misc: added cleanup of global/instance-level resources

Update group-mappings.mdx

.env.example

@@ -36,16 +36,22 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
+CLIENT_ID_GITHUB_APP=
+CLIENT_SLUG_GITHUB_APP=
 CLIENT_ID_GITLAB=
 CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITHUB_APP=
 CLIENT_SECRET_GITLAB=
 CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=
 
+CLIENT_PRIVATE_KEY_GITHUB_APP=
+CLIENT_APP_ID_GITHUB_APP=
+
 # Sentry (optional) for monitoring errors
 SENTRY_DSN=
 

Dockerfile.standalone-infisical

@@ -95,6 +95,10 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 RUN apk add --upgrade --no-cache ca-certificates
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.31.1 && apk add --no-cache git
+
 RUN addgroup --system --gid 1001 nodejs \
   && adduser --system --uid 1001 non-root-user
 

backend/package-lock.json

@@ -28,6 +28,7 @@
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@node-saml/passport-saml": "^4.0.4",
+        "@octokit/auth-app": "^7.1.1",
         "@octokit/plugin-retry": "^5.0.5",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
@@ -5000,24 +5001,73 @@
       }
     },
     "node_modules/@octokit/auth-app": {
-      "version": "6.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-6.0.3.tgz",
-      "integrity": "sha512-9N7IlBAKEJR3tJgPSubCxIDYGXSdc+2xbkjYpk9nCyqREnH8qEMoMhiEB1WgoA9yTFp91El92XNXAi+AjuKnfw==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-7.1.1.tgz",
+      "integrity": "sha512-kRAd6yelV9OgvlEJE88H0VLlQdZcag9UlLr7dV0YYP37X8PPDvhgiTy66QVhDXdyoT0AleFN2w/qXkPdrSzINg==",
       "dependencies": {
-        "@octokit/auth-oauth-app": "^7.0.0",
-        "@octokit/auth-oauth-user": "^4.0.0",
-        "@octokit/request": "^8.0.2",
-        "@octokit/request-error": "^5.0.0",
-        "@octokit/types": "^12.0.0",
-        "deprecation": "^2.3.1",
+        "@octokit/auth-oauth-app": "^8.1.0",
+        "@octokit/auth-oauth-user": "^5.1.0",
+        "@octokit/request": "^9.1.1",
+        "@octokit/request-error": "^6.1.1",
+        "@octokit/types": "^13.4.1",
         "lru-cache": "^10.0.0",
-        "universal-github-app-jwt": "^1.1.2",
-        "universal-user-agent": "^6.0.0"
+        "universal-github-app-jwt": "^2.2.0",
+        "universal-user-agent": "^7.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/request": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
+      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
+      "dependencies": {
+        "@octokit/endpoint": "^10.0.0",
+        "@octokit/request-error": "^6.0.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/request-error": {
+      "version": "6.1.5",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
+      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
     "node_modules/@octokit/auth-app/node_modules/lru-cache": {
       "version": "10.2.0",
       "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.0.tgz",
@@ -5026,53 +5076,220 @@
         "node": "14 || >=16.14"
       }
     },
+    "node_modules/@octokit/auth-app/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-app": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-7.0.1.tgz",
-      "integrity": "sha512-RE0KK0DCjCHXHlQBoubwlLijXEKfhMhKm9gO56xYvFmP1QTMb+vvwRPmQLLx0V+5AvV9N9I3lr1WyTzwL3rMDg==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-8.1.1.tgz",
+      "integrity": "sha512-5UtmxXAvU2wfcHIPPDWzVSAWXVJzG3NWsxb7zCFplCWEmMCArSZV0UQu5jw5goLQXbFyOr5onzEH37UJB3zQQg==",
       "dependencies": {
-        "@octokit/auth-oauth-device": "^6.0.0",
-        "@octokit/auth-oauth-user": "^4.0.0",
-        "@octokit/request": "^8.0.2",
-        "@octokit/types": "^12.0.0",
-        "@types/btoa-lite": "^1.0.0",
-        "btoa-lite": "^1.0.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/auth-oauth-device": "^7.0.0",
+        "@octokit/auth-oauth-user": "^5.0.1",
+        "@octokit/request": "^9.0.0",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/request": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
+      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
+      "dependencies": {
+        "@octokit/endpoint": "^10.0.0",
+        "@octokit/request-error": "^6.0.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/request-error": {
+      "version": "6.1.5",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
+      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-app/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-device": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-6.0.1.tgz",
-      "integrity": "sha512-yxU0rkL65QkjbqQedgVx3gmW7YM5fF+r5uaSj9tM/cQGVqloXcqP2xK90eTyYvl29arFVCW8Vz4H/t47mL0ELw==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-7.1.1.tgz",
+      "integrity": "sha512-HWl8lYueHonuyjrKKIup/1tiy0xcmQCdq5ikvMO1YwkNNkxb6DXfrPjrMYItNLyCP/o2H87WuijuE+SlBTT8eg==",
       "dependencies": {
-        "@octokit/oauth-methods": "^4.0.0",
-        "@octokit/request": "^8.0.0",
-        "@octokit/types": "^12.0.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/oauth-methods": "^5.0.0",
+        "@octokit/request": "^9.0.0",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/auth-oauth-user": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-4.0.1.tgz",
-      "integrity": "sha512-N94wWW09d0hleCnrO5wt5MxekatqEJ4zf+1vSe8MKMrhZ7gAXKFOKrDEZW2INltvBWJCyDUELgGRv8gfErH1Iw==",
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
       "dependencies": {
-        "@octokit/auth-oauth-device": "^6.0.0",
-        "@octokit/oauth-methods": "^4.0.0",
-        "@octokit/request": "^8.0.2",
-        "@octokit/types": "^12.0.0",
-        "btoa-lite": "^1.0.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
       },
       "engines": {
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/request": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
+      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
+      "dependencies": {
+        "@octokit/endpoint": "^10.0.0",
+        "@octokit/request-error": "^6.0.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/request-error": {
+      "version": "6.1.5",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
+      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-device/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
+    "node_modules/@octokit/auth-oauth-user": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-5.1.1.tgz",
+      "integrity": "sha512-rRkMz0ErOppdvEfnemHJXgZ9vTPhBuC6yASeFaB7I2yLMd7QpjfrL1mnvRPlyKo+M6eeLxrKanXJ9Qte29SRsw==",
+      "dependencies": {
+        "@octokit/auth-oauth-device": "^7.0.1",
+        "@octokit/oauth-methods": "^5.0.0",
+        "@octokit/request": "^9.0.1",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/request": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
+      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
+      "dependencies": {
+        "@octokit/endpoint": "^10.0.0",
+        "@octokit/request-error": "^6.0.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/request-error": {
+      "version": "6.1.5",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
+      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/@octokit/auth-oauth-user/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-token": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
@@ -5136,28 +5353,82 @@
       }
     },
     "node_modules/@octokit/oauth-authorization-url": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-6.0.2.tgz",
-      "integrity": "sha512-CdoJukjXXxqLNK4y/VOiVzQVjibqoj/xHgInekviUJV73y/BSIcwvJ/4aNHPBPKcPWFnd4/lO9uqRV65jXhcLA==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz",
+      "integrity": "sha512-ooXV8GBSabSWyhLUowlMIVd9l1s2nsOGQdlP2SQ4LnkEsGXzeCvbSbCPdZThXhEFzleGPwbapT0Sb+YhXRyjCA==",
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/oauth-methods": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-4.0.1.tgz",
-      "integrity": "sha512-1NdTGCoBHyD6J0n2WGXg9+yDLZrRNZ0moTEex/LSPr49m530WNKcCfXDghofYptr3st3eTii+EHoG5k/o+vbtw==",
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-5.1.2.tgz",
+      "integrity": "sha512-C5lglRD+sBlbrhCUTxgJAFjWgJlmTx5bQ7Ch0+2uqRjYv7Cfb5xpX4WuSC9UgQna3sqRGBL9EImX9PvTpMaQ7g==",
       "dependencies": {
-        "@octokit/oauth-authorization-url": "^6.0.2",
-        "@octokit/request": "^8.0.2",
-        "@octokit/request-error": "^5.0.0",
-        "@octokit/types": "^12.0.0",
-        "btoa-lite": "^1.0.0"
+        "@octokit/oauth-authorization-url": "^7.0.0",
+        "@octokit/request": "^9.1.0",
+        "@octokit/request-error": "^6.1.0",
+        "@octokit/types": "^13.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/request": {
+      "version": "9.1.3",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
+      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
+      "dependencies": {
+        "@octokit/endpoint": "^10.0.0",
+        "@octokit/request-error": "^6.0.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/request-error": {
+      "version": "6.1.5",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
+      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/@octokit/oauth-methods/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/openapi-types": {
       "version": "19.1.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.1.0.tgz",
@@ -5272,13 +5543,13 @@
       }
     },
     "node_modules/@octokit/request": {
-      "version": "8.1.6",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.1.6.tgz",
-      "integrity": "sha512-YhPaGml3ncZC1NfXpP3WZ7iliL1ap6tLkAp6MvbK2fTTPytzVUyUesBBogcdMm86uRYO5rHaM1xIWxigWZ17MQ==",
+      "version": "8.4.0",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.0.tgz",
+      "integrity": "sha512-9Bb014e+m2TgBeEJGEbdplMVWwPmL1FPtggHQRkV+WVsMggPtEkLKPlcVYm/o8xKLkpJ7B+6N8WfQMtDLX2Dpw==",
       "dependencies": {
-        "@octokit/endpoint": "^9.0.0",
-        "@octokit/request-error": "^5.0.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/endpoint": "^9.0.1",
+        "@octokit/request-error": "^5.1.0",
+        "@octokit/types": "^13.1.0",
         "universal-user-agent": "^6.0.0"
       },
       "engines": {
@@ -5286,11 +5557,11 @@
       }
     },
     "node_modules/@octokit/request-error": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.0.1.tgz",
-      "integrity": "sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz",
+      "integrity": "sha512-GETXfE05J0+7H2STzekpKObFe765O5dlAKUTLNGeH+x47z7JjXHfsHKo5z21D/o/IOZTUEI6nyWyR+bZVP/n5Q==",
       "dependencies": {
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.1.0",
         "deprecation": "^2.0.0",
         "once": "^1.4.0"
       },
@@ -5298,6 +5569,32 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/request-error/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
     "node_modules/@octokit/rest": {
       "version": "20.0.2",
       "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-20.0.2.tgz",
@@ -14184,6 +14481,154 @@
         "@octokit/core": ">=5"
       }
     },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-app": {
+      "version": "6.1.2",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-6.1.2.tgz",
+      "integrity": "sha512-fWjIOpxnL8/YFY3kqquciFQ4o99aCqHw5kMFoGPYbz/h5HNZ11dJlV9zag5wS2nt0X1wJ5cs9BUo+CsAPfW4jQ==",
+      "dependencies": {
+        "@octokit/auth-oauth-app": "^7.1.0",
+        "@octokit/auth-oauth-user": "^4.1.0",
+        "@octokit/request": "^8.3.1",
+        "@octokit/request-error": "^5.1.0",
+        "@octokit/types": "^13.1.0",
+        "deprecation": "^2.3.1",
+        "lru-cache": "^10.0.0",
+        "universal-github-app-jwt": "^1.1.2",
+        "universal-user-agent": "^6.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-app/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-app": {
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-7.1.0.tgz",
+      "integrity": "sha512-w+SyJN/b0l/HEb4EOPRudo7uUOSW51jcK1jwLa+4r7PA8FPFpoxEnHBHMITqCsc/3Vo2qqFjgQfz/xUUvsSQnA==",
+      "dependencies": {
+        "@octokit/auth-oauth-device": "^6.1.0",
+        "@octokit/auth-oauth-user": "^4.1.0",
+        "@octokit/request": "^8.3.1",
+        "@octokit/types": "^13.0.0",
+        "@types/btoa-lite": "^1.0.0",
+        "btoa-lite": "^1.0.0",
+        "universal-user-agent": "^6.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-app/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-device": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-6.1.0.tgz",
+      "integrity": "sha512-FNQ7cb8kASufd6Ej4gnJ3f1QB5vJitkoV1O0/g6e6lUsQ7+VsSNRHRmFScN2tV4IgKA12frrr/cegUs0t+0/Lw==",
+      "dependencies": {
+        "@octokit/oauth-methods": "^4.1.0",
+        "@octokit/request": "^8.3.1",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^6.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-device/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-user": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-4.1.0.tgz",
+      "integrity": "sha512-FrEp8mtFuS/BrJyjpur+4GARteUCrPeR/tZJzD8YourzoVhRics7u7we/aDcKv+yywRNwNi/P4fRi631rG/OyQ==",
+      "dependencies": {
+        "@octokit/auth-oauth-device": "^6.1.0",
+        "@octokit/oauth-methods": "^4.1.0",
+        "@octokit/request": "^8.3.1",
+        "@octokit/types": "^13.0.0",
+        "btoa-lite": "^1.0.0",
+        "universal-user-agent": "^6.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-user/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/oauth-authorization-url": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-6.0.2.tgz",
+      "integrity": "sha512-CdoJukjXXxqLNK4y/VOiVzQVjibqoj/xHgInekviUJV73y/BSIcwvJ/4aNHPBPKcPWFnd4/lO9uqRV65jXhcLA==",
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/oauth-methods": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-4.1.0.tgz",
+      "integrity": "sha512-4tuKnCRecJ6CG6gr0XcEXdZtkTDbfbnD5oaHBmLERTjTMZNi2CbfEHZxPU41xXLDG4DfKf+sonu00zvKI9NSbw==",
+      "dependencies": {
+        "@octokit/oauth-authorization-url": "^6.0.2",
+        "@octokit/request": "^8.3.1",
+        "@octokit/request-error": "^5.1.0",
+        "@octokit/types": "^13.0.0",
+        "btoa-lite": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/oauth-methods/node_modules/@octokit/types": {
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "dependencies": {
+        "@octokit/openapi-types": "^22.2.0"
+      }
+    },
+    "node_modules/octokit-auth-probot/node_modules/@octokit/openapi-types": {
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+    },
+    "node_modules/octokit-auth-probot/node_modules/lru-cache": {
+      "version": "10.4.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
+    },
+    "node_modules/octokit-auth-probot/node_modules/universal-github-app-jwt": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-1.2.0.tgz",
+      "integrity": "sha512-dncpMpnsKBk0eetwfN8D8OUHGfiDhhJ+mtsbMl+7PfW7mYjiH8LIcqRmYMtzYLgSh47HjfdBtrBwIQ/gizKR3g==",
+      "dependencies": {
+        "@types/jsonwebtoken": "^9.0.0",
+        "jsonwebtoken": "^9.0.2"
+      }
+    },
     "node_modules/oidc-token-hash": {
       "version": "5.0.3",
       "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz",
@@ -18176,13 +18621,9 @@
       }
     },
     "node_modules/universal-github-app-jwt": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-1.1.2.tgz",
-      "integrity": "sha512-t1iB2FmLFE+yyJY9+3wMx0ejB+MQpEVkH0gQv7dR6FZyltyq+ZZO0uDpbopxhrZ3SLEO4dCEkIujOMldEQ2iOA==",
-      "dependencies": {
-        "@types/jsonwebtoken": "^9.0.0",
-        "jsonwebtoken": "^9.0.2"
-      }
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-2.2.0.tgz",
+      "integrity": "sha512-G5o6f95b5BggDGuUfKDApKaCgNYy2x7OdHY0zSMF081O0EJobw+1130VONhrA7ezGSV2FNOGyM+KQpQZAr9bIQ=="
     },
     "node_modules/universal-user-agent": {
       "version": "6.0.1",

