Main

Address SAML CVE in https://workos.com/blog/samlstorm

.gitignore

@@ -1,3 +1,5 @@
+.direnv/
+
 # backend
 node_modules
 .env
@@ -26,8 +28,6 @@ node_modules
 /.pnp
 .pnp.js
 
-.env
-
 # testing
 coverage
 reports
@@ -63,10 +63,12 @@ yarn-error.log*
 
 # Editor specific
 .vscode/*
-.idea/*
+**/.idea/*
 
 frontend-build
 
+# cli
+.go/
 *.tgz
 cli/infisical-merge
 cli/test/infisical-merge

backend/package-lock.json

@@ -31,7 +31,7 @@
         "@fastify/swagger-ui": "^2.1.0",
         "@google-cloud/kms": "^4.5.0",
         "@infisical/quic": "^1.0.8",
-        "@node-saml/passport-saml": "^4.0.4",
+        "@node-saml/passport-saml": "^5.0.1",
         "@octokit/auth-app": "^7.1.1",
         "@octokit/plugin-retry": "^5.0.5",
         "@octokit/rest": "^20.0.2",
@@ -6747,32 +6747,35 @@
       }
     },
     "node_modules/@node-saml/node-saml": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-4.0.5.tgz",
-      "integrity": "sha512-J5DglElbY1tjOuaR1NPtjOXkXY5bpUhDoKVoeucYN98A3w4fwgjIOPqIGcb6cQsqFq2zZ6vTCeKn5C/hvefSaw==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.0.1.tgz",
+      "integrity": "sha512-YQzFPEC+CnsfO9AFYnwfYZKIzOLx3kITaC1HrjHVLTo6hxcQhc+LgHODOMvW4VCV95Gwrz1MshRUWCPzkDqmnA==",
+      "license": "MIT",
       "dependencies": {
-        "@types/debug": "^4.1.7",
-        "@types/passport": "^1.0.11",
-        "@types/xml-crypto": "^1.4.2",
-        "@types/xml-encryption": "^1.2.1",
-        "@types/xml2js": "^0.4.11",
-        "@xmldom/xmldom": "^0.8.6",
+        "@types/debug": "^4.1.12",
+        "@types/qs": "^6.9.11",
+        "@types/xml-encryption": "^1.2.4",
+        "@types/xml2js": "^0.4.14",
+        "@xmldom/is-dom-node": "^1.0.1",
+        "@xmldom/xmldom": "^0.8.10",
         "debug": "^4.3.4",
-        "xml-crypto": "^3.0.1",
+        "xml-crypto": "^6.0.1",
         "xml-encryption": "^3.0.2",
-        "xml2js": "^0.5.0",
-        "xmlbuilder": "^15.1.1"
+        "xml2js": "^0.6.2",
+        "xmlbuilder": "^15.1.1",
+        "xpath": "^0.0.34"
       },
       "engines": {
-        "node": ">= 14"
+        "node": ">= 18"
       }
     },
     "node_modules/@node-saml/node-saml/node_modules/debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
+      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
+      "license": "MIT",
       "dependencies": {
-        "ms": "2.1.2"
+        "ms": "^2.1.3"
       },
       "engines": {
         "node": ">=6.0"
@@ -6783,25 +6786,43 @@
         }
       }
     },
-    "node_modules/@node-saml/node-saml/node_modules/ms": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    "node_modules/@node-saml/node-saml/node_modules/xml2js": {
+      "version": "0.6.2",
+      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz",
+      "integrity": "sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==",
+      "license": "MIT",
+      "dependencies": {
+        "sax": ">=0.6.0",
+        "xmlbuilder": "~11.0.0"
+      },
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/@node-saml/node-saml/node_modules/xml2js/node_modules/xmlbuilder": {
+      "version": "11.0.1",
+      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-11.0.1.tgz",
+      "integrity": "sha512-fDlsI/kFEx7gLvbecc0/ohLG50fugQp8ryHzMTuW9vSa1GJ0XYWKnhsUx7oie3G98+r56aTQIUB4kht42R3JvA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      }
     },
     "node_modules/@node-saml/passport-saml": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-4.0.4.tgz",
-      "integrity": "sha512-xFw3gw0yo+K1mzlkW15NeBF7cVpRHN/4vpjmBKzov5YFImCWh/G0LcTZ8krH3yk2/eRPc3Or8LRPudVJBjmYaw==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.0.1.tgz",
+      "integrity": "sha512-fMztg3zfSnjLEgxvpl6HaDMNeh0xeQX4QHiF9e2Lsie2dc4qFE37XYbQZhVmn8XJ2awPpSWLQ736UskYgGU8lQ==",
+      "license": "MIT",
       "dependencies": {
-        "@node-saml/node-saml": "^4.0.4",
-        "@types/express": "^4.17.14",
-        "@types/passport": "^1.0.11",
-        "@types/passport-strategy": "^0.2.35",
-        "passport": "^0.6.0",
+        "@node-saml/node-saml": "^5.0.1",
+        "@types/express": "^4.17.21",
+        "@types/passport": "^1.0.16",
+        "@types/passport-strategy": "^0.2.38",
+        "passport": "^0.7.0",
         "passport-strategy": "^1.0.0"
       },
       "engines": {
-        "node": ">= 14"
+        "node": ">= 18"
       }
     },
     "node_modules/@nodelib/fs.scandir": {
@@ -9606,6 +9627,7 @@
       "version": "4.1.12",
       "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
       "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
+      "license": "MIT",
       "dependencies": {
         "@types/ms": "*"
       }
@@ -9725,9 +9747,10 @@
       "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w=="
     },
     "node_modules/@types/ms": {
-      "version": "0.7.34",
-      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-0.7.34.tgz",
-      "integrity": "sha512-nG96G3Wp6acyAgJqGasjODb+acrI7KltPiRxzHPXnP3NgI28bpQDRv53olbqGXbfcgF5aiiHmO3xpwEpS5Ld9g=="
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
+      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
+      "license": "MIT"
     },
     "node_modules/@types/node": {
       "version": "20.9.5",
@@ -9907,9 +9930,10 @@
       "dev": true
     },
     "node_modules/@types/qs": {
-      "version": "6.9.10",
-      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.10.tgz",
-      "integrity": "sha512-3Gnx08Ns1sEoCrWssEgTSJs/rsT2vhGP+Ja9cnnk9k4ALxinORlQneLXFeFKOTJMOeZUFD1s7w+w2AphTpvzZw=="
+      "version": "6.9.18",
+      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.18.tgz",
+      "integrity": "sha512-kK7dgTYDyGqS+e2Q4aK9X3D7q234CIZ1Bv0q/7Z5IwRDoADNU81xXJK/YVyLbLTZCoIwUoDoffFeF+p/eIklAA==",
+      "license": "MIT"
     },
     "node_modules/@types/range-parser": {
       "version": "1.2.7",
@@ -10058,19 +10082,11 @@
         "@types/webidl-conversions": "*"
       }
     },
-    "node_modules/@types/xml-crypto": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/@types/xml-crypto/-/xml-crypto-1.4.6.tgz",
-      "integrity": "sha512-A6jEW2FxLZo1CXsRWnZHUX2wzR3uDju2Bozt6rDbSmU/W8gkilaVbwFEVN0/NhnUdMVzwYobWtM6bU1QJJFb7Q==",
-      "dependencies": {
-        "@types/node": "*",
-        "xpath": "0.0.27"
-      }
-    },
     "node_modules/@types/xml-encryption": {
       "version": "1.2.4",
       "resolved": "https://registry.npmjs.org/@types/xml-encryption/-/xml-encryption-1.2.4.tgz",
       "integrity": "sha512-I69K/WW1Dv7j6O3jh13z0X8sLWJRXbu5xnHDl9yHzUNDUBtUoBY058eb5s+x/WG6yZC1h8aKdI2EoyEPjyEh+Q==",
+      "license": "MIT",
       "dependencies": {
         "@types/node": "*"
       }
@@ -10079,6 +10095,7 @@
       "version": "0.4.14",
       "resolved": "https://registry.npmjs.org/@types/xml2js/-/xml2js-0.4.14.tgz",
       "integrity": "sha512-4YnrRemBShWRO2QjvUin8ESA41rH+9nQGLUGZV/1IDhi3SL9OhdpNC/MrulTWuptXKwhx/aDxE7toV0f/ypIXQ==",
+      "license": "MIT",
       "dependencies": {
         "@types/node": "*"
       }
@@ -10522,10 +10539,20 @@
         "url": "https://opencollective.com/vitest"
       }
     },
+    "node_modules/@xmldom/is-dom-node": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@xmldom/is-dom-node/-/is-dom-node-1.0.1.tgz",
+      "integrity": "sha512-CJDxIgE5I0FH+ttq/Fxy6nRpxP70+e2O048EPe85J2use3XKdatVM7dDVvFNjQudd9B49NPoZ+8PG49zj4Er8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      }
+    },
     "node_modules/@xmldom/xmldom": {
       "version": "0.8.10",
       "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.10.tgz",
       "integrity": "sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==",
+      "license": "MIT",
       "engines": {
         "node": ">=10.0.0"
       }
@@ -18222,9 +18249,10 @@
       }
     },
     "node_modules/passport": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/passport/-/passport-0.6.0.tgz",
-      "integrity": "sha512-0fe+p3ZnrWRW74fe8+SvCyf4a3Pb2/h7gFkQ8yTJpAO50gDzlfjZUZTO1k5Eg9kUct22OxHLqDZoKUWRHOh9ug==",
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz",
+      "integrity": "sha512-cPLl+qZpSc+ireUvt+IzqbED1cHHkDoVYMo30jbJIdOOjQ1MQYZBPiNvmi8UM6lJuOpTPXJGZQk0DtC4y61MYQ==",
+      "license": "MIT",
       "dependencies": {
         "passport-strategy": "1.x.x",
         "pause": "0.0.1",
@@ -23692,42 +23720,44 @@
       }
     },
     "node_modules/xml-crypto": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-3.2.0.tgz",
-      "integrity": "sha512-qVurBUOQrmvlgmZqIVBqmb06TD2a/PpEUfFPgD7BuBfjmoH4zgkqaWSIJrnymlCvM2GGt9x+XtJFA+ttoAufqg==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
+      "integrity": "sha512-v05aU7NS03z4jlZ0iZGRFeZsuKO1UfEbbYiaeRMiATBFs6Jq9+wqKquEMTn4UTrYZ9iGD8yz3KT4L9o2iF682w==",
+      "license": "MIT",
       "dependencies": {
-        "@xmldom/xmldom": "^0.8.8",
-        "xpath": "0.0.32"
+        "@xmldom/is-dom-node": "^1.0.1",
+        "@xmldom/xmldom": "^0.8.10",
+        "xpath": "^0.0.33"
       },
       "engines": {
-        "node": ">=4.0.0"
+        "node": ">=16"
       }
     },
     "node_modules/xml-crypto/node_modules/xpath": {
-      "version": "0.0.32",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
-      "integrity": "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==",
+      "version": "0.0.33",
+      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.33.tgz",
+      "integrity": "sha512-NNXnzrkDrAzalLhIUc01jO2mOzXGXh1JwPgkihcLLzw98c0WgYDmmjSh1Kl3wzaxSVWMuA+fe0WTWOBDWCBmNA==",
+      "license": "MIT",
       "engines": {
         "node": ">=0.6.0"
       }
     },
     "node_modules/xml-encryption": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/xml-encryption/-/xml-encryption-3.0.2.tgz",
-      "integrity": "sha512-VxYXPvsWB01/aqVLd6ZMPWZ+qaj0aIdF+cStrVJMcFj3iymwZeI0ABzB3VqMYv48DkSpRhnrXqTUkR34j+UDyg==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/xml-encryption/-/xml-encryption-3.1.0.tgz",
+      "integrity": "sha512-PV7qnYpoAMXbf1kvQkqMScLeQpjCMixddAKq9PtqVrho8HnYbBOWNfG0kA4R7zxQDo7w9kiYAyzS/ullAyO55Q==",
+      "license": "MIT",
       "dependencies": {
         "@xmldom/xmldom": "^0.8.5",
         "escape-html": "^1.0.3",
         "xpath": "0.0.32"
-      },
-      "engines": {
-        "node": ">=12"
       }
     },
     "node_modules/xml-encryption/node_modules/xpath": {
       "version": "0.0.32",
       "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
       "integrity": "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==",
+      "license": "MIT",
       "engines": {
         "node": ">=0.6.0"
       }
@@ -23764,6 +23794,7 @@
       "version": "15.1.1",
       "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-15.1.1.tgz",
       "integrity": "sha512-yMqGBqtXyeN1e3TGYvgNgDVZ3j84W4cwkOXQswghol6APgZWaff9lnbvN7MHYJOiXsvGPXtjTYJEiC9J2wv9Eg==",
+      "license": "MIT",
       "engines": {
         "node": ">=8.0"
       }
@@ -23774,9 +23805,10 @@
       "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw=="
     },
     "node_modules/xpath": {
-      "version": "0.0.27",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.27.tgz",
-      "integrity": "sha512-fg03WRxtkCV6ohClePNAECYsmpKKTv5L8y/X3Dn1hQrec3POx2jHZ/0P2qQ6HvsrU1BmeqXcof3NGGueG6LxwQ==",
+      "version": "0.0.34",
+      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.34.tgz",
+      "integrity": "sha512-FxF6+rkr1rNSQrhUNYrAFJpRXNzlDoMxeXN5qI84939ylEv3qqPFKa85Oxr6tDaJKqwW6KKyo2v26TSv3k6LeA==",
+      "license": "MIT",
       "engines": {
         "node": ">=0.6.0"
       }

