z.object({
  updatedAt: z.date(),
  identityId: z.string().uuid(),
  type: z.string(),
-  allowedServiceAccounts: z.string(),
-  allowedProjects: z.string(),
-  allowedZones: z.string()
+  allowedServiceAccounts: z.string().nullable().optional(),
+  allowedProjects: z.string().nullable().optional(),
+  allowedZones: z.string().nullable().optional()
 });

 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
--- a/backend/src/db/schemas/identity-jwt-auths.ts
+++ b/backend/src/db/schemas/identity-jwt-auths.ts
@ -0,0 +1,33 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityJwtAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  identityId: z.string().uuid(),
+  configurationType: z.string(),
+  jwksUrl: z.string(),
+  encryptedJwksCaCert: zodBuffer,
+  encryptedPublicKeys: zodBuffer,
+  boundIssuer: z.string(),
+  boundAudiences: z.string(),
+  boundClaims: z.unknown(),
+  boundSubject: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;
+export type TIdentityJwtAuthsInsert = Omit<z.input<typeof IdentityJwtAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityJwtAuthsUpdate = Partial<Omit<z.input<typeof IdentityJwtAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-kubernetes-auths.ts
+++ b/backend/src/db/schemas/identity-kubernetes-auths.ts
@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const IdentityKubernetesAuthsSchema = z.object({
@ -17,15 +19,17 @@ export const IdentityKubernetesAuthsSchema = z.object({
  updatedAt: z.date(),
  identityId: z.string().uuid(),
  kubernetesHost: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
-  encryptedTokenReviewerJwt: z.string(),
-  tokenReviewerJwtIV: z.string(),
-  tokenReviewerJwtTag: z.string(),
+  encryptedCaCert: z.string().nullable().optional(),
+  caCertIV: z.string().nullable().optional(),
+  caCertTag: z.string().nullable().optional(),
+  encryptedTokenReviewerJwt: z.string().nullable().optional(),
+  tokenReviewerJwtIV: z.string().nullable().optional(),
+  tokenReviewerJwtTag: z.string().nullable().optional(),
  allowedNamespaces: z.string(),
  allowedNames: z.string(),
-  allowedAudience: z.string()
+  allowedAudience: z.string(),
+  encryptedKubernetesTokenReviewerJwt: zodBuffer,
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
 });

 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
--- a/backend/src/db/schemas/identity-oidc-auths.ts
+++ b/backend/src/db/schemas/identity-oidc-auths.ts
@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const IdentityOidcAuthsSchema = z.object({
@ -15,15 +17,16 @@ export const IdentityOidcAuthsSchema = z.object({
  accessTokenTrustedIps: z.unknown(),
  identityId: z.string().uuid(),
  oidcDiscoveryUrl: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
+  encryptedCaCert: z.string().nullable().optional(),
+  caCertIV: z.string().nullable().optional(),
+  caCertTag: z.string().nullable().optional(),
  boundIssuer: z.string(),
  boundAudiences: z.string(),
  boundClaims: z.unknown(),
  boundSubject: z.string().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  encryptedCaCertificate: zodBuffer.nullable().optional()
 });

