fix: correct tw styling

Use non root user for docs Dockerfile

.env.example

@@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP 
+# Mail/SMTP
 SMTP_HOST=
 SMTP_PORT=
 SMTP_FROM_ADDRESS=
@@ -132,3 +132,6 @@ DATADOG_PROFILING_ENABLED=
 DATADOG_ENV=
 DATADOG_SERVICE=
 DATADOG_HOSTNAME=
+
+# kubernetes
+KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

Dockerfile.standalone-infisical

@@ -34,6 +34,7 @@ ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
+ENV NODE_OPTIONS="--max-old-space-size=8192"
 
 # Build
 RUN npm run build
@@ -77,6 +78,7 @@ RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
+ENV NODE_OPTIONS="--max-old-space-size=8192"
 RUN npm run build
 
 # Production stage

backend/src/db/migrations/20250710022434_add-index-for-access-token.ts

@@ -13,12 +13,12 @@ export async function up(knex: Knex): Promise<void> {
 
     // iat means IdentityAccessToken
     await knex.raw(`
-          CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_iat_identity_id 
+          CREATE INDEX IF NOT EXISTS idx_iat_identity_id 
           ON ${TableName.IdentityAccessToken} ("identityId")
         `);
 
     await knex.raw(`
-          CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_iat_ua_client_secret_id 
+          CREATE INDEX IF NOT EXISTS idx_iat_ua_client_secret_id 
           ON ${TableName.IdentityAccessToken} ("identityUAClientSecretId")
         `);
   } finally {
@@ -44,5 +44,3 @@ export async function down(knex: Knex): Promise<void> {
     await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
   }
 }
-
-export const config = { transaction: false };

backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts

@@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  // update all the secret approval policies secretPath to be "/**"
+  if (existingSecretApprovalPolicies.length) {
+    await knex(TableName.SecretApprovalPolicy)
+      .whereIn(
+        "id",
+        existingSecretApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  // update all the access approval policies secretPath to be "/**"
+  if (existingAccessApprovalPolicies.length) {
+    await knex(TableName.AccessApprovalPolicy)
+      .whereIn(
+        "id",
+        existingAccessApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+}

backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
+
+  if (hasCommitterCol) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      tb.uuid("committerUserId").nullable().alter();
+    });
+  }
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // can't undo committer nullable
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+  }
+}

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -0,0 +1,66 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+export async function up(knex: Knex) {
+  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
+    .select(selectAllTableCols(TableName.SuperAdmin))
+    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
+
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+  const decryptor = kmsService.decryptWithRootKey();
+  const encryptor = kmsService.encryptWithRootKey();
+
+  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
+    const overrides = (
+      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
+    ) as Record<string, string>;
+
+    if (admin.encryptedGitHubAppConnectionClientId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
+        admin.encryptedGitHubAppConnectionClientId
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionClientSecret) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
+        admin.encryptedGitHubAppConnectionClientSecret
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionPrivateKey) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
+        admin.encryptedGitHubAppConnectionPrivateKey
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionSlug) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
+    }
+
+    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
+
+    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
+      encryptedEnvOverrides
+    });
+  });
+
+  await Promise.all(tasks);
+}
+
+export async function down() {
+  // No down migration needed as this migration is only for data transformation
+  // and does not change the schema.
+}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -14,8 +14,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   updatedAt: z.date(),
   approverUserId: z.string().uuid().nullable().optional(),
   approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(0).nullable().optional(),
-  approvalsRequired: z.number().default(1).nullable().optional()
+  sequence: z.number().default(1).nullable().optional(),
+  approvalsRequired: z.number().nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/access-approval-policies.ts

@@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),

backend/src/db/schemas/certificate-authorities.ts

@@ -12,8 +12,8 @@ export const CertificateAuthoritiesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   projectId: z.string(),
-  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   name: z.string()
 });
 

backend/src/db/schemas/certificates.ts

@@ -25,8 +25,8 @@ export const CertificatesSchema = z.object({
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional(),
-  projectId: z.string()
+  projectId: z.string(),
+  pkiSubscriberId: z.string().uuid().nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),

backend/src/db/schemas/secret-approval-requests.ts

@@ -18,7 +18,7 @@ export const SecretApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
-  committerUserId: z.string().uuid(),
+  committerUserId: z.string().uuid().nullable().optional(),
   statusChangedByUserId: z.string().uuid().nullable().optional(),
   bypassReason: z.string().nullable().optional()
 });

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -2,6 +2,7 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -19,7 +20,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z.object({
         projectSlug: z.string().trim(),
         name: z.string().optional(),
-        secretPath: z.string().trim().default("/"),
+        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
         environment: z.string(),
         approvers: z
           .discriminatedUnion("type", [
@@ -174,8 +175,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         secretPath: z
           .string()
           .trim()
+          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -23,10 +23,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         environment: z.string(),
         secretPath: z
           .string()
-          .optional()
-          .nullable()
-          .default("/")
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          .min(1, { message: "Secret path cannot be empty" })
+          .transform((val) => removeTrailingSlash(val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
@@ -100,10 +98,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
+          .trim()
+          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .nullable()
-          .transform((val) => (val ? removeTrailingSlash(val) : val))
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
         allowedSelfApprovals: z.boolean().default(true)
       }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -58,7 +58,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               deletedAt: z.date().nullish(),
               allowedSelfApprovals: z.boolean()
             }),
-            committerUser: approvalRequestUser,
+            committerUser: approvalRequestUser.nullish(),
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
             environment: z.string(),
             reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
@@ -308,7 +308,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
-              committerUser: approvalRequestUser,
+              committerUser: approvalRequestUser.nullish(),
               reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -53,7 +53,7 @@ export interface TAccessApprovalPolicyDALFactory
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -93,7 +93,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
         deletedAt?: Date | null | undefined;
         environment: {
           id: string;
@@ -116,7 +116,7 @@ export interface TAccessApprovalPolicyDALFactory
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   findLastValidPolicy: (
@@ -138,7 +138,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
         deletedAt?: Date | null | undefined;
       }
     | undefined
@@ -190,7 +190,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -214,7 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -252,7 +252,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
@@ -286,7 +286,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -337,7 +337,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -60,6 +60,26 @@ export const accessApprovalPolicyServiceFactory = ({
   accessApprovalRequestReviewerDAL,
   orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await accessApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
   const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
     name,
     actor,
@@ -106,6 +126,12 @@ export const accessApprovalPolicyServiceFactory = ({
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
     if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
+
     let approverUserIds = userApprovers;
     if (userApproverNames.length) {
       const approverUsersInDB = await userDAL.find({
@@ -279,7 +305,11 @@ export const accessApprovalPolicyServiceFactory = ({
     ) as { username: string; sequence?: number }[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({
+        message: `Access approval policy with ID '${policyId}' not found`
+      });
+    }
 
     const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
@@ -290,9 +320,18 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    if (!accessApprovalPolicy) {
-      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
+    if (
+      await $policyExists({
+        envId: accessApprovalPolicy.envId,
+        secretPath: secretPath || accessApprovalPolicy.secretPath,
+        policyId: accessApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
+      });
     }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -122,7 +122,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -146,7 +146,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -218,7 +218,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -269,7 +269,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1711,7 +1711,7 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
   type: EventType.SECRET_APPROVAL_REQUEST;
   metadata: {
-    committedBy: string;
+    committedBy?: string | null;
     secretApprovalRequestSlug: string;
     secretApprovalRequestId: string;
     eventType: SecretApprovalEvent;

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -21,7 +21,7 @@ import { randomUUID } from "crypto";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -81,6 +81,21 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       return client;
     }
 
+    if (providerInputs.method === AwsIamAuthType.IRSA) {
+      // Allow instances to disable automatic service account token fetching (e.g. for shared cloud)
+      if (!appCfg.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN) {
+        throw new UnauthorizedError({
+          message: "Failed to get AWS credentials via IRSA: KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN is not enabled."
+        });
+      }
+
+      // The SDK will automatically pick up credentials from the environment
+      const client = new IAMClient({
+        region: providerInputs.region
+      });
+      return client;
+    }
+
     const client = new IAMClient({
       region: providerInputs.region,
       credentials: {
@@ -101,7 +116,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       .catch((err) => {
         const message = (err as Error)?.message;
         if (
-          providerInputs.method === AwsIamAuthType.AssumeRole &&
+          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
           // assume role will throw an error asking to provider username, but if so this has access in aws correctly
           message.includes("Must specify userName when calling with non-User credentials")
         ) {

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -28,7 +28,8 @@ export enum SqlProviders {
 
 export enum AwsIamAuthType {
   AssumeRole = "assume-role",
-  AccessKey = "access-key"
+  AccessKey = "access-key",
+  IRSA = "irsa"
 }
 
 export enum ElasticSearchAuthTypes {
@@ -221,6 +222,16 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
       userGroups: z.string().trim().optional(),
       policyArns: z.string().trim().optional(),
       tags: ResourceMetadataSchema.optional()
+    }),
+    z.object({
+      method: z.literal(AwsIamAuthType.IRSA),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
     })
   ])
 );

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -361,13 +361,6 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({

backend/src/ee/services/license/licence-enums.ts

@@ -1,5 +1,4 @@
 export const BillingPlanRows = {
-  MemberLimit: { name: "Organization member limit", field: "memberLimit" },
   IdentityLimit: { name: "Organization identity limit", field: "identityLimit" },
   WorkspaceLimit: { name: "Project limit", field: "workspaceLimit" },
   EnvironmentLimit: { name: "Environment limit", field: "environmentLimit" },

backend/src/ee/services/license/license-service.ts

@@ -442,9 +442,7 @@ export const licenseServiceFactory = ({
         rows: data.rows.map((el) => {
           let used = "-";
 
-          if (el.name === BillingPlanRows.MemberLimit.name) {
-            used = orgMembersUsed.toString();
-          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+          if (el.name === BillingPlanRows.WorkspaceLimit.name) {
             used = projectCount.toString();
           } else if (el.name === BillingPlanRows.IdentityLimit.name) {
             used = (identityUsed + orgMembersUsed).toString();
@@ -464,12 +462,10 @@ export const licenseServiceFactory = ({
         const allowed = onPremFeatures[field as keyof TFeatureSet];
         let used = "-";
 