backend/package.json

@@ -148,7 +148,7 @@
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^4.0.4",
+    "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",

backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+
+    if (!hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+    if (hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.dropColumn("allowSecretSharingOutsideOrganization");
+      });
+    }
+  }
+}

backend/src/db/schemas/organizations.ts

@@ -22,7 +22,8 @@ export const OrganizationsSchema = z.object({
   kmsEncryptedDataKey: zodBuffer.nullable().optional(),
   defaultMembershipRole: z.string().default("member"),
   enforceMfa: z.boolean().default(false),
-  selectedMfaMethod: z.string().nullable().optional()
+  selectedMfaMethod: z.string().nullable().optional(),
+  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/ee/services/permission/org-permission.ts

@@ -32,6 +32,10 @@ export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
 
+export enum OrgPermissionSecretShareAction {
+  ManageSettings = "manage-settings"
+}
+
 export enum OrgPermissionGatewayActions {
   // is there a better word for this. This mean can an identity be a gateway
   CreateGateways = "create-gateways",
@@ -59,7 +63,8 @@ export enum OrgPermissionSubjects {
   ProjectTemplates = "project-templates",
   AppConnections = "app-connections",
   Kmip = "kmip",
-  Gateway = "gateway"
+  Gateway = "gateway",
+  SecretShare = "secret-share"
 }
 
 export type AppConnectionSubjectFields = {
@@ -91,7 +96,8 @@ export type OrgPermissionSet =
       )
     ]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
-  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
+  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];
 
 const AppConnectionConditionSchema = z
   .object({
@@ -185,6 +191,12 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
       "Describe what action an entity can take."
     )
   }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.SecretShare).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionSecretShareAction).describe(
+      "Describe what action an entity can take."
+    )
+  }),
   z.object({
     subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
@@ -292,6 +304,8 @@ const buildAdminPermission = () => {
   // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
   can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);
 
+  can(OrgPermissionSecretShareAction.ManageSettings, OrgPermissionSubjects.SecretShare);
+
   return rules;
 };
 

backend/src/lib/api-docs/constants.ts

@@ -1771,6 +1771,12 @@ export const SecretSyncs = {
     },
     DATABRICKS: {
       scope: "The Databricks secret scope that secrets should be synced to."
+    },
+    HUMANITEC: {
+      app: "The ID of the Humanitec app to sync secrets to.",
+      org: "The ID of the Humanitec org to sync secrets to.",
+      env: "The ID of the Humanitec environment to sync secrets to.",
+      scope: "The Humanitec scope that secrets should be synced to."
     }
   }
 };

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -18,6 +18,10 @@ import {
 } from "@app/services/app-connection/databricks";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
+import {
+  HumanitecConnectionListItemSchema,
+  SanitizedHumanitecConnectionSchema
+} from "@app/services/app-connection/humanitec";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
@@ -27,7 +31,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedGcpConnectionSchema.options,
   ...SanitizedAzureKeyVaultConnectionSchema.options,
   ...SanitizedAzureAppConfigurationConnectionSchema.options,
-  ...SanitizedDatabricksConnectionSchema.options
+  ...SanitizedDatabricksConnectionSchema.options,
+  ...SanitizedHumanitecConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -36,7 +41,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   GcpConnectionListItemSchema,
   AzureKeyVaultConnectionListItemSchema,
   AzureAppConfigurationConnectionListItemSchema,
-  DatabricksConnectionListItemSchema
+  DatabricksConnectionListItemSchema,
+  HumanitecConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/humanitec-connection-router.ts

@@ -0,0 +1,69 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateHumanitecConnectionSchema,
+  HumanitecOrgWithApps,
+  SanitizedHumanitecConnectionSchema,
+  UpdateHumanitecConnectionSchema
+} from "@app/services/app-connection/humanitec";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerHumanitecConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Humanitec,
+    server,
+    sanitizedResponseSchema: SanitizedHumanitecConnectionSchema,
+    createSchema: CreateHumanitecConnectionSchema,
+    updateSchema: UpdateHumanitecConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/organizations`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string(),
+            apps: z
+              .object({
+                id: z.string(),
+                name: z.string(),
+                envs: z
+                  .object({
+                    id: z.string(),
+                    name: z.string()
+                  })
+                  .array()
+              })
+              .array()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const organizations: HumanitecOrgWithApps[] = await server.services.appConnection.humanitec.listOrganizations(
+        connectionId,
+        req.permission
+      );
+
+      return organizations;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -6,6 +6,7 @@ import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connect
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
+import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 
 export * from "./app-connection-router";
 
@@ -16,5 +17,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.GCP]: registerGcpConnectionRouter,
     [AppConnection.AzureKeyVault]: registerAzureKeyVaultConnectionRouter,
     [AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter,
-    [AppConnection.Databricks]: registerDatabricksConnectionRouter
+    [AppConnection.Databricks]: registerDatabricksConnectionRouter,
+    [AppConnection.Humanitec]: registerHumanitecConnectionRouter
   };

backend/src/server/routes/v1/organization-router.ts

@@ -257,7 +257,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         scimEnabled: z.boolean().optional(),
         defaultMembershipRoleSlug: slugSchema({ max: 64, field: "Default Membership Role" }).optional(),
         enforceMfa: z.boolean().optional(),
-        selectedMfaMethod: z.nativeEnum(MfaMethod).optional()
+        selectedMfaMethod: z.nativeEnum(MfaMethod).optional(),
+        allowSecretSharingOutsideOrganization: z.boolean().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-sync-routers/humanitec-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateHumanitecSyncSchema,
+  HumanitecSyncSchema,
+  UpdateHumanitecSyncSchema
+} from "@app/services/secret-sync/humanitec";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerHumanitecSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Humanitec,
+    server,
+    responseSchema: HumanitecSyncSchema,
+    createSchema: CreateHumanitecSyncSchema,
+    updateSchema: UpdateHumanitecSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -7,6 +7,7 @@ import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
+import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
 
 export * from "./secret-sync-router";
 
