Minor improvement on the Postgres docs changing a warning to a tip

misc: re-added EST to PKI templates

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -354,11 +354,17 @@ export const accessApprovalRequestServiceFactory = ({
       status === ApprovalStatus.APPROVED;
 
     const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-    // If user is (not an approver OR cant self approve) AND can't bypass policy
-    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
+
+    const isSelfRejection = isSelfApproval && status === ApprovalStatus.REJECTED;
+
+    // users can always reject (cancel) their own requests
+    if (!isSelfRejection) {
+      // If user is (not an approver OR cant self approve) AND can't bypass policy
+      if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
+        throw new BadRequestError({
+          message: "Failed to review access approval request. Users are not authorized to review their own request."
+        });
+      }
     }
 
     if (
@@ -414,7 +420,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       // Only throw if actor is not the approver and not bypassing
-      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt) {
+      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt && !isSelfRejection) {
         throw new BadRequestError({ message: "You are not a reviewer in this step" });
       }
     }

backend/src/lib/api-docs/constants.ts

@@ -2282,6 +2282,9 @@ export const AppConnections = {
     },
     RAILWAY: {
       apiToken: "The API token used to authenticate with Railway."
+    },
+    CHECKLY: {
+      apiKey: "The API key used to authenticate with Checkly."
     }
   }
 };
@@ -2488,6 +2491,9 @@ export const SecretSyncs = {
       environmentName: "The Railway environment to sync secrets to.",
       serviceId: "The Railway service that secrets should be synced to.",
       serviceName: "The Railway service that secrets should be synced to."
+    },
+    CHECKLY: {
+      accountId: "The ID of the Checkly account to sync secrets to."
     }
   }
 };

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -39,6 +39,10 @@ import {
   CamundaConnectionListItemSchema,
   SanitizedCamundaConnectionSchema
 } from "@app/services/app-connection/camunda";
+import {
+  ChecklyConnectionListItemSchema,
+  SanitizedChecklyConnectionSchema
+} from "@app/services/app-connection/checkly";
 import {
   CloudflareConnectionListItemSchema,
   SanitizedCloudflareConnectionSchema
@@ -128,7 +132,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedCloudflareConnectionSchema.options,
   ...SanitizedBitbucketConnectionSchema.options,
   ...SanitizedZabbixConnectionSchema.options,
-  ...SanitizedRailwayConnectionSchema.options
+  ...SanitizedRailwayConnectionSchema.options,
+  ...SanitizedChecklyConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -163,7 +168,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   CloudflareConnectionListItemSchema,
   BitbucketConnectionListItemSchema,
   ZabbixConnectionListItemSchema,
-  RailwayConnectionListItemSchema
+  RailwayConnectionListItemSchema,
+  ChecklyConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/checkly-connection-router.ts

@@ -0,0 +1,56 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateChecklyConnectionSchema,
+  SanitizedChecklyConnectionSchema,
+  UpdateChecklyConnectionSchema
+} from "@app/services/app-connection/checkly";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerChecklyConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Checkly,
+    server,
+    sanitizedResponseSchema: SanitizedChecklyConnectionSchema,
+    createSchema: CreateChecklyConnectionSchema,
+    updateSchema: UpdateChecklyConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/accounts`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          accounts: z
+            .object({
+              name: z.string(),
+              id: z.string(),
+              runtimeId: z.string()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const accounts = await server.services.appConnection.checkly.listAccounts(connectionId, req.permission);
+
+      return { accounts };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -11,6 +11,7 @@ import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-r
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerBitbucketConnectionRouter } from "./bitbucket-connection-router";
 import { registerCamundaConnectionRouter } from "./camunda-connection-router";
+import { registerChecklyConnectionRouter } from "./checkly-connection-router";
 import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
@@ -68,5 +69,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Cloudflare]: registerCloudflareConnectionRouter,
     [AppConnection.Bitbucket]: registerBitbucketConnectionRouter,
     [AppConnection.Zabbix]: registerZabbixConnectionRouter,
-    [AppConnection.Railway]: registerRailwayConnectionRouter
+    [AppConnection.Railway]: registerRailwayConnectionRouter,
+    [AppConnection.Checkly]: registerChecklyConnectionRouter
   };

backend/src/server/routes/v1/secret-sync-routers/checkly-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  ChecklySyncSchema,
+  CreateChecklySyncSchema,
+  UpdateChecklySyncSchema
+} from "@app/services/secret-sync/checkly/checkly-sync-schemas";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerChecklySyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Checkly,
+    server,
+    responseSchema: ChecklySyncSchema,
+    createSchema: CreateChecklySyncSchema,
+    updateSchema: UpdateChecklySyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -8,6 +8,7 @@ import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configurati
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
+import { registerChecklySyncRouter } from "./checkly-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
@@ -54,5 +55,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.CloudflareWorkers]: registerCloudflareWorkersSyncRouter,
 
   [SecretSync.Zabbix]: registerZabbixSyncRouter,
-  [SecretSync.Railway]: registerRailwaySyncRouter
+  [SecretSync.Railway]: registerRailwaySyncRouter,
+  [SecretSync.Checkly]: registerChecklySyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -22,6 +22,7 @@ import {
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
+import { ChecklySyncListItemSchema, ChecklySyncSchema } from "@app/services/secret-sync/checkly/checkly-sync-schemas";
 import {
   CloudflarePagesSyncListItemSchema,
   CloudflarePagesSyncSchema
@@ -72,7 +73,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   CloudflareWorkersSyncSchema,
 
   ZabbixSyncSchema,
-  RailwaySyncSchema
+  RailwaySyncSchema,
+  ChecklySyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -101,7 +103,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   CloudflareWorkersSyncListItemSchema,
 
   ZabbixSyncListItemSchema,
-  RailwaySyncListItemSchema
+  RailwaySyncListItemSchema,
+  ChecklySyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -30,7 +30,8 @@ export enum AppConnection {
   Cloudflare = "cloudflare",
   Zabbix = "zabbix",
   Railway = "railway",
-  Bitbucket = "bitbucket"
+  Bitbucket = "bitbucket",
+  Checkly = "checkly"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -56,6 +56,7 @@ import {
   validateBitbucketConnectionCredentials
 } from "./bitbucket";
 import { CamundaConnectionMethod, getCamundaConnectionListItem, validateCamundaConnectionCredentials } from "./camunda";
+import { ChecklyConnectionMethod, getChecklyConnectionListItem, validateChecklyConnectionCredentials } from "./checkly";
 import { CloudflareConnectionMethod } from "./cloudflare/cloudflare-connection-enum";
 import {
   getCloudflareConnectionListItem,
@@ -146,7 +147,8 @@ export const listAppConnectionOptions = () => {
     getCloudflareConnectionListItem(),
     getZabbixConnectionListItem(),
     getRailwayConnectionListItem(),
-    getBitbucketConnectionListItem()
+    getBitbucketConnectionListItem(),
+    getChecklyConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -229,7 +231,8 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Railway]: validateRailwayConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Checkly]: validateChecklyConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -287,6 +290,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case LdapConnectionMethod.SimpleBind:
       return "Simple Bind";
     case RenderConnectionMethod.ApiKey:
+    case ChecklyConnectionMethod.ApiKey:
       return "API Key";
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -350,7 +354,8 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported,
   [AppConnection.Zabbix]: platformManagedCredentialsNotSupported,
   [AppConnection.Railway]: platformManagedCredentialsNotSupported,
-  [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported
+  [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
+  [AppConnection.Checkly]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -32,7 +32,8 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Cloudflare]: "Cloudflare",
   [AppConnection.Zabbix]: "Zabbix",
   [AppConnection.Railway]: "Railway",
-  [AppConnection.Bitbucket]: "Bitbucket"
+  [AppConnection.Bitbucket]: "Bitbucket",
+  [AppConnection.Checkly]: "Checkly"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -67,5 +68,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Cloudflare]: AppConnectionPlanType.Regular,
   [AppConnection.Zabbix]: AppConnectionPlanType.Regular,
   [AppConnection.Railway]: AppConnectionPlanType.Regular,
-  [AppConnection.Bitbucket]: AppConnectionPlanType.Regular
+  [AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
+  [AppConnection.Checkly]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -49,6 +49,8 @@ import { ValidateBitbucketConnectionCredentialsSchema } from "./bitbucket";
 import { bitbucketConnectionService } from "./bitbucket/bitbucket-connection-service";
 import { ValidateCamundaConnectionCredentialsSchema } from "./camunda";
 import { camundaConnectionService } from "./camunda/camunda-connection-service";
+import { ValidateChecklyConnectionCredentialsSchema } from "./checkly";
+import { checklyConnectionService } from "./checkly/checkly-connection-service";
 import { ValidateCloudflareConnectionCredentialsSchema } from "./cloudflare/cloudflare-connection-schema";
 import { cloudflareConnectionService } from "./cloudflare/cloudflare-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
@@ -128,7 +130,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema,
   [AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema,
   [AppConnection.Railway]: ValidateRailwayConnectionCredentialsSchema,
-  [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema
+  [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
+  [AppConnection.Checkly]: ValidateChecklyConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -541,6 +544,7 @@ export const appConnectionServiceFactory = ({
     cloudflare: cloudflareConnectionService(connectAppConnectionById),
     zabbix: zabbixConnectionService(connectAppConnectionById),
     railway: railwayConnectionService(connectAppConnectionById),
-    bitbucket: bitbucketConnectionService(connectAppConnectionById)
+    bitbucket: bitbucketConnectionService(connectAppConnectionById),
+    checkly: checklyConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -68,6 +68,12 @@ import {
   TCamundaConnectionInput,
   TValidateCamundaConnectionCredentialsSchema
 } from "./camunda";
+import {
+  TChecklyConnection,
+  TChecklyConnectionConfig,
+  TChecklyConnectionInput,
+  TValidateChecklyConnectionCredentialsSchema
+} from "./checkly";
 import {
   TCloudflareConnection,
   TCloudflareConnectionConfig,
@@ -217,6 +223,7 @@ export type TAppConnection = { id: string } & (
   | TBitbucketConnection
   | TZabbixConnection
   | TRailwayConnection
+  | TChecklyConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -256,6 +263,7 @@ export type TAppConnectionInput = { id: string } & (
   | TBitbucketConnectionInput
   | TZabbixConnectionInput
   | TRailwayConnectionInput
+  | TChecklyConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -302,7 +310,8 @@ export type TAppConnectionConfig =
   | TCloudflareConnectionConfig
   | TBitbucketConnectionConfig
   | TZabbixConnectionConfig
-  | TRailwayConnectionConfig;
+  | TRailwayConnectionConfig
+  | TChecklyConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -336,7 +345,8 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateCloudflareConnectionCredentialsSchema
   | TValidateBitbucketConnectionCredentialsSchema
   | TValidateZabbixConnectionCredentialsSchema
-  | TValidateRailwayConnectionCredentialsSchema;
+  | TValidateRailwayConnectionCredentialsSchema
+  | TValidateChecklyConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/checkly/checkly-connection-constants.ts