 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -20,6 +20,7 @@ export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
 export * from "./external-kms";
+export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
@ -30,6 +31,7 @@ export * from "./identity-access-tokens";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
+export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
@ -44,6 +46,10 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./internal-kms";
+export * from "./kmip-client-certificates";
+export * from "./kmip-clients";
+export * from "./kmip-org-configs";
+export * from "./kmip-org-server-certificates";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";
@ -52,6 +58,7 @@ export * from "./ldap-group-maps";
 export * from "./models";
 export * from "./oidc-configs";
 export * from "./org-bots";
+export * from "./org-gateway-config";
 export * from "./org-memberships";
 export * from "./org-roles";
 export * from "./organizations";
@ -60,15 +67,18 @@ export * from "./pki-collection-items";
 export * from "./pki-collections";
 export * from "./project-bots";
 export * from "./project-environments";
+export * from "./project-gateways";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
+export * from "./project-split-backfill-ids";
 export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
+export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
@ -105,7 +115,13 @@ export * from "./secrets";
 export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./slack-integrations";
+export * from "./ssh-certificate-authorities";
+export * from "./ssh-certificate-authority-secrets";
+export * from "./ssh-certificate-bodies";
+export * from "./ssh-certificate-templates";
+export * from "./ssh-certificates";
 export * from "./super-admin";
+export * from "./totp-configs";
 export * from "./trusted-ips";
 export * from "./user-actions";
 export * from "./user-aliases";
--- a/backend/src/db/schemas/kmip-client-certificates.ts
+++ b/backend/src/db/schemas/kmip-client-certificates.ts
@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  kmipClientId: z.string().uuid(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date()
+});
+
+export type TKmipClientCertificates = z.infer<typeof KmipClientCertificatesSchema>;
+export type TKmipClientCertificatesInsert = Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipClientCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/kmip-clients.ts
+++ b/backend/src/db/schemas/kmip-clients.ts
@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  permissions: z.string().array().nullable().optional(),
+  description: z.string().nullable().optional(),
+  projectId: z.string()
+});
+
+export type TKmipClients = z.infer<typeof KmipClientsSchema>;
+export type TKmipClientsInsert = Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>;
+export type TKmipClientsUpdate = Partial<Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/kmip-org-configs.ts
+++ b/backend/src/db/schemas/kmip-org-configs.ts
@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgConfigsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  caKeyAlgorithm: z.string(),
+  rootCaIssuedAt: z.date(),
+  rootCaExpiration: z.date(),
+  rootCaSerialNumber: z.string(),
+  encryptedRootCaCertificate: zodBuffer,
+  encryptedRootCaPrivateKey: zodBuffer,
+  serverIntermediateCaIssuedAt: z.date(),
+  serverIntermediateCaExpiration: z.date(),
+  serverIntermediateCaSerialNumber: z.string().nullable().optional(),
+  encryptedServerIntermediateCaCertificate: zodBuffer,
+  encryptedServerIntermediateCaChain: zodBuffer,
+  encryptedServerIntermediateCaPrivateKey: zodBuffer,
+  clientIntermediateCaIssuedAt: z.date(),
+  clientIntermediateCaExpiration: z.date(),
+  clientIntermediateCaSerialNumber: z.string(),
+  encryptedClientIntermediateCaCertificate: zodBuffer,
+  encryptedClientIntermediateCaChain: zodBuffer,
+  encryptedClientIntermediateCaPrivateKey: zodBuffer,
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TKmipOrgConfigs = z.infer<typeof KmipOrgConfigsSchema>;
+export type TKmipOrgConfigsInsert = Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>;
+export type TKmipOrgConfigsUpdate = Partial<Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/kmip-org-server-certificates.ts
+++ b/backend/src/db/schemas/kmip-org-server-certificates.ts
@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgServerCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  commonName: z.string(),
+  altNames: z.string(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date(),
+  encryptedCertificate: zodBuffer,
+  encryptedChain: zodBuffer
+});
+
+export type TKmipOrgServerCertificates = z.infer<typeof KmipOrgServerCertificatesSchema>;
+export type TKmipOrgServerCertificatesInsert = Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipOrgServerCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/kms-keys.ts
+++ b/backend/src/db/schemas/kms-keys.ts
@ -16,8 +16,7 @@ export const KmsKeysSchema = z.object({
  name: z.string(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  projectId: z.string().nullable().optional(),
-  slug: z.string().nullable().optional()
+  projectId: z.string().nullable().optional()
 });

 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;
--- a/backend/src/db/schemas/kms-root-config.ts
+++ b/backend/src/db/schemas/kms-root-config.ts
@ -12,7 +12,7 @@ import { TImmutableDBKeys } from "./models";
 export const KmsRootConfigSchema = z.object({
  id: z.string().uuid(),
  encryptedRootKey: zodBuffer,
-  encryptionStrategy: z.string(),
+  encryptionStrategy: z.string().default("SOFTWARE").nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
--- a/backend/src/db/schemas/ldap-configs.ts
+++ b/backend/src/db/schemas/ldap-configs.ts
@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const LdapConfigsSchema = z.object({
@ -12,22 +14,25 @@ export const LdapConfigsSchema = z.object({
  orgId: z.string().uuid(),
  isActive: z.boolean(),
  url: z.string(),
-  encryptedBindDN: z.string(),
-  bindDNIV: z.string(),
-  bindDNTag: z.string(),
-  encryptedBindPass: z.string(),
-  bindPassIV: z.string(),
-  bindPassTag: z.string(),
+  encryptedBindDN: z.string().nullable().optional(),
+  bindDNIV: z.string().nullable().optional(),
+  bindDNTag: z.string().nullable().optional(),
+  encryptedBindPass: z.string().nullable().optional(),
+  bindPassIV: z.string().nullable().optional(),
+  bindPassTag: z.string().nullable().optional(),
  searchBase: z.string(),
-  encryptedCACert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
+  encryptedCACert: z.string().nullable().optional(),
+  caCertIV: z.string().nullable().optional(),
+  caCertTag: z.string().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date(),
  groupSearchBase: z.string().default(""),
  groupSearchFilter: z.string().default(""),
  searchFilter: z.string().default(""),
-  uniqueUserAttribute: z.string().default("")
+  uniqueUserAttribute: z.string().default(""),
+  encryptedLdapBindDN: zodBuffer,
+  encryptedLdapBindPass: zodBuffer,
+  encryptedLdapCaCertificate: zodBuffer.nullable().optional()
 });