backend/package.json

@@ -58,6 +58,7 @@
     "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
     "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
     "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migrate:org": "tsx ./scripts/migrate-organization.ts",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
     "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
     "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
@@ -132,6 +133,7 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/auth-app": "^7.1.1",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",

backend/scripts/migrate-organization.ts

@@ -0,0 +1,84 @@
+/* eslint-disable */
+import promptSync from "prompt-sync";
+import { execSync } from "child_process";
+import path from "path";
+import { existsSync } from "fs";
+
+const prompt = promptSync({
+  sigint: true
+});
+
+const exportDb = () => {
+  const exportHost = prompt("Enter your Postgres Host to migrate from: ");
+  const exportPort = prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432";
+  const exportUser = prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical";
+  const exportPassword = prompt("Enter your Postgres Password to migrate from: ");
+  const exportDatabase = prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical";
+
+  // we do not include the audit_log and secret_sharing entries
+  execSync(
+    `PGDATABASE="${exportDatabase}" PGPASSWORD="${exportPassword}" PGHOST="${exportHost}" PGPORT=${exportPort} PGUSER=${exportUser} pg_dump infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
+      __dirname,
+      "../src/db/dump.sql"
+    )}`,
+    { stdio: "inherit" }
+  );
+};
+
+const importDbForOrg = () => {
+  const importHost = prompt("Enter your Postgres Host to migrate to: ");
+  const importPort = prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432";
+  const importUser = prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical";
+  const importPassword = prompt("Enter your Postgres Password to migrate to: ");
+  const importDatabase = prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical";
+  const orgId = prompt("Enter the organization ID to migrate: ");
+
+  if (!existsSync(path.join(__dirname, "../src/db/dump.sql"))) {
+    console.log("File not found, please export the database first.");
+    return;
+  }
+
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -f ${path.join(
+      __dirname,
+      "../src/db/dump.sql"
+    )}`
+  );
+
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
+  );
+
+  // delete global/instance-level resources not relevant to the organization to migrate
+  // users
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
+  );
+
+  // identities
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
+  );
+
+  // reset slack configuration in superAdmin
+  execSync(
+    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
+  );
+
+  console.log("Organization migrated successfully.");
+};
+
+const main = () => {
+  const action = prompt(
+    "Enter the action to perform\n 1. Export from existing instance.\n 2. Import org to instance.\n \n Action: "
+  );
+  if (action === "1") {
+    exportDb();
+  } else if (action === "2") {
+    importDbForOrg();
+  } else {
+    console.log("Invalid action");
+  }
+};
+
+main();