@@ -0,0 +1,3 @@
+export enum ChecklyConnectionMethod {
+  ApiKey = "api-key"
+}

backend/src/services/app-connection/checkly/checkly-connection-fns.ts

@@ -0,0 +1,35 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
+import { BadRequestError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { ChecklyConnectionMethod } from "./checkly-connection-constants";
+import { ChecklyPublicAPI } from "./checkly-connection-public-client";
+import { TChecklyConnectionConfig } from "./checkly-connection-types";
+
+export const getChecklyConnectionListItem = () => {
+  return {
+    name: "Checkly" as const,
+    app: AppConnection.Checkly as const,
+    methods: Object.values(ChecklyConnectionMethod)
+  };
+};
+
+export const validateChecklyConnectionCredentials = async (config: TChecklyConnectionConfig) => {
+  try {
+    await ChecklyPublicAPI.healthcheck(config);
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+
+    throw new BadRequestError({
+      message: "Unable to validate connection - verify credentials"
+    });
+  }
+
+  return config.credentials;
+};

backend/src/services/app-connection/checkly/checkly-connection-public-client.ts

@@ -0,0 +1,186 @@
+/* eslint-disable no-await-in-loop */
+/* eslint-disable class-methods-use-this */
+import { AxiosInstance, AxiosRequestConfig, AxiosResponse, HttpStatusCode, isAxiosError } from "axios";
+
+import { createRequestClient } from "@app/lib/config/request";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { ChecklyConnectionMethod } from "./checkly-connection-constants";
+import { TChecklyAccount, TChecklyConnectionConfig, TChecklyVariable } from "./checkly-connection-types";
+
+export function getChecklyAuthHeaders(
+  connection: TChecklyConnectionConfig,
+  accountId?: string
+): Record<string, string> {
+  switch (connection.method) {
+    case ChecklyConnectionMethod.ApiKey:
+      return {
+        Authorization: `Bearer ${connection.credentials.apiKey}`,
+        ...(accountId && { "X-Checkly-Account": accountId })
+      };
+    default:
+      throw new Error(`Unsupported Checkly connection method`);
+  }
+}
+
+export function getChecklyRatelimiter(response: AxiosResponse): {
+  maxAttempts: number;
+  isRatelimited: boolean;
+  wait: () => Promise<void>;
+} {
+  const wait = () => {
+    return new Promise<void>((res) => {
+      setTimeout(res, 60 * 1000); // Wait for 60 seconds
+    });
+  };
+
+  return {
+    isRatelimited: response.status === HttpStatusCode.TooManyRequests,
+    wait,
+    maxAttempts: 3
+  };
+}
+
+class ChecklyPublicClient {
+  private client: AxiosInstance;
+
+  constructor() {
+    this.client = createRequestClient({
+      baseURL: IntegrationUrls.CHECKLY_API_URL,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+
+  async send<T>(
+    connection: TChecklyConnectionConfig,
+    config: AxiosRequestConfig & { accountId?: string },
+    retryAttempt = 0
+  ): Promise<T | undefined> {
+    const response = await this.client.request<T>({
+      ...config,
+      timeout: 1000 * 60, // 60 seconds timeout
+      validateStatus: (status) => (status >= 200 && status < 300) || status === HttpStatusCode.TooManyRequests,
+      headers: getChecklyAuthHeaders(connection, config.accountId)
+    });
+    const limiter = getChecklyRatelimiter(response);
+
+    if (limiter.isRatelimited && retryAttempt <= limiter.maxAttempts) {
+      await limiter.wait();
+      return this.send(connection, config, retryAttempt + 1);
+    }
+
+    return response.data;
+  }
+
+  healthcheck(connection: TChecklyConnectionConfig) {
+    switch (connection.method) {
+      case ChecklyConnectionMethod.ApiKey:
+        return this.getChecklyAccounts(connection);
+      default:
+        throw new Error(`Unsupported Checkly connection method`);
+    }
+  }
+
+  async getVariables(connection: TChecklyConnectionConfig, accountId: string, limit: number = 50, page: number = 1) {
+    const res = await this.send<TChecklyVariable[]>(connection, {
+      accountId,
+      method: "GET",
+      url: `/v1/variables`,
+      params: {
+        limit,
+        page
+      }
+    });
+
+    return res;
+  }
+
+  async createVariable(connection: TChecklyConnectionConfig, accountId: string, variable: TChecklyVariable) {
+    const res = await this.send<TChecklyVariable>(connection, {
+      accountId,
+      method: "POST",
+      url: `/v1/variables`,
+      data: variable
+    });
+
+    return res;
+  }
+
+  async updateVariable(connection: TChecklyConnectionConfig, accountId: string, variable: TChecklyVariable) {
+    const res = await this.send<TChecklyVariable>(connection, {
+      accountId,
+      method: "PUT",
+      url: `/v1/variables/${variable.key}`,
+      data: variable
+    });
+
+    return res;
+  }
+
+  async getVariable(connection: TChecklyConnectionConfig, accountId: string, variable: Pick<TChecklyVariable, "key">) {
+    try {
+      const res = await this.send<TChecklyVariable>(connection, {
+        accountId,
+        method: "GET",
+        url: `/v1/variables/${variable.key}`
+      });
+
+      return res;
+    } catch (error) {
+      if (isAxiosError(error) && error.response?.status === HttpStatusCode.NotFound) {
+        return null;
+      }
+
+      throw error;
+    }
+  }
+
+  async upsertVariable(connection: TChecklyConnectionConfig, accountId: string, variable: TChecklyVariable) {
+    const res = await this.getVariable(connection, accountId, variable);
+
+    if (!res) {
+      return this.createVariable(connection, accountId, variable);
+    }
+
+    await this.updateVariable(connection, accountId, variable);
+
+    return res;
+  }
+
+  async deleteVariable(
+    connection: TChecklyConnectionConfig,
+    accountId: string,
+    variable: Pick<TChecklyVariable, "key">
+  ) {
+    try {
+      const res = await this.send<TChecklyVariable>(connection, {
+        accountId,
+        method: "DELETE",
+        url: `/v1/variables/${variable.key}`
+      });
+
+      return res;
+    } catch (error) {
+      if (isAxiosError(error) && error.response?.status === HttpStatusCode.NotFound) {
+        return null;
+      }
+
+      throw error;
+    }
+  }
+
+  async getChecklyAccounts(connection: TChecklyConnectionConfig) {
+    // This endpoint is in beta and might be subject to changes
+    // Refer: https://developers.checklyhq.com/reference/getv1accounts
+    const res = await this.send<TChecklyAccount[]>(connection, {
+      method: "GET",
+      url: `/v1/accounts`
+    });
+
+    return res;
+  }
+}
+
+export const ChecklyPublicAPI = new ChecklyPublicClient();