@@ -17,5 +18,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.GCPSecretManager]: registerGcpSyncRouter,
   [SecretSync.AzureKeyVault]: registerAzureKeyVaultSyncRouter,
   [SecretSync.AzureAppConfiguration]: registerAzureAppConfigurationSyncRouter,
-  [SecretSync.Databricks]: registerDatabricksSyncRouter
+  [SecretSync.Databricks]: registerDatabricksSyncRouter,
+  [SecretSync.Humanitec]: registerHumanitecSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -21,6 +21,7 @@ import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/s
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
+import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
 
 const SecretSyncSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncSchema,
@@ -29,7 +30,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   GcpSyncSchema,
   AzureKeyVaultSyncSchema,
   AzureAppConfigurationSyncSchema,
-  DatabricksSyncSchema
+  DatabricksSyncSchema,
+  HumanitecSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -39,7 +41,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   GcpSyncListItemSchema,
   AzureKeyVaultSyncListItemSchema,
   AzureAppConfigurationSyncListItemSchema,
-  DatabricksSyncListItemSchema
+  DatabricksSyncListItemSchema,
+  HumanitecSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -4,7 +4,8 @@ export enum AppConnection {
   Databricks = "databricks",
   GCP = "gcp",
   AzureKeyVault = "azure-key-vault",
-  AzureAppConfiguration = "azure-app-configuration"
+  AzureAppConfiguration = "azure-app-configuration",
+  Humanitec = "humanitec"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -35,6 +35,11 @@ import {
   getAzureKeyVaultConnectionListItem,
   validateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
+import {
+  getHumanitecConnectionListItem,
+  HumanitecConnectionMethod,
+  validateHumanitecConnectionCredentials
+} from "./humanitec";
 
 export const listAppConnectionOptions = () => {
   return [
@@ -43,7 +48,8 @@ export const listAppConnectionOptions = () => {
     getGcpConnectionListItem(),
     getAzureKeyVaultConnectionListItem(),
     getAzureAppConfigurationConnectionListItem(),
-    getDatabricksConnectionListItem()
+    getDatabricksConnectionListItem(),
+    getHumanitecConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -106,6 +112,8 @@ export const validateAppConnectionCredentials = async (
       return validateAzureKeyVaultConnectionCredentials(appConnection);
     case AppConnection.AzureAppConfiguration:
       return validateAzureAppConfigurationConnectionCredentials(appConnection);
+    case AppConnection.Humanitec:
+      return validateHumanitecConnectionCredentials(appConnection);
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection ${app}`);
@@ -128,6 +136,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       return "Service Account Impersonation";
     case DatabricksConnectionMethod.ServicePrincipal:
       return "Service Principal";
+    case HumanitecConnectionMethod.API_TOKEN:
+      return "API Token";
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection Method: ${method}`);

backend/src/services/app-connection/app-connection-maps.ts

@@ -6,5 +6,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.GCP]: "GCP",
   [AppConnection.AzureKeyVault]: "Azure Key Vault",
   [AppConnection.AzureAppConfiguration]: "Azure App Configuration",
-  [AppConnection.Databricks]: "Databricks"
+  [AppConnection.Databricks]: "Databricks",
+  [AppConnection.Humanitec]: "Humanitec"
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -35,6 +35,8 @@ import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
 import { gcpConnectionService } from "./gcp/gcp-connection-service";
 import { ValidateGitHubConnectionCredentialsSchema } from "./github";
 import { githubConnectionService } from "./github/github-connection-service";
+import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
+import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -50,7 +52,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.GCP]: ValidateGcpConnectionCredentialsSchema,
   [AppConnection.AzureKeyVault]: ValidateAzureKeyVaultConnectionCredentialsSchema,
   [AppConnection.AzureAppConfiguration]: ValidateAzureAppConfigurationConnectionCredentialsSchema,
-  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema
+  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema,
+  [AppConnection.Humanitec]: ValidateHumanitecConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -371,6 +374,7 @@ export const appConnectionServiceFactory = ({
     github: githubConnectionService(connectAppConnectionById),
     gcp: gcpConnectionService(connectAppConnectionById),
     databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    aws: awsConnectionService(connectAppConnectionById)
+    aws: awsConnectionService(connectAppConnectionById),
+    humanitec: humanitecConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -32,6 +32,12 @@ import {
   TValidateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
 import { TGcpConnection, TGcpConnectionConfig, TGcpConnectionInput, TValidateGcpConnectionCredentials } from "./gcp";
+import {
+  THumanitecConnection,
+  THumanitecConnectionConfig,
+  THumanitecConnectionInput,
+  TValidateHumanitecConnectionCredentials
+} from "./humanitec";
 
 export type TAppConnection = { id: string } & (
   | TAwsConnection
@@ -40,6 +46,7 @@ export type TAppConnection = { id: string } & (
   | TAzureKeyVaultConnection
   | TAzureAppConfigurationConnection
   | TDatabricksConnection
+  | THumanitecConnection
 );
 
 export type TAppConnectionInput = { id: string } & (
@@ -49,6 +56,7 @@ export type TAppConnectionInput = { id: string } & (
   | TAzureKeyVaultConnectionInput
   | TAzureAppConfigurationConnectionInput
   | TDatabricksConnectionInput
+  | THumanitecConnectionInput
 );
 
 export type TCreateAppConnectionDTO = Pick<
@@ -66,7 +74,8 @@ export type TAppConnectionConfig =
   | TGcpConnectionConfig
   | TAzureKeyVaultConnectionConfig
   | TAzureAppConfigurationConnectionConfig
-  | TDatabricksConnectionConfig;
+  | TDatabricksConnectionConfig
+  | THumanitecConnectionConfig;
 
 export type TValidateAppConnectionCredentials =
   | TValidateAwsConnectionCredentials
@@ -74,7 +83,8 @@ export type TValidateAppConnectionCredentials =
   | TValidateGcpConnectionCredentials
   | TValidateAzureKeyVaultConnectionCredentials
   | TValidateAzureAppConfigurationConnectionCredentials
-  | TValidateDatabricksConnectionCredentials;
+  | TValidateDatabricksConnectionCredentials
+  | TValidateHumanitecConnectionCredentials;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/humanitec/humanitec-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum HumanitecConnectionMethod {
+  API_TOKEN = "api-token"
+}

backend/src/services/app-connection/humanitec/humanitec-connection-fns.ts

@@ -0,0 +1,95 @@
+import { AxiosError, AxiosResponse } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
+import {
+  HumanitecApp,
+  HumanitecOrg,
+  HumanitecOrgWithApps,
+  THumanitecConnection,
+  THumanitecConnectionConfig
+} from "./humanitec-connection-types";
+
+export const getHumanitecConnectionListItem = () => {
+  return {
+    name: "Humanitec" as const,
+    app: AppConnection.Humanitec as const,
+    methods: Object.values(HumanitecConnectionMethod) as [HumanitecConnectionMethod.API_TOKEN]
+  };
+};
+
+export const validateHumanitecConnectionCredentials = async (config: THumanitecConnectionConfig) => {
+  const { credentials: inputCredentials } = config;
+
+  let response: AxiosResponse<HumanitecOrg[]> | null = null;
+
+  try {
+    response = await request.get<HumanitecOrg[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs`, {
+      headers: {
+        Authorization: `Bearer ${inputCredentials.apiToken}`
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection - verify credentials"
+    });
+  }
+
+  if (!response?.data) {
+    throw new InternalServerError({
+      message: "Failed to get organizations: Response was empty"
+    });
+  }
+
+  return inputCredentials;
+};
+
+export const listOrganizations = async (appConnection: THumanitecConnection): Promise<HumanitecOrgWithApps[]> => {
+  const {
+    credentials: { apiToken }
+  } = appConnection;
+  const response = await request.get<HumanitecOrg[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs`, {
+    headers: {
+      Authorization: `Bearer ${apiToken}`
+    }
+  });
+
+  if (!response.data) {
+    throw new InternalServerError({
+      message: "Failed to get organizations: Response was empty"
+    });
+  }
+  const orgs = response.data;
+  const orgsWithApps: HumanitecOrgWithApps[] = [];
+
+  for (const org of orgs) {
+    // eslint-disable-next-line no-await-in-loop
+    const appsResponse = await request.get<HumanitecApp[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs/${org.id}/apps`, {
+      headers: {
+        Authorization: `Bearer ${apiToken}`
+      }
+    });
+
+    if (appsResponse.data) {
+      const apps = appsResponse.data;
+      orgsWithApps.push({
+        ...org,
+        apps: apps.map((app) => ({
+          name: app.name,
+          id: app.id,
+          envs: app.envs
+        }))
+      });
+    }
+  }
+  return orgsWithApps;
+};

backend/src/services/app-connection/humanitec/humanitec-connection-schemas.ts

@@ -0,0 +1,58 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
+
+export const HumanitecConnectionAccessTokenCredentialsSchema = z.object({
+  apiToken: z.string().trim().min(1, "API Token required")
+});
+
+const BaseHumanitecConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Humanitec) });
+
+export const HumanitecConnectionSchema = BaseHumanitecConnectionSchema.extend({
+  method: z.literal(HumanitecConnectionMethod.API_TOKEN),
+  credentials: HumanitecConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedHumanitecConnectionSchema = z.discriminatedUnion("method", [
+  BaseHumanitecConnectionSchema.extend({
+    method: z.literal(HumanitecConnectionMethod.API_TOKEN),
+    credentials: HumanitecConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateHumanitecConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(HumanitecConnectionMethod.API_TOKEN)
+      .describe(AppConnections?.CREATE(AppConnection.Humanitec).method),
+    credentials: HumanitecConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Humanitec).credentials
+    )
+  })
+]);
+
+export const CreateHumanitecConnectionSchema = ValidateHumanitecConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Humanitec)
+);
+
+export const UpdateHumanitecConnectionSchema = z
+  .object({
+    credentials: HumanitecConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Humanitec).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Humanitec));
+
+export const HumanitecConnectionListItemSchema = z.object({
+  name: z.literal("Humanitec"),
+  app: z.literal(AppConnection.Humanitec),
+  methods: z.nativeEnum(HumanitecConnectionMethod).array()
+});