backend/src/@types/fastify.d.ts

@@ -39,6 +39,7 @@ import { TCertificateServiceFactory } from "@app/services/certificate/certificat
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
+import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
@@ -185,6 +186,7 @@ declare module "fastify" {
       workflowIntegration: TWorkflowIntegrationServiceFactory;
       cmek: TCmekServiceFactory;
       migration: TExternalMigrationServiceFactory;
+      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -336,6 +336,11 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
+import {
+  TExternalGroupOrgRoleMappings,
+  TExternalGroupOrgRoleMappingsInsert,
+  TExternalGroupOrgRoleMappingsUpdate
+} from "@app/db/schemas/external-group-org-role-mappings";
 import {
   TSecretV2TagJunction,
   TSecretV2TagJunctionInsert,
@@ -808,5 +813,10 @@ declare module "knex/types/tables" {
       TWorkflowIntegrationsInsert,
       TWorkflowIntegrationsUpdate
     >;
+    [TableName.ExternalGroupOrgRoleMapping]: KnexOriginal.CompositeTableType<
+      TExternalGroupOrgRoleMappings,
+      TExternalGroupOrgRoleMappingsInsert,
+      TExternalGroupOrgRoleMappingsUpdate
+    >;
   }
 }

backend/src/db/migrations/20241015084434_increase-identity-metadata-col-length.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 255).alter();
+    });
+  }
+}

backend/src/db/migrations/20241015145450_external-group-org-role-mapping.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  // add external group to org role mapping table
+  if (!(await knex.schema.hasTable(TableName.ExternalGroupOrgRoleMapping))) {
+    await knex.schema.createTable(TableName.ExternalGroupOrgRoleMapping, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("groupName").notNullable();
+      t.index("groupName");
+      t.string("role").notNullable();
+      t.uuid("roleId");
+      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.unique(["orgId", "groupName"]);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.ExternalGroupOrgRoleMapping);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.ExternalGroupOrgRoleMapping)) {
+    await dropOnUpdateTrigger(knex, TableName.ExternalGroupOrgRoleMapping);
+
+    await knex.schema.dropTable(TableName.ExternalGroupOrgRoleMapping);
+  }
+}

backend/src/db/migrations/20241021114650_add-missing-org-cascade-references.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SamlConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SamlConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+}

backend/src/db/schemas/external-group-org-role-mappings.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalGroupOrgRoleMappingsSchema = z.object({
+  id: z.string().uuid(),
+  groupName: z.string(),
+  role: z.string(),
+  roleId: z.string().uuid().nullable().optional(),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TExternalGroupOrgRoleMappings = z.infer<typeof ExternalGroupOrgRoleMappingsSchema>;
+export type TExternalGroupOrgRoleMappingsInsert = Omit<
+  z.input<typeof ExternalGroupOrgRoleMappingsSchema>,
+  TImmutableDBKeys
+>;
+export type TExternalGroupOrgRoleMappingsUpdate = Partial<
+  Omit<z.input<typeof ExternalGroupOrgRoleMappingsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -17,6 +17,7 @@ export enum TableName {
   Groups = "groups",
   GroupProjectMembership = "group_project_memberships",
   GroupProjectMembershipRole = "group_project_membership_roles",
+  ExternalGroupOrgRoleMapping = "external_group_org_role_mappings",
   UserGroupMembership = "user_group_membership",
   UserAliases = "user_aliases",
   UserEncryptionKey = "user_encryption_keys",

backend/src/ee/routes/v1/saml-router.ts

@@ -128,7 +128,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
             .map((key) => {
               // for the ones like in format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
               const formatedKey = key.startsWith("http") ? key.split("/").at(-1) || "" : key;
-              return { key: formatedKey, value: String((profile.attributes as Record<string, string>)[key]) };
+              return {
+                key: formatedKey,
+                value: String((profile.attributes as Record<string, string>)[key]).substring(0, 1020)
+              };
             })
             .filter((el) => el.key && !["email", "firstName", "lastName"].includes(el.key));
 

backend/src/ee/routes/v1/scim-router.ts

@@ -20,7 +20,7 @@ const ScimUserSchema = z.object({
       z.object({
         primary: z.boolean(),
         value: z.string().email(),
-        type: z.string().trim()
+        type: z.string().trim().default("work")
       })
     )
     .optional(),
@@ -210,8 +210,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
           .array(
             z.object({
               primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
+              value: z.string().email()
             })
           )
           .optional(),
@@ -281,8 +280,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
           .array(
             z.object({
               primary: z.boolean(),
-              value: z.string().email(),
-              type: z.string().trim()
+              value: z.string().email()
             })
           )
           .optional(),
@@ -301,7 +299,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             z.object({
               primary: z.boolean(),
               value: z.string().email(),
-              type: z.string().trim()
+              type: z.string().trim().default("work")
             })
           ),
           displayName: z.string().trim(),

backend/src/ee/routes/v1/secret-scanning-router.ts

@@ -2,6 +2,8 @@ import { z } from "zod";
 
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
 import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -23,6 +25,13 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
+      const appCfg = getConfig();
+      if (!appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(req.auth.orgId)) {
+        throw new BadRequestError({
+          message: "Secret scanning is temporarily unavailable."
+        });
+      }
+
       const session = await server.services.secretScanning.createInstallationSession({
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -30,6 +39,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
         actorOrgId: req.permission.orgId,
         orgId: req.body.organizationId
       });
+
       return session;
     }
   });

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -190,7 +190,9 @@ export enum EventType {
   DELETE_CMEK = "delete-cmek",
   GET_CMEKS = "get-cmeks",
   CMEK_ENCRYPT = "cmek-encrypt",
-  CMEK_DECRYPT = "cmek-decrypt"
+  CMEK_DECRYPT = "cmek-decrypt",
+  UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
+  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping"
 }
 
 interface UserActorMetadata {
@@ -1604,6 +1606,18 @@ interface CmekDecryptEvent {
   };
 }
 
+interface GetExternalGroupOrgRoleMappingsEvent {
+  type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
+  metadata?: Record<string, never>; // not needed, based off orgId
+}
+
+interface UpdateExternalGroupOrgRoleMappingsEvent {
+  type: EventType.UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
+  metadata: {
+    mappings: { groupName: string; roleSlug: string }[];
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1750,4 +1764,6 @@ export type Event =
   | DeleteCmekEvent
   | GetCmeksEvent
   | CmekEncryptEvent
-  | CmekDecryptEvent;
+  | CmekDecryptEvent
+  | GetExternalGroupOrgRoleMappingsEvent
+  | UpdateExternalGroupOrgRoleMappingsEvent;

backend/src/ee/services/scim/scim-service.ts

@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";
 import { scimPatch } from "scim-patch";
 
-import { OrgMembershipRole, OrgMembershipStatus, TableName, TOrgMemberships, TUsers } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -13,6 +13,7 @@ import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } f
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
+import { TExternalGroupOrgRoleMappingDALFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-dal";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
@@ -71,7 +72,10 @@ type TScimServiceFactoryDep = {
     | "transaction"
     | "updateMembershipById"
   >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById" | "findById">;
+  orgMembershipDAL: Pick<
+    TOrgMembershipDALFactory,
+    "find" | "findOne" | "create" | "updateById" | "findById" | "update"
+  >;
   projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
   groupDAL: Pick<
@@ -102,6 +106,7 @@ type TScimServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   smtpService: Pick<TSmtpService, "sendMail">;
   projectUserAdditionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
+  externalGroupOrgRoleMappingDAL: TExternalGroupOrgRoleMappingDALFactory;
 };
 
 export type TScimServiceFactory = ReturnType<typeof scimServiceFactory>;
@@ -122,7 +127,8 @@ export const scimServiceFactory = ({
   projectBotDAL,
   permissionService,
   projectUserAdditionalPrivilegeDAL,
-  smtpService
+  smtpService,
+  externalGroupOrgRoleMappingDAL
 }: TScimServiceFactoryDep) => {
   const createScimToken = async ({
     actor,
@@ -692,6 +698,43 @@ export const scimServiceFactory = ({
     });
   };
 