-        if (field === BillingPlanRows.MemberLimit.field) {
-          used = orgMembersUsed.toString();
-        } else if (field === BillingPlanRows.WorkspaceLimit.field) {
+        if (field === BillingPlanRows.WorkspaceLimit.field) {
           used = projectCount.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          used = identityUsed.toString();
+          used = (identityUsed + orgMembersUsed).toString();
         }
 
         return {

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -311,13 +311,6 @@ export const samlConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -55,6 +55,26 @@ export const secretApprovalPolicyServiceFactory = ({
   licenseService,
   secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await secretApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
   const createSecretApprovalPolicy = async ({
     name,
     actor,
@@ -106,10 +126,17 @@ export const secretApprovalPolicyServiceFactory = ({
     }
 
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env)
+    if (!env) {
       throw new NotFoundError({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
+    }
+
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
 
     let groupBypassers: string[] = [];
     let bypasserUserIds: string[] = [];
@@ -260,6 +287,18 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
+    if (
+      await $policyExists({
+        envId: secretApprovalPolicy.envId,
+        secretPath: secretPath || secretApprovalPolicy.secretPath,
+        policyId: secretApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -4,7 +4,7 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app
 
 export type TCreateSapDTO = {
   approvals: number;
-  secretPath?: string | null;
+  secretPath: string;
   environment: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
@@ -20,7 +20,7 @@ export type TCreateSapDTO = {
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
-  secretPath?: string | null;
+  secretPath?: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
     | { type: BypasserType.Group; id: string }

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -45,7 +45,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
         `statusChangedByUser.id`
       )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
         db(TableName.Users).as("committerUser"),
         `${TableName.SecretApprovalRequest}.committerUserId`,
         `committerUser.id`
@@ -173,13 +173,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                 username: el.statusChangedByUserUsername
               }
             : undefined,
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          },
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null,
           policy: {
             id: el.policyId,
             name: el.policyName,
@@ -377,7 +379,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -488,13 +490,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
         }),
         childrenMapper: [
           {
@@ -581,7 +585,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -693,13 +697,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
         }),
         childrenMapper: [
           {

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1320,7 +1320,7 @@ export const secretApprovalRequestServiceFactory = ({
     });
 
     const env = await projectEnvDAL.findOne({ id: policy.envId });
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);
 
     await triggerWorkflowIntegrationNotification({
       input: {
@@ -1657,7 +1657,7 @@ export const secretApprovalRequestServiceFactory = ({
       return { ...doc, commits: approvalCommits };
     });
 
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });
 
     await triggerWorkflowIntegrationNotification({

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -37,7 +37,8 @@ import {
   TQueueSecretScanningDataSourceFullScan,
   TQueueSecretScanningResourceDiffScan,
   TQueueSecretScanningSendNotification,
-  TSecretScanningDataSourceWithConnection
+  TSecretScanningDataSourceWithConnection,
+  TSecretScanningFinding
 } from "./secret-scanning-v2-types";
 
 type TSecretRotationV2QueueServiceFactoryDep = {
@@ -459,13 +460,16 @@ export const secretScanningV2QueueServiceFactory = async ({
         const newFindings = allFindings.filter((finding) => finding.scanId === scanId);
 
         if (newFindings.length) {
+          const finding = newFindings[0] as TSecretScanningFinding;
           await queueService.queuePg(QueueJobs.SecretScanningV2SendNotification, {
             status: SecretScanningScanStatus.Completed,
             resourceName: resource.name,
             isDiffScan: true,
             dataSource,
             numberOfSecrets: newFindings.length,
-            scanId
+            scanId,
+            authorName: finding?.details?.author,
+            authorEmail: finding?.details?.email
           });
         }
 
@@ -582,8 +586,8 @@ export const secretScanningV2QueueServiceFactory = async ({
           substitutions:
             payload.status === SecretScanningScanStatus.Completed
               ? {
-                  authorName: "Jim",
-                  authorEmail: "jim@infisical.com",
+                  authorName: payload.authorName,
+                  authorEmail: payload.authorEmail,
                   resourceName,
                   numberOfSecrets: payload.numberOfSecrets,
                   isDiffScan: payload.isDiffScan,

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-types.ts

@@ -119,7 +119,14 @@ export type TQueueSecretScanningSendNotification = {
   resourceName: string;
 } & (
   | { status: SecretScanningScanStatus.Failed; errorMessage: string }
-  | { status: SecretScanningScanStatus.Completed; numberOfSecrets: number; scanId: string; isDiffScan: boolean }
+  | {
+      status: SecretScanningScanStatus.Completed;
+      numberOfSecrets: number;
+      scanId: string;
+      isDiffScan: boolean;
+      authorName?: string;
+      authorEmail?: string;
+    }
 );
 
 export type TCloneRepository = {

backend/src/lib/api-docs/constants.ts

@@ -2279,6 +2279,9 @@ export const AppConnections = {
     ZABBIX: {
       apiToken: "The API Token used to access Zabbix.",
       instanceUrl: "The Zabbix instance URL to connect with."
+    },
+    RAILWAY: {
+      apiToken: "The API token used to authenticate with Railway."
     }
   }
 };
@@ -2469,11 +2472,22 @@ export const SecretSyncs = {
       projectName: "The name of the Cloudflare Pages project to sync secrets to.",
       environment: "The environment of the Cloudflare Pages project to sync secrets to."
     },
+    CLOUDFLARE_WORKERS: {
+      scriptId: "The ID of the Cloudflare Workers script to sync secrets to."
+    },
     ZABBIX: {
       scope: "The Zabbix scope that secrets should be synced to.",
       hostId: "The ID of the Zabbix host to sync secrets to.",
       hostName: "The name of the Zabbix host to sync secrets to.",
       macroType: "The type of macro to sync secrets to. (0: Text, 1: Secret)"
+    },
+    RAILWAY: {
+      projectId: "The ID of the Railway project to sync secrets to.",
+      projectName: "The name of the Railway project to sync secrets to.",
+      environmentId: "The Railway environment to sync secrets to.",
+      environmentName: "The Railway environment to sync secrets to.",
+      serviceId: "The Railway service that secrets should be synced to.",
+      serviceName: "The Railway service that secrets should be synced to."
     }
   }
 };
@@ -2594,7 +2608,9 @@ export const SecretRotations = {
 
 export const SecretScanningDataSources = {
   LIST: (type?: SecretScanningDataSource) => ({
-    projectId: `The ID of the project to list ${type ? SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type] : "Scanning"} Data Sources from.`
+    projectId: `The ID of the project to list ${
+      type ? SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type] : "Scanning"
+    } Data Sources from.`
   }),
   GET_BY_ID: (type: SecretScanningDataSource) => ({
     dataSourceId: `The ID of the ${SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type]} Data Source to retrieve.`

backend/src/lib/config/env.ts

@@ -28,6 +28,7 @@ const databaseReadReplicaSchema = z
 const envSchema = z
   .object({
     INFISICAL_PLATFORM_VERSION: zpStr(z.string().optional()),
+    KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN: zodStrBool.default("false"),
     PORT: z.coerce.number().default(IS_PACKAGED ? 8080 : 4000),
     DISABLE_SECRET_SCANNING: z
       .enum(["true", "false"])
@@ -373,6 +374,19 @@ export const overwriteSchema: {
     fields: { key: keyof TEnvConfig; description?: string }[];
   };
 } = {
+  aws: {
+    name: "AWS",
+    fields: [
+      {
+        key: "INF_APP_CONNECTION_AWS_ACCESS_KEY_ID",
+        description: "The Access Key ID of your AWS account."
+      },
+      {
+        key: "INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY",
+        description: "The Client Secret of your AWS application."
+      }
+    ]
+  },
   azure: {
     name: "Azure",
     fields: [
@@ -386,16 +400,79 @@ export const overwriteSchema: {
       }
     ]
   },
-  google_sso: {
-    name: "Google SSO",
+  gcp: {
+    name: "GCP",
     fields: [
       {
-        key: "CLIENT_ID_GOOGLE_LOGIN",
-        description: "The Client ID of your GCP OAuth2 application."
+        key: "INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL",
+        description: "The GCP Service Account JSON credentials."
+      }
+    ]
+  },
+  github_app: {
+    name: "GitHub App",
+    fields: [
+      {
+        key: "INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID",
+        description: "The Client ID of your GitHub application."
       },
       {
-        key: "CLIENT_SECRET_GOOGLE_LOGIN",
-        description: "The Client Secret of your GCP OAuth2 application."
+        key: "INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET",
+        description: "The Client Secret of your GitHub application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_APP_SLUG",
+        description: "The Slug of your GitHub application. This is the one found in the URL."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_APP_ID",
+        description: "The App ID of your GitHub application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY",
+        description: "The Private Key of your GitHub application."
+      }
+    ]
+  },
+  github_oauth: {
+    name: "GitHub OAuth",
+    fields: [
+      {
+        key: "INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID",
+        description: "The Client ID of your GitHub OAuth application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET",
+        description: "The Client Secret of your GitHub OAuth application."
+      }
+    ]
+  },
+  github_radar_app: {
+    name: "GitHub Radar App",
+    fields: [
+      {
+        key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID",
+        description: "The Client ID of your GitHub application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET",
+        description: "The Client Secret of your GitHub application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG",
+        description: "The Slug of your GitHub application. This is the one found in the URL."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_ID",
+        description: "The App ID of your GitHub application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY",
+        description: "The Private Key of your GitHub application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET",
+        description: "The Webhook Secret of your GitHub application."
       }
     ]
   },
@@ -412,6 +489,19 @@ export const overwriteSchema: {
       }
     ]
   },
+  gitlab_oauth: {
+    name: "GitLab OAuth",
+    fields: [
+      {
+        key: "INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID",
+        description: "The Client ID of your GitLab OAuth application."
+      },
+      {
+        key: "INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET",
+        description: "The Client Secret of your GitLab OAuth application."
+      }
+    ]
+  },
   gitlab_sso: {
     name: "GitLab SSO",
     fields: [
@@ -429,6 +519,19 @@ export const overwriteSchema: {
           "The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to https://gitlab.com."
       }
     ]
+  },
+  google_sso: {
+    name: "Google SSO",
+    fields: [
+      {
+        key: "CLIENT_ID_GOOGLE_LOGIN",
+        description: "The Client ID of your GCP OAuth2 application."
+      },
+      {
+        key: "CLIENT_SECRET_GOOGLE_LOGIN",
+        description: "The Client Secret of your GCP OAuth2 application."
+      }
+    ]
   }
 };
 

backend/src/lib/config/request.ts

@@ -1,11 +1,18 @@
-import axios from "axios";
-import axiosRetry from "axios-retry";
+import axios, { AxiosInstance, CreateAxiosDefaults } from "axios";
+import axiosRetry, { IAxiosRetryConfig } from "axios-retry";
 