backend/src/services/app-connection/humanitec/humanitec-connection-service.ts

@@ -0,0 +1,29 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listOrganizations as getHumanitecOrganizations } from "./humanitec-connection-fns";
+import { THumanitecConnection } from "./humanitec-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<THumanitecConnection>;
+
+export const humanitecConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listOrganizations = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Humanitec, connectionId, actor);
+    try {
+      const organizations = await getHumanitecOrganizations(appConnection);
+      return organizations;
+    } catch (error) {
+      logger.error(error, "Failed to establish connection with Humanitec");
+      return [];
+    }
+  };
+
+  return {
+    listOrganizations
+  };
+};

backend/src/services/app-connection/humanitec/humanitec-connection-types.ts

@@ -0,0 +1,40 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateHumanitecConnectionSchema,
+  HumanitecConnectionSchema,
+  ValidateHumanitecConnectionCredentialsSchema
+} from "./humanitec-connection-schemas";
+
+export type THumanitecConnection = z.infer<typeof HumanitecConnectionSchema>;
+
+export type THumanitecConnectionInput = z.infer<typeof CreateHumanitecConnectionSchema> & {
+  app: AppConnection.Humanitec;
+};
+
+export type TValidateHumanitecConnectionCredentials = typeof ValidateHumanitecConnectionCredentialsSchema;
+
+export type THumanitecConnectionConfig = DiscriminativePick<
+  THumanitecConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type HumanitecOrg = {
+  id: string;
+  name: string;
+};
+
+export type HumanitecApp = {
+  name: string;
+  id: string;
+  envs: { name: string; id: string }[];
+};
+
+export type HumanitecOrgWithApps = HumanitecOrg & {
+  apps: HumanitecApp[];
+};

backend/src/services/app-connection/humanitec/index.ts

@@ -0,0 +1,4 @@
+export * from "./humanitec-connection-enums";
+export * from "./humanitec-connection-fns";
+export * from "./humanitec-connection-schemas";
+export * from "./humanitec-connection-types";

backend/src/services/integration-auth/integration-list.ts

@@ -93,6 +93,7 @@ export enum IntegrationUrls {
   NORTHFLANK_API_URL = "https://api.northflank.com",
   HASURA_CLOUD_API_URL = "https://data.pro.hasura.io/v1/graphql",
   AZURE_DEVOPS_API_URL = "https://dev.azure.com",
+  HUMANITEC_API_URL = "https://api.humanitec.io",
 
   GCP_SECRET_MANAGER_SERVICE_NAME = "secretmanager.googleapis.com",
   GCP_SECRET_MANAGER_URL = `https://${GCP_SECRET_MANAGER_SERVICE_NAME}`,

backend/src/services/org/org-service.ts

@@ -19,7 +19,11 @@ import {
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  OrgPermissionActions,
+  OrgPermissionSecretShareAction,
+  OrgPermissionSubjects
+} from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
@@ -286,12 +290,27 @@ export const orgServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     orgId,
-    data: { name, slug, authEnforced, scimEnabled, defaultMembershipRoleSlug, enforceMfa, selectedMfaMethod }
+    data: {
+      name,
+      slug,
+      authEnforced,
+      scimEnabled,
+      defaultMembershipRoleSlug,
+      enforceMfa,
+      selectedMfaMethod,
+      allowSecretSharingOutsideOrganization
+    }
   }: TUpdateOrgDTO) => {
     const appCfg = getConfig();
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
 
+    if (allowSecretSharingOutsideOrganization !== undefined) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionSecretShareAction.ManageSettings,
+        OrgPermissionSubjects.SecretShare
+      );
+    }
     const plan = await licenseService.getPlan(orgId);
     const currentOrg = await orgDAL.findOrgById(actorOrgId);
 
@@ -358,7 +377,8 @@ export const orgServiceFactory = ({
       scimEnabled,
       defaultMembershipRole,
       enforceMfa,
-      selectedMfaMethod
+      selectedMfaMethod,
+      allowSecretSharingOutsideOrganization
     });
     if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
     return org;

backend/src/services/org/org-types.ts

@@ -72,6 +72,7 @@ export type TUpdateOrgDTO = {
     defaultMembershipRoleSlug: string;
     enforceMfa: boolean;
     selectedMfaMethod: MfaMethod;
+    allowSecretSharingOutsideOrganization: boolean;
   }>;
 } & TOrgPermission;
 

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -82,6 +82,13 @@ export const secretSharingServiceFactory = ({
     if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
     $validateSharedSecretExpiry(expiresAt);
 
+    const org = await orgDAL.findOrgById(orgId);
+    if (!org.allowSecretSharingOutsideOrganization && accessType === SecretSharingAccessType.Anyone) {
+      throw new BadRequestError({
+        message: "Organization does not allow sharing secrets to members outside of this organization"
+      });
+    }
+
     if (secretValue.length > 10_000) {
       throw new BadRequestError({ message: "Shared secret value too long" });
     }

backend/src/services/secret-sync/humanitec/humanitec-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const HUMANITEC_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Humanitec",
+  destination: SecretSync.Humanitec,
+  connection: AppConnection.Humanitec,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/humanitec/humanitec-sync-enums.ts

@@ -0,0 +1,4 @@
+export enum HumanitecSyncScope {
+  Application = "application",
+  Environment = "environment"
+}

backend/src/services/secret-sync/humanitec/humanitec-sync-fns.ts

@@ -0,0 +1,218 @@
+import { request } from "@app/lib/config/request";
+import { logger } from "@app/lib/logger";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { HumanitecSyncScope } from "./humanitec-sync-enums";
+import { HumanitecSecret, THumanitecSyncWithCredentials } from "./humanitec-sync-types";
+
+const getHumanitecSecrets = async (secretSync: THumanitecSyncWithCredentials) => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiToken }
+    }
+  } = secretSync;
+
+  let url = `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}`;
+  if (destinationConfig.scope === HumanitecSyncScope.Environment) {
+    url += `/envs/${destinationConfig.env}`;
+  }
+  url += "/values";
+
+  const { data } = await request.get<HumanitecSecret[]>(url, {
+    headers: {
+      Authorization: `Bearer ${apiToken}`,
+      Accept: "application/json"
+    }
+  });
+
+  return data;
+};
+
+const deleteSecret = async (secretSync: THumanitecSyncWithCredentials, encryptedSecret: HumanitecSecret) => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiToken }
+    }
+  } = secretSync;
+
+  if (destinationConfig.scope === HumanitecSyncScope.Environment && encryptedSecret.source === "app") {
+    logger.info(
+      `Humanitec secret ${encryptedSecret.key} on app ${destinationConfig.app} has no environment override, not deleted as it is an app-level secret`
+    );
+    return;
+  }
+
+  try {
+    let url = `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}`;
+    if (destinationConfig.scope === HumanitecSyncScope.Environment) {
+      url += `/envs/${destinationConfig.env}`;
+    }
+    url += `/values/${encryptedSecret.key}`;
+
+    await request.delete(url, {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    });
+  } catch (error) {
+    throw new SecretSyncError({
+      error,
+      secretKey: encryptedSecret.key
+    });
+  }
+};
+
+const createSecret = async (secretSync: THumanitecSyncWithCredentials, secretMap: TSecretMap, key: string) => {
+  try {
+    const {
+      destinationConfig,
+      connection: {
+        credentials: { apiToken }
+      }
+    } = secretSync;
+
+    const appLevelSecret = destinationConfig.scope === HumanitecSyncScope.Application ? secretMap[key].value : "";
+    await request.post(
+      `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}/values`,
+      {
+        key,
+        value: appLevelSecret,
+        description: secretMap[key].comment || "",
+        is_secret: true
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${apiToken}`,
+          Accept: "application/json"
+        }
+      }
+    );
+    if (destinationConfig.scope === HumanitecSyncScope.Environment) {
+      await request.patch(
+        `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}/envs/${destinationConfig.env}/values/${key}`,
+        {
+          value: secretMap[key].value,
+          description: secretMap[key].comment || ""
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${apiToken}`,
+            Accept: "application/json"
+          }
+        }
+      );
+    }
+  } catch (error) {
+    throw new SecretSyncError({
+      error,
+      secretKey: key
+    });
+  }
+};
+
+const updateSecret = async (
+  secretSync: THumanitecSyncWithCredentials,
+  secretMap: TSecretMap,
+  encryptedSecret: HumanitecSecret
+) => {
+  try {
+    const {
+      destinationConfig,
+      connection: {
+        credentials: { apiToken }
+      }
+    } = secretSync;
+    if (destinationConfig.scope === HumanitecSyncScope.Application) {
+      await request.patch(
+        `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}/values/${encryptedSecret.key}`,
+        {
+          value: secretMap[encryptedSecret.key].value,
+          description: secretMap[encryptedSecret.key].comment || ""
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${apiToken}`,
+            Accept: "application/json"
+          }
+        }
+      );
+    } else if (encryptedSecret.source === "app") {
+      await request.post(
+        `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}/envs/${destinationConfig.env}/values`,
+        {
+          value: secretMap[encryptedSecret.key].value,
+          description: secretMap[encryptedSecret.key].comment || "",
+          key: encryptedSecret.key,
+          is_secret: true
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${apiToken}`,
+            Accept: "application/json"
+          }
+        }
+      );
+    } else {
+      await request.patch(
+        `${IntegrationUrls.HUMANITEC_API_URL}/orgs/${destinationConfig.org}/apps/${destinationConfig.app}/envs/${destinationConfig.env}/values/${encryptedSecret.key}`,
+        {
+          value: secretMap[encryptedSecret.key].value,
+          description: secretMap[encryptedSecret.key].comment || ""
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${apiToken}`,
+            Accept: "application/json"
+          }
+        }
+      );
+    }
+  } catch (error) {
+    throw new SecretSyncError({
+      error,
+      secretKey: encryptedSecret.key
+    });
+  }
+};
+
+export const HumanitecSyncFns = {
+  syncSecrets: async (secretSync: THumanitecSyncWithCredentials, secretMap: TSecretMap) => {
+    const humanitecSecrets = await getHumanitecSecrets(secretSync);
+    const humanitecSecretsKeys = new Map(humanitecSecrets.map((s) => [s.key, s]));
+
+    for await (const key of Object.keys(secretMap)) {
+      const existingSecret = humanitecSecretsKeys.get(key);
+
+      if (!existingSecret) {
+        await createSecret(secretSync, secretMap, key);
+      } else {
+        await updateSecret(secretSync, secretMap, existingSecret);
+      }
+    }
+
+    for await (const humanitecSecret of humanitecSecrets) {
+      if (!secretMap[humanitecSecret.key]) {
+        await deleteSecret(secretSync, humanitecSecret);
+      }
+    }
+  },
+  getSecrets: async (secretSync: THumanitecSyncWithCredentials): Promise<TSecretMap> => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  },
+
+  removeSecrets: async (secretSync: THumanitecSyncWithCredentials, secretMap: TSecretMap) => {
+    const encryptedSecrets = await getHumanitecSecrets(secretSync);
+
+    for await (const encryptedSecret of encryptedSecrets) {
+      if (encryptedSecret.key in secretMap) {
+        await deleteSecret(secretSync, encryptedSecret);
+      }
+    }
+  }
+};