backend/src/services/app-connection/checkly/checkly-connection-schemas.ts

@@ -0,0 +1,62 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { ChecklyConnectionMethod } from "./checkly-connection-constants";
+
+export const ChecklyConnectionMethodSchema = z
+  .nativeEnum(ChecklyConnectionMethod)
+  .describe(AppConnections.CREATE(AppConnection.Checkly).method);
+
+export const ChecklyConnectionAccessTokenCredentialsSchema = z.object({
+  apiKey: z.string().trim().min(1, "API Key required").max(255).describe(AppConnections.CREDENTIALS.CHECKLY.apiKey)
+});
+
+const BaseChecklyConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.Checkly)
+});
+
+export const ChecklyConnectionSchema = BaseChecklyConnectionSchema.extend({
+  method: ChecklyConnectionMethodSchema,
+  credentials: ChecklyConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedChecklyConnectionSchema = z.discriminatedUnion("method", [
+  BaseChecklyConnectionSchema.extend({
+    method: ChecklyConnectionMethodSchema,
+    credentials: ChecklyConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateChecklyConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: ChecklyConnectionMethodSchema,
+    credentials: ChecklyConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Checkly).credentials
+    )
+  })
+]);
+
+export const CreateChecklyConnectionSchema = ValidateChecklyConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Checkly)
+);
+
+export const UpdateChecklyConnectionSchema = z
+  .object({
+    credentials: ChecklyConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Checkly).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Checkly));
+
+export const ChecklyConnectionListItemSchema = z.object({
+  name: z.literal("Checkly"),
+  app: z.literal(AppConnection.Checkly),
+  methods: z.nativeEnum(ChecklyConnectionMethod).array()
+});

backend/src/services/app-connection/checkly/checkly-connection-service.ts

@@ -0,0 +1,30 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { ChecklyPublicAPI } from "./checkly-connection-public-client";
+import { TChecklyConnection } from "./checkly-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TChecklyConnection>;
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export const checklyConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listAccounts = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Checkly, connectionId, actor);
+    try {
+      const accounts = await ChecklyPublicAPI.getChecklyAccounts(appConnection);
+      return accounts!;
+    } catch (error) {
+      logger.error(error, "Failed to list accounts on Checkly");
+      return [];
+    }
+  };
+
+  return {
+    listAccounts
+  };
+};

backend/src/services/app-connection/checkly/checkly-connection-types.ts

@@ -0,0 +1,35 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  ChecklyConnectionSchema,
+  CreateChecklyConnectionSchema,
+  ValidateChecklyConnectionCredentialsSchema
+} from "./checkly-connection-schemas";
+
+export type TChecklyConnection = z.infer<typeof ChecklyConnectionSchema>;
+
+export type TChecklyConnectionInput = z.infer<typeof CreateChecklyConnectionSchema> & {
+  app: AppConnection.Checkly;
+};
+
+export type TValidateChecklyConnectionCredentialsSchema = typeof ValidateChecklyConnectionCredentialsSchema;
+
+export type TChecklyConnectionConfig = DiscriminativePick<TChecklyConnection, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TChecklyVariable = {
+  key: string;
+  value: string;
+  locked: boolean;
+  secret: boolean;
+};
+
+export type TChecklyAccount = {
+  id: string;
+  name: string;
+  runtimeId: string;
+};

backend/src/services/app-connection/checkly/index.ts

@@ -0,0 +1,4 @@
+export * from "./checkly-connection-constants";
+export * from "./checkly-connection-fns";
+export * from "./checkly-connection-schemas";
+export * from "./checkly-connection-types";

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -30,10 +30,17 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
   const removeExpiredTokens = async (tx?: Knex) => {
     logger.info(`${QueueName.DailyResourceCleanUp}: remove expired access token started`);
 
+    const BATCH_SIZE = 10000;
+    const MAX_RETRY_ON_FAILURE = 3;
+    const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
     const MAX_TTL = 315_360_000; // Maximum TTL value in seconds (10 years)
 
-    try {
-      const docs = (tx || db)(TableName.IdentityAccessToken)
+    let deletedTokenIds: { id: string }[] = [];
+    let numberOfRetryOnFailure = 0;
+    let isRetrying = false;
+
+    const getExpiredTokensQuery = (dbClient: Knex | Knex.Transaction) =>
+      dbClient(TableName.IdentityAccessToken)
         .where({
           isAccessTokenRevoked: true
         })
@@ -47,34 +54,64 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
             );
         })
         .orWhere((qb) => {
-          void qb.where("accessTokenTTL", ">", 0).andWhere((qb2) => {
-            void qb2
-              .where((qb3) => {
-                void qb3
-                  .whereNotNull("accessTokenLastRenewedAt")
-                  // accessTokenLastRenewedAt + convert_integer_to_seconds(accessTokenTTL) < present_date
-                  .andWhereRaw(
-                    `"${TableName.IdentityAccessToken}"."accessTokenLastRenewedAt" + make_interval(secs => LEAST("${TableName.IdentityAccessToken}"."accessTokenTTL", ?)) < NOW()`,
-                    [MAX_TTL]
-                  );
-              })
-              .orWhere((qb3) => {
-                void qb3
-                  .whereNull("accessTokenLastRenewedAt")
-                  // created + convert_integer_to_seconds(accessTokenTTL) < present_date
-                  .andWhereRaw(
-                    `"${TableName.IdentityAccessToken}"."createdAt" + make_interval(secs => LEAST("${TableName.IdentityAccessToken}"."accessTokenTTL", ?)) < NOW()`,
-                    [MAX_TTL]
-                  );
-              });
+          void qb.where("accessTokenTTL", ">", 0).andWhereRaw(
+            `
+              -- Check if the token's effective expiration time has passed.
+              -- The expiration time is calculated by adding its TTL to its last renewal/creation time.
+              COALESCE(
+                "${TableName.IdentityAccessToken}"."accessTokenLastRenewedAt", -- Use last renewal time if available
+                "${TableName.IdentityAccessToken}"."createdAt"                 -- Otherwise, use creation time
+              )
+              + make_interval(
+                  secs => LEAST(
+                    "${TableName.IdentityAccessToken}"."accessTokenTTL",      -- Token's specified TTL
+                    ?                                                         -- Capped by MAX_TTL (parameterized value)
+                  )
+                )
+              < NOW()                                                         -- Check if the calculated time is before now
+              `,
+            [MAX_TTL]
+          );
+        });
+
+    do {
+      try {
+        const deleteBatch = async (dbClient: Knex | Knex.Transaction) => {
+          const idsToDeleteQuery = getExpiredTokensQuery(dbClient).select("id").limit(BATCH_SIZE);
+          return dbClient(TableName.IdentityAccessToken).whereIn("id", idsToDeleteQuery).del().returning("id");
+        };
+
+        if (tx) {
+          // eslint-disable-next-line no-await-in-loop
+          deletedTokenIds = await deleteBatch(tx);
+        } else {
+          // eslint-disable-next-line no-await-in-loop
+          deletedTokenIds = await db.transaction(async (trx) => {
+            await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);
+            return deleteBatch(trx);
           });
-        })
-        .delete();
-      await docs;
-      logger.info(`${QueueName.DailyResourceCleanUp}: remove expired access token completed`);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "IdentityAccessTokenPrune" });
+        }
+
+        numberOfRetryOnFailure = 0; // reset
+      } catch (error) {
+        numberOfRetryOnFailure += 1;
+        logger.error(error, "Failed to delete a batch of expired identity access tokens on pruning");
+      } finally {
+        // eslint-disable-next-line no-await-in-loop
+        await new Promise((resolve) => {
+          setTimeout(resolve, 10); // time to breathe for db
+        });
+      }
+      isRetrying = numberOfRetryOnFailure > 0;
+    } while (deletedTokenIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
+
+    if (numberOfRetryOnFailure >= MAX_RETRY_ON_FAILURE) {
+      logger.error(
+        `IdentityAccessTokenPrune: Pruning failed and stopped after ${MAX_RETRY_ON_FAILURE} consecutive retries.`
+      );
     }
+
+    logger.info(`${QueueName.DailyResourceCleanUp}: remove expired access token completed`);
   };
 
   return { ...identityAccessTokenOrm, findOne, removeExpiredTokens };

backend/src/services/org/org-service.ts

@@ -1280,6 +1280,8 @@ export const orgServiceFactory = ({
         message: "No pending invitation found"
       });
 
+    const organization = await orgDAL.findById(orgId);
+
     await tokenService.validateTokenForUser({
       type: TokenType.TOKEN_EMAIL_ORG_INVITATION,
       userId: user.id,
@@ -1302,6 +1304,13 @@ export const orgServiceFactory = ({
       return { user };
     }
 
+    if (
+      organization.authEnforced &&
+      !(organization.bypassOrgAuthEnabled && orgMembership.role === OrgMembershipRole.Admin)
+    ) {
+      return { user };
+    }
+
     const appCfg = getConfig();
     const token = crypto.jwt().sign(
       {

backend/src/services/secret-sync/azure-devops/azure-devops-sync-schemas.ts

@@ -17,7 +17,7 @@ export const AzureDevOpsSyncDestinationConfigSchema = z.object({
     .describe(SecretSyncs.DESTINATION_CONFIG.AZURE_DEVOPS?.devopsProjectId || "Azure DevOps Project ID"),
   devopsProjectName: z
     .string()
-    .min(1, "Project name required")
+    .optional()
     .describe(SecretSyncs.DESTINATION_CONFIG.AZURE_DEVOPS?.devopsProjectName || "Azure DevOps Project Name")
 });
 

backend/src/services/secret-sync/checkly/checkly-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const CHECKLY_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Checkly",
+  destination: SecretSync.Checkly,
+  connection: AppConnection.Checkly,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/checkly/checkly-sync-fns.ts