-export const request = axios.create();
+export function createRequestClient(defaults: CreateAxiosDefaults = {}, retry: IAxiosRetryConfig = {}): AxiosInstance {
+  const client = axios.create(defaults);
 
-axiosRetry(request, {
-  retries: 3,
-  // eslint-disable-next-line
-  retryDelay: axiosRetry.exponentialDelay,
-  retryCondition: (err) => axiosRetry.isNetworkError(err) || axiosRetry.isRetryableError(err)
-});
+  axiosRetry(client, {
+    retries: 3,
+    // eslint-disable-next-line
+    retryDelay: axiosRetry.exponentialDelay,
+    retryCondition: (err) => axiosRetry.isNetworkError(err) || axiosRetry.isRetryableError(err),
+    ...retry
+  });
+
+  return client;
+}
+
+export const request = createRequestClient();

backend/src/server/routes/v1/admin-router.ts

@@ -49,7 +49,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             defaultAuthOrgSlug: z.string().nullable(),
             defaultAuthOrgAuthEnforced: z.boolean().nullish(),
             defaultAuthOrgAuthMethod: z.string().nullish(),
-            isSecretScanningDisabled: z.boolean()
+            isSecretScanningDisabled: z.boolean(),
+            kubernetesAutoFetchServiceAccountToken: z.boolean()
           })
         })
       }
@@ -61,7 +62,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         config: {
           ...config,
           isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
-          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
+          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
+          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN
         }
       };
     }

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -71,6 +71,10 @@ import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
 } from "@app/services/app-connection/postgres";
+import {
+  RailwayConnectionListItemSchema,
+  SanitizedRailwayConnectionSchema
+} from "@app/services/app-connection/railway";
 import {
   RenderConnectionListItemSchema,
   SanitizedRenderConnectionSchema
@@ -123,7 +127,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedGitLabConnectionSchema.options,
   ...SanitizedCloudflareConnectionSchema.options,
   ...SanitizedBitbucketConnectionSchema.options,
-  ...SanitizedZabbixConnectionSchema.options
+  ...SanitizedZabbixConnectionSchema.options,
+  ...SanitizedRailwayConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -157,7 +162,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   GitLabConnectionListItemSchema,
   CloudflareConnectionListItemSchema,
   BitbucketConnectionListItemSchema,
-  ZabbixConnectionListItemSchema
+  ZabbixConnectionListItemSchema,
+  RailwayConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/cloudflare-connection-router.ts

@@ -50,4 +50,32 @@ export const registerCloudflareConnectionRouter = async (server: FastifyZodProvi
       return projects;
     }
   });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/cloudflare-workers-scripts`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects = await server.services.appConnection.cloudflare.listWorkersScripts(connectionId, req.permission);
+
+      return projects;
+    }
+  });
 };

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -25,6 +25,7 @@ import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerMySqlConnectionRouter } from "./mysql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
+import { registerRailwayConnectionRouter } from "./railway-connection-router";
 import { registerRenderConnectionRouter } from "./render-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@@ -66,5 +67,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.GitLab]: registerGitLabConnectionRouter,
     [AppConnection.Cloudflare]: registerCloudflareConnectionRouter,
     [AppConnection.Bitbucket]: registerBitbucketConnectionRouter,
-    [AppConnection.Zabbix]: registerZabbixConnectionRouter
+    [AppConnection.Zabbix]: registerZabbixConnectionRouter,
+    [AppConnection.Railway]: registerRailwayConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/railway-connection-router.ts

@@ -0,0 +1,67 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateRailwayConnectionSchema,
+  SanitizedRailwayConnectionSchema,
+  UpdateRailwayConnectionSchema
+} from "@app/services/app-connection/railway";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerRailwayConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Railway,
+    server,
+    sanitizedResponseSchema: SanitizedRailwayConnectionSchema,
+    createSchema: CreateRailwayConnectionSchema,
+    updateSchema: UpdateRailwayConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          projects: z
+            .object({
+              name: z.string(),
+              id: z.string(),
+              services: z.array(
+                z.object({
+                  name: z.string(),
+                  id: z.string()
+                })
+              ),
+              environments: z.array(
+                z.object({
+                  name: z.string(),
+                  id: z.string()
+                })
+              )
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects = await server.services.appConnection.railway.listProjects(connectionId, req.permission);
+
+      return { projects };
+    }
+  });
+};

backend/src/server/routes/v1/secret-sync-routers/cloudflare-workers-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CloudflareWorkersSyncSchema,
+  CreateCloudflareWorkersSyncSchema,
+  UpdateCloudflareWorkersSyncSchema
+} from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerCloudflareWorkersSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.CloudflareWorkers,
+    server,
+    responseSchema: CloudflareWorkersSyncSchema,
+    createSchema: CreateCloudflareWorkersSyncSchema,
+    updateSchema: UpdateCloudflareWorkersSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -9,6 +9,7 @@ import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
+import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
@@ -17,6 +18,7 @@ import { registerGitLabSyncRouter } from "./gitlab-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
+import { registerRailwaySyncRouter } from "./railway-sync-router";
 import { registerRenderSyncRouter } from "./render-sync-router";
 import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
@@ -49,5 +51,8 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Flyio]: registerFlyioSyncRouter,
   [SecretSync.GitLab]: registerGitLabSyncRouter,
   [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter,
-  [SecretSync.Zabbix]: registerZabbixSyncRouter
+  [SecretSync.CloudflareWorkers]: registerCloudflareWorkersSyncRouter,
+
+  [SecretSync.Zabbix]: registerZabbixSyncRouter,
+  [SecretSync.Railway]: registerRailwaySyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/railway-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateRailwaySyncSchema,
+  RailwaySyncSchema,
+  UpdateRailwaySyncSchema
+} from "@app/services/secret-sync/railway/railway-sync-schemas";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerRailwaySyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Railway,
+    server,
+    responseSchema: RailwaySyncSchema,
+    createSchema: CreateRailwaySyncSchema,
+    updateSchema: UpdateRailwaySyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -26,6 +26,10 @@ import {
   CloudflarePagesSyncListItemSchema,
   CloudflarePagesSyncSchema
 } from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
+import {
+  CloudflareWorkersSyncListItemSchema,
+  CloudflareWorkersSyncSchema
+} from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
@@ -34,6 +38,7 @@ import { GitLabSyncListItemSchema, GitLabSyncSchema } from "@app/services/secret
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
+import { RailwaySyncListItemSchema, RailwaySyncSchema } from "@app/services/secret-sync/railway/railway-sync-schemas";
 import { RenderSyncListItemSchema, RenderSyncSchema } from "@app/services/secret-sync/render/render-sync-schemas";
 import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
@@ -64,7 +69,10 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   FlyioSyncSchema,
   GitLabSyncSchema,
   CloudflarePagesSyncSchema,
-  ZabbixSyncSchema
+  CloudflareWorkersSyncSchema,
+
+  ZabbixSyncSchema,
+  RailwaySyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -90,7 +98,10 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   FlyioSyncListItemSchema,
   GitLabSyncListItemSchema,
   CloudflarePagesSyncListItemSchema,
-  ZabbixSyncListItemSchema
+  CloudflareWorkersSyncListItemSchema,
+
+  ZabbixSyncListItemSchema,
+  RailwaySyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -28,8 +28,9 @@ export enum AppConnection {
   Flyio = "flyio",
   GitLab = "gitlab",
   Cloudflare = "cloudflare",
-  Bitbucket = "bitbucket",
-  Zabbix = "zabbix"
+  Zabbix = "zabbix",
+  Railway = "railway",
+  Bitbucket = "bitbucket"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -91,6 +91,7 @@ import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
 import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
+import { getRailwayConnectionListItem, validateRailwayConnectionCredentials } from "./railway";
 import { RenderConnectionMethod } from "./render/render-connection-enums";
 import { getRenderConnectionListItem, validateRenderConnectionCredentials } from "./render/render-connection-fns";
 import {
@@ -143,8 +144,9 @@ export const listAppConnectionOptions = () => {
     getFlyioConnectionListItem(),
     getGitLabConnectionListItem(),
     getCloudflareConnectionListItem(),
-    getBitbucketConnectionListItem(),
-    getZabbixConnectionListItem()
+    getZabbixConnectionListItem(),
+    getRailwayConnectionListItem(),
+    getBitbucketConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -225,8 +227,9 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Railway]: validateRailwayConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -345,8 +348,9 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Flyio]: platformManagedCredentialsNotSupported,
   [AppConnection.GitLab]: platformManagedCredentialsNotSupported,
   [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported,
-  [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
-  [AppConnection.Zabbix]: platformManagedCredentialsNotSupported
+  [AppConnection.Zabbix]: platformManagedCredentialsNotSupported,
+  [AppConnection.Railway]: platformManagedCredentialsNotSupported,
+  [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -30,8 +30,9 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Flyio]: "Fly.io",
   [AppConnection.GitLab]: "GitLab",
   [AppConnection.Cloudflare]: "Cloudflare",
-  [AppConnection.Bitbucket]: "Bitbucket",
-  [AppConnection.Zabbix]: "Zabbix"
+  [AppConnection.Zabbix]: "Zabbix",
+  [AppConnection.Railway]: "Railway",
+  [AppConnection.Bitbucket]: "Bitbucket"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -64,6 +65,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Flyio]: AppConnectionPlanType.Regular,
   [AppConnection.GitLab]: AppConnectionPlanType.Regular,
   [AppConnection.Cloudflare]: AppConnectionPlanType.Regular,
-  [AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
-  [AppConnection.Zabbix]: AppConnectionPlanType.Regular
+  [AppConnection.Zabbix]: AppConnectionPlanType.Regular,
+  [AppConnection.Railway]: AppConnectionPlanType.Regular,
+  [AppConnection.Bitbucket]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -72,6 +72,8 @@ import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
+import { ValidateRailwayConnectionCredentialsSchema } from "./railway";
+import { railwayConnectionService } from "./railway/railway-connection-service";
 import { ValidateRenderConnectionCredentialsSchema } from "./render/render-connection-schema";
 import { renderConnectionService } from "./render/render-connection-service";
 import { ValidateTeamCityConnectionCredentialsSchema } from "./teamcity";
@@ -124,8 +126,9 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
   [AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema,
   [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema,
-  [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
-  [AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema
+  [AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema,
+  [AppConnection.Railway]: ValidateRailwayConnectionCredentialsSchema,
+  [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -536,7 +539,8 @@ export const appConnectionServiceFactory = ({
     flyio: flyioConnectionService(connectAppConnectionById),
     gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
     cloudflare: cloudflareConnectionService(connectAppConnectionById),
-    bitbucket: bitbucketConnectionService(connectAppConnectionById),
-    zabbix: zabbixConnectionService(connectAppConnectionById)
+    zabbix: zabbixConnectionService(connectAppConnectionById),
+    railway: railwayConnectionService(connectAppConnectionById),
+    bitbucket: bitbucketConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -141,6 +141,12 @@ import {
   TPostgresConnectionInput,
   TValidatePostgresConnectionCredentialsSchema
 } from "./postgres";
+import {
+  TRailwayConnection,
+  TRailwayConnectionConfig,
+  TRailwayConnectionInput,
+  TValidateRailwayConnectionCredentialsSchema
+} from "./railway";
 import {
   TRenderConnection,
   TRenderConnectionConfig,
@@ -210,6 +216,7 @@ export type TAppConnection = { id: string } & (
   | TCloudflareConnection
   | TBitbucketConnection
   | TZabbixConnection
+  | TRailwayConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -248,6 +255,7 @@ export type TAppConnectionInput = { id: string } & (
   | TCloudflareConnectionInput
   | TBitbucketConnectionInput
   | TZabbixConnectionInput
+  | TRailwayConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -293,7 +301,8 @@ export type TAppConnectionConfig =
   | TGitLabConnectionConfig
   | TCloudflareConnectionConfig
   | TBitbucketConnectionConfig
-  | TZabbixConnectionConfig;
+  | TZabbixConnectionConfig
+  | TRailwayConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -326,7 +335,8 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateGitLabConnectionCredentialsSchema
   | TValidateCloudflareConnectionCredentialsSchema
   | TValidateBitbucketConnectionCredentialsSchema
-  | TValidateZabbixConnectionCredentialsSchema;
+  | TValidateZabbixConnectionCredentialsSchema
+  | TValidateRailwayConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/cloudflare/cloudflare-connection-fns.ts