backend/src/services/secret-sync/humanitec/humanitec-sync-schemas.ts

@@ -0,0 +1,54 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { HumanitecSyncScope } from "@app/services/secret-sync/humanitec/humanitec-sync-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const HumanitecSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
+  z.object({
+    scope: z.literal(HumanitecSyncScope.Application).describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.scope),
+    org: z.string().min(1, "Org ID is required").describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.org),
+    app: z.string().min(1, "App ID is required").describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.app)
+  }),
+  z.object({
+    scope: z.literal(HumanitecSyncScope.Environment).describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.scope),
+    org: z.string().min(1, "Org ID is required").describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.org),
+    app: z.string().min(1, "App ID is required").describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.app),
+    env: z.string().min(1, "Env ID is required").describe(SecretSyncs.DESTINATION_CONFIG.HUMANITEC.env)
+  })
+]);
+
+const HumanitecSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const HumanitecSyncSchema = BaseSecretSyncSchema(SecretSync.Humanitec, HumanitecSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Humanitec),
+  destinationConfig: HumanitecSyncDestinationConfigSchema
+});
+
+export const CreateHumanitecSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Humanitec,
+  HumanitecSyncOptionsConfig
+).extend({
+  destinationConfig: HumanitecSyncDestinationConfigSchema
+});
+
+export const UpdateHumanitecSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Humanitec,
+  HumanitecSyncOptionsConfig
+).extend({
+  destinationConfig: HumanitecSyncDestinationConfigSchema.optional()
+});
+
+export const HumanitecSyncListItemSchema = z.object({
+  name: z.literal("Humanitec"),
+  connection: z.literal(AppConnection.Humanitec),
+  destination: z.literal(SecretSync.Humanitec),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/humanitec/humanitec-sync-types.ts

@@ -0,0 +1,23 @@
+import z from "zod";
+
+import { THumanitecConnection } from "@app/services/app-connection/humanitec";
+
+import { CreateHumanitecSyncSchema, HumanitecSyncListItemSchema, HumanitecSyncSchema } from "./humanitec-sync-schemas";
+
+export type THumanitecSyncListItem = z.infer<typeof HumanitecSyncListItemSchema>;
+
+export type THumanitecSync = z.infer<typeof HumanitecSyncSchema>;
+
+export type THumanitecSyncInput = z.infer<typeof CreateHumanitecSyncSchema>;
+
+export type THumanitecSyncWithCredentials = THumanitecSync & {
+  connection: THumanitecConnection;
+};
+
+export type HumanitecSecret = {
+  description: string;
+  is_secret: boolean;
+  key: string;
+  source: "app" | "env";
+  value: string;
+};

backend/src/services/secret-sync/humanitec/index.ts

@@ -0,0 +1,5 @@
+export * from "./humanitec-sync-constants";
+export * from "./humanitec-sync-enums";
+export * from "./humanitec-sync-fns";
+export * from "./humanitec-sync-schemas";
+export * from "./humanitec-sync-types";

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -5,7 +5,8 @@ export enum SecretSync {
   GCPSecretManager = "gcp-secret-manager",
   AzureKeyVault = "azure-key-vault",
   AzureAppConfiguration = "azure-app-configuration",
-  Databricks = "databricks"
+  Databricks = "databricks",
+  Humanitec = "humanitec"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -24,6 +24,8 @@ import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFact
 import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
+import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
+import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
 
 const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
@@ -32,7 +34,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.GCPSecretManager]: GCP_SYNC_LIST_OPTION,
   [SecretSync.AzureKeyVault]: AZURE_KEY_VAULT_SYNC_LIST_OPTION,
   [SecretSync.AzureAppConfiguration]: AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION,
-  [SecretSync.Databricks]: DATABRICKS_SYNC_LIST_OPTION
+  [SecretSync.Databricks]: DATABRICKS_SYNC_LIST_OPTION,
+  [SecretSync.Humanitec]: HUMANITEC_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -116,6 +119,8 @@ export const SecretSyncFns = {
           appConnectionDAL,
           kmsService
         }).syncSecrets(secretSync, secretMap);
+      case SecretSync.Humanitec:
+        return HumanitecSyncFns.syncSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -157,6 +162,9 @@ export const SecretSyncFns = {
           appConnectionDAL,
           kmsService
         }).getSecrets(secretSync);
+      case SecretSync.Humanitec:
+        secretMap = await HumanitecSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -197,6 +205,8 @@ export const SecretSyncFns = {
           appConnectionDAL,
           kmsService
         }).removeSecrets(secretSync, secretMap);
+      case SecretSync.Humanitec:
+        return HumanitecSyncFns.removeSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -8,7 +8,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.GCPSecretManager]: "GCP Secret Manager",
   [SecretSync.AzureKeyVault]: "Azure Key Vault",
   [SecretSync.AzureAppConfiguration]: "Azure App Configuration",
-  [SecretSync.Databricks]: "Databricks"
+  [SecretSync.Databricks]: "Databricks",
+  [SecretSync.Humanitec]: "Humanitec"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -18,5 +19,6 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.GCPSecretManager]: AppConnection.GCP,
   [SecretSync.AzureKeyVault]: AppConnection.AzureKeyVault,
   [SecretSync.AzureAppConfiguration]: AppConnection.AzureAppConfiguration,
-  [SecretSync.Databricks]: AppConnection.Databricks
+  [SecretSync.Databricks]: AppConnection.Databricks,
+  [SecretSync.Humanitec]: AppConnection.Humanitec
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -43,6 +43,12 @@ import {
   TAzureKeyVaultSyncWithCredentials
 } from "./azure-key-vault";
 import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
+import {
+  THumanitecSync,
+  THumanitecSyncInput,
+  THumanitecSyncListItem,
+  THumanitecSyncWithCredentials
+} from "./humanitec";
 
 export type TSecretSync =
   | TAwsParameterStoreSync
@@ -51,7 +57,8 @@ export type TSecretSync =
   | TGcpSync
   | TAzureKeyVaultSync
   | TAzureAppConfigurationSync
-  | TDatabricksSync;
+  | TDatabricksSync
+  | THumanitecSync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -60,7 +67,8 @@ export type TSecretSyncWithCredentials =
   | TGcpSyncWithCredentials
   | TAzureKeyVaultSyncWithCredentials
   | TAzureAppConfigurationSyncWithCredentials
-  | TDatabricksSyncWithCredentials;
+  | TDatabricksSyncWithCredentials
+  | THumanitecSyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -69,7 +77,8 @@ export type TSecretSyncInput =
   | TGcpSyncInput
   | TAzureKeyVaultSyncInput
   | TAzureAppConfigurationSyncInput
-  | TDatabricksSyncInput;
+  | TDatabricksSyncInput
+  | THumanitecSyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -78,7 +87,8 @@ export type TSecretSyncListItem =
   | TGcpSyncListItem
   | TAzureKeyVaultSyncListItem
   | TAzureAppConfigurationSyncListItem
-  | TDatabricksSyncListItem;
+  | TDatabricksSyncListItem
+  | THumanitecSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

cli/packages/api/model.go

@@ -2,6 +2,12 @@ package api
 
 import "time"
 
+type Environment struct {
+	Name string `json:"name"`
+	Slug string `json:"slug"`
+	ID   string `json:"id"`
+}
+
 // Stores info for login one
 type LoginOneRequest struct {
 	Email           string `json:"email"`
@@ -14,7 +20,6 @@ type LoginOneResponse struct {
 }
 
 // Stores info for login two
-
 type LoginTwoRequest struct {
 	Email       string `json:"email"`
 	ClientProof string `json:"clientProof"`
@@ -168,9 +173,10 @@ type Secret struct {
 }
 
 type Project struct {
-	ID   string `json:"id"`
-	Name string `json:"name"`
-	Slug string `json:"slug"`
+	ID           string        `json:"id"`
+	Name         string        `json:"name"`
+	Slug         string        `json:"slug"`
+	Environments []Environment `json:"environments"`
 }
 
 type RawSecret struct {

cli/packages/cmd/run.go

@@ -15,6 +15,9 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/go-resty/resty/v2"
+
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/fatih/color"
@@ -59,11 +62,11 @@ var runCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		environmentName, _ := cmd.Flags().GetString("env")
+		environmentSlug, _ := cmd.Flags().GetString("env")
 		if !cmd.Flags().Changed("env") {
 			environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
 			if environmentFromWorkspace != "" {
-				environmentName = environmentFromWorkspace
+				environmentSlug = environmentFromWorkspace
 			}
 		}
 