@@ -0,0 +1,102 @@
+/* eslint-disable no-continue */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+
+import { ChecklyPublicAPI } from "@app/services/app-connection/checkly/checkly-connection-public-client";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+
+import { SecretSyncError } from "../secret-sync-errors";
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+import { TSecretMap } from "../secret-sync-types";
+import { TChecklySyncWithCredentials } from "./checkly-sync-types";
+
+export const ChecklySyncFns = {
+  async getSecrets(secretSync: TChecklySyncWithCredentials) {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  },
+
+  async syncSecrets(secretSync: TChecklySyncWithCredentials, secretMap: TSecretMap) {
+    const {
+      environment,
+      syncOptions: { disableSecretDeletion, keySchema }
+    } = secretSync;
+
+    const config = secretSync.destinationConfig;
+
+    const variables = await ChecklyPublicAPI.getVariables(secretSync.connection, config.accountId);
+
+    const checklySecrets = Object.fromEntries(variables!.map((variable) => [variable.key, variable]));
+
+    for await (const key of Object.keys(secretMap)) {
+      try {
+        const entry = secretMap[key];
+
+        // If value is empty, we skip the upsert - checkly does not allow empty values
+        if (entry.value.trim() === "") {
+          // Delete the secret from Checkly if its empty
+          if (!disableSecretDeletion) {
+            await ChecklyPublicAPI.deleteVariable(secretSync.connection, config.accountId, {
+              key
+            });
+          }
+          continue; // Skip empty values
+        }
+
+        await ChecklyPublicAPI.upsertVariable(secretSync.connection, config.accountId, {
+          key,
+          value: entry.value,
+          secret: true,
+          locked: true
+        });
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+
+    if (disableSecretDeletion) return;
+
+    for await (const key of Object.keys(checklySecrets)) {
+      try {
+        // eslint-disable-next-line no-continue
+        if (!matchesSchema(key, environment?.slug || "", keySchema)) continue;
+
+        if (!secretMap[key]) {
+          await ChecklyPublicAPI.deleteVariable(secretSync.connection, config.accountId, {
+            key
+          });
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+  },
+
+  async removeSecrets(secretSync: TChecklySyncWithCredentials, secretMap: TSecretMap) {
+    const config = secretSync.destinationConfig;
+
+    const variables = await ChecklyPublicAPI.getVariables(secretSync.connection, config.accountId);
+
+    const checklySecrets = Object.fromEntries(variables!.map((variable) => [variable.key, variable]));
+
+    for await (const secret of Object.keys(checklySecrets)) {
+      try {
+        if (secret in secretMap) {
+          await ChecklyPublicAPI.deleteVariable(secretSync.connection, config.accountId, {
+            key: secret
+          });
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: secret
+        });
+      }
+    }
+  }
+};

backend/src/services/secret-sync/checkly/checkly-sync-schemas.ts

@@ -0,0 +1,43 @@
+import { z } from "zod";
+
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const ChecklySyncDestinationConfigSchema = z.object({
+  accountId: z.string().min(1, "Account ID is required").max(255, "Account ID must be less than 255 characters"),
+  accountName: z.string().min(1, "Account Name is required").max(255, "Account ID must be less than 255 characters")
+});
+
+const ChecklySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const ChecklySyncSchema = BaseSecretSyncSchema(SecretSync.Checkly, ChecklySyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Checkly),
+  destinationConfig: ChecklySyncDestinationConfigSchema
+});
+
+export const CreateChecklySyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Checkly,
+  ChecklySyncOptionsConfig
+).extend({
+  destinationConfig: ChecklySyncDestinationConfigSchema
+});
+
+export const UpdateChecklySyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Checkly,
+  ChecklySyncOptionsConfig
+).extend({
+  destinationConfig: ChecklySyncDestinationConfigSchema.optional()
+});
+
+export const ChecklySyncListItemSchema = z.object({
+  name: z.literal("Checkly"),
+  connection: z.literal(AppConnection.Checkly),
+  destination: z.literal(SecretSync.Checkly),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/checkly/checkly-sync-types.ts

@@ -0,0 +1,23 @@
+import z from "zod";
+
+import { TChecklyConnection, TChecklyVariable } from "@app/services/app-connection/checkly";
+
+import { ChecklySyncListItemSchema, ChecklySyncSchema, CreateChecklySyncSchema } from "./checkly-sync-schemas";
+
+export type TChecklySyncListItem = z.infer<typeof ChecklySyncListItemSchema>;
+
+export type TChecklySync = z.infer<typeof ChecklySyncSchema>;
+
+export type TChecklySyncInput = z.infer<typeof CreateChecklySyncSchema>;
+
+export type TChecklySyncWithCredentials = TChecklySync & {
+  connection: TChecklyConnection;
+};
+
+export type TChecklySecret = TChecklyVariable;
+
+export type TChecklyVariablesGraphResponse = {
+  data: {
+    variables: Record<string, string>;
+  };
+};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -24,7 +24,8 @@ export enum SecretSync {
   CloudflareWorkers = "cloudflare-workers",
 
   Zabbix = "zabbix",
-  Railway = "railway"
+  Railway = "railway",
+  Checkly = "checkly"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -29,6 +29,8 @@ import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFact
 import { AZURE_DEVOPS_SYNC_LIST_OPTION, azureDevOpsSyncFactory } from "./azure-devops";
 import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
+import { CHECKLY_SYNC_LIST_OPTION } from "./checkly/checkly-sync-constants";
+import { ChecklySyncFns } from "./checkly/checkly-sync-fns";
 import { CLOUDFLARE_PAGES_SYNC_LIST_OPTION } from "./cloudflare-pages/cloudflare-pages-constants";
 import { CloudflarePagesSyncFns } from "./cloudflare-pages/cloudflare-pages-fns";
 import { CLOUDFLARE_WORKERS_SYNC_LIST_OPTION, CloudflareWorkersSyncFns } from "./cloudflare-workers";
@@ -76,7 +78,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.CloudflareWorkers]: CLOUDFLARE_WORKERS_SYNC_LIST_OPTION,
 
   [SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION,
-  [SecretSync.Railway]: RAILWAY_SYNC_LIST_OPTION
+  [SecretSync.Railway]: RAILWAY_SYNC_LIST_OPTION,
+  [SecretSync.Checkly]: CHECKLY_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -250,6 +253,8 @@ export const SecretSyncFns = {
         return ZabbixSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Railway:
         return RailwaySyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Checkly:
+        return ChecklySyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -351,6 +356,9 @@ export const SecretSyncFns = {
       case SecretSync.Railway:
         secretMap = await RailwaySyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.Checkly:
+        secretMap = await ChecklySyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -434,6 +442,8 @@ export const SecretSyncFns = {
         return ZabbixSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Railway:
         return RailwaySyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Checkly:
+        return ChecklySyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -27,7 +27,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.CloudflareWorkers]: "Cloudflare Workers",
 
   [SecretSync.Zabbix]: "Zabbix",
-  [SecretSync.Railway]: "Railway"
+  [SecretSync.Railway]: "Railway",
+  [SecretSync.Checkly]: "Checkly"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -56,7 +57,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.CloudflareWorkers]: AppConnection.Cloudflare,
 
   [SecretSync.Zabbix]: AppConnection.Zabbix,
-  [SecretSync.Railway]: AppConnection.Railway
+  [SecretSync.Railway]: AppConnection.Railway,
+  [SecretSync.Checkly]: AppConnection.Checkly
 };
 
 export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@@ -85,5 +87,6 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.CloudflareWorkers]: SecretSyncPlanType.Regular,
 