+  const $syncNewMembersRoles = async (group: TGroups, members: TScimGroup["members"]) => {
+    // this function handles configuring newly provisioned users org membership if an external group mapping exists
+
+    if (!members.length) return;
+
+    const externalGroupMapping = await externalGroupOrgRoleMappingDAL.findOne({
+      orgId: group.orgId,
+      groupName: group.name
+    });
+
+    // no mapping, user will have default org membership
+    if (!externalGroupMapping) return;
+
+    // only get org memberships that are new (invites)
+    const newOrgMemberships = await orgMembershipDAL.find({
+      status: "invited",
+      $in: {
+        id: members.map((member) => member.value)
+      }
+    });
+
+    if (!newOrgMemberships.length) return;
+
+    // set new membership roles to group mapping value
+    await orgMembershipDAL.update(
+      {
+        $in: {
+          id: newOrgMemberships.map((membership) => membership.id)
+        }
+      },
+      {
+        role: externalGroupMapping.role,
+        roleId: externalGroupMapping.roleId
+      }
+    );
+  };
+
   const createScimGroup = async ({ displayName, orgId, members }: TCreateScimGroupDTO) => {
     const plan = await licenseService.getPlan(orgId);
     if (!plan.groups)
@@ -745,6 +788,8 @@ export const scimServiceFactory = ({
           tx
         });
 
+        await $syncNewMembersRoles(group, members);
+
         return { group, newMembers };
       }
 
@@ -820,22 +865,41 @@ export const scimServiceFactory = ({
     orgId: string,
     { displayName, members = [] }: { displayName: string; members: { value: string }[] }
   ) => {
-    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      const [group] = await groupDAL.update(
-        {
-          id: groupId,
-          orgId
-        },
-        {
-          name: displayName
-        }
-      );
+    let group = await groupDAL.findOne({
+      id: groupId,
+      orgId
+    });
 
-      if (!group) {
-        throw new ScimRequestError({
-          detail: "Group Not Found",
-          status: 404
-        });
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
+
+    const updatedGroup = await groupDAL.transaction(async (tx) => {
+      if (group.name !== displayName) {
+        await externalGroupOrgRoleMappingDAL.update(
+          {
+            groupName: group.name,
+            orgId
+          },
+          {
+            groupName: displayName
+          }
+        );
+
+        const [modifiedGroup] = await groupDAL.update(
+          {
+            id: groupId,
+            orgId
+          },
+          {
+            name: displayName
+          }
+        );
+
+        group = modifiedGroup;
       }
 
       const orgMemberships = members.length
@@ -892,6 +956,8 @@ export const scimServiceFactory = ({
       return group;
     });
 
+    await $syncNewMembersRoles(group, members);
+
     return updatedGroup;
   };
 

backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts

@@ -1,6 +1,6 @@
 import { ProbotOctokit } from "probot";
 
-import { OrgMembershipRole } from "@app/db/schemas";
+import { OrgMembershipRole, TableName } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@@ -61,7 +61,7 @@ export const secretScanningQueueFactory = ({
   const getOrgAdminEmails = async (organizationId: string) => {
     // get emails of admins
     const adminsOfWork = await orgMemberDAL.findMembership({
-      orgId: organizationId,
+      [`${TableName.Organization}.id` as string]: organizationId,
       role: OrgMembershipRole.Admin
     });
     return adminsOfWork.filter((userObject) => userObject.email).map((userObject) => userObject.email as string);

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,7 +90,7 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
+    if (appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(actorOrgId)) {
       await Promise.all(
         repositories.map(({ id, full_name }) =>
           secretScanningQueue.startFullRepoScan({
@@ -164,7 +164,7 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
+    if (appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(installationLink.orgId)) {
       await secretScanningQueue.startPushEventScan({
         commits,
         pusher: { name: pusher.name, email: pusher.email },

backend/src/lib/config/env.ts

@@ -117,9 +117,16 @@ const envSchema = z
     // gcp secret manager
     CLIENT_ID_GCP_SECRET_MANAGER: zpStr(z.string().optional()),
     CLIENT_SECRET_GCP_SECRET_MANAGER: zpStr(z.string().optional()),
-    // github
+    // github oauth
     CLIENT_ID_GITHUB: zpStr(z.string().optional()),
     CLIENT_SECRET_GITHUB: zpStr(z.string().optional()),
+    // github app
+    CLIENT_ID_GITHUB_APP: zpStr(z.string().optional()),
+    CLIENT_SECRET_GITHUB_APP: zpStr(z.string().optional()),
+    CLIENT_PRIVATE_KEY_GITHUB_APP: zpStr(z.string().optional()),
+    CLIENT_APP_ID_GITHUB_APP: z.coerce.number().optional(),
+    CLIENT_SLUG_GITHUB_APP: zpStr(z.string().optional()),
+
     // azure
     CLIENT_ID_AZURE: zpStr(z.string().optional()),
     CLIENT_SECRET_AZURE: zpStr(z.string().optional()),
@@ -135,6 +142,7 @@ const envSchema = z
     SECRET_SCANNING_WEBHOOK_SECRET: zpStr(z.string().optional()),
     SECRET_SCANNING_GIT_APP_ID: zpStr(z.string().optional()),
     SECRET_SCANNING_PRIVATE_KEY: zpStr(z.string().optional()),
+    SECRET_SCANNING_ORG_WHITELIST: zpStr(z.string().optional()),
     // LICENSE
     LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
     LICENSE_SERVER_KEY: zpStr(z.string().optional()),
@@ -170,7 +178,8 @@ const envSchema = z
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
-    samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG
+    samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
+    SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));
 
 let envCfg: Readonly<z.infer<typeof envSchema>>;

backend/src/lib/errors/index.ts

@@ -71,6 +71,13 @@ export class BadRequestError extends Error {
   }
 }
 
+export class RateLimitError extends Error {
+  constructor({ message }: { message?: string }) {
+    super(message || "Rate limit exceeded");
+    this.name = "RateLimitExceeded";
+  }
+}
+
 export class NotFoundError extends Error {
   name: string;
 

backend/src/server/config/rateLimiter.ts

@@ -2,6 +2,7 @@ import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-lim
 import { Redis } from "ioredis";
 
 import { getConfig } from "@app/lib/config/env";
+import { RateLimitError } from "@app/lib/errors";
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   const appCfg = getConfig();
@@ -10,6 +11,11 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
     : null;
 
   return {
+    errorResponseBuilder: (_, context) => {
+      throw new RateLimitError({
+        message: `Rate limit exceeded. Please try again in ${context.after}`
+      });
+    },
     timeWindow: 60 * 1000,
     max: 600,
     redis,

backend/src/server/plugins/error-handler.ts

@@ -10,6 +10,7 @@ import {
   GatewayTimeoutError,
   InternalServerError,
   NotFoundError,
+  RateLimitError,
   ScimRequestError,
   UnauthorizedError
 } from "@app/lib/errors";
@@ -27,7 +28,8 @@ enum HttpStatusCodes {
   Forbidden = 403,
   // eslint-disable-next-line @typescript-eslint/no-shadow
   InternalServerError = 500,
-  GatewayTimeout = 504
+  GatewayTimeout = 504,
+  TooManyRequests = 429
 }
 
 export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
@@ -69,6 +71,12 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
         message: error.message,
         error: error.name
       });
+    } else if (error instanceof RateLimitError) {
+      void res.status(HttpStatusCodes.TooManyRequests).send({
+        statusCode: HttpStatusCodes.TooManyRequests,
+        message: error.message,
+        error: error.name
+      });
     } else if (error instanceof ScimRequestError) {
       void res.status(error.status).send({
         schemas: error.schemas,

backend/src/server/routes/index.ts

@@ -97,6 +97,8 @@ import { certificateTemplateDALFactory } from "@app/services/certificate-templat
 import { certificateTemplateEstConfigDALFactory } from "@app/services/certificate-template/certificate-template-est-config-dal";
 import { certificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { cmekServiceFactory } from "@app/services/cmek/cmek-service";
+import { externalGroupOrgRoleMappingDALFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-dal";
+import { externalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { externalMigrationQueueFactory } from "@app/services/external-migration/external-migration-queue";
 import { externalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { groupProjectDALFactory } from "@app/services/group-project/group-project-dal";
@@ -223,9 +225,7 @@ export const registerRoutes = async (
   }: { auditLogDb?: Knex; db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
   const appCfg = getConfig();
-  if (!appCfg.DISABLE_SECRET_SCANNING) {
-    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
-  }
+  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -336,6 +336,8 @@ export const registerRoutes = async (
   const projectSlackConfigDAL = projectSlackConfigDALFactory(db);
   const workflowIntegrationDAL = workflowIntegrationDALFactory(db);
 