@@ -9,7 +9,8 @@ import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
 import {
   TCloudflareConnection,
   TCloudflareConnectionConfig,
-  TCloudflarePagesProject
+  TCloudflarePagesProject,
+  TCloudflareWorkersScript
 } from "./cloudflare-connection-types";
 
 export const getCloudflareConnectionListItem = () => {
@@ -43,6 +44,28 @@ export const listCloudflarePagesProjects = async (
   }));
 };
 
+export const listCloudflareWorkersScripts = async (
+  appConnection: TCloudflareConnection
+): Promise<TCloudflareWorkersScript[]> => {
+  const {
+    credentials: { apiToken, accountId }
+  } = appConnection;
+
+  const { data } = await request.get<{ result: { id: string }[] }>(
+    `${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/accounts/${accountId}/workers/scripts`,
+    {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return data.result.map((a) => ({
+    id: a.id
+  }));
+};
+
 export const validateCloudflareConnectionCredentials = async (config: TCloudflareConnectionConfig) => {
   const { apiToken, accountId } = config.credentials;
 

backend/src/services/app-connection/cloudflare/cloudflare-connection-service.ts

@@ -2,7 +2,7 @@ import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
-import { listCloudflarePagesProjects } from "./cloudflare-connection-fns";
+import { listCloudflarePagesProjects, listCloudflareWorkersScripts } from "./cloudflare-connection-fns";
 import { TCloudflareConnection } from "./cloudflare-connection-types";
 
 type TGetAppConnectionFunc = (
@@ -19,12 +19,31 @@ export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionF
 
       return projects;
     } catch (error) {
-      logger.error(error, "Failed to list Cloudflare Pages projects for Cloudflare connection");
+      logger.error(
+        error,
+        `Failed to list Cloudflare Pages projects for Cloudflare connection [connectionId=${connectionId}]`
+      );
+      return [];
+    }
+  };
+
+  const listWorkersScripts = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
+    try {
+      const projects = await listCloudflareWorkersScripts(appConnection);
+
+      return projects;
+    } catch (error) {
+      logger.error(
+        error,
+        `Failed to list Cloudflare Workers scripts for Cloudflare connection [connectionId=${connectionId}]`
+      );
       return [];
     }
   };
 
   return {
-    listPagesProjects
+    listPagesProjects,
+    listWorkersScripts
   };
 };

backend/src/services/app-connection/cloudflare/cloudflare-connection-types.ts

@@ -28,3 +28,7 @@ export type TCloudflarePagesProject = {
   id: string;
   name: string;
 };
+
+export type TCloudflareWorkersScript = {
+  id: string;
+};

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -7,7 +7,6 @@ import { request } from "@app/lib/config/request";
 import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
 import { getAppConnectionMethodName } from "@app/services/app-connection/app-connection-fns";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
-import { getInstanceIntegrationsConfig } from "@app/services/super-admin/super-admin-service";
 
 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
@@ -15,14 +14,13 @@ import { TGitHubConnection, TGitHubConnectionConfig } from "./github-connection-
 
 export const getGitHubConnectionListItem = () => {
   const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
-  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
 
   return {
     name: "GitHub" as const,
     app: AppConnection.GitHub as const,
     methods: Object.values(GitHubConnectionMethod) as [GitHubConnectionMethod.App, GitHubConnectionMethod.OAuth],
     oauthClientId: INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
-    appClientSlug: gitHubAppConnection.appSlug || INF_APP_CONNECTION_GITHUB_APP_SLUG
+    appClientSlug: INF_APP_CONNECTION_GITHUB_APP_SLUG
   };
 };
 
@@ -32,10 +30,9 @@ export const getGitHubClient = (appConnection: TGitHubConnection) => {
   const { method, credentials } = appConnection;
 
   let client: Octokit;
-  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
 
-  const appId = gitHubAppConnection.appId || appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
-  const appPrivateKey = gitHubAppConnection.privateKey || appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
+  const appId = appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
+  const appPrivateKey = appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
 
   switch (method) {
     case GitHubConnectionMethod.App:
@@ -157,8 +154,6 @@ type TokenRespData = {
 export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
   const { credentials, method } = config;
 
-  const { gitHubAppConnection } = getInstanceIntegrationsConfig();
-
   const {
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID,
     INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET,
@@ -170,8 +165,8 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
   const { clientId, clientSecret } =
     method === GitHubConnectionMethod.App
       ? {
-          clientId: gitHubAppConnection.clientId || INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
-          clientSecret: gitHubAppConnection.clientSecret || INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
+          clientId: INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID,
+          clientSecret: INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET
         }
       : // oauth
         {

backend/src/services/app-connection/railway/index.ts

@@ -0,0 +1,4 @@
+export * from "./railway-connection-constants";
+export * from "./railway-connection-fns";
+export * from "./railway-connection-schemas";
+export * from "./railway-connection-types";

backend/src/services/app-connection/railway/railway-connection-constants.ts

@@ -0,0 +1,5 @@
+export enum RailwayConnectionMethod {
+  AccountToken = "account-token",
+  ProjectToken = "project-token",
+  TeamToken = "team-token"
+}

backend/src/services/app-connection/railway/railway-connection-fns.ts

@@ -0,0 +1,66 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
+import { BadRequestError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { RailwayConnectionMethod } from "./railway-connection-constants";
+import { RailwayPublicAPI } from "./railway-connection-public-client";
+import { TRailwayConnection, TRailwayConnectionConfig } from "./railway-connection-types";
+
+export const getRailwayConnectionListItem = () => {
+  return {
+    name: "Railway" as const,
+    app: AppConnection.Railway as const,
+    methods: Object.values(RailwayConnectionMethod)
+  };
+};
+
+export const validateRailwayConnectionCredentials = async (config: TRailwayConnectionConfig) => {
+  const { credentials, method } = config;
+
+  try {
+    await RailwayPublicAPI.healthcheck({
+      method,
+      credentials
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+
+    throw new BadRequestError({
+      message: "Unable to validate connection - verify credentials"
+    });
+  }
+
+  return credentials;
+};
+
+export const listProjects = async (appConnection: TRailwayConnection) => {
+  const { credentials, method } = appConnection;
+
+  try {
+    return await RailwayPublicAPI.listProjects({
+      method,
+      credentials
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to list projects: ${error.message || "Unknown error"}`
+      });
+    }
+
+    if (error instanceof BadRequestError) {
+      throw error;
+    }
+
+    throw new BadRequestError({
+      message: "Unable to list projects",
+      error
+    });
+  }
+};