   [SecretSync.Zabbix]: SecretSyncPlanType.Regular,
-  [SecretSync.Railway]: SecretSyncPlanType.Regular
+  [SecretSync.Railway]: SecretSyncPlanType.Regular,
+  [SecretSync.Checkly]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -72,6 +72,12 @@ import {
   TAzureKeyVaultSyncListItem,
   TAzureKeyVaultSyncWithCredentials
 } from "./azure-key-vault";
+import {
+  TChecklySync,
+  TChecklySyncInput,
+  TChecklySyncListItem,
+  TChecklySyncWithCredentials
+} from "./checkly/checkly-sync-types";
 import {
   TCloudflarePagesSync,
   TCloudflarePagesSyncInput,
@@ -152,7 +158,8 @@ export type TSecretSync =
   | TCloudflarePagesSync
   | TCloudflareWorkersSync
   | TZabbixSync
-  | TRailwaySync;
+  | TRailwaySync
+  | TChecklySync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -179,7 +186,8 @@ export type TSecretSyncWithCredentials =
   | TCloudflarePagesSyncWithCredentials
   | TCloudflareWorkersSyncWithCredentials
   | TZabbixSyncWithCredentials
-  | TRailwaySyncWithCredentials;
+  | TRailwaySyncWithCredentials
+  | TChecklySyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -206,7 +214,8 @@ export type TSecretSyncInput =
   | TCloudflarePagesSyncInput
   | TCloudflareWorkersSyncInput
   | TZabbixSyncInput
-  | TRailwaySyncInput;
+  | TRailwaySyncInput
+  | TChecklySyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -233,7 +242,8 @@ export type TSecretSyncListItem =
   | TCloudflarePagesSyncListItem
   | TCloudflareWorkersSyncListItem
   | TZabbixSyncListItem
-  | TRailwaySyncListItem;
+  | TRailwaySyncListItem
+  | TChecklySyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

cli/packages/util/check-for-update.go

@@ -20,7 +20,7 @@ func CheckForUpdate() {
 	if checkEnv := os.Getenv("INFISICAL_DISABLE_UPDATE_CHECK"); checkEnv != "" {
 		return
 	}
-	latestVersion, _, err := getLatestTag("Infisical", "infisical")
+	latestVersion, _, err := getLatestTag("Infisical", "cli")
 	if err != nil {
 		log.Debug().Err(err)
 		// do nothing and continue
@@ -98,7 +98,7 @@ func getLatestTag(repoOwner string, repoName string) (string, string, error) {
 		return "", "", fmt.Errorf("failed to unmarshal github response: %w", err)
 	}
 
-	tag_prefix := "infisical-cli/v"
+	tag_prefix := "v"
 
 	// Extract the version from the first valid tag
 	version := strings.TrimPrefix(releaseDetails.TagName, tag_prefix)

docs/api-reference/endpoints/app-connections/checkly/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/checkly/available"
+---

docs/api-reference/endpoints/app-connections/checkly/create.mdx

@@ -0,0 +1,8 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/checkly"
+---
+
+<Note>
+    Check out the configuration docs for [Checkly Connections](/integrations/app-connections/checkly) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/checkly/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/checkly/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/checkly/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/checkly/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/checkly/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/checkly/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/checkly/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/checkly"
+---

docs/api-reference/endpoints/app-connections/checkly/update.mdx

@@ -0,0 +1,8 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/checkly/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Checkly Connections](/integrations/app-connections/checkly) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/secret-syncs/checkly/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/checkly"
+---

docs/api-reference/endpoints/secret-syncs/checkly/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/checkly/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/checkly/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/checkly/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/checkly/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/checkly/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/checkly/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/checkly"
+---

docs/api-reference/endpoints/secret-syncs/checkly/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/checkly/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/checkly/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/checkly/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/checkly/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/checkly/{syncId}"
+---

docs/docs.json

@@ -472,6 +472,7 @@
                   "integrations/app-connections/azure-key-vault",
                   "integrations/app-connections/bitbucket",
                   "integrations/app-connections/camunda",
+                  "integrations/app-connections/checkly",
                   "integrations/app-connections/cloudflare",
                   "integrations/app-connections/databricks",
                   "integrations/app-connections/flyio",
@@ -513,6 +514,7 @@
                   "integrations/secret-syncs/azure-devops",
                   "integrations/secret-syncs/azure-key-vault",
                   "integrations/secret-syncs/camunda",
+                  "integrations/secret-syncs/checkly",
                   "integrations/secret-syncs/cloudflare-pages",
                   "integrations/secret-syncs/cloudflare-workers",
                   "integrations/secret-syncs/databricks",
@@ -1328,6 +1330,17 @@
                       "api-reference/endpoints/app-connections/camunda/delete"
                     ]
                   },
+                  {
+                    "group": "Checkly",
+                    "pages": [
+                      "api-reference/endpoints/app-connections/checkly/list",
+                      "api-reference/endpoints/app-connections/checkly/get-by-id",
+                      "api-reference/endpoints/app-connections/checkly/get-by-name",
+                      "api-reference/endpoints/app-connections/checkly/create",
+                      "api-reference/endpoints/app-connections/checkly/update",
+                      "api-reference/endpoints/app-connections/checkly/delete"
+                    ]
+                  },
                   {
                     "group": "Cloudflare",
                     "pages": [
@@ -1708,6 +1721,19 @@
                       "api-reference/endpoints/secret-syncs/camunda/remove-secrets"
                     ]
                   },
+                  {
+                    "group": "Checkly",
+                    "pages": [
+                      "api-reference/endpoints/secret-syncs/checkly/list",
+                      "api-reference/endpoints/secret-syncs/checkly/get-by-id",
+                      "api-reference/endpoints/secret-syncs/checkly/get-by-name",
+                      "api-reference/endpoints/secret-syncs/checkly/create",
+                      "api-reference/endpoints/secret-syncs/checkly/update",
+                      "api-reference/endpoints/secret-syncs/checkly/delete",
+                      "api-reference/endpoints/secret-syncs/checkly/sync-secrets",
+                      "api-reference/endpoints/secret-syncs/checkly/remove-secrets"
+                    ]
+                  },
                   {
                     "group": "Cloudflare Pages",
                     "pages": [

docs/integrations/app-connections/checkly.mdx

@@ -0,0 +1,106 @@
+---
+title: "Checkly Connection"
+description: "Learn how to configure a Checkly Connection for Infisical."
+---
+
+Infisical supports the use of [API Keys](https://app.checklyhq.com/settings/user/api-keys) to connect with Checkly.
+<Note>
+  Checkly requires the account user to have Read/Write or Admin permissions
+</Note>
+
+## Create a Checkly API Token
+
+<Steps>
+  <Step title="Click the profile image in the top-right corner and select 'User Settings'">
+    ![Dashboard Page](/images/app-connections/checkly/checkly-app-connection-profile.png)
+  </Step>
+  <Step title="In the user settings sidebar, select 'API Keys'">
+    ![User Settings Page](/images/app-connections/checkly/checkly-app-connection-api-keys.png)
+  </Step>
+   <Step title="In the api keys page, click on 'Create API Key'">
+    ![Api Keys Page](/images/app-connections/checkly/checkly-app-connection-create-api-key.png)
+  </Step>
+  <Step title="Enter a token name and click on 'Create API Key'">
+    Provide a descriptive name for the token.
+
+    ![Enter Name](/images/app-connections/checkly/checkly-app-connection-create-form.png)
+
+  </Step>
+  <Step title="Copy the generated key and save it">
+    ![Create Token](/images/app-connections/checkly/checkly-app-connection-key-generated.png)
+  </Step>
+</Steps>
+
+## Create a Checkly Connection in Infisical
+
+<Tabs>
+  <Tab title="Infisical UI">
+    <Steps>
+      <Step title="Navigate to App Connections">
+        In your Infisical dashboard, go to **Organization Settings** and open the [**App Connections**](https://app.infisical.com/organization/app-connections) tab.
+
+        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+      </Step>
+      <Step title="Select Checkly Connection">
+        Click **+ Add Connection** and choose **Checkly Connection** from the list of integrations.
+
+        ![Select Checkly Connection](/images/app-connections/checkly/checkly-app-connection-option.png)
+      </Step>
+      <Step title="Fill out the Checkly Connection form">
+        Complete the form by providing:
+        - A descriptive name for the connection
+        - An optional description
+        - The API Key value from the previous step
+
+        ![Checkly Connection Modal](/images/app-connections/checkly/checkly-app-connection-form.png)
+      </Step>
+      <Step title="Connection created">
+        After submitting the form, your **Checkly Connection** will be successfully created and ready to use with your Infisical projects.
+
+        ![Checkly Connection Created](/images/app-connections/checkly/checkly-app-connection-generated.png)
+      </Step>
+    </Steps>
+
+  </Tab>
+
+  <Tab title="API">
+    To create a Checkly Connection via API, send a request to the [Create Checkly Connection](/api-reference/endpoints/app-connections/checkly/create) endpoint.
+
+    ### Sample request
+
+    ```bash Request
+    curl    --request POST \
+            --url https://app.infisical.com/api/v1/app-connections/checkly \
+            --header 'Content-Type: application/json' \
+            --data '{
+                "name": "my-checkly-connection",
+                "method": "api-key",
+                "credentials": {
+                    "apiKey": "[API KEY]"
+                }
+            }'
+    ```
+
+    ### Sample response
+
+    ```bash Response
+    {
+      "appConnection": {
+          "id": "e5d18aca-86f7-4026-a95e-efb8aeb0d8e6",
+          "name": "my-checkly-connection",
+          "description": null,
+          "version": 1,
+          "orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
+          "createdAt": "2025-04-23T19:46:34.831Z",
+          "updatedAt": "2025-04-23T19:46:34.831Z",
+          "isPlatformManagedCredentials": false,
+          "credentialsHash": "7c2d371dec195f82a6a0d5b41c970a229cfcaf88e894a5b6395e2dbd0280661f",
+          "app": "checkly",
+          "method": "api-key",
+          "credentials": {}
+      }
+    }
+    ```
+
+  </Tab>
+</Tabs>