+  const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
+
   const permissionService = permissionServiceFactory({
     permissionDAL,
     orgRoleDAL,
@@ -442,7 +444,8 @@ export const registerRoutes = async (
     projectKeyDAL,
     projectBotDAL,
     permissionService,
-    smtpService
+    smtpService,
+    externalGroupOrgRoleMappingDAL
   });
 
   const ldapService = ldapConfigServiceFactory({
@@ -493,6 +496,9 @@ export const registerRoutes = async (
     authDAL,
     userDAL
   });
+
+  const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
+
   const orgService = orgServiceFactory({
     userAliasDAL,
     identityMetadataDAL,
@@ -515,7 +521,8 @@ export const registerRoutes = async (
     userDAL,
     groupDAL,
     orgBotDAL,
-    oidcConfigDAL
+    oidcConfigDAL,
+    projectBotService
   });
   const signupService = authSignupServiceFactory({
     tokenService,
@@ -533,7 +540,12 @@ export const registerRoutes = async (
     orgService,
     licenseService
   });
-  const orgRoleService = orgRoleServiceFactory({ permissionService, orgRoleDAL, orgDAL });
+  const orgRoleService = orgRoleServiceFactory({
+    permissionService,
+    orgRoleDAL,
+    orgDAL,
+    externalGroupOrgRoleMappingDAL
+  });
   const superAdminService = superAdminServiceFactory({
     userDAL,
     authService: loginService,
@@ -574,7 +586,6 @@ export const registerRoutes = async (
     secretScanningDAL,
     secretScanningQueue
   });
-  const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
 
   const projectMembershipService = projectMembershipServiceFactory({
     projectMembershipDAL,
@@ -838,7 +849,10 @@ export const registerRoutes = async (
     integrationAuthDAL,
     snapshotDAL,
     snapshotSecretV2BridgeDAL,
-    secretApprovalRequestDAL
+    secretApprovalRequestDAL,
+    projectKeyDAL,
+    projectUserMembershipRoleDAL,
+    orgService
   });
   const secretImportService = secretImportServiceFactory({
     licenseService,
@@ -1225,6 +1239,13 @@ export const registerRoutes = async (
     permissionService
   });
 
+  const externalGroupOrgRoleMappingService = externalGroupOrgRoleMappingServiceFactory({
+    permissionService,
+    licenseService,
+    orgRoleDAL,
+    externalGroupOrgRoleMappingDAL
+  });
+
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
@@ -1310,7 +1331,8 @@ export const registerRoutes = async (
     orgAdmin: orgAdminService,
     slack: slackService,
     workflowIntegration: workflowIntegrationService,
-    migration: migrationService
+    migration: migrationService,
+    externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/admin-router.ts

@@ -109,7 +109,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             firstName: true,
             lastName: true,
             email: true,
-            id: true
+            id: true,
+            superAdmin: true
           }).array()
         })
       }

backend/src/server/routes/v1/external-group-org-role-mapping-router.ts

@@ -0,0 +1,83 @@
+import slugify from "@sindresorhus/slugify";
+import { z } from "zod";
+
+import { ExternalGroupOrgRoleMappingsSchema } from "@app/db/schemas/external-group-org-role-mappings";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerExternalGroupOrgRoleMappingRouter = async (server: FastifyZodProvider) => {
+  // get mappings for current org
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: ExternalGroupOrgRoleMappingsSchema.array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const mappings = server.services.externalGroupOrgRoleMapping.listExternalGroupOrgRoleMappings(req.permission);
+
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS
+        }
+      });
+
+      return mappings;
+    }
+  });
+
+  // update mappings for current org
+  server.route({
+    method: "PUT", // using put since this endpoint creates, updates and deletes mappings
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        mappings: z
+          .object({
+            groupName: z.string().trim().min(1),
+            roleSlug: z
+              .string()
+              .min(1)
+              .toLowerCase()
+              .refine((v) => slugify(v) === v, {
+                message: "Role must be a valid slug"
+              })
+          })
+          .array()
+      }),
+      response: {
+        200: ExternalGroupOrgRoleMappingsSchema.array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { body, permission } = req;
+
+      const mappings = server.services.externalGroupOrgRoleMapping.updateExternalGroupOrgRoleMappings(body, permission);
+
+      await server.services.auditLog.createAuditLog({
+        orgId: permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS,
+          metadata: body
+        }
+      });
+
+      return mappings;
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -7,6 +7,7 @@ import { registerProjectBotRouter } from "./bot-router";
 import { registerCaRouter } from "./certificate-authority-router";
 import { registerCertRouter } from "./certificate-router";
 import { registerCertificateTemplateRouter } from "./certificate-template-router";
+import { registerExternalGroupOrgRoleMappingRouter } from "./external-group-org-role-mapping-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
 import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
@@ -106,4 +107,5 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerUserEngagementRouter, { prefix: "/user-engagement" });
   await server.register(registerDashboardRouter, { prefix: "/dashboard" });
   await server.register(registerCmekRouter, { prefix: "/kms" });
+  await server.register(registerExternalGroupOrgRoleMappingRouter, { prefix: "/external-group-mappings" });
 };

backend/src/server/routes/v1/integration-auth-router.ts

@@ -189,6 +189,7 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
         workspaceId: z.string().trim(),
         code: z.string().trim(),
         integration: z.string().trim(),
+        installationId: z.string().trim().optional(),
         url: z.string().trim().url().optional()
       }),
       response: {
@@ -452,6 +453,40 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/:integrationAuthId/duplicate",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      body: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          integrationAuth: integrationAuthPubSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const integrationAuth = await server.services.integrationAuth.duplicateIntegrationAuth({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        id: req.params.integrationAuthId,
+        projectId: req.body.projectId
+      });
+
+      return { integrationAuth };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/:integrationAuthId/github/envs",

backend/src/server/routes/v1/organization-router.ts

@@ -17,6 +17,8 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
+import { integrationAuthPubSchema } from "../sanitizedSchemas";
+
 export const registerOrgRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "GET",
@@ -68,6 +70,35 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:organizationId/integration-authorizations",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          authorizations: integrationAuthPubSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const authorizations = await server.services.integrationAuth.listOrgIntegrationAuth({
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId
+      });
+
+      return { authorizations };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/audit-logs",
@@ -138,7 +169,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const auditLogs = await server.services.auditLog.listAuditLogs({
         filter: {
@@ -180,7 +211,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
                 email: true,
                 firstName: true,
                 lastName: true,
-                id: true
+                id: true,
+                superAdmin: true
               }).merge(z.object({ publicKey: z.string().nullable() }))
             })
           )

backend/src/server/routes/v1/password-router.ts

@@ -65,7 +65,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
       const appCfg = getConfig();
       await server.services.password.changePassword({ ...req.body, userId: req.permission.id });
 
-      void res.cookie("jid", appCfg.COOKIE_SECRET_SIGN_KEY, {
+      void res.cookie("jid", "", {
         httpOnly: true,
         path: "/",
         sameSite: "strict",

backend/src/services/external-group-org-role-mapping/external-group-org-role-mapping-dal.ts

@@ -0,0 +1,46 @@
+import { Tables } from "knex/types/tables";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { TExternalGroupOrgRoleMappings } from "@app/db/schemas/external-group-org-role-mappings";
+import { ormify } from "@app/lib/knex";
+
+export type TExternalGroupOrgRoleMappingDALFactory = ReturnType<typeof externalGroupOrgRoleMappingDALFactory>;
+
+export const externalGroupOrgRoleMappingDALFactory = (db: TDbClient) => {
+  const externalGroupOrgRoleMappingOrm = ormify(db, TableName.ExternalGroupOrgRoleMapping);
+
+  const updateExternalGroupOrgRoleMappingForOrg = async (
+    orgId: string,
+    newMappings: readonly Tables[TableName.ExternalGroupOrgRoleMapping]["insert"][]
+  ) => {
+    const currentMappings = await externalGroupOrgRoleMappingOrm.find({ orgId });
+
+    const newMap = new Map(newMappings.map((mapping) => [mapping.groupName, mapping]));
+    const currentMap = new Map(currentMappings.map((mapping) => [mapping.groupName, mapping]));
+
+    const mappingsToDelete = currentMappings.filter((mapping) => !newMap.has(mapping.groupName));
+    const mappingsToUpdate = currentMappings
+      .filter((mapping) => newMap.has(mapping.groupName))
+      .map((mapping) => ({ id: mapping.id, ...newMap.get(mapping.groupName) }));
+    const mappingsToInsert = newMappings.filter((mapping) => !currentMap.has(mapping.groupName));
+
+    const mappings = await externalGroupOrgRoleMappingOrm.transaction(async (tx) => {
+      await externalGroupOrgRoleMappingOrm.delete({ $in: { id: mappingsToDelete.map((mapping) => mapping.id) } }, tx);
+
+      const updatedMappings: TExternalGroupOrgRoleMappings[] = [];
+      for await (const { id, ...mappingData } of mappingsToUpdate) {
+        const updatedMapping = await externalGroupOrgRoleMappingOrm.update({ id }, mappingData, tx);
+        updatedMappings.push(updatedMapping[0]);
+      }
+
+      const insertedMappings = await externalGroupOrgRoleMappingOrm.insertMany(mappingsToInsert, tx);
+
+      return [...updatedMappings, ...insertedMappings];
+    });
+
+    return mappings;
+  };
+
+  return { ...externalGroupOrgRoleMappingOrm, updateExternalGroupOrgRoleMappingForOrg };
+};

backend/src/services/external-group-org-role-mapping/external-group-org-role-mapping-fns.ts