@@ -136,8 +139,20 @@ var runCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
+		log.Debug().Msgf("Confirming selected environment is valid: %s", environmentSlug)
+
+		hasEnvironment, err := confirmProjectHasEnvironment(environmentSlug, projectId, token)
+		if err != nil {
+			util.HandleError(err, "Could not confirm project has environment")
+		}
+		if !hasEnvironment {
+			util.HandleError(fmt.Errorf("project does not have environment '%s'", environmentSlug))
+		}
+
+		log.Debug().Msgf("Project '%s' has environment '%s'", projectId, environmentSlug)
+
 		request := models.GetAllSecretsParameters{
-			Environment:            environmentName,
+			Environment:            environmentSlug,
 			WorkspaceId:            projectId,
 			TagSlugs:               tagSlugs,
 			SecretsPath:            secretsPath,
@@ -308,7 +323,6 @@ func waitForExitCommand(cmd *exec.Cmd) (int, error) {
 }
 
 func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInterval int, request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) {
-
 	var cmd *exec.Cmd
 	var err error
 	var lastSecretsFetch time.Time
@@ -439,8 +453,53 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 	}
 }
 
-func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) (models.InjectableEnvironmentResult, error) {
+func confirmProjectHasEnvironment(environmentSlug, projectId string, token *models.TokenDetails) (bool, error) {
+	var accessToken string
 
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		accessToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		accessToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	httpClient := resty.New()
+	httpClient.SetAuthToken(accessToken).
+		SetHeader("Accept", "application/json")
+
+	project, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		return false, err
+	}
+
+	for _, env := range project.Environments {
+		if env.Slug == environmentSlug {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) (models.InjectableEnvironmentResult, error) {
 	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
 		request.InfisicalToken = token.Token
 	} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {

cli/packages/util/secrets.go

@@ -232,7 +232,6 @@ func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tag
 
 func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
 	var secretsToReturn []models.SingleEnvironmentVariable
-	// var serviceTokenDetails api.GetServiceTokenDetailsResponse
 	var errorToReturn error
 
 	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {

cli/test/secrets_test.go

@@ -76,7 +76,6 @@ func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
 	if err != nil {
 		t.Fatalf("snapshot failed: %v", err)
 	}
-
 }
 
 func TestUserAuth_SecretsGetAll(t *testing.T) {

docs/api-reference/endpoints/app-connections/humanitec/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/humanitec/available"
+---

docs/api-reference/endpoints/app-connections/humanitec/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/humanitec"
+---

docs/api-reference/endpoints/app-connections/humanitec/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/humanitec/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/humanitec/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/humanitec/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/humanitec/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/humanitec/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/humanitec/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/humanitec"
+---

docs/api-reference/endpoints/app-connections/humanitec/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/humanitec/{connectionId}"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/humanitec"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/humanitec/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/humanitec/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/humanitec/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/humanitec"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/humanitec/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/humanitec/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/humanitec/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/humanitec/{syncId}"
+---

docs/integrations/app-connections/humanitec.mdx

@@ -0,0 +1,71 @@
+---
+title: "Humanitec Connection"
+description: "Learn how to configure a Humanitec Connection for Infisical."
+---
+
+Infisical supports connecting to Humanitec using a service user.
+
+## Setup Humanitec Connection in Infisical
+
+<Steps>
+    <Step title="Move to Service Users on Humanitec">
+        Navigate to the Humanitec **Service Users** tab.
+        ![Humanitec Service Users Tab](/images/app-connections/humanitec/humanitec-service-users.png)
+    </Step>
+    <Step title="Create a Service User">
+        Create a new service user. Take into account that the role set here will affect the permissions of the API Token so be sure to set it so the Service User has access permissions to the App you want to integrate to Infisical.
+        ![Humanitec Create New Service User](/images/app-connections/humanitec/humanitec-create-new-user.png)
+    </Step>
+    <Step title="Add API Token for the Service User">
+        Add a new API token for the service user.
+        ![Humanitec Add API Token](/images/app-connections/humanitec/humanitec-add-api-token.png)
+    </Step>
+    <Step title="Create the API Token for the Service User">
+        Create the API token for the service user.
+        This token's permission will be limited to the **Service User** role.
+        <Note>
+            If you configure an expiry date for your API token you will need to manually rotate to a new token prior to expiration to avoid integration downtime.
+        </Note>
+        ![Humanitec Create API Token](/images/app-connections/humanitec/humanitec-create-api-token.png)
+    </Step>
+    <Step title="Copy the API Token">
+        A modal with the API token will be displayed. Save the token in a secure location for later use in the following steps.
+        ![Humanitec Copy API Token](/images/app-connections/humanitec/humanitec-copy-api-token.png)
+    </Step>
+    <Step title="Service User has been successfully created">
+        After following the previous steps the Service User has been successfully created, and now should be visible on the Service Users tab.
+        ![Humanitec Service User Created](/images/app-connections/humanitec/humanitec-service-account-filled.png)
+    </Step>
+    <Step title="Add Service User to Application">
+        Move to the **Applications** tab and add the Service User to the Application you want to sync with Infisical.
+        Clicking on the App Title will open the App details page.
+        ![Humanitec Applications Tab](/images/app-connections/humanitec/humanitec-applications-tab.png)
+    </Step>
+    <Step title="Add new member to this Application">
+        Move to the **People** tab and add a new member to this Application. The recently created User Service should be visible on the dropdown shown.
+        Make sure to assign at least Developer role as Write permissions are required.
+        ![Humanitec Add User to Application](/images/app-connections/humanitec/humanitec-add-user.png)
+        ![Humanitec Add User Options](/images/app-connections/humanitec/humanitec-add-user-options.png)
+        ![Humanitec Add User Role](/images/app-connections/humanitec/humanitec-add-user-role.png)
+    </Step>
+    <Step title="Connection Created">
+        Your **Humanitec Connection** is now available for use.
+        ![Humanitec Connection Created](/images/app-connections/humanitec/humanitec-user-added.png)
+    </Step>
+    <Step title="Navigate to App Connections">
+        Navigate to the **App Connections** tab on the **Organization Settings** page.
+        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+    </Step>
+    <Step title="Add Connection">
+        Select the **Humanitec Connection** option from the connection options modal.
+        ![Select Humanitec Connection](/images/app-connections/humanitec/humanitec-app-connection-option.png)
+    </Step>
+    <Step title="Fill the Humanitec Connection Modal">
+        Fill the Humanitec Connection modal, here you will need to provide the User Service API Token generated in the previous step.
+        ![Humanitec Connection Modal](/images/app-connections/humanitec/humanitec-app-connection-modal.png)
+    </Step>
+    <Step title="Connection Created">
+        Your **Humanitec Connection** is now available for use.
+        ![Humanitec Connection Created](/images/app-connections/humanitec/humanitec-app-connection-created.png)
+    </Step>
+</Steps>

docs/integrations/secret-syncs/humanitec.mdx

@@ -0,0 +1,156 @@
+---
+title: "Humanitec Sync"
+description: "Learn how to configure a Humanitec Sync for Infisical."
+---
+
+**Prerequisites:**
+
+        - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+        - Create a [Humanitec Connection](/integrations/app-connections/humanitec)
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+        ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+        2. Select the **Humanitec** option.
+        ![Select Humanitec](/images/secret-syncs/humanitec/select-humanitec-option.png)
+
+        3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+        ![Configure Source](/images/secret-syncs/humanitec/humanitec-source.png)
+
+            - **Environment**: The project environment to retrieve secrets from.
+            - **Secret Path**: The folder path to retrieve secrets from.
+
+        <Tip>
+            If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+        </Tip>
+
+        4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+        ![Configure Destination](/images/secret-syncs/humanitec/humanitec-destination.png)
+
+            - **Humanitec Connection**: The Humanitec Connection to authenticate with.
+            - **Scope**: The Humanitec secret scope to sync secrets to.
+                - **Application**: Sync secrets to a specific application.
+                - **Environment**: Sync secrets to a specific environment of an application.
+            <p class="height:1px"  />
+            The remaining fields are determined by the selected **Scope**:
+            <AccordionGroup>
+                <Accordion title="Application">
+                    - **Organization**: The organization to deploy secrets to.
+                    - **App**: The application to deploy secrets to.
+                </Accordion>
+                <Accordion title="Environment">
+                    - **Organization**: The organization to deploy secrets to.
+                    - **App**: The application to deploy secrets to.
+                    - **Environment**: The environment to deploy secrets to.
+                </Accordion>
+            </AccordionGroup>
+
+        5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+        ![Configure Options](/images/secret-syncs/humanitec/humanitec-options.png)
+
+            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                <Note>
+                    Humanitec does not support importing secrets.
+                </Note>
+            - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+
+        6. Configure the **Details** of your Humanitec Sync, then click **Next**.
+        ![Configure Details](/images/secret-syncs/humanitec/humanitec-details.png)
+
+            - **Name**: The name of your sync. Must be slug-friendly.
+            - **Description**: An optional description for your sync.
+
+        7. Review your Humanitec Sync configuration, then click **Create Sync**.
+        ![Confirm Configuration](/images/secret-syncs/humanitec/humanitec-review.png)
+
+        8. If enabled, your Humanitec Sync will begin syncing your secrets to the destination endpoint.
+        ![Sync Secrets](/images/secret-syncs/humanitec/humanitec-created.png)
+
+    </Tab>
+    <Tab title="API">
+        To create an **Humanitec Sync**, make an API request to the [Create Humanitec Sync](/api-reference/endpoints/secret-syncs/humanitec/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+        --url https://app.infisical.com/api/v1/secret-syncs/humanitec \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-humanitec-sync",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "an example sync",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/my-secrets",
+            "isEnabled": true,
+            "syncOptions": {
+                "initialSyncBehavior": "overwrite-destination"
+            },
+            "destinationConfig": {
+                "scope": "application",
+                "app": "my-app",
+                "environment": "development"
+            }
+        }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-humanitec-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination"
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "humanitec",
+                    "name": "my-humanitec-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "humanitec",
+                "destinationConfig": {
+                    "scope": "application",
+                    "org": "my-organization",
+                    "app": "my-app",
+                    "env": "development"
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>