backend/src/services/app-connection/railway/railway-connection-public-client.ts

@@ -0,0 +1,237 @@
+/* eslint-disable class-methods-use-this */
+import { AxiosError, AxiosInstance, AxiosResponse } from "axios";
+
+import { createRequestClient } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { RailwayConnectionMethod } from "./railway-connection-constants";
+import {
+  RailwayAccountWorkspaceListSchema,
+  RailwayGetProjectsByProjectTokenSchema,
+  RailwayGetSubscriptionTypeSchema,
+  RailwayProjectsListSchema
+} from "./railway-connection-schemas";
+import { RailwayProject, TRailwayConnectionConfig, TRailwayResponse } from "./railway-connection-types";
+
+type RailwaySendReqOptions = Pick<TRailwayConnectionConfig, "credentials" | "method">;
+
+export function getRailwayAuthHeaders(method: RailwayConnectionMethod, token: string): Record<string, string> {
+  switch (method) {
+    case RailwayConnectionMethod.AccountToken:
+    case RailwayConnectionMethod.TeamToken:
+      return {
+        Authorization: token
+      };
+    case RailwayConnectionMethod.ProjectToken:
+      return {
+        "Project-Access-Token": token
+      };
+    default:
+      throw new Error(`Unsupported Railway connection method`);
+  }
+}
+
+export function getRailwayRatelimiter(headers: AxiosResponse["headers"]): {
+  isRatelimited: boolean;
+  maxAttempts: number;
+  wait: () => Promise<void>;
+} {
+  const retryAfter: number | undefined = headers["Retry-After"] as number | undefined;
+  const requestsLeft = parseInt(headers["X-RateLimit-Remaining"] as string, 10);
+  const limitResetAt = headers["X-RateLimit-Reset"] as string;
+
+  const now = +new Date();
+  const nextReset = +new Date(limitResetAt);
+
+  const remaining = Math.min(0, nextReset - now);
+
+  const wait = () => {
+    return new Promise<void>((res) => {
+      setTimeout(res, remaining);
+    });
+  };
+
+  return {
+    isRatelimited: Boolean(retryAfter || requestsLeft === 0),
+    wait,
+    maxAttempts: 3
+  };
+}
+
+class RailwayPublicClient {
+  private client: AxiosInstance;
+
+  constructor() {
+    this.client = createRequestClient({
+      method: "POST",
+      baseURL: IntegrationUrls.RAILWAY_API_URL,
+      headers: {
+        "Content-Type": "application/json"
+      }
+    });
+  }
+
+  async send<T extends TRailwayResponse>(
+    query: string,
+    options: RailwaySendReqOptions,
+    variables: Record<string, string | Record<string, string>> = {},
+    retryAttempt: number = 0
+  ): Promise<T["data"] | undefined> {
+    const body = {
+      query,
+      variables
+    };
+
+    const response = await this.client.request<T>({
+      data: body,
+      headers: getRailwayAuthHeaders(options.method, options.credentials.apiToken)
+    });
+
+    const { errors } = response.data;
+
+    if (Array.isArray(errors) && errors.length > 0) {
+      throw new AxiosError(errors[0].message);
+    }
+
+    const limiter = getRailwayRatelimiter(response.headers);
+
+    if (limiter.isRatelimited && retryAttempt <= limiter.maxAttempts) {
+      await limiter.wait();
+      return this.send(query, options, variables, retryAttempt + 1);
+    }
+
+    return response.data.data;
+  }
+
+  healthcheck(config: RailwaySendReqOptions) {
+    switch (config.method) {
+      case RailwayConnectionMethod.AccountToken:
+        return this.send(`{ me { teams { edges { node { id } } } } }`, config);
+      case RailwayConnectionMethod.ProjectToken:
+        return this.send(`{ projectToken { projectId environmentId project { id } } }`, config);
+      case RailwayConnectionMethod.TeamToken:
+        return this.send(`{ projects { edges { node { id name team { id } } } } }`, config);
+      default:
+        throw new Error(`Unsupported Railway connection method`);
+    }
+  }
+
+  async getSubscriptionType(config: RailwaySendReqOptions & { projectId: string }) {
+    const res = await this.send(
+      `query project($projectId: String!) { project(id: $projectId) { subscriptionType }}`,
+      config,
+      {
+        projectId: config.projectId
+      }
+    );
+
+    const data = await RailwayGetSubscriptionTypeSchema.parseAsync(res);
+
+    return data.project.subscriptionType;
+  }
+
+  async listProjects(config: RailwaySendReqOptions): Promise<RailwayProject[]> {
+    switch (config.method) {
+      case RailwayConnectionMethod.TeamToken: {
+        const res = await this.send(
+          `{ projects { edges { node { id, name, services{ edges{ node { id, name } } } environments { edges { node { name, id } } } } } } }`,
+          config
+        );
+
+        const data = await RailwayProjectsListSchema.parseAsync(res);
+
+        return data.projects.edges.map((p) => ({
+          id: p.node.id,
+          name: p.node.name,
+          environments: p.node.environments.edges.map((e) => e.node),
+          services: p.node.services.edges.map((s) => s.node)
+        }));
+      }
+
+      case RailwayConnectionMethod.AccountToken: {
+        const res = await this.send(
+          `{ me { workspaces { id, name, team{ projects{ edges{ node{ id, name, services{ edges { node { name, id } } } environments { edges { node { name, id } } } } } } } } } }`,
+          config
+        );
+
+        const data = await RailwayAccountWorkspaceListSchema.parseAsync(res);
+
+        return data.me.workspaces.flatMap((w) =>
+          w.team.projects.edges.map((p) => ({
+            id: p.node.id,
+            name: p.node.name,
+            environments: p.node.environments.edges.map((e) => e.node),
+            services: p.node.services.edges.map((s) => s.node)
+          }))
+        );
+      }
+
+      case RailwayConnectionMethod.ProjectToken: {
+        const res = await this.send(
+          `query { projectToken { project { id, name, services { edges { node { name, id } } } environments { edges { node { name, id } } } } } }`,
+          config
+        );
+
+        const data = await RailwayGetProjectsByProjectTokenSchema.parseAsync(res);
+
+        const p = data.projectToken.project;
+
+        return [
+          {
+            id: p.id,
+            name: p.name,
+            environments: p.environments.edges.map((e) => e.node),
+            services: p.services.edges.map((s) => s.node)
+          }
+        ];
+      }
+
+      default:
+        throw new Error(`Unsupported Railway connection method`);
+    }
+  }
+
+  async getVariables(
+    config: RailwaySendReqOptions,
+    variables: { projectId: string; environmentId: string; serviceId?: string }
+  ) {
+    const res = await this.send<TRailwayResponse<{ variables: Record<string, string> }>>(
+      `query variables($environmentId: String!, $projectId: String!, $serviceId: String) { variables( projectId: $projectId, environmentId: $environmentId, serviceId: $serviceId ) }`,
+      config,
+      variables
+    );
+
+    if (!res?.variables) {
+      throw new BadRequestError({
+        message: "Failed to get railway variables - empty response"
+      });
+    }
+
+    return res.variables;
+  }
+
+  async deleteVariable(
+    config: RailwaySendReqOptions,
+    variables: { input: { projectId: string; environmentId: string; name: string; serviceId?: string } }
+  ) {
+    await this.send<TRailwayResponse<{ variables: Record<string, string> }>>(
+      `mutation variableDelete($input: VariableDeleteInput!) { variableDelete(input: $input) }`,
+      config,
+      variables
+    );
+  }
+
+  async upsertVariable(
+    config: RailwaySendReqOptions,
+    variables: { input: { projectId: string; environmentId: string; name: string; value: string; serviceId?: string } }
+  ) {
+    await this.send<TRailwayResponse<{ variables: Record<string, string> }>>(
+      `mutation variableUpsert($input: VariableUpsertInput!) { variableUpsert(input: $input) }`,
+      config,
+      variables
+    );
+  }
+}
+
+export const RailwayPublicAPI = new RailwayPublicClient();

backend/src/services/app-connection/railway/railway-connection-schemas.ts

@@ -0,0 +1,117 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { RailwayConnectionMethod } from "./railway-connection-constants";
+
+export const RailwayConnectionMethodSchema = z
+  .nativeEnum(RailwayConnectionMethod)
+  .describe(AppConnections.CREATE(AppConnection.Railway).method);
+
+export const RailwayConnectionAccessTokenCredentialsSchema = z.object({
+  apiToken: z
+    .string()
+    .trim()
+    .min(1, "API Token required")
+    .max(255)
+    .describe(AppConnections.CREDENTIALS.RAILWAY.apiToken)
+});
+
+const BaseRailwayConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.Railway)
+});
+
+export const RailwayConnectionSchema = BaseRailwayConnectionSchema.extend({
+  method: RailwayConnectionMethodSchema,
+  credentials: RailwayConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedRailwayConnectionSchema = z.discriminatedUnion("method", [
+  BaseRailwayConnectionSchema.extend({
+    method: RailwayConnectionMethodSchema,
+    credentials: RailwayConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateRailwayConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: RailwayConnectionMethodSchema,
+    credentials: RailwayConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Railway).credentials
+    )
+  })
+]);
+
+export const CreateRailwayConnectionSchema = ValidateRailwayConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Railway)
+);
+
+export const UpdateRailwayConnectionSchema = z
+  .object({
+    credentials: RailwayConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Railway).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Railway));
+
+export const RailwayConnectionListItemSchema = z.object({
+  name: z.literal("Railway"),
+  app: z.literal(AppConnection.Railway),
+  methods: z.nativeEnum(RailwayConnectionMethod).array()
+});
+
+export const RailwayResourceSchema = z.object({
+  node: z.object({
+    id: z.string(),
+    name: z.string()
+  })
+});
+
+export const RailwayProjectEdgeSchema = z.object({
+  node: z.object({
+    id: z.string(),
+    name: z.string(),
+    services: z.object({
+      edges: z.array(RailwayResourceSchema)
+    }),
+    environments: z.object({
+      edges: z.array(RailwayResourceSchema)
+    })
+  })
+});
+
+export const RailwayProjectsListSchema = z.object({
+  projects: z.object({
+    edges: z.array(RailwayProjectEdgeSchema)
+  })
+});
+
+export const RailwayAccountWorkspaceListSchema = z.object({
+  me: z.object({
+    workspaces: z.array(
+      z.object({
+        id: z.string(),
+        name: z.string(),
+        team: RailwayProjectsListSchema
+      })
+    )
+  })
+});
+
+export const RailwayGetProjectsByProjectTokenSchema = z.object({
+  projectToken: z.object({
+    project: RailwayProjectEdgeSchema.shape.node
+  })
+});
+
+export const RailwayGetSubscriptionTypeSchema = z.object({
+  project: z.object({
+    subscriptionType: z.enum(["free", "hobby", "pro", "trial"])
+  })
+});

backend/src/services/app-connection/railway/railway-connection-service.ts

@@ -0,0 +1,30 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listProjects as getRailwayProjects } from "./railway-connection-fns";
+import { TRailwayConnection } from "./railway-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TRailwayConnection>;
+
+export const railwayConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Railway, connectionId, actor);
+    try {
+      const projects = await getRailwayProjects(appConnection);
+
+      return projects;
+    } catch (error) {
+      logger.error(error, "Failed to establish connection with Railway");
+      return [];
+    }
+  };
+
+  return {
+    listProjects
+  };
+};