@@ -0,0 +1,67 @@
+import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
+import { isCustomOrgRole } from "@app/services/org/org-role-fns";
+
+import { TExternalGroupOrgMembershipRoleMappingDTO } from "./external-group-org-role-mapping-types";
+
+export const constructGroupOrgMembershipRoleMappings = async ({
+  mappingsDTO,
+  orgId,
+  orgRoleDAL,
+  licenseService
+}: {
+  mappingsDTO: TExternalGroupOrgMembershipRoleMappingDTO[];
+  orgRoleDAL: TOrgRoleDALFactory;
+  licenseService: TLicenseServiceFactory;
+  orgId: string;
+}) => {
+  const plan = await licenseService.getPlan(orgId);
+
+  // prevent setting custom values if not in plan
+  if (mappingsDTO.some((map) => isCustomOrgRole(map.roleSlug)) && !plan?.rbac)
+    throw new BadRequestError({
+      message:
+        "Failed to set group organization role mapping due to plan RBAC restriction. Upgrade plan to set custom role mapping."
+    });
+
+  const customRoleSlugs = mappingsDTO
+    .filter((mapping) => isCustomOrgRole(mapping.roleSlug))
+    .map((mapping) => mapping.roleSlug);
+
+  let customRolesMap: Map<string, TOrgRoles> = new Map();
+  if (customRoleSlugs.length > 0) {
+    const customRoles = await orgRoleDAL.find({
+      $in: {
+        slug: customRoleSlugs
+      }
+    });
+
+    customRolesMap = new Map(customRoles.map((role) => [role.slug, role]));
+  }
+
+  const mappings = mappingsDTO.map(({ roleSlug, groupName }) => {
+    if (isCustomOrgRole(roleSlug)) {
+      const customRole = customRolesMap.get(roleSlug);
+
+      if (!customRole) throw new NotFoundError({ message: `Custom role ${roleSlug} not found.` });
+
+      return {
+        groupName,
+        role: OrgMembershipRole.Custom,
+        roleId: customRole.id,
+        orgId
+      };
+    }
+
+    return {
+      groupName,
+      role: roleSlug,
+      roleId: null, // need to set explicitly null for updates
+      orgId
+    };
+  });
+
+  return mappings;
+};

backend/src/services/external-group-org-role-mapping/external-group-org-role-mapping-service.ts

@@ -0,0 +1,78 @@
+import { ForbiddenError } from "@casl/ability";
+import { FastifyRequest } from "fastify";
+
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { constructGroupOrgMembershipRoleMappings } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-fns";
+import { TSyncExternalGroupOrgMembershipRoleMappingsDTO } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-types";
+import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
+
+import { TExternalGroupOrgRoleMappingDALFactory } from "./external-group-org-role-mapping-dal";
+
+type TExternalGroupOrgRoleMappingServiceFactoryDep = {
+  externalGroupOrgRoleMappingDAL: TExternalGroupOrgRoleMappingDALFactory;
+  permissionService: TPermissionServiceFactory;
+  licenseService: TLicenseServiceFactory;
+  orgRoleDAL: TOrgRoleDALFactory;
+};
+
+export type TExternalGroupOrgRoleMappingServiceFactory = ReturnType<typeof externalGroupOrgRoleMappingServiceFactory>;
+
+export const externalGroupOrgRoleMappingServiceFactory = ({
+  externalGroupOrgRoleMappingDAL,
+  licenseService,
+  permissionService,
+  orgRoleDAL
+}: TExternalGroupOrgRoleMappingServiceFactoryDep) => {
+  const listExternalGroupOrgRoleMappings = async (actor: FastifyRequest["permission"]) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    // TODO: will need to change if we add support for ldap, oidc, etc.
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Scim);
+
+    const mappings = await externalGroupOrgRoleMappingDAL.find({
+      orgId: actor.orgId
+    });
+
+    return mappings;
+  };
+
+  const updateExternalGroupOrgRoleMappings = async (
+    dto: TSyncExternalGroupOrgMembershipRoleMappingsDTO,
+    actor: FastifyRequest["permission"]
+  ) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor.type,
+      actor.id,
+      actor.orgId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    // TODO: will need to change if we add support for ldap, oidc, etc.
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim);
+
+    const mappings = await constructGroupOrgMembershipRoleMappings({
+      mappingsDTO: dto.mappings,
+      orgRoleDAL,
+      licenseService,
+      orgId: actor.orgId
+    });
+
+    const data = await externalGroupOrgRoleMappingDAL.updateExternalGroupOrgRoleMappingForOrg(actor.orgId, mappings);
+
+    return data;
+  };
+
+  return {
+    updateExternalGroupOrgRoleMappings,
+    listExternalGroupOrgRoleMappings
+  };
+};

backend/src/services/external-group-org-role-mapping/external-group-org-role-mapping-types.ts

@@ -0,0 +1,8 @@
+export type TExternalGroupOrgMembershipRoleMappingDTO = {
+  groupName: string;
+  roleSlug: string;
+};
+
+export type TSyncExternalGroupOrgMembershipRoleMappingsDTO = {
+  mappings: TExternalGroupOrgMembershipRoleMappingDTO[];
+};

backend/src/services/external-migration/external-migration-fns.ts

@@ -126,6 +126,7 @@ export const importDataIntoInfisicalFn = async ({
 
   const originalToNewProjectId = new Map<string, string>();
   const originalToNewEnvironmentId = new Map<string, string>();
+  const projectsNotImported: string[] = [];
 
   await projectDAL.transaction(async (tx) => {
     for await (const project of data.projects) {
@@ -143,16 +144,21 @@ export const importDataIntoInfisicalFn = async ({
           logger.error(e, `Failed to import to project [name:${project.name}]`);
           throw new BadRequestError({ message: `Failed to import to project [name:${project.name}]` });
         });
-
       originalToNewProjectId.set(project.id, newProject.id);
     }
 
     // Import environments
     if (data.environments) {
       for await (const environment of data.environments) {
-        const projectId = originalToNewProjectId.get(environment.projectId)!;
+        const projectId = originalToNewProjectId.get(environment.projectId);
         const slug = slugify(`${environment.name}-${alphaNumericNanoId(4)}`);
 
+        if (!projectId) {
+          projectsNotImported.push(environment.projectId);
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
         const existingEnv = await projectEnvDAL.findOne({ projectId, slug }, tx);
 
         if (existingEnv) {
@@ -180,6 +186,11 @@ export const importDataIntoInfisicalFn = async ({
       >();
 
       for (const secret of data.secrets) {
+        if (!originalToNewEnvironmentId.get(secret.environmentId)) {
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
         if (!mappedToEnvironmentId.has(secret.environmentId)) {
           mappedToEnvironmentId.set(secret.environmentId, []);
         }
@@ -214,22 +225,21 @@ export const importDataIntoInfisicalFn = async ({
             name: "Create secret"
           });
 
-        const secretsByKeys = await secretDAL.findBySecretKeys(
-          folder.id,
-          secrets.map((el) => ({
-            key: el.secretKey,
-            type: SecretType.Shared
-          })),
-          tx
-        );
-        if (secretsByKeys.length) {
-          throw new BadRequestError({
-            message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
-          });
-        }
-
         const secretBatches = chunkArray(secrets, 2500);
         for await (const secretBatch of secretBatches) {
+          const secretsByKeys = await secretDAL.findBySecretKeys(
+            folder.id,
+            secretBatch.map((el) => ({
+              key: el.secretKey,
+              type: SecretType.Shared
+            })),
+            tx
+          );
+          if (secretsByKeys.length) {
+            throw new BadRequestError({
+              message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
+            });
+          }
           await fnSecretBulkInsert({
             inputSecrets: secretBatch.map((el) => {
               const references = getAllNestedSecretReferences(el.secretValue);
@@ -255,4 +265,6 @@ export const importDataIntoInfisicalFn = async ({
       }
     }
   });
+
+  return { projectsNotImported };
 };

backend/src/services/external-migration/external-migration-queue.ts

@@ -97,7 +97,7 @@ export const externalMigrationQueueFactory = ({
 
       const decryptedJson = JSON.parse(decrypted) as TImportInfisicalDataCreate;
 
-      await importDataIntoInfisicalFn({
+      const { projectsNotImported } = await importDataIntoInfisicalFn({
         input: decryptedJson,
         projectDAL,
         projectEnvDAL,
@@ -112,6 +112,17 @@ export const externalMigrationQueueFactory = ({
         secretV2BridgeService
       });
 
+      if (projectsNotImported.length) {
+        logger.info(
+          {
+            actorEmail,
+            actorOrgId: decryptedJson.actorOrgId,
+            projectsNotImported
+          },
+          "One or more projects were not imported during import from external source"
+        );
+      }
+
       await smtpService.sendMail({
         recipients: [actorEmail],
         subjectLine: "Infisical import successful",

backend/src/services/integration-auth/integration-app-list.ts

@@ -1,9 +1,13 @@
 /* eslint-disable no-await-in-loop */
+import { createAppAuth } from "@octokit/auth-app";
 import { Octokit } from "@octokit/rest";
 
+import { TIntegrationAuths } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { NotFoundError } from "@app/lib/errors";
 