docs/integrations/app-connections/postgres.mdx

@@ -30,6 +30,14 @@ Infisical supports connecting to PostgreSQL using a database role.
                 -- enable permissions to alter login credentials
                 ALTER ROLE infisical_role WITH CREATEROLE;
                 ```
+                <Tip>
+                    In some configurations, the role performing the rotation must be explicitly granted access to manage each user. To do this, grant the user's role to the rotation role with:
+                    ```SQL
+                    -- grant each user role to admin user for password rotation
+                    GRANT <secret_rotation_user> TO <infisical_role> WITH ADMIN OPTION;
+                    ```
+                    Replace `<secret_rotation_user>` with each specific username whose credentials will be rotated, and `<infisical_role>` with the role that will perform the rotation.
+                </Tip>
             </Tab>
         </Tabs>
     </Step>

docs/integrations/secret-syncs/checkly.mdx

@@ -0,0 +1,163 @@
+---
+title: "Checkly Sync"
+description: "Learn how to configure a Checkly Sync for Infisical."
+---
+
+**Prerequisites:**
+
+- Create a [Checkly Connection](/integrations/app-connections/checkly)
+
+<Tabs>
+    <Tab title="Infisical UI">
+        <Steps>
+            <Step title="Add Sync">
+                Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+
+                ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+            </Step>
+            <Step title="Select 'Checkly'">
+                ![Select Checkly](/images/secret-syncs/checkly/select-option.png)
+            </Step>
+            <Step title="Configure source">
+                Configure the **Source** from where secrets should be retrieved, then click **Next**.
+
+                ![Configure Source](/images/secret-syncs/checkly/checkly-sync-source.png)
+
+                - **Environment**: The project environment to retrieve secrets from.
+                - **Secret Path**: The folder path to retrieve secrets from.
+
+                <Tip>
+                    If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+                </Tip>
+            </Step>
+            <Step title="Configure destination">
+                Configure the **Destination** to where secrets should be deployed, then click **Next**.
+
+                ![Configure Destination](/images/secret-syncs/checkly/checkly-sync-destination.png)
+
+                - **Checkly Connection**: The Checkly Connection to authenticate with.
+                - **Account**: The Checkly account to sync secrets to.
+            </Step>
+            <Step title="Configure Sync Options">
+                Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+
+                ![Configure Options](/images/secret-syncs/checkly/checkly-sync-options.png)
+
+                - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                    - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                    <Note>
+                        Checkly does not support importing secrets.
+                    </Note>
+                - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
+                <Note>
+                    We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+                </Note>
+                - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+                - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
+            </Step>
+            <Step title="Configure details">
+                Configure the **Details** of your Checkly Sync, then click **Next**.
+
+                ![Configure Details](/images/secret-syncs/checkly/checkly-sync-details.png)
+
+                - **Name**: The name of your sync. Must be slug-friendly.
+                - **Description**: An optional description for your sync.
+            </Step>
+            <Step title="Review configuration">
+                Review your Checkly Sync configuration, then click **Create Sync**.
+
+                ![Review Configuration](/images/secret-syncs/checkly/checkly-sync-review.png)
+            </Step>
+            <Step title="Sync created">
+                If enabled, your Checkly Sync will begin syncing your secrets to the destination endpoint.
+
+                ![Sync Created](/images/secret-syncs/checkly/checkly-sync-created.png)
+            </Step>
+        </Steps>
+    </Tab>
+    <Tab title="API">
+        To create a **Checkly Sync**, make an API request to the [Create Checkly Sync](/api-reference/endpoints/secret-syncs/checkly/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+                --url https://app.infisical.com/api/v1/secret-syncs/checkly \
+                --header 'Content-Type: application/json' \
+                --data '{
+                    "name": "my-checkly-sync",
+                    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "description": "an example sync",
+                    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "environment": "dev",
+                    "secretPath": "/my-secrets",
+                    "isEnabled": true,
+                    "syncOptions": {
+                        "initialSyncBehavior": "overwrite-destination",
+                        "autoSyncEnabled": true,
+                        "disableSecretDeletion": false
+                    },
+                    "destinationConfig": {
+                        "accountId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                        "accountName": "Example Company"
+                    }
+                }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-checkly-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination",
+                    "autoSyncEnabled": true,
+                    "disableSecretDeletion": false
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "checkly",
+                    "name": "my-checkly-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "checkly",
+                "destinationConfig": {
+                    "accountId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "accountName": "Example Company",
+                }
+            }
+        }
+        ```
+    </Tab>
+
+</Tabs>

frontend/src/components/navigation/NavHeader.tsx

@@ -151,7 +151,7 @@ export default function NavHeader({
                 <div className="flex items-center space-x-2">
                   <span
                     className={twMerge(
-                      "text-sm font-semibold transition-all",
+                      "text-sm transition-all",
                       isHoveringCopyButton ? "text-bunker-200" : "text-bunker-300"
                     )}
                   >
@@ -198,7 +198,7 @@ export default function NavHeader({
                   }}
                   search={(query) => ({ ...query, secretPath: newSecretPath })}
                   className={twMerge(
-                    "text-sm font-semibold transition-all hover:text-primary",
+                    "text-sm transition-all hover:text-primary",
                     isHoveringCopyButton ? "text-primary" : "text-primary/80"
                   )}
                 >

frontend/src/components/navigation/SecretDashboardPathBreadcrumb.tsx

@@ -38,7 +38,7 @@ export const SecretDashboardPathBreadcrumb = ({
         <div className="group flex items-center space-x-2">
           <span
             className={twMerge(
-              "text-sm font-semibold transition-all",
+              "text-sm transition-all",
               isCopying ? "text-bunker-200" : "text-bunker-300"
             )}
           >
@@ -77,7 +77,7 @@ export const SecretDashboardPathBreadcrumb = ({
           }}
           search={(query) => ({ ...query, secretPath: newSecretPath })}
           className={twMerge(
-            "text-sm font-semibold transition-all hover:text-primary",
+            "text-sm transition-all hover:text-primary",
             isCopying && "text-primary"
           )}
         >

frontend/src/components/secret-syncs/SecretSyncSelect.tsx

@@ -63,6 +63,7 @@ export const SecretSyncSelect = ({ onSelect }: Props) => {
           const { image, name } = SECRET_SYNC_MAP[destination];
           return (
             <button
+              key={name}
               type="button"
               onClick={() =>
                 enterprise && !subscription.enterpriseSecretSyncs

frontend/src/components/secret-syncs/forms/CreateSecretSyncForm.tsx

@@ -60,7 +60,7 @@ export const CreateSecretSyncForm = ({ destination, onComplete, onCancel }: Prop
           ? undefined
           : SecretSyncInitialSyncBehavior.OverwriteDestination
       }
-    },
+    } as Partial<TSecretSyncForm>,
     reValidateMode: "onChange"
   });
 

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/ChecklySyncFields.tsx

@@ -0,0 +1,65 @@
+import { Controller, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+
+import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
+import { FilterableSelect, FormControl } from "@app/components/v2";
+import {
+  TChecklyAccount,
+  useChecklyConnectionListAccounts
+} from "@app/hooks/api/appConnections/checkly";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const ChecklySyncFields = () => {
+  const { control, setValue } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.Checkly }
+  >();
+
+  const connectionId = useWatch({ name: "connection.id", control });
+