backend/src/services/app-connection/railway/railway-connection-types.ts

@@ -0,0 +1,79 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateRailwayConnectionSchema,
+  RailwayConnectionSchema,
+  ValidateRailwayConnectionCredentialsSchema
+} from "./railway-connection-schemas";
+
+export type TRailwayConnection = z.infer<typeof RailwayConnectionSchema>;
+
+export type TRailwayConnectionInput = z.infer<typeof CreateRailwayConnectionSchema> & {
+  app: AppConnection.Railway;
+};
+
+export type TValidateRailwayConnectionCredentialsSchema = typeof ValidateRailwayConnectionCredentialsSchema;
+
+export type TRailwayConnectionConfig = DiscriminativePick<TRailwayConnection, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TRailwayService = {
+  id: string;
+  name: string;
+};
+
+export type TRailwayEnvironment = {
+  id: string;
+  name: string;
+};
+
+export type RailwayProject = {
+  id: string;
+  name: string;
+  services: TRailwayService[];
+  environments: TRailwayEnvironment[];
+};
+
+export type TRailwayResponse<T = unknown> = {
+  data?: T;
+  errors?: {
+    message: string;
+  }[];
+};
+
+export type TAccountProjectListResponse = TRailwayResponse<{
+  projects: {
+    edges: TProjectEdge[];
+  };
+}>;
+
+export interface TProjectEdge {
+  node: {
+    id: string;
+    name: string;
+    services: {
+      edges: TServiceEdge[];
+    };
+    environments: {
+      edges: TEnvironmentEdge[];
+    };
+  };
+}
+
+type TServiceEdge = {
+  node: {
+    id: string;
+    name: string;
+  };
+};
+
+type TEnvironmentEdge = {
+  node: {
+    id: string;
+    name: string;
+  };
+};

backend/src/services/org/org-service.ts

@@ -912,14 +912,6 @@ export const orgServiceFactory = ({
 
         // if there exist no org membership we set is as given by the request
         if (!inviteeOrgMembership) {
-          if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-            // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-            throw new BadRequestError({
-              name: "InviteUser",
-              message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
-            });
-          }
-
           if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
             // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
             throw new BadRequestError({

backend/src/services/secret-folder/secret-folder-service.ts

@@ -214,7 +214,7 @@ export const secretFolderServiceFactory = ({
             }
           },
           message: "Folder created",
-          folderId: doc.id,
+          folderId: parentFolder.id,
           changes: [
             {
               type: CommitType.ADD,

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const CLOUDFLARE_WORKERS_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Cloudflare Workers",
+  destination: SecretSync.CloudflareWorkers,
+  connection: AppConnection.Cloudflare,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-fns.ts

@@ -0,0 +1,121 @@
+import { request } from "@app/lib/config/request";
+import { applyJitter } from "@app/lib/dates";
+import { delay as delayMs } from "@app/lib/delay";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+import { TCloudflareWorkersSyncWithCredentials } from "./cloudflare-workers-types";
+
+const getSecretKeys = async (secretSync: TCloudflareWorkersSyncWithCredentials): Promise<string[]> => {
+  const {
+    destinationConfig,
+    connection: {
+      credentials: { apiToken, accountId }
+    }
+  } = secretSync;
+
+  const { data } = await request.get<{
+    result: Array<{ name: string }>;
+  }>(
+    `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${destinationConfig.scriptId}/secrets`,
+    {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    }
+  );
+
+  return data.result.map((s) => s.name);
+};
+
+export const CloudflareWorkersSyncFns = {
+  syncSecrets: async (secretSync: TCloudflareWorkersSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection: {
+        credentials: { apiToken, accountId }
+      },
+      destinationConfig: { scriptId }
+    } = secretSync;
+
+    const existingSecretNames = await getSecretKeys(secretSync);
+    const secretMapKeys = new Set(Object.keys(secretMap));
+
+    for await (const [key, val] of Object.entries(secretMap)) {
+      await delayMs(Math.max(0, applyJitter(100, 200)));
+      await request.put(
+        `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${scriptId}/secrets`,
+        { name: key, text: val.value, type: "secret_text" },
+        {
+          headers: {
+            Authorization: `Bearer ${apiToken}`,
+            "Content-Type": "application/json"
+          }
+        }
+      );
+    }
+
+    if (!secretSync.syncOptions.disableSecretDeletion) {
+      const secretsToDelete = existingSecretNames.filter((existingKey) => {
+        const isManagedBySchema = matchesSchema(
+          existingKey,
+          secretSync.environment?.slug || "",
+          secretSync.syncOptions.keySchema
+        );
+        const isInNewSecretMap = secretMapKeys.has(existingKey);
+        return !isInNewSecretMap && isManagedBySchema;
+      });
+
+      for await (const key of secretsToDelete) {
+        await delayMs(Math.max(0, applyJitter(100, 200)));
+        await request.delete(
+          `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${scriptId}/secrets/${key}`,
+          {
+            headers: {
+              Authorization: `Bearer ${apiToken}`
+            }
+          }
+        );
+      }
+    }
+  },
+
+  getSecrets: async (secretSync: TCloudflareWorkersSyncWithCredentials): Promise<TSecretMap> => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  },
+
+  removeSecrets: async (secretSync: TCloudflareWorkersSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection: {
+        credentials: { apiToken, accountId }
+      },
+      destinationConfig: { scriptId }
+    } = secretSync;
+
+    const existingSecretNames = await getSecretKeys(secretSync);
+    const secretMapToRemoveKeys = new Set(Object.keys(secretMap));
+
+    for await (const existingKey of existingSecretNames) {
+      const isManagedBySchema = matchesSchema(
+        existingKey,
+        secretSync.environment?.slug || "",
+        secretSync.syncOptions.keySchema
+      );
+      const isInSecretMapToRemove = secretMapToRemoveKeys.has(existingKey);
+
+      if (isInSecretMapToRemove && isManagedBySchema) {
+        await delayMs(Math.max(0, applyJitter(100, 200)));
+        await request.delete(
+          `${IntegrationUrls.CLOUDFLARE_WORKERS_API_URL}/client/v4/accounts/${accountId}/workers/scripts/${scriptId}/secrets/${existingKey}`,
+          {
+            headers: {
+              Authorization: `Bearer ${apiToken}`
+            }
+          }
+        );
+      }
+    }
+  }
+};

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas.ts

@@ -0,0 +1,55 @@
+import RE2 from "re2";
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const CloudflareWorkersSyncDestinationConfigSchema = z.object({
+  scriptId: z
+    .string()
+    .min(1, "Script ID is required")
+    .max(64)
+    .refine((val) => {
+      const re2 = new RE2(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/);
+      return re2.test(val);
+    }, "Invalid script ID format")
+    .describe(SecretSyncs.DESTINATION_CONFIG.CLOUDFLARE_WORKERS.scriptId)
+});
+
+const CloudflareWorkersSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const CloudflareWorkersSyncSchema = BaseSecretSyncSchema(
+  SecretSync.CloudflareWorkers,
+  CloudflareWorkersSyncOptionsConfig
+).extend({
+  destination: z.literal(SecretSync.CloudflareWorkers),
+  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema
+});
+
+export const CreateCloudflareWorkersSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.CloudflareWorkers,
+  CloudflareWorkersSyncOptionsConfig
+).extend({
+  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema
+});
+
+export const UpdateCloudflareWorkersSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.CloudflareWorkers,
+  CloudflareWorkersSyncOptionsConfig
+).extend({
+  destinationConfig: CloudflareWorkersSyncDestinationConfigSchema.optional()
+});
+
+export const CloudflareWorkersSyncListItemSchema = z.object({
+  name: z.literal("Cloudflare Workers"),
+  connection: z.literal(AppConnection.Cloudflare),
+  destination: z.literal(SecretSync.CloudflareWorkers),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/cloudflare-workers/cloudflare-workers-types.ts

@@ -0,0 +1,19 @@
+import z from "zod";
+
+import { TCloudflareConnection } from "@app/services/app-connection/cloudflare/cloudflare-connection-types";
+
+import {
+  CloudflareWorkersSyncListItemSchema,
+  CloudflareWorkersSyncSchema,
+  CreateCloudflareWorkersSyncSchema
+} from "./cloudflare-workers-schemas";
+
+export type TCloudflareWorkersSyncListItem = z.infer<typeof CloudflareWorkersSyncListItemSchema>;
+
+export type TCloudflareWorkersSync = z.infer<typeof CloudflareWorkersSyncSchema>;
+
+export type TCloudflareWorkersSyncInput = z.infer<typeof CreateCloudflareWorkersSyncSchema>;
+
+export type TCloudflareWorkersSyncWithCredentials = TCloudflareWorkersSync & {
+  connection: TCloudflareConnection;
+};

backend/src/services/secret-sync/cloudflare-workers/index.ts

@@ -0,0 +1,4 @@
+export * from "./cloudflare-workers-constants";
+export * from "./cloudflare-workers-fns";
+export * from "./cloudflare-workers-schemas";
+export * from "./cloudflare-workers-types";

backend/src/services/secret-sync/railway/railway-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const RAILWAY_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Railway",
+  destination: SecretSync.Railway,
+  connection: AppConnection.Railway,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/railway/railway-sync-fns.ts