+import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import { Integrations, IntegrationUrls } from "./integration-list";
 
 // akhilmhdh: check this part later. Copied from old base
@@ -230,7 +234,13 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
 /**
  * Return list of repositories for Github integration
  */
-const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
+const getAppsGithub = async ({
+  accessToken,
+  authMetadata
+}: {
+  accessToken: string;
+  authMetadata?: TIntegrationAuthMetadata;
+}) => {
   interface GitHubApp {
     id: string;
     name: string;
@@ -242,6 +252,29 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
     };
   }
 
+  if (authMetadata?.installationId) {
+    const appCfg = getConfig();
+    const octokit = new Octokit({
+      authStrategy: createAppAuth,
+      auth: {
+        appId: appCfg.CLIENT_APP_ID_GITHUB_APP,
+        privateKey: appCfg.CLIENT_PRIVATE_KEY_GITHUB_APP,
+        installationId: authMetadata.installationId
+      }
+    });
+
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+    const repos = await octokit.paginate("GET /installation/repositories", {
+      per_page: 100
+    });
+
+    return repos.map((a) => ({
+      appId: String(a.id),
+      name: a.name,
+      owner: a.owner.login
+    }));
+  }
+
   // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
   const repos = (await new Octokit({
     auth: accessToken
@@ -1056,6 +1089,7 @@ const getAppsAzureDevOps = async ({ accessToken, orgName }: { accessToken: strin
 
 export const getApps = async ({
   integration,
+  integrationAuth,
   accessToken,
   accessId,
   teamId,
@@ -1066,6 +1100,7 @@ export const getApps = async ({
   integration: string;
   accessToken: string;
   accessId?: string;
+  integrationAuth: TIntegrationAuths;
   teamId?: string | null;
   azureDevOpsOrgName?: string | null;
   workspaceSlug?: string;
@@ -1099,7 +1134,8 @@ export const getApps = async ({
 
     case Integrations.GITHUB:
       return getAppsGithub({
-        accessToken
+        accessToken,
+        authMetadata: IntegrationAuthMetadataSchema.parse(integrationAuth.metadata || {})
       });
 
     case Integrations.GITLAB:

backend/src/services/integration-auth/integration-auth-dal.ts

@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName, TIntegrationAuths, TIntegrationAuthsUpdate } from "@app/db/schemas";
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 
 export type TIntegrationAuthDALFactory = ReturnType<typeof integrationAuthDALFactory>;
 
@@ -28,8 +28,23 @@ export const integrationAuthDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getByOrg = async (orgId: string, tx?: Knex) => {
+    try {
+      const integrationAuths = await (tx || db)(TableName.IntegrationAuth)
+        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.IntegrationAuth}.projectId`)
+        .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.Project}.orgId`)
+        .where(`${TableName.Organization}.id`, "=", orgId)
+        .select(selectAllTableCols(TableName.IntegrationAuth));
+
+      return integrationAuths;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "get by org" });
+    }
+  };
+
   return {
     ...integrationAuthOrm,
-    bulkUpdate
+    bulkUpdate,
+    getByOrg
   };
 };

backend/src/services/integration-auth/integration-auth-schema.ts

@@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const IntegrationAuthMetadataSchema = z.object({
+  installationId: z.string().optional()
+});
+
+export type TIntegrationAuthMetadata = z.infer<typeof IntegrationAuthMetadataSchema>;

backend/src/services/integration-auth/integration-auth-service.ts

@@ -1,14 +1,16 @@
 import { ForbiddenError } from "@casl/ability";
+import { createAppAuth } from "@octokit/auth-app";
 import { Octokit } from "@octokit/rest";
 import AWS from "aws-sdk";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { TProjectPermission } from "@app/lib/types";
+import { TGenericPermission, TProjectPermission } from "@app/lib/types";
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
@@ -16,11 +18,13 @@ import { KmsDataKey } from "../kms/kms-types";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { getApps } from "./integration-app-list";
 import { TIntegrationAuthDALFactory } from "./integration-auth-dal";
+import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import {
   TBitbucketWorkspace,
   TChecklyGroups,
   TDeleteIntegrationAuthByIdDTO,
   TDeleteIntegrationAuthsDTO,
+  TDuplicateGithubIntegrationAuthDTO,
   TGetIntegrationAuthDTO,
   TGetIntegrationAuthTeamCityBuildConfigDTO,
   THerokuPipelineCoupling,
@@ -86,6 +90,24 @@ export const integrationAuthServiceFactory = ({
     return authorizations;
   };
 
+  const listOrgIntegrationAuth = async ({ actorId, actor, actorOrgId, actorAuthMethod }: TGenericPermission) => {
+    const authorizations = await integrationAuthDAL.getByOrg(actorOrgId as string);
+
+    return Promise.all(
+      authorizations.filter(async (auth) => {
+        const { permission } = await permissionService.getProjectPermission(
+          actor,
+          actorId,
+          auth.projectId,
+          actorAuthMethod,
+          actorOrgId
+        );
+
+        return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+      })
+    );
+  };
+
   const getIntegrationAuth = async ({ actor, id, actorId, actorAuthMethod, actorOrgId }: TGetIntegrationAuthDTO) => {
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: "Failed to find integration" });
@@ -109,7 +131,8 @@ export const integrationAuthServiceFactory = ({
     actorAuthMethod,
     integration,
     url,
-    code
+    code,
+    installationId
   }: TOauthExchangeDTO) => {
     if (!Object.values(Integrations).includes(integration as Integrations))
       throw new BadRequestError({ message: "Invalid integration" });
@@ -123,7 +146,7 @@ export const integrationAuthServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
 
-    const tokenExchange = await exchangeCode({ integration, code, url });
+    const tokenExchange = await exchangeCode({ integration, code, url, installationId });
     const updateDoc: TIntegrationAuthsInsert = {
       projectId,
       integration,
@@ -141,6 +164,16 @@ export const integrationAuthServiceFactory = ({
       updateDoc.metadata = {
         authMethod: "oauth2"
       };
+    } else if (integration === Integrations.GITHUB && installationId) {
+      updateDoc.metadata = {
+        installationId,
+        installationName: tokenExchange.installationName,
+        authMethod: "app"
+      };
+    }
+
+    if (installationId && integration === Integrations.GITHUB) {
+      return integrationAuthDAL.create(updateDoc);
     }
 
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(projectId);
@@ -176,12 +209,23 @@ export const integrationAuthServiceFactory = ({
         updateDoc.accessCiphertext = accessEncToken.ciphertext;
       }
     }
+
     return integrationAuthDAL.transaction(async (tx) => {
-      const doc = await integrationAuthDAL.findOne({ projectId, integration }, tx);
-      if (!doc) {
+      const integrationAuths = await integrationAuthDAL.find({ projectId, integration }, { tx });
+      let existingIntegrationAuth: TIntegrationAuths | undefined;
+
+      // we need to ensure that the integration auth that we use for Github is actually Oauth
+      if (integration === Integrations.GITHUB) {
+        existingIntegrationAuth = integrationAuths.find((integAuth) => !integAuth.metadata);
+      } else {
+        [existingIntegrationAuth] = integrationAuths;
+      }
+
+      if (!existingIntegrationAuth) {
         return integrationAuthDAL.create(updateDoc, tx);
       }
-      return integrationAuthDAL.updateById(doc.id, updateDoc, tx);
+
+      return integrationAuthDAL.updateById(existingIntegrationAuth.id, updateDoc, tx);
     });
   };
 
@@ -334,6 +378,13 @@ export const integrationAuthServiceFactory = ({
     ) {
       return { accessToken: "", accessId: "" };
     }
+    if (
+      integrationAuth.integration === Integrations.GITHUB &&
+      IntegrationAuthMetadataSchema.parse(integrationAuth.metadata || {}).installationId
+    ) {
+      return { accessToken: "", accessId: "" };
+    }
+
     if (shouldUseSecretV2Bridge) {
       const { decryptor: secretManagerDecryptor, encryptor: secretManagerEncryptor } =
         await kmsService.createCipherPairWithDataKey({
@@ -460,6 +511,7 @@ export const integrationAuthServiceFactory = ({
     const { accessToken, accessId } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
     const apps = await getApps({
       integration: integrationAuth.integration,
+      integrationAuth,
       accessToken,
       accessId,
       teamId,
@@ -575,6 +627,7 @@ export const integrationAuthServiceFactory = ({
   };
 
   const getGithubOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthGithubOrgsDTO) => {
+    const appCfg = getConfig();
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: "Failed to find integration" });
 
@@ -587,9 +640,44 @@ export const integrationAuthServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
 