docs/mint.json

@@ -408,7 +408,8 @@
             "integrations/app-connections/azure-key-vault",
             "integrations/app-connections/databricks",
             "integrations/app-connections/gcp",
-            "integrations/app-connections/github"
+            "integrations/app-connections/github",
+            "integrations/app-connections/humanitec"
           ]
         }
       ]
@@ -426,7 +427,8 @@
             "integrations/secret-syncs/azure-key-vault",
             "integrations/secret-syncs/databricks",
             "integrations/secret-syncs/gcp-secret-manager",
-            "integrations/secret-syncs/github"
+            "integrations/secret-syncs/github",
+            "integrations/secret-syncs/humanitec"
           ]
         }
       ]
@@ -898,6 +900,18 @@
                 "api-reference/endpoints/app-connections/github/update",
                 "api-reference/endpoints/app-connections/github/delete"
               ]
+            },
+            {
+              "group": "Humanitec",
+              "pages": [
+                "api-reference/endpoints/app-connections/humanitec/list",
+                "api-reference/endpoints/app-connections/humanitec/available",
+                "api-reference/endpoints/app-connections/humanitec/get-by-id",
+                "api-reference/endpoints/app-connections/humanitec/get-by-name",
+                "api-reference/endpoints/app-connections/humanitec/create",
+                "api-reference/endpoints/app-connections/humanitec/update",
+                "api-reference/endpoints/app-connections/humanitec/delete"
+              ]
             }
           ]
         },
@@ -1001,6 +1015,19 @@
                 "api-reference/endpoints/secret-syncs/github/sync-secrets",
                 "api-reference/endpoints/secret-syncs/github/remove-secrets"
               ]
+            },
+            {
+              "group": "Humanitec",
+              "pages": [
+                "api-reference/endpoints/secret-syncs/humanitec/list",
+                "api-reference/endpoints/secret-syncs/humanitec/get-by-id",
+                "api-reference/endpoints/secret-syncs/humanitec/get-by-name",
+                "api-reference/endpoints/secret-syncs/humanitec/create",
+                "api-reference/endpoints/secret-syncs/humanitec/update",
+                "api-reference/endpoints/secret-syncs/humanitec/delete",
+                "api-reference/endpoints/secret-syncs/humanitec/sync-secrets",
+                "api-reference/endpoints/secret-syncs/humanitec/remove-secrets"
+              ]
             }
           ]
         },

flake.nix

@@ -14,11 +14,21 @@
           git
           lazygit
 
+          go
           python312Full
           nodejs_20
           nodePackages.prettier
           infisical
         ];
+
+        env = {
+          GOROOT = "${pkgs.go}/share/go";
+        };
+
+        shellHook = ''
+          export GOPATH="$(pwd)/.go"
+          mkdir -p "$GOPATH"
+        '';
       };
   };
 }

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/HumanitecSyncFields.tsx

@@ -0,0 +1,197 @@
+import { Controller, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+import { faCircleInfo } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
+import { FilterableSelect, FormControl, Select, SelectItem, Tooltip } from "@app/components/v2";
+import { HUMANITEC_SYNC_SCOPES } from "@app/helpers/secretSyncs";
+import {
+  THumanitecConnectionApp,
+  THumanitecConnectionEnvironment,
+  THumanitecConnectionOrganization,
+  useHumanitecConnectionListOrganizations
+} from "@app/hooks/api/appConnections/humanitec";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { HumanitecSyncScope } from "@app/hooks/api/secretSyncs/types/humanitec-sync";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const HumanitecSyncFields = () => {
+  const { control, watch, setValue } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.Humanitec }
+  >();
+
+  const connectionId = useWatch({ name: "connection.id", control });
+  const currentOrg = watch("destinationConfig.org");
+  const currentApp = watch("destinationConfig.app");
+  const currentScope = watch("destinationConfig.scope");
+
+  const { data: organizations = [], isPending: isOrganizationsPending } =
+    useHumanitecConnectionListOrganizations(connectionId, {
+      enabled: Boolean(connectionId)
+    });
+
+  const selectedOrg = organizations?.find((org) => org.id === currentOrg);
+  const selectedApp = selectedOrg?.apps?.find((app) => app.id === currentApp);
+  const environments = selectedApp?.envs || [];
+
+  return (
+    <>
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("destinationConfig.org", "");
+          setValue("destinationConfig.app", "");
+          setValue("destinationConfig.env", "");
+        }}
+      />
+      <Controller
+        name="destinationConfig.org"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            errorText={error?.message}
+            isError={Boolean(error?.message)}
+            label="Organization"
+          >
+            <FilterableSelect
+              isLoading={isOrganizationsPending && Boolean(connectionId)}
+              isDisabled={!connectionId}
+              value={organizations ? (organizations.find((org) => org.id === value) ?? []) : []}
+              onChange={(option) => {
+                onChange((option as SingleValue<THumanitecConnectionOrganization>)?.id ?? null);
+                setValue("destinationConfig.app", "");
+                setValue("destinationConfig.env", "");
+              }}
+              options={organizations}
+              placeholder="Select an organization..."
+              getOptionLabel={(option) => option.name}
+              getOptionValue={(option) => option.id.toString()}
+            />
+          </FormControl>
+        )}
+      />
+      <Controller
+        name="destinationConfig.app"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="App"
+            helperText={
+              <Tooltip
+                className="max-w-md"
+                content="Ensure that the app exists in the selected organization and the service account used on this connection has write permissions for the specified app."
+              >
+                <div>
+                  <span>Don&#39;t see the app you&#39;re looking for?</span>{" "}
+                  <FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
+                </div>
+              </Tooltip>
+            }
+          >
+            <FilterableSelect
+              menuPlacement="top"
+              isLoading={isOrganizationsPending && Boolean(connectionId) && Boolean(currentOrg)}
+              isDisabled={!connectionId || !currentOrg}
+              value={
+                organizations
+                  .find((org) => org.id === currentOrg)
+                  ?.apps?.find((app) => app.id === value) ?? null
+              }
+              onChange={(option) => {
+                onChange((option as SingleValue<THumanitecConnectionApp>)?.id ?? null);
+                setValue("destinationConfig.env", "");
+              }}
+              options={
+                currentOrg ? (organizations.find((org) => org.id === currentOrg)?.apps ?? []) : []
+              }
+              placeholder="Select an app..."
+              getOptionLabel={(option) => option.name}
+              getOptionValue={(option) => option.id.toString()}
+            />
+          </FormControl>
+        )}
+      />
+      <Controller
+        name="destinationConfig.scope"
+        control={control}
+        defaultValue={HumanitecSyncScope.Application}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            errorText={error?.message}
+            isError={Boolean(error?.message)}
+            label="Scope"
+            tooltipClassName="max-w-lg py-3"
+            tooltipText={
+              <div className="flex flex-col gap-3">
+                <p>
+                  Specify how Infisical should manage secrets from Humanitec. The following options
+                  are available:
+                </p>
+                <ul className="flex list-disc flex-col gap-3 pl-4">
+                  {Object.values(HUMANITEC_SYNC_SCOPES).map(({ name, description }) => {
+                    return (
+                      <li key={name}>
+                        <p className="text-mineshaft-300">
+                          <span className="font-medium text-bunker-200">{name}</span>: {description}
+                        </p>
+                      </li>
+                    );
+                  })}
+                </ul>
+              </div>
+            }
+          >
+            <Select
+              value={value}
+              onValueChange={(val) => {
+                onChange(val);
+                setValue("destinationConfig.env", "");
+              }}
+              className="w-full border border-mineshaft-500 capitalize"
+              position="popper"
+              placeholder="Select a scope..."
+              dropdownContainerClassName="max-w-none"
+            >
+              {Object.values(HumanitecSyncScope).map((scope) => (
+                <SelectItem className="capitalize" value={scope} key={scope}>
+                  {scope.replace("-", " ")}
+                </SelectItem>
+              ))}
+            </Select>
+          </FormControl>
+        )}
+      />
+      {currentScope === HumanitecSyncScope.Environment && (
+        <Controller
+          name="destinationConfig.env"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl isError={Boolean(error)} errorText={error?.message} label="Environment">
+              <FilterableSelect
+                menuPlacement="top"
+                isLoading={
+                  isOrganizationsPending &&
+                  Boolean(connectionId) &&
+                  Boolean(currentOrg) &&
+                  Boolean(currentApp)
+                }
+                isDisabled={!connectionId || !currentApp}
+                value={environments.find((env) => env.id === value) ?? null}
+                onChange={(option) =>
+                  onChange((option as SingleValue<THumanitecConnectionEnvironment>)?.id ?? null)
+                }
+                options={environments}
+                placeholder="Select an env..."
+                getOptionLabel={(option) => option.name}
+                getOptionValue={(option) => option.id.toString()}
+              />
+            </FormControl>
+          )}
+        />
+      )}
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx

@@ -10,6 +10,7 @@ import { AzureKeyVaultSyncFields } from "./AzureKeyVaultSyncFields";
 import { DatabricksSyncFields } from "./DatabricksSyncFields";
 import { GcpSyncFields } from "./GcpSyncFields";
 import { GitHubSyncFields } from "./GitHubSyncFields";
+import { HumanitecSyncFields } from "./HumanitecSyncFields";
 
 export const SecretSyncDestinationFields = () => {
   const { watch } = useFormContext<TSecretSyncForm>();
@@ -31,6 +32,8 @@ export const SecretSyncDestinationFields = () => {
       return <AzureAppConfigurationSyncFields />;
     case SecretSync.Databricks:
       return <DatabricksSyncFields />;
+    case SecretSync.Humanitec:
+      return <HumanitecSyncFields />;
     default:
       throw new Error(`Unhandled Destination Config Field: ${destination}`);
   }