@@ -0,0 +1,124 @@
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+
+import { RailwayPublicAPI } from "@app/services/app-connection/railway/railway-connection-public-client";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+
+import { SecretSyncError } from "../secret-sync-errors";
+import { TSecretMap } from "../secret-sync-types";
+import { TRailwaySyncWithCredentials } from "./railway-sync-types";
+
+export const RailwaySyncFns = {
+  async getSecrets(secretSync: TRailwaySyncWithCredentials): Promise<TSecretMap> {
+    try {
+      const config = secretSync.destinationConfig;
+
+      const variables = await RailwayPublicAPI.getVariables(secretSync.connection, {
+        projectId: config.projectId,
+        environmentId: config.environmentId,
+        serviceId: config.serviceId || undefined
+      });
+
+      const entries = {} as TSecretMap;
+
+      for (const [key, value] of Object.entries(variables)) {
+        // Skip importing private railway variables
+        // eslint-disable-next-line no-continue
+        if (key.startsWith("RAILWAY_")) continue;
+
+        entries[key] = {
+          value
+        };
+      }
+
+      return entries;
+    } catch (error) {
+      throw new SecretSyncError({
+        error,
+        message: "Failed to import secrets from Railway"
+      });
+    }
+  },
+
+  async syncSecrets(secretSync: TRailwaySyncWithCredentials, secretMap: TSecretMap) {
+    const {
+      environment,
+      syncOptions: { disableSecretDeletion, keySchema }
+    } = secretSync;
+    const railwaySecrets = await this.getSecrets(secretSync);
+    const config = secretSync.destinationConfig;
+
+    for await (const key of Object.keys(secretMap)) {
+      try {
+        const existing = railwaySecrets[key];
+
+        if (existing === undefined || existing.value !== secretMap[key].value) {
+          await RailwayPublicAPI.upsertVariable(secretSync.connection, {
+            input: {
+              projectId: config.projectId,
+              environmentId: config.environmentId,
+              serviceId: config.serviceId || undefined,
+              name: key,
+              value: secretMap[key].value ?? ""
+            }
+          });
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+
+    if (disableSecretDeletion) return;
+
+    for await (const key of Object.keys(railwaySecrets)) {
+      try {
+        // eslint-disable-next-line no-continue
+        if (!matchesSchema(key, environment?.slug || "", keySchema)) continue;
+
+        if (!secretMap[key]) {
+          await RailwayPublicAPI.deleteVariable(secretSync.connection, {
+            input: {
+              projectId: config.projectId,
+              environmentId: config.environmentId,
+              serviceId: config.serviceId || undefined,
+              name: key
+            }
+          });
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+  },
+
+  async removeSecrets(secretSync: TRailwaySyncWithCredentials, secretMap: TSecretMap) {
+    const existing = await this.getSecrets(secretSync);
+    const config = secretSync.destinationConfig;
+
+    for await (const secret of Object.keys(existing)) {
+      try {
+        if (secret in secretMap) {
+          await RailwayPublicAPI.deleteVariable(secretSync.connection, {
+            input: {
+              projectId: config.projectId,
+              environmentId: config.environmentId,
+              serviceId: config.serviceId || undefined,
+              name: secret
+            }
+          });
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: secret
+        });
+      }
+    }
+  }
+};

backend/src/services/secret-sync/railway/railway-sync-schemas.ts

@@ -0,0 +1,56 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const RailwaySyncDestinationConfigSchema = z.object({
+  projectId: z
+    .string()
+    .trim()
+    .min(1, "Railway project ID required")
+    .describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.projectId),
+  projectName: z.string().trim().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.projectName),
+  environmentId: z
+    .string()
+    .trim()
+    .min(1, "Railway environment ID required")
+    .describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.environmentId),
+  environmentName: z.string().trim().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.environmentName),
+  serviceId: z.string().optional().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.serviceId),
+  serviceName: z.string().optional().describe(SecretSyncs.DESTINATION_CONFIG.RAILWAY.serviceName)
+});
+
+const RailwaySyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const RailwaySyncSchema = BaseSecretSyncSchema(SecretSync.Railway, RailwaySyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Railway),
+  destinationConfig: RailwaySyncDestinationConfigSchema
+});
+
+export const CreateRailwaySyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Railway,
+  RailwaySyncOptionsConfig
+).extend({
+  destinationConfig: RailwaySyncDestinationConfigSchema
+});
+
+export const UpdateRailwaySyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Railway,
+  RailwaySyncOptionsConfig
+).extend({
+  destinationConfig: RailwaySyncDestinationConfigSchema.optional()
+});
+
+export const RailwaySyncListItemSchema = z.object({
+  name: z.literal("Railway"),
+  connection: z.literal(AppConnection.Railway),
+  destination: z.literal(SecretSync.Railway),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/railway/railway-sync-types.ts

@@ -0,0 +1,31 @@
+import z from "zod";
+
+import { TRailwayConnection } from "@app/services/app-connection/railway";
+
+import { CreateRailwaySyncSchema, RailwaySyncListItemSchema, RailwaySyncSchema } from "./railway-sync-schemas";
+
+export type TRailwaySyncListItem = z.infer<typeof RailwaySyncListItemSchema>;
+
+export type TRailwaySync = z.infer<typeof RailwaySyncSchema>;
+
+export type TRailwaySyncInput = z.infer<typeof CreateRailwaySyncSchema>;
+
+export type TRailwaySyncWithCredentials = TRailwaySync & {
+  connection: TRailwayConnection;
+};
+
+export type TRailwaySecret = {
+  createdAt: string;
+  environmentId?: string | null;
+  id: string;
+  isSealed: boolean;
+  name: string;
+  serviceId?: string | null;
+  updatedAt: string;
+};
+
+export type TRailwayVariablesGraphResponse = {
+  data: {
+    variables: Record<string, string>;
+  };
+};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -21,7 +21,10 @@ export enum SecretSync {
   Flyio = "flyio",
   GitLab = "gitlab",
   CloudflarePages = "cloudflare-pages",
-  Zabbix = "zabbix"
+  CloudflareWorkers = "cloudflare-workers",
+
+  Zabbix = "zabbix",
+  Railway = "railway"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -31,6 +31,7 @@ import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./az
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
 import { CLOUDFLARE_PAGES_SYNC_LIST_OPTION } from "./cloudflare-pages/cloudflare-pages-constants";
 import { CloudflarePagesSyncFns } from "./cloudflare-pages/cloudflare-pages-fns";
+import { CLOUDFLARE_WORKERS_SYNC_LIST_OPTION, CloudflareWorkersSyncFns } from "./cloudflare-workers";
 import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
@@ -39,6 +40,8 @@ import { HC_VAULT_SYNC_LIST_OPTION, HCVaultSyncFns } from "./hc-vault";
 import { HEROKU_SYNC_LIST_OPTION, HerokuSyncFns } from "./heroku";
 import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
 import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
+import { RAILWAY_SYNC_LIST_OPTION } from "./railway/railway-sync-constants";
+import { RailwaySyncFns } from "./railway/railway-sync-fns";
 import { RENDER_SYNC_LIST_OPTION, RenderSyncFns } from "./render";
 import { SECRET_SYNC_PLAN_MAP } from "./secret-sync-maps";
 import { TEAMCITY_SYNC_LIST_OPTION, TeamCitySyncFns } from "./teamcity";
@@ -70,7 +73,10 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
   [SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
   [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION,
-  [SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION
+  [SecretSync.CloudflareWorkers]: CLOUDFLARE_WORKERS_SYNC_LIST_OPTION,
+
+  [SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION,
+  [SecretSync.Railway]: RAILWAY_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -238,8 +244,12 @@ export const SecretSyncFns = {
         return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.CloudflareWorkers:
+        return CloudflareWorkersSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Zabbix:
         return ZabbixSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Railway:
+        return RailwaySyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -332,9 +342,15 @@ export const SecretSyncFns = {
       case SecretSync.CloudflarePages:
         secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.CloudflareWorkers:
+        secretMap = await CloudflareWorkersSyncFns.getSecrets(secretSync);
+        break;
       case SecretSync.Zabbix:
         secretMap = await ZabbixSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.Railway:
+        secretMap = await RailwaySyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -412,8 +428,12 @@ export const SecretSyncFns = {
         return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.CloudflareWorkers:
+        return CloudflareWorkersSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Zabbix:
         return ZabbixSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Railway:
+        return RailwaySyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -24,7 +24,10 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.Flyio]: "Fly.io",
   [SecretSync.GitLab]: "GitLab",
   [SecretSync.CloudflarePages]: "Cloudflare Pages",
-  [SecretSync.Zabbix]: "Zabbix"
+  [SecretSync.CloudflareWorkers]: "Cloudflare Workers",
+
+  [SecretSync.Zabbix]: "Zabbix",
+  [SecretSync.Railway]: "Railway"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -50,7 +53,10 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Flyio]: AppConnection.Flyio,
   [SecretSync.GitLab]: AppConnection.GitLab,
   [SecretSync.CloudflarePages]: AppConnection.Cloudflare,
-  [SecretSync.Zabbix]: AppConnection.Zabbix
+  [SecretSync.CloudflareWorkers]: AppConnection.Cloudflare,
+
+  [SecretSync.Zabbix]: AppConnection.Zabbix,
+  [SecretSync.Railway]: AppConnection.Railway
 };
 
 export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@@ -76,5 +82,8 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.Flyio]: SecretSyncPlanType.Regular,
   [SecretSync.GitLab]: SecretSyncPlanType.Regular,
   [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular,
-  [SecretSync.Zabbix]: SecretSyncPlanType.Regular
+  [SecretSync.CloudflareWorkers]: SecretSyncPlanType.Regular,
+
+  [SecretSync.Zabbix]: SecretSyncPlanType.Regular,
+  [SecretSync.Railway]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -78,6 +78,12 @@ import {
   TCloudflarePagesSyncListItem,
   TCloudflarePagesSyncWithCredentials
 } from "./cloudflare-pages/cloudflare-pages-types";
+import {
+  TCloudflareWorkersSync,
+  TCloudflareWorkersSyncInput,
+  TCloudflareWorkersSyncListItem,
+  TCloudflareWorkersSyncWithCredentials
+} from "./cloudflare-workers";
 import { TFlyioSync, TFlyioSyncInput, TFlyioSyncListItem, TFlyioSyncWithCredentials } from "./flyio/flyio-sync-types";
 import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
 import { TGitLabSync, TGitLabSyncInput, TGitLabSyncListItem, TGitLabSyncWithCredentials } from "./gitlab";
@@ -94,6 +100,12 @@ import {
   THumanitecSyncListItem,
   THumanitecSyncWithCredentials
 } from "./humanitec";
+import {
+  TRailwaySync,
+  TRailwaySyncInput,
+  TRailwaySyncListItem,
+  TRailwaySyncWithCredentials
+} from "./railway/railway-sync-types";
 import {
   TRenderSync,
   TRenderSyncInput,
@@ -138,7 +150,9 @@ export type TSecretSync =
   | TFlyioSync
   | TGitLabSync
   | TCloudflarePagesSync
-  | TZabbixSync;
+  | TCloudflareWorkersSync
+  | TZabbixSync
+  | TRailwaySync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -163,7 +177,9 @@ export type TSecretSyncWithCredentials =
   | TFlyioSyncWithCredentials
   | TGitLabSyncWithCredentials
   | TCloudflarePagesSyncWithCredentials
-  | TZabbixSyncWithCredentials;
+  | TCloudflareWorkersSyncWithCredentials
+  | TZabbixSyncWithCredentials
+  | TRailwaySyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -188,7 +204,9 @@ export type TSecretSyncInput =
   | TFlyioSyncInput
   | TGitLabSyncInput
   | TCloudflarePagesSyncInput
-  | TZabbixSyncInput;
+  | TCloudflareWorkersSyncInput
+  | TZabbixSyncInput
+  | TRailwaySyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -213,7 +231,9 @@ export type TSecretSyncListItem =
   | TFlyioSyncListItem
   | TGitLabSyncListItem
   | TCloudflarePagesSyncListItem
-  | TZabbixSyncListItem;
+  | TCloudflareWorkersSyncListItem
+  | TZabbixSyncListItem
+  | TRailwaySyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