 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -2,6 +2,11 @@ import { z } from "zod";

 export enum TableName {
  Users = "users",
+  SshCertificateAuthority = "ssh_certificate_authorities",
+  SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
+  SshCertificateTemplate = "ssh_certificate_templates",
+  SshCertificate = "ssh_certificates",
+  SshCertificateBody = "ssh_certificate_bodies",
  CertificateAuthority = "certificate_authorities",
  CertificateTemplateEstConfig = "certificate_template_est_configs",
  CertificateAuthorityCert = "certificate_authority_certs",
@ -68,12 +73,14 @@ export enum TableName {
  IdentityUaClientSecret = "identity_ua_client_secrets",
  IdentityAwsAuth = "identity_aws_auths",
  IdentityOidcAuth = "identity_oidc_auths",
+  IdentityJwtAuth = "identity_jwt_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
+  ResourceMetadata = "resource_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@ -105,6 +112,11 @@ export enum TableName {
  SecretApprovalRequestSecretV2 = "secret_approval_requests_secrets_v2",
  SecretApprovalRequestSecretTagV2 = "secret_approval_request_secret_tags_v2",
  SnapshotSecretV2 = "secret_snapshot_secrets_v2",
+  ProjectSplitBackfillIds = "project_split_backfill_ids",
+  // Gateway
+  OrgGatewayConfig = "org_gateway_config",
+  Gateway = "gateways",
+  ProjectGateway = "project_gateways",
  // junction tables with tags
  SecretV2JnTag = "secret_v2_tag_junction",
  JnSecretTag = "secret_tag_junction",
@ -117,11 +129,18 @@ export enum TableName {
  ExternalKms = "external_kms",
  InternalKms = "internal_kms",
  InternalKmsKeyVersion = "internal_kms_key_version",
+  TotpConfig = "totp_configs",
  // @depreciated
  KmsKeyVersion = "kms_key_versions",
  WorkflowIntegrations = "workflow_integrations",
  SlackIntegrations = "slack_integrations",
-  ProjectSlackConfigs = "project_slack_configs"
+  ProjectSlackConfigs = "project_slack_configs",
+  AppConnection = "app_connections",
+  SecretSync = "secret_syncs",
+  KmipClient = "kmip_clients",
+  KmipOrgConfig = "kmip_org_configs",
+  KmipOrgServerCertificates = "kmip_org_server_certificates",
+  KmipClientCertificates = "kmip_client_certificates"
 }

 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@ -195,5 +214,22 @@ export enum IdentityAuthMethod {
  GCP_AUTH = "gcp-auth",
  AWS_AUTH = "aws-auth",
  AZURE_AUTH = "azure-auth",
-  OIDC_AUTH = "oidc-auth"
+  OIDC_AUTH = "oidc-auth",
+  JWT_AUTH = "jwt-auth"
+}
+
+export enum ProjectType {
+  SecretManager = "secret-manager",
+  CertificateManager = "cert-manager",
+  KMS = "kms",
+  SSH = "ssh"
+}
+
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  // project operations that happen on all types
+  Any = "any"
 }
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const OidcConfigsSchema = z.object({
@ -15,19 +17,22 @@ export const OidcConfigsSchema = z.object({
  jwksUri: z.string().nullable().optional(),
  tokenEndpoint: z.string().nullable().optional(),
  userinfoEndpoint: z.string().nullable().optional(),
-  encryptedClientId: z.string(),
+  encryptedClientId: z.string().nullable().optional(),
  configurationType: z.string(),
-  clientIdIV: z.string(),
-  clientIdTag: z.string(),
-  encryptedClientSecret: z.string(),
-  clientSecretIV: z.string(),
-  clientSecretTag: z.string(),
+  clientIdIV: z.string().nullable().optional(),
+  clientIdTag: z.string().nullable().optional(),
+  encryptedClientSecret: z.string().nullable().optional(),
+  clientSecretIV: z.string().nullable().optional(),
+  clientSecretTag: z.string().nullable().optional(),
  allowedEmailDomains: z.string().nullable().optional(),
  isActive: z.boolean(),
  createdAt: z.date(),
  updatedAt: z.date(),
  orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
+  manageGroupMemberships: z.boolean().default(false),
+  encryptedOidcClientId: zodBuffer,
+  encryptedOidcClientSecret: zodBuffer
 });