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -38,6 +38,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
     case SecretSync.AzureKeyVault:
     case SecretSync.AzureAppConfiguration:
     case SecretSync.Databricks:
+    case SecretSync.Humanitec:
       AdditionalSyncOptionsFieldsComponent = null;
       break;
     default:

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/HumanitecSyncReviewFields.tsx

@@ -0,0 +1,24 @@
+import { useFormContext } from "react-hook-form";
+
+import { SecretSyncLabel } from "@app/components/secret-syncs";
+import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { HumanitecSyncScope } from "@app/hooks/api/secretSyncs/types/humanitec-sync";
+
+export const HumanitecSyncReviewFields = () => {
+  const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Humanitec }>();
+  const orgId = watch("destinationConfig.org");
+  const appId = watch("destinationConfig.app");
+  const envId = watch("destinationConfig.env");
+  const scope = watch("destinationConfig.scope");
+
+  return (
+    <>
+      <SecretSyncLabel label="Organization">{orgId}</SecretSyncLabel>
+      <SecretSyncLabel label="Application">{appId}</SecretSyncLabel>
+      {scope === HumanitecSyncScope.Environment && (
+        <SecretSyncLabel label="Environment">{envId}</SecretSyncLabel>
+      )}
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -20,6 +20,7 @@ import { AzureKeyVaultSyncReviewFields } from "./AzureKeyVaultSyncReviewFields";
 import { DatabricksSyncReviewFields } from "./DatabricksSyncReviewFields";
 import { GcpSyncReviewFields } from "./GcpSyncReviewFields";
 import { GitHubSyncReviewFields } from "./GitHubSyncReviewFields";
+import { HumanitecSyncReviewFields } from "./HumanitecSyncReviewFields";
 
 export const SecretSyncReviewFields = () => {
   const { watch } = useFormContext<TSecretSyncForm>();
@@ -67,6 +68,9 @@ export const SecretSyncReviewFields = () => {
     case SecretSync.Databricks:
       DestinationFieldsComponent = <DatabricksSyncReviewFields />;
       break;
+    case SecretSync.Humanitec:
+      DestinationFieldsComponent = <HumanitecSyncReviewFields />;
+      break;
     default:
       throw new Error(`Unhandled Destination Review Fields: ${destination}`);
   }

frontend/src/components/secret-syncs/forms/schemas/humanitec-sync-destination-schema.ts

@@ -0,0 +1,24 @@
+import { z } from "zod";
+
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { HumanitecSyncScope } from "@app/hooks/api/secretSyncs/types/humanitec-sync";
+
+export const HumanitecSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.Humanitec),
+    destinationConfig: z.discriminatedUnion("scope", [
+      z.object({
+        scope: z.literal(HumanitecSyncScope.Application),
+        org: z.string().trim().min(1, "Organization required"),
+        app: z.string().trim().min(1, "Application required")
+      }),
+      z.object({
+        scope: z.literal(HumanitecSyncScope.Environment),
+        org: z.string().trim().min(1, "Organization required"),
+        app: z.string().trim().min(1, "Application required"),
+        env: z.string().trim().min(1, "Environment required")
+      })
+    ])
+  })
+);

frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts

@@ -8,6 +8,7 @@ import { AwsParameterStoreSyncDestinationSchema } from "./aws-parameter-store-sy
 import { AzureAppConfigurationSyncDestinationSchema } from "./azure-app-configuration-sync-destination-schema";
 import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
 import { GcpSyncDestinationSchema } from "./gcp-sync-destination-schema";
+import { HumanitecSyncDestinationSchema } from "./humanitec-sync-destination-schema";
 
 const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncDestinationSchema,
@@ -16,7 +17,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   GcpSyncDestinationSchema,
   AzureKeyVaultSyncDestinationSchema,
   AzureAppConfigurationSyncDestinationSchema,
-  DatabricksSyncDestinationSchema
+  DatabricksSyncDestinationSchema,
+  HumanitecSyncDestinationSchema
 ]);
 
 export const SecretSyncFormSchema = SecretSyncUnionSchema;

frontend/src/const/routes.ts

@@ -23,7 +23,11 @@ export const ROUTE_PATHS = Object.freeze({
     ),
     SecretSharing: setRoute(
       "/organization/secret-sharing",
-      "/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing"
+      "/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing/"
+    ),
+    SecretSharingSettings: setRoute(
+      "/organization/secret-sharing/settings",
+      "/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing/settings"
     ),
     SettingsPage: setRoute(
       "/organization/settings",

frontend/src/context/OrgPermissionContext/types.ts

@@ -34,13 +34,18 @@ export enum OrgPermissionSubjects {
   ProjectTemplates = "project-templates",
   AppConnections = "app-connections",
   Kmip = "kmip",
-  Gateway = "gateway"
+  Gateway = "gateway",
+  SecretShare = "secret-share"
 }
 
 export enum OrgPermissionAdminConsoleAction {
   AccessAllProjects = "access-all-projects"
 }
 
+export enum OrgPermissionSecretShareAction {
+  ManageSettings = "manage-settings"
+}
+
 export enum OrgPermissionAppConnectionActions {
   Read = "read",
   Create = "create",
@@ -78,7 +83,8 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
   | [OrgPermissionAppConnectionActions, OrgPermissionSubjects.AppConnections]
   | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
-  | [OrgGatewayPermissionActions, OrgPermissionSubjects.Gateway];
+  | [OrgGatewayPermissionActions, OrgPermissionSubjects.Gateway]
+  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];
 // TODO(scott): add back once org UI refactored
 // | [
 //     OrgPermissionAppConnectionActions,

frontend/src/helpers/appConnections.ts

@@ -11,6 +11,7 @@ import {
   TAppConnection
 } from "@app/hooks/api/appConnections/types";
 import { DatabricksConnectionMethod } from "@app/hooks/api/appConnections/types/databricks-connection";
+import { HumanitecConnectionMethod } from "@app/hooks/api/appConnections/types/humanitec-connection";
 
 export const APP_CONNECTION_MAP: Record<AppConnection, { name: string; image: string }> = {
   [AppConnection.AWS]: { name: "AWS", image: "Amazon Web Services.png" },
@@ -24,7 +25,8 @@ export const APP_CONNECTION_MAP: Record<AppConnection, { name: string; image: st
     name: "Azure App Configuration",
     image: "Microsoft Azure.png"
   },
-  [AppConnection.Databricks]: { name: "Databricks", image: "Databricks.png" }
+  [AppConnection.Databricks]: { name: "Databricks", image: "Databricks.png" },
+  [AppConnection.Humanitec]: { name: "Humanitec", image: "Humanitec.png" }
 };
 
 export const getAppConnectionMethodDetails = (method: TAppConnection["method"]) => {
@@ -43,6 +45,8 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
       return { name: "Service Account Impersonation", icon: faUser };
     case DatabricksConnectionMethod.ServicePrincipal:
       return { name: "Service Principal", icon: faUser };
+    case HumanitecConnectionMethod.API_TOKEN:
+      return { name: "API Token", icon: faKey };
     default:
       throw new Error(`Unhandled App Connection Method: ${method}`);
   }

frontend/src/helpers/secretSyncs.ts

@@ -4,6 +4,7 @@ import {
   SecretSyncImportBehavior,
   SecretSyncInitialSyncBehavior
 } from "@app/hooks/api/secretSyncs";
+import { HumanitecSyncScope } from "@app/hooks/api/secretSyncs/types/humanitec-sync";
 
 export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }> = {
   [SecretSync.AWSParameterStore]: { name: "AWS Parameter Store", image: "Amazon Web Services.png" },
@@ -18,6 +19,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
   [SecretSync.Databricks]: {
     name: "Databricks",
     image: "Databricks.png"
+  },
+  [SecretSync.Humanitec]: {
+    name: "Humanitec",
+    image: "Humanitec.png"
   }
 };
 
@@ -28,7 +33,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.GCPSecretManager]: AppConnection.GCP,
   [SecretSync.AzureKeyVault]: AppConnection.AzureKeyVault,
   [SecretSync.AzureAppConfiguration]: AppConnection.AzureAppConfiguration,
-  [SecretSync.Databricks]: AppConnection.Databricks
+  [SecretSync.Databricks]: AppConnection.Databricks,
+  [SecretSync.Humanitec]: AppConnection.Humanitec
 };
 
 export const SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP: Record<
@@ -62,3 +68,19 @@ export const SECRET_SYNC_IMPORT_BEHAVIOR_MAP: Record<
     description: `Infisical will import any secrets present in the ${destinationName} destination, prioritizing values from ${destinationName} over Infisical when keys conflict.`
   })
 };
+
+export const HUMANITEC_SYNC_SCOPES: Record<
+  HumanitecSyncScope,
+  { name: string; description: string }
+> = {
+  [HumanitecSyncScope.Application]: {
+    name: "Application",
+    description:
+      "Infisical will sync secrets as application level shared values to the specified Humanitec application."
+  },
+  [HumanitecSyncScope.Environment]: {
+    name: "Environment",
+    description:
+      "Infisical will sync secrets as environment level shared values to the specified Humanitec application environment."
+  }
+};

frontend/src/hooks/api/appConnections/enums.ts

@@ -4,5 +4,6 @@ export enum AppConnection {
   GCP = "gcp",
   AzureKeyVault = "azure-key-vault",
   AzureAppConfiguration = "azure-app-configuration",
-  Databricks = "databricks"
+  Databricks = "databricks",
+  Humanitec = "humanitec"
 }

frontend/src/hooks/api/appConnections/humanitec/index.ts

@@ -0,0 +1,2 @@
+export * from "./queries";
+export * from "./types";