docs/Dockerfile

@@ -1,6 +1,36 @@
-FROM node:20-alpine
+FROM node:20-alpine AS builder
+
 WORKDIR /app
-RUN npm install -g mint
+
+RUN npm install -g mint@4.2.13
+
 COPY . .
+
+# Install a local version of our OpenAPI spec
+RUN apk add --no-cache wget jq && \
+    wget -O spec.json https://app.infisical.com/api/docs/json && \
+    jq '.api.openapi = "./spec.json"' docs.json > temp.json && \
+    mv temp.json docs.json
+
+# Run mint dev briefly to download the web client
+RUN timeout 30 mint dev || true
+
+FROM node:20-alpine
+
+WORKDIR /app
+
+RUN addgroup -g 1001 -S mintuser && \
+    adduser -S -D -H -u 1001 -s /sbin/nologin -G mintuser mintuser && \
+    npm install -g mint@4.2.13
+
+COPY --chown=mintuser:mintuser . .
+
+COPY --from=builder --chown=mintuser:mintuser /root/.mintlify /home/mintuser/.mintlify
+COPY --from=builder --chown=mintuser:mintuser /app/docs.json /app/docs.json
+COPY --from=builder --chown=mintuser:mintuser /app/spec.json /app/spec.json
+
+USER mintuser
+
 EXPOSE 3000
+
 CMD ["mint", "dev"]

docs/api-reference/endpoints/app-connections/railway/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/railway/available"
+---

docs/api-reference/endpoints/app-connections/railway/create.mdx

@@ -0,0 +1,8 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/railway"
+---
+
+<Note>
+    Check out the configuration docs for [Railway Connections](/integrations/app-connections/railway) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/railway/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/railway/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/railway/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/railway/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/railway/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/railway/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/railway/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/railway"
+---

docs/api-reference/endpoints/app-connections/railway/update.mdx

@@ -0,0 +1,8 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/railway/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Railway Connections](/integrations/app-connections/railway) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/cloudflare-workers"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/cloudflare-workers/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/cloudflare-workers/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/cloudflare-workers/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/cloudflare-workers"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/cloudflare-workers/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/cloudflare-workers/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/cloudflare-workers/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/cloudflare-workers/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/railway/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/railway"
+---

docs/api-reference/endpoints/secret-syncs/railway/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/railway/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/railway/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/railway/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/railway/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/railway/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/railway/import-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Import Secrets"
+openapi: "POST /api/v1/secret-syncs/railway/{syncId}/import-secrets"
+---

docs/api-reference/endpoints/secret-syncs/railway/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/railway"
+---

docs/api-reference/endpoints/secret-syncs/railway/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/railway/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/railway/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/railway/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/railway/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/railway/{syncId}"
+---

docs/docs.json

@@ -488,6 +488,7 @@
                   "integrations/app-connections/oci",
                   "integrations/app-connections/oracledb",
                   "integrations/app-connections/postgres",
+                  "integrations/app-connections/railway",
                   "integrations/app-connections/render",
                   "integrations/app-connections/teamcity",
                   "integrations/app-connections/terraform-cloud",
@@ -513,6 +514,7 @@
                   "integrations/secret-syncs/azure-key-vault",
                   "integrations/secret-syncs/camunda",
                   "integrations/secret-syncs/cloudflare-pages",
+                  "integrations/secret-syncs/cloudflare-workers",
                   "integrations/secret-syncs/databricks",
                   "integrations/secret-syncs/flyio",
                   "integrations/secret-syncs/gcp-secret-manager",
@@ -522,6 +524,7 @@
                   "integrations/secret-syncs/heroku",
                   "integrations/secret-syncs/humanitec",
                   "integrations/secret-syncs/oci-vault",
+                  "integrations/secret-syncs/railway",
                   "integrations/secret-syncs/render",
                   "integrations/secret-syncs/teamcity",
                   "integrations/secret-syncs/terraform-cloud",
@@ -563,8 +566,8 @@
                   "integrations/cloud/digital-ocean-app-platform",
                   "integrations/cloud/heroku",
                   "integrations/cloud/netlify",
-                  "integrations/cloud/railway",
                   "integrations/cloud/flyio",
+                  "integrations/cloud/railway",
                   "integrations/cloud/render",
                   "integrations/cloud/laravel-forge",
                   "integrations/cloud/supabase",
@@ -853,30 +856,30 @@
               {
                 "group": "Organizations",
                 "pages": [
-                {
-                  "group": "OIDC SSO",
-                  "pages": [
-                    "api-reference/endpoints/organizations/oidc-sso/get-oidc-config",
-                    "api-reference/endpoints/organizations/oidc-sso/update-oidc-config",
-                    "api-reference/endpoints/organizations/oidc-sso/create-oidc-config"
-                  ]
-                },
-                {
-                  "group": "LDAP SSO",
-                  "pages": [
-                    "api-reference/endpoints/organizations/ldap-sso/get-ldap-config",
-                    "api-reference/endpoints/organizations/ldap-sso/update-ldap-config",
-                    "api-reference/endpoints/organizations/ldap-sso/create-ldap-config"
-                  ]
-                },
-                {
-                  "group": "SAML SSO",
-                  "pages": [
-                    "api-reference/endpoints/organizations/saml-sso/get-saml-config",
-                    "api-reference/endpoints/organizations/saml-sso/update-saml-config",
-                    "api-reference/endpoints/organizations/saml-sso/create-saml-config"
-                  ]
-                },
+                  {
+                    "group": "OIDC SSO",
+                    "pages": [
+                      "api-reference/endpoints/organizations/oidc-sso/get-oidc-config",
+                      "api-reference/endpoints/organizations/oidc-sso/update-oidc-config",
+                      "api-reference/endpoints/organizations/oidc-sso/create-oidc-config"
+                    ]
+                  },
+                  {
+                    "group": "LDAP SSO",
+                    "pages": [
+                      "api-reference/endpoints/organizations/ldap-sso/get-ldap-config",
+                      "api-reference/endpoints/organizations/ldap-sso/update-ldap-config",
+                      "api-reference/endpoints/organizations/ldap-sso/create-ldap-config"
+                    ]
+                  },
+                  {
+                    "group": "SAML SSO",
+                    "pages": [
+                      "api-reference/endpoints/organizations/saml-sso/get-saml-config",
+                      "api-reference/endpoints/organizations/saml-sso/update-saml-config",
+                      "api-reference/endpoints/organizations/saml-sso/create-saml-config"
+                    ]
+                  },
                   "api-reference/endpoints/organizations/memberships",
                   "api-reference/endpoints/organizations/update-membership",
                   "api-reference/endpoints/organizations/delete-membership",
@@ -1517,6 +1520,18 @@
                       "api-reference/endpoints/app-connections/postgres/delete"
                     ]
                   },
+                  {
+                    "group": "Railway",
+                    "pages": [
+                      "api-reference/endpoints/app-connections/railway/list",
+                      "api-reference/endpoints/app-connections/railway/available",
+                      "api-reference/endpoints/app-connections/railway/get-by-id",
+                      "api-reference/endpoints/app-connections/railway/get-by-name",
+                      "api-reference/endpoints/app-connections/railway/create",
+                      "api-reference/endpoints/app-connections/railway/update",
+                      "api-reference/endpoints/app-connections/railway/delete"
+                    ]
+                  },
                   {
                     "group": "Render",
                     "pages": [
@@ -1706,6 +1721,19 @@
                       "api-reference/endpoints/secret-syncs/cloudflare-pages/remove-secrets"
                     ]
                   },
+                  {
+                    "group": "Cloudflare Workers",
+                    "pages": [
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/list",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-id",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/get-by-name",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/create",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/update",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/delete",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/sync-secrets",
+                      "api-reference/endpoints/secret-syncs/cloudflare-workers/remove-secrets"
+                    ]
+                  },
                   {
                     "group": "Databricks",
                     "pages": [
@@ -1826,6 +1854,20 @@
                       "api-reference/endpoints/secret-syncs/oci-vault/remove-secrets"
                     ]
                   },
+                  {
+                    "group": "Railway",
+                    "pages": [
+                      "api-reference/endpoints/secret-syncs/railway/list",
+                      "api-reference/endpoints/secret-syncs/railway/get-by-id",
+                      "api-reference/endpoints/secret-syncs/railway/get-by-name",
+                      "api-reference/endpoints/secret-syncs/railway/create",
+                      "api-reference/endpoints/secret-syncs/railway/update",
+                      "api-reference/endpoints/secret-syncs/railway/delete",
+                      "api-reference/endpoints/secret-syncs/railway/sync-secrets",
+                      "api-reference/endpoints/secret-syncs/railway/import-secrets",
+                      "api-reference/endpoints/secret-syncs/railway/remove-secrets"
+                    ]
+                  },
                   {
                     "group": "Render",
                     "pages": [
@@ -2172,7 +2214,7 @@
   "api": {
     "openapi": "https://app.infisical.com/api/docs/json",
     "mdx": {
-      "server": ["https://app.infisical.com", "http://localhost:8080"]
+      "server": ["https://app.infisical.com"]
     }
   },
   "appearance": {