 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/org-gateway-config.ts
+++ b/backend/src/db/schemas/org-gateway-config.ts
@ -0,0 +1,43 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const OrgGatewayConfigSchema = z.object({
+  id: z.string().uuid(),
+  rootCaKeyAlgorithm: z.string(),
+  rootCaIssuedAt: z.date(),
+  rootCaExpiration: z.date(),
+  rootCaSerialNumber: z.string(),
+  encryptedRootCaCertificate: zodBuffer,
+  encryptedRootCaPrivateKey: zodBuffer,
+  clientCaIssuedAt: z.date(),
+  clientCaExpiration: z.date(),
+  clientCaSerialNumber: z.string().nullable().optional(),
+  encryptedClientCaCertificate: zodBuffer,
+  encryptedClientCaPrivateKey: zodBuffer,
+  clientCertSerialNumber: z.string(),
+  clientCertKeyAlgorithm: z.string(),
+  clientCertIssuedAt: z.date(),
+  clientCertExpiration: z.date(),
+  encryptedClientCertificate: zodBuffer,
+  encryptedClientPrivateKey: zodBuffer,
+  gatewayCaIssuedAt: z.date(),
+  gatewayCaExpiration: z.date(),
+  gatewayCaSerialNumber: z.string(),
+  encryptedGatewayCaCertificate: zodBuffer,
+  encryptedGatewayCaPrivateKey: zodBuffer,
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TOrgGatewayConfig = z.infer<typeof OrgGatewayConfigSchema>;
+export type TOrgGatewayConfigInsert = Omit<z.input<typeof OrgGatewayConfigSchema>, TImmutableDBKeys>;
+export type TOrgGatewayConfigUpdate = Partial<Omit<z.input<typeof OrgGatewayConfigSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@ -21,7 +21,8 @@ export const OrganizationsSchema = z.object({
  kmsDefaultKeyId: z.string().uuid().nullable().optional(),
  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
  defaultMembershipRole: z.string().default("member"),
-  enforceMfa: z.boolean().default(false)
+  enforceMfa: z.boolean().default(false),
+  selectedMfaMethod: z.string().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/project-gateways.ts
+++ b/backend/src/db/schemas/project-gateways.ts
@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectGatewaysSchema = z.object({
+  id: z.string().uuid(),
+  projectId: z.string(),
+  gatewayId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectGateways = z.infer<typeof ProjectGatewaysSchema>;
+export type TProjectGatewaysInsert = Omit<z.input<typeof ProjectGatewaysSchema>, TImmutableDBKeys>;
+export type TProjectGatewaysUpdate = Partial<Omit<z.input<typeof ProjectGatewaysSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/project-split-backfill-ids.ts
+++ b/backend/src/db/schemas/project-split-backfill-ids.ts
@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectSplitBackfillIdsSchema = z.object({
+  id: z.string().uuid(),
+  sourceProjectId: z.string(),
+  destinationProjectType: z.string(),
+  destinationProjectId: z.string()
+});
+
+export type TProjectSplitBackfillIds = z.infer<typeof ProjectSplitBackfillIdsSchema>;
+export type TProjectSplitBackfillIdsInsert = Omit<z.input<typeof ProjectSplitBackfillIdsSchema>, TImmutableDBKeys>;
+export type TProjectSplitBackfillIdsUpdate = Partial<
+  Omit<z.input<typeof ProjectSplitBackfillIdsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
  id: z.string(),
  name: z.string(),
  slug: z.string(),
-  autoCapitalization: z.boolean().default(true).nullable().optional(),
+  autoCapitalization: z.boolean().default(false).nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
@ -23,7 +23,10 @@ export const ProjectsSchema = z.object({
  kmsCertificateKeyId: z.string().uuid().nullable().optional(),
  auditLogsRetentionDays: z.number().nullable().optional(),
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
-  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
+  description: z.string().nullable().optional(),
+  type: z.string(),
+  enforceCapitalization: z.boolean().default(false)
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/resource-metadata.ts
+++ b/backend/src/db/schemas/resource-metadata.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ResourceMetadataSchema = z.object({
+  id: z.string().uuid(),
+  key: z.string(),
+  value: z.string(),
+  orgId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional(),
+  identityId: z.string().uuid().nullable().optional(),
+  secretId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
+export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
+export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/saml-configs.ts
+++ b/backend/src/db/schemas/saml-configs.ts
@ -5,6 +5,8 @@

 import { z } from "zod";

+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";

 export const SamlConfigsSchema = z.object({
@ -23,7 +25,10 @@ export const SamlConfigsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
+  encryptedSamlEntryPoint: zodBuffer,
+  encryptedSamlIssuer: zodBuffer,
+  encryptedSamlCertificate: zodBuffer
 });

 export type TSamlConfigs = z.infer<typeof SamlConfigsSchema>;
--- a/Show More
+++ b/Show More