+  const { data: accounts = [], isPending: isAccountsLoading } = useChecklyConnectionListAccounts(
+    connectionId,
+    {
+      enabled: Boolean(connectionId)
+    }
+  );
+
+  return (
+    <>
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("destinationConfig.accountId", "");
+          setValue("destinationConfig.accountName", "");
+        }}
+      />
+      <Controller
+        name="destinationConfig.accountId"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="Select an account"
+            tooltipClassName="max-w-md"
+          >
+            <FilterableSelect
+              isLoading={isAccountsLoading && Boolean(connectionId)}
+              isDisabled={!connectionId}
+              value={accounts.find((p) => p.id === value) ?? null}
+              onChange={(option) => {
+                const v = option as SingleValue<TChecklyAccount>;
+                onChange(v?.id ?? null);
+                setValue("destinationConfig.accountName", v?.name ?? "");
+              }}
+              options={accounts}
+              placeholder="Select an account..."
+              getOptionLabel={(option) => option.name}
+              getOptionValue={(option) => option.id}
+            />
+          </FormControl>
+        )}
+      />
+    </>
+  );
+};

frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx

@@ -10,6 +10,7 @@ import { AzureAppConfigurationSyncFields } from "./AzureAppConfigurationSyncFiel
 import { AzureDevOpsSyncFields } from "./AzureDevOpsSyncFields";
 import { AzureKeyVaultSyncFields } from "./AzureKeyVaultSyncFields";
 import { CamundaSyncFields } from "./CamundaSyncFields";
+import { ChecklySyncFields } from "./ChecklySyncFields";
 import { CloudflarePagesSyncFields } from "./CloudflarePagesSyncFields";
 import { CloudflareWorkersSyncFields } from "./CloudflareWorkersSyncFields";
 import { DatabricksSyncFields } from "./DatabricksSyncFields";
@@ -85,6 +86,8 @@ export const SecretSyncDestinationFields = () => {
       return <ZabbixSyncFields />;
     case SecretSync.Railway:
       return <RailwaySyncFields />;
+    case SecretSync.Checkly:
+      return <ChecklySyncFields />;
     default:
       throw new Error(`Unhandled Destination Config Field: ${destination}`);
   }

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -61,6 +61,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
     case SecretSync.CloudflareWorkers:
     case SecretSync.Zabbix:
     case SecretSync.Railway:
+    case SecretSync.Checkly:
       AdditionalSyncOptionsFieldsComponent = null;
       break;
     default:

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/AzureDevOpsSyncReviewFields.tsx

@@ -11,7 +11,9 @@ export const AzureDevOpsSyncReviewFields = () => {
 
   return (
     <>
-      <GenericFieldLabel label="Project">{devopsProjectName}</GenericFieldLabel>
+      {devopsProjectName && (
+        <GenericFieldLabel label="Project">{devopsProjectName}</GenericFieldLabel>
+      )}
       <GenericFieldLabel label="Project ID">{devopsProjectId}</GenericFieldLabel>
     </>
   );

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/ChecklySyncReviewFields.tsx

@@ -0,0 +1,12 @@
+import { useFormContext } from "react-hook-form";
+
+import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
+import { GenericFieldLabel } from "@app/components/v2";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const ChecklySyncReviewFields = () => {
+  const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Checkly }>();
+  const accountName = watch("destinationConfig.accountName");
+
+  return <GenericFieldLabel label="Account">{accountName}</GenericFieldLabel>;
+};

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -19,6 +19,7 @@ import { AzureAppConfigurationSyncReviewFields } from "./AzureAppConfigurationSy
 import { AzureDevOpsSyncReviewFields } from "./AzureDevOpsSyncReviewFields";
 import { AzureKeyVaultSyncReviewFields } from "./AzureKeyVaultSyncReviewFields";
 import { CamundaSyncReviewFields } from "./CamundaSyncReviewFields";
+import { ChecklySyncReviewFields } from "./ChecklySyncReviewFields";
 import { CloudflarePagesSyncReviewFields } from "./CloudflarePagesReviewFields";
 import { CloudflareWorkersSyncReviewFields } from "./CloudflareWorkersReviewFields";
 import { DatabricksSyncReviewFields } from "./DatabricksSyncReviewFields";
@@ -136,6 +137,9 @@ export const SecretSyncReviewFields = () => {
     case SecretSync.Railway:
       DestinationFieldsComponent = <RailwaySyncReviewFields />;
       break;
+    case SecretSync.Checkly:
+      DestinationFieldsComponent = <ChecklySyncReviewFields />;
+      break;
     default:
       throw new Error(`Unhandled Destination Review Fields: ${destination}`);
   }

frontend/src/components/secret-syncs/forms/schemas/azure-devops-sync-destination-schema.ts

@@ -8,10 +8,7 @@ export const AzureDevOpsSyncDestinationSchema = BaseSecretSyncSchema().merge(
     destination: z.literal(SecretSync.AzureDevOps),
     destinationConfig: z.object({
       devopsProjectId: z.string().trim().min(1, { message: "Azure DevOps Project ID is required" }),
-      devopsProjectName: z
-        .string()
-        .trim()
-        .min(1, { message: "Azure DevOps Project Name is required" })
+      devopsProjectName: z.string().trim().optional()
     })
   })
 );

frontend/src/components/secret-syncs/forms/schemas/checkly-sync-destination-schema.ts

@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const ChecklySyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.Checkly),
+    destinationConfig: z.object({
+      accountId: z.string(),
+      accountName: z.string()
+    })
+  })
+);

frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts

@@ -7,6 +7,7 @@ import { AzureAppConfigurationSyncDestinationSchema } from "./azure-app-configur
 import { AzureDevOpsSyncDestinationSchema } from "./azure-devops-sync-destination-schema";
 import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
 import { CamundaSyncDestinationSchema } from "./camunda-sync-destination-schema";
+import { ChecklySyncDestinationSchema } from "./checkly-sync-destination-schema";
 import { CloudflarePagesSyncDestinationSchema } from "./cloudflare-pages-sync-destination-schema";
 import { CloudflareWorkersSyncDestinationSchema } from "./cloudflare-workers-sync-destination-schema";
 import { DatabricksSyncDestinationSchema } from "./databricks-sync-destination-schema";
@@ -52,7 +53,8 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
   CloudflareWorkersSyncDestinationSchema,
 
   ZabbixSyncDestinationSchema,
-  RailwaySyncDestinationSchema
+  RailwaySyncDestinationSchema,
+  ChecklySyncDestinationSchema
 ]);
 
 export const SecretSyncFormSchema = SecretSyncUnionSchema;

frontend/src/components/v2/Breadcrumb/Breadcrumb.tsx

@@ -1,6 +1,6 @@
 /* eslint-disable react/prop-types */
 import React from "react";
-import { faEllipsis, faSort } from "@fortawesome/free-solid-svg-icons";
+import { faCaretDown, faEllipsis } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Link, ReactNode } from "@tanstack/react-router";
 import { LinkComponentProps } from "node_modules/@tanstack/react-router/dist/esm/link";
@@ -27,7 +27,7 @@ const BreadcrumbList = React.forwardRef<HTMLOListElement, React.ComponentPropsWi
     <ol
       ref={ref}
       className={twMerge(
-        "flex flex-wrap items-center gap-1.5 break-words text-sm text-bunker-100 sm:gap-2.5",
+        "flex flex-wrap items-center break-words text-sm text-bunker-100",
         className
       )}
       {...props}
@@ -56,7 +56,7 @@ const BreadcrumbLink = React.forwardRef<
   return (
     <div
       ref={ref}
-      className={twMerge("transition-colors hover:text-primary-400", className)}
+      className={twMerge("transition-colors hover:text-primary", className)}
       {...props}
     />
   );
@@ -79,7 +79,7 @@ BreadcrumbPage.displayName = "BreadcrumbPage";
 
 const BreadcrumbSeparator = ({ children, className, ...props }: React.ComponentProps<"li">) => (
   <li role="presentation" aria-hidden="true" className={twMerge("", className)} {...props}>
-    {children ?? <p className="px-2 text-lg text-mineshaft-400/70">/</p>}
+    {children ?? <p className="px-3 text-lg text-mineshaft-400/70">/</p>}
   </li>
 );
 BreadcrumbSeparator.displayName = "BreadcrumbSeparator";
@@ -121,7 +121,7 @@ export type TBreadcrumbFormat =
     };
 
 const BreadcrumbContainer = ({ breadcrumbs }: { breadcrumbs: TBreadcrumbFormat[] }) => (
-  <div className="mx-auto max-w-7xl py-4 text-white">
+  <div className="mx-auto max-w-7xl text-white">
     <Breadcrumb>
       <BreadcrumbList>
         {(breadcrumbs as TBreadcrumbFormat[]).map((el, index) => {
@@ -134,12 +134,17 @@ const BreadcrumbContainer = ({ breadcrumbs }: { breadcrumbs: TBreadcrumbFormat[]
                 <DropdownMenu>
                   <DropdownMenuTrigger>
                     <BreadcrumbItem>
-                      <BreadcrumbSegment className="rounded-md px-2 py-1 py-2 hover:bg-mineshaft-600">
-                        {el.label} <FontAwesomeIcon icon={faSort} size="sm" />
+                      <BreadcrumbSegment className="rounded-md py-1 py-2">
+                        {el.label}{" "}
+                        <FontAwesomeIcon
+                          icon={faCaretDown}
+                          size="sm"
+                          className="ml-2 text-bunker-300"
+                        />
                       </BreadcrumbSegment>
                     </BreadcrumbItem>
                   </DropdownMenuTrigger>
-                  <DropdownMenuContent side="right" align="start">
+                  <DropdownMenuContent side="bottom" sideOffset={8} align="start">
                     {el?.dropdownTitle && <DropdownMenuLabel>{el.dropdownTitle}</DropdownMenuLabel>}
                     {el.links.map((i, dropIndex) => (
                       <Link

frontend/src/components/v2/Checkbox/Checkbox.tsx

@@ -42,7 +42,7 @@ export const Checkbox = ({
         className={twMerge(
           "flex h-4 w-4 flex-shrink-0 items-center justify-center rounded border border-mineshaft-400/50 bg-mineshaft-600 shadow transition-all hover:bg-mineshaft-500",
           isDisabled && "bg-bunker-400 hover:bg-bunker-400",
-          isChecked && "border-primary/30 bg-primary/10",
+          isChecked && "border-primary/50 bg-primary/30",
           Boolean(children) && "mr-3",
           className
         )}

frontend/src/helpers/appConnections.ts

@@ -41,6 +41,7 @@ import {
   ZabbixConnectionMethod
 } from "@app/hooks/api/appConnections/types";
 import { BitbucketConnectionMethod } from "@app/hooks/api/appConnections/types/bitbucket-connection";
+import { ChecklyConnectionMethod } from "@app/hooks/api/appConnections/types/checkly-connection";
 import { HerokuConnectionMethod } from "@app/hooks/api/appConnections/types/heroku-connection";
 import { OCIConnectionMethod } from "@app/hooks/api/appConnections/types/oci-connection";
 import { RailwayConnectionMethod } from "@app/hooks/api/appConnections/types/railway-connection";
@@ -94,7 +95,8 @@ export const APP_CONNECTION_MAP: Record<
   [AppConnection.Cloudflare]: { name: "Cloudflare", image: "Cloudflare.png" },
   [AppConnection.Zabbix]: { name: "Zabbix", image: "Zabbix.png" },
   [AppConnection.Railway]: { name: "Railway", image: "Railway.png" },
-  [AppConnection.Bitbucket]: { name: "Bitbucket", image: "Bitbucket.png" }
+  [AppConnection.Bitbucket]: { name: "Bitbucket", image: "Bitbucket.png" },
+  [AppConnection.Checkly]: { name: "Checkly", image: "Checkly.png" }
 };
 
 export const getAppConnectionMethodDetails = (method: TAppConnection["method"]) => {
@@ -155,7 +157,9 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
     case RailwayConnectionMethod.ProjectToken:
       return { name: "Project Token", icon: faKey };
     case RenderConnectionMethod.ApiKey:
+    case ChecklyConnectionMethod.ApiKey:
       return { name: "API Key", icon: faKey };
+
     default:
       throw new Error(`Unhandled App Connection Method: ${method}`);
   }

frontend/src/helpers/secretSyncs.ts

@@ -93,6 +93,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
   [SecretSync.Railway]: {
     name: "Railway",
     image: "Railway.png"
+  },
+  [SecretSync.Checkly]: {
+    name: "Checkly",
+    image: "Checkly.png"
   }
 };
 
@@ -122,7 +126,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.CloudflareWorkers]: AppConnection.Cloudflare,
 
   [SecretSync.Zabbix]: AppConnection.Zabbix,
-  [SecretSync.Railway]: AppConnection.Railway
+  [SecretSync.Railway]: AppConnection.Railway,
+  [SecretSync.Checkly]: AppConnection.Checkly
 };
 
 export const SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP: Record<

frontend/src/hooks/api/appConnections/checkly/index.ts

@@ -0,0 +1,2 @@
+export * from "./queries";
+export * from "./types";

frontend/src/hooks/api/appConnections/checkly/queries.tsx

@@ -0,0 +1,37 @@
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+import { appConnectionKeys } from "@app/hooks/api/appConnections";
+
+import { TChecklyAccount } from "./types";
+
+const checklyConnectionKeys = {
+  all: [...appConnectionKeys.all, "checkly"] as const,
+  listAccounts: (connectionId: string) =>
+    [...checklyConnectionKeys.all, "workspace-scopes", connectionId] as const
+};
+
+export const useChecklyConnectionListAccounts = (
+  connectionId: string,
+  options?: Omit<
+    UseQueryOptions<
+      TChecklyAccount[],
+      unknown,
+      TChecklyAccount[],
+      ReturnType<typeof checklyConnectionKeys.listAccounts>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: checklyConnectionKeys.listAccounts(connectionId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<{ accounts: TChecklyAccount[] }>(
+        `/api/v1/app-connections/checkly/${connectionId}/accounts`
+      );
+
+      return data.accounts;
+    },
+    ...options
+  });
+};

frontend/src/hooks/api/appConnections/checkly/types.ts

@@ -0,0 +1,5 @@
+export type TChecklyAccount = {
+  id: string;
+  name: string;
+  runtimeId: string;
+};

frontend/src/hooks/api/appConnections/enums.ts

@@ -30,5 +30,6 @@ export enum AppConnection {
   Cloudflare = "cloudflare",
   Bitbucket = "bitbucket",
   Zabbix = "zabbix",
-  Railway = "railway"
+  Railway = "railway",
+  Checkly = "checkly"
 }

frontend/src/hooks/api/appConnections/types/app-options.ts

@@ -144,6 +144,10 @@ export type TRailwayConnectionOption = TAppConnectionOptionBase & {
   app: AppConnection.Railway;
 };
 
+export type TChecklyConnectionOption = TAppConnectionOptionBase & {
+  app: AppConnection.Checkly;
+};
+
 export type TAppConnectionOption =
   | TAwsConnectionOption
   | TGitHubConnectionOption
@@ -174,7 +178,8 @@ export type TAppConnectionOption =
   | TCloudflareConnectionOption
   | TBitbucketConnectionOption
   | TZabbixConnectionOption
-  | TRailwayConnectionOption;
+  | TRailwayConnectionOption
+  | TChecklyConnectionOption;
 
 export type TAppConnectionOptionMap = {
   [AppConnection.AWS]: TAwsConnectionOption;
@@ -209,4 +214,5 @@ export type TAppConnectionOptionMap = {
   [AppConnection.Bitbucket]: TBitbucketConnectionOption;
   [AppConnection.Zabbix]: TZabbixConnectionOption;
   [AppConnection.Railway]: TRailwayConnectionOption;
+  [AppConnection.Checkly]: TChecklyConnectionOption;
 };

frontend/src/hooks/api/appConnections/types/checkly-connection.ts

@@ -0,0 +1,14 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
+
+export enum ChecklyConnectionMethod {
+  ApiKey = "api-key"
+}
+
+export type TChecklyConnection = TRootAppConnection & {
+  app: AppConnection.Checkly;
+  method: ChecklyConnectionMethod.ApiKey;
+  credentials: {
+    apiKey: string;
+  };
+};

frontend/src/hooks/api/appConnections/types/index.ts

@@ -9,6 +9,7 @@ import { TAzureDevOpsConnection } from "./azure-devops-connection";
 import { TAzureKeyVaultConnection } from "./azure-key-vault-connection";
 import { TBitbucketConnection } from "./bitbucket-connection";
 import { TCamundaConnection } from "./camunda-connection";
+import { TChecklyConnection } from "./checkly-connection";
 import { TCloudflareConnection } from "./cloudflare-connection";
 import { TDatabricksConnection } from "./databricks-connection";
 import { TFlyioConnection } from "./flyio-connection";
@@ -97,7 +98,8 @@ export type TAppConnection =
   | TCloudflareConnection
   | TBitbucketConnection
   | TZabbixConnection
-  | TRailwayConnection;
+  | TRailwayConnection
+  | TChecklyConnection;
 
 export type TAvailableAppConnection = Pick<TAppConnection, "name" | "id">;
 
@@ -157,4 +159,5 @@ export type TAppConnectionMap = {
   [AppConnection.Bitbucket]: TBitbucketConnection;
   [AppConnection.Zabbix]: TZabbixConnection;
   [AppConnection.Railway]: TRailwayConnection;
+  [AppConnection.Checkly]: TChecklyConnection;
 };

frontend/src/hooks/api/secretApprovalRequest/types.ts

@@ -43,6 +43,7 @@ export type TSecretApprovalRequest = {
   isReplicated?: boolean;
   slug: string;
   createdAt: string;
+  updatedAt: string;
   committerUserId: string;
   reviewers: {
     userId: string;

frontend/src/hooks/api/secretSyncs/enums.ts

@@ -24,7 +24,8 @@ export enum SecretSync {
   CloudflareWorkers = "cloudflare-workers",
 
   Zabbix = "zabbix",
-  Railway = "railway"
+  Railway = "railway",
+  Checkly = "checkly"
 }
 
 export enum SecretSyncStatus {

frontend/src/hooks/api/secretSyncs/types/azure-devops-sync.ts

@@ -6,7 +6,7 @@ export type TAzureDevOpsSync = TRootSecretSync & {
   destination: SecretSync.AzureDevOps;
   destinationConfig: {
     devopsProjectId: string;
-    devopsProjectName: string;
+    devopsProjectName?: string;
   };
   connection: {
     app: AppConnection.AzureDevOps;

frontend/src/hooks/api/secretSyncs/types/checkly-sync.ts

@@ -0,0 +1,17 @@
+/* eslint-disable @typescript-eslint/no-empty-object-type */
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
+
+export type TChecklySync = TRootSecretSync & {
+  destination: SecretSync.Checkly;
+  destinationConfig: {
+    accountId: string;
+    accountName: string;
+  };
+  connection: {
+    app: AppConnection.Checkly;
+    name: string;
+    id: string;
+  };
+};

frontend/src/hooks/api/secretSyncs/types/index.ts

@@ -9,6 +9,7 @@ import { TAzureAppConfigurationSync } from "./azure-app-configuration-sync";
 import { TAzureDevOpsSync } from "./azure-devops-sync";
 import { TAzureKeyVaultSync } from "./azure-key-vault-sync";
 import { TCamundaSync } from "./camunda-sync";
+import { TChecklySync } from "./checkly-sync";
 import { TCloudflarePagesSync } from "./cloudflare-pages-sync";
 import { TCloudflareWorkersSync } from "./cloudflare-workers-sync";
 import { TDatabricksSync } from "./databricks-sync";
@@ -59,7 +60,8 @@ export type TSecretSync =
   | TCloudflarePagesSync
   | TCloudflareWorkersSync
   | TZabbixSync
-  | TRailwaySync;
+  | TRailwaySync
+  | TChecklySync;
 
 export type TListSecretSyncs = { secretSyncs: TSecretSync[] };