-    const octokit = new Octokit({
+    let octokit: Octokit;
+    const { installationId } = (integrationAuth.metadata as TIntegrationAuthMetadata) || {};
+    if (installationId) {
+      octokit = new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+          appId: appCfg.CLIENT_APP_ID_GITHUB_APP,
+          privateKey: appCfg.CLIENT_PRIVATE_KEY_GITHUB_APP,
+          installationId
+        }
+      });
+
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+      const repos = await octokit.paginate("GET /installation/repositories", {
+        per_page: 100
+      });
+
+      const orgSet: Set<string> = new Set();
+
+      return repos
+        .filter((repo) => repo.owner.type === "Organization")
+        .map((repo) => ({
+          name: repo.owner.login,
+          orgId: String(repo.owner.id)
+        }))
+        .filter((org) => {
+          const isOrgProcessed = orgSet.has(org.orgId);
+          if (!isOrgProcessed) {
+            orgSet.add(org.orgId);
+          }
+
+          return !isOrgProcessed;
+        });
+    }
+
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
+    octokit = new Octokit({
       auth: accessToken
     });
 
@@ -598,7 +686,9 @@ export const integrationAuthServiceFactory = ({
         "X-GitHub-Api-Version": "2022-11-28"
       }
     });
-    if (!data) return [];
+    if (!data) {
+      return [];
+    }
 
     return data.map(({ login: name, id: orgId }) => ({ name, orgId: String(orgId) }));
   };
@@ -626,9 +716,24 @@ export const integrationAuthServiceFactory = ({
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
 
-    const octokit = new Octokit({
-      auth: accessToken
-    });
+    let octokit: Octokit;
+    const appCfg = getConfig();
+
+    const authMetadata = IntegrationAuthMetadataSchema.parse(integrationAuth.metadata || {});
+    if (authMetadata.installationId) {
+      octokit = new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+          appId: appCfg.CLIENT_APP_ID_GITHUB_APP,
+          privateKey: appCfg.CLIENT_PRIVATE_KEY_GITHUB_APP,
+          installationId: authMetadata.installationId
+        }
+      });
+    } else {
+      octokit = new Octokit({
+        auth: accessToken
+      });
+    }
 
     const {
       data: { environments }
@@ -1315,8 +1420,58 @@ export const integrationAuthServiceFactory = ({
     return delIntegrationAuth;
   };
 
+  // At the moment, we only use this for Github App integration as it's a special case
+  const duplicateIntegrationAuth = async ({
+    id,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId,
+    projectId
+  }: TDuplicateGithubIntegrationAuthDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) {
+      throw new NotFoundError({ message: "Failed to find integration" });
+    }
+
+    const { permission: sourcePermission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(sourcePermission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.Integrations
+    );
+
+    const { permission: targetPermission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(targetPermission).throwUnlessCan(
+      ProjectPermissionActions.Create,
+      ProjectPermissionSub.Integrations
+    );
+
+    const newIntegrationAuth: Omit<typeof integrationAuth, "id"> & { id?: string } = {
+      ...integrationAuth,
+      id: undefined,
+      projectId
+    };
+
+    return integrationAuthDAL.create(newIntegrationAuth);
+  };
+
   return {
     listIntegrationAuthByProjectId,
+    listOrgIntegrationAuth,
     getIntegrationOptions,
     getIntegrationAuth,
     oauthExchange,
@@ -1343,6 +1498,7 @@ export const integrationAuthServiceFactory = ({
     getNorthFlankSecretGroups,
     getTeamcityBuildConfigs,
     getBitbucketWorkspaces,
-    getIntegrationAccessToken
+    getIntegrationAccessToken,
+    duplicateIntegrationAuth
   };
 };

backend/src/services/integration-auth/integration-auth-types.ts

@@ -9,6 +9,7 @@ export type TOauthExchangeDTO = {
   integration: string;
   code: string;
   url?: string;
+  installationId?: string;
 } & TProjectPermission;
 
 export type TSaveIntegrationAccessTokenDTO = {
@@ -107,6 +108,10 @@ export type TDeleteIntegrationAuthByIdDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TDuplicateGithubIntegrationAuthDTO = {
+  id: string;
+} & TProjectPermission;
+
 export type TGetIntegrationAuthTeamCityBuildConfigDTO = {
   id: string;
   appId: string;

backend/src/services/integration-auth/integration-delete-secret.ts

@@ -1,7 +1,10 @@
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+import { createAppAuth } from "@octokit/auth-app";
 import { retry } from "@octokit/plugin-retry";
 import { Octokit } from "@octokit/rest";
 
 import { TIntegrationAuths, TIntegrations } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -15,6 +18,7 @@ import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
+import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import { TIntegrationAuthServiceFactory } from "./integration-auth-service";
 import { Integrations } from "./integration-list";
 
@@ -154,10 +158,12 @@ const getIntegrationSecretsV1 = async (
 
 export const deleteGithubSecrets = async ({
   integration,
+  authMetadata,
   secrets,
   accessToken
 }: {
   integration: Omit<TIntegrations, "envId">;
+  authMetadata: TIntegrationAuthMetadata;
   secrets: Record<string, boolean>;
   accessToken: string;
 }) => {
@@ -170,9 +176,23 @@ export const deleteGithubSecrets = async ({
   }
 
   const OctokitWithRetry = Octokit.plugin(retry);
-  const octokit = new OctokitWithRetry({
-    auth: accessToken
-  });
+  let octokit: Octokit;
+  const appCfg = getConfig();
+
+  if (authMetadata.installationId) {
+    octokit = new OctokitWithRetry({
+      authStrategy: createAppAuth,
+      auth: {
+        appId: appCfg.CLIENT_APP_ID_GITHUB_APP,
+        privateKey: appCfg.CLIENT_PRIVATE_KEY_GITHUB_APP,
+        installationId: authMetadata.installationId
+      }
+    });
+  } else {
+    octokit = new OctokitWithRetry({
+      auth: accessToken
+    });
+  }
 
   enum GithubScope {
     Repo = "github-repo",
@@ -192,6 +212,7 @@ export const deleteGithubSecrets = async ({
       break;
     }
     case GithubScope.Env: {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
       encryptedGithubSecrets = (
         await octokit.request("GET /repositories/{repository_id}/environments/{environment_name}/secrets", {
           repository_id: Number(integration.appId),
@@ -346,6 +367,7 @@ export const deleteIntegrationSecrets = async ({
     case Integrations.GITHUB: {
       await deleteGithubSecrets({
         integration,
+        authMetadata: IntegrationAuthMetadataSchema.parse(integrationAuth.metadata || {}),
         accessToken,
         secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets
       });

backend/src/services/integration-auth/integration-list.ts

@@ -96,7 +96,9 @@ export enum IntegrationUrls {
   GCP_SECRET_MANAGER_SERVICE_NAME = "secretmanager.googleapis.com",
   GCP_SECRET_MANAGER_URL = `https://${GCP_SECRET_MANAGER_SERVICE_NAME}`,
   GCP_SERVICE_USAGE_URL = "https://serviceusage.googleapis.com",
-  GCP_CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
+  GCP_CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform",
+
+  GITHUB_USER_INSTALLATIONS = "https://api.github.com/user/installations"
 }
 
 export const getIntegrationOptions = async () => {
@@ -138,6 +140,7 @@ export const getIntegrationOptions = async () => {
       isAvailable: true,
       type: "oauth",
       clientId: appCfg.CLIENT_ID_GITHUB,
+      clientSlug: appCfg.CLIENT_SLUG_GITHUB_APP,
       docsLink: ""
     },
     {

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -19,6 +19,7 @@ import {
   UpdateSecretCommand
 } from "@aws-sdk/client-secrets-manager";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { createAppAuth } from "@octokit/auth-app";
 import { Octokit } from "@octokit/rest";
 import AWS, { AWSError } from "aws-sdk";
 import { AxiosError } from "axios";
@@ -36,6 +37,7 @@ import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { IntegrationMetadataSchema } from "../integration/integration-schema";
+import { IntegrationAuthMetadataSchema } from "./integration-auth-schema";
 import { TIntegrationsWithEnvironment } from "./integration-auth-types";
 import {
   IntegrationInitialSyncBehavior,
@@ -728,7 +730,7 @@ const syncSecretsAWSParameterStore = async ({
           awsParameterStoreSecretsObj[key].KeyId !== metadata.kmsKeyId;
 
         // we ensure that the KMS key configured in the integration is applied for ALL parameters on AWS
-        if (shouldUpdateKms || awsParameterStoreSecretsObj[key].Value !== secrets[key].value) {
+        if (secrets[key].value && (shouldUpdateKms || awsParameterStoreSecretsObj[key].Value !== secrets[key].value)) {
           await ssm
             .putParameter({
               Name: `${integration.path}${key}`,
@@ -789,7 +791,7 @@ const syncSecretsAWSParameterStore = async ({
         logger.info(
           `getIntegrationSecrets: inside of shouldDisableDelete AWS SSM [projectId=${projectId}] [environment=${integration.environment.slug}]  [secretPath=${integration.secretPath}] [step=2]`
         );
-        if (!(key in secrets)) {
+        if (!(key in secrets) || !secrets[key].value) {
           logger.info(
             `getIntegrationSecrets: inside of shouldDisableDelete AWS SSM [projectId=${projectId}] [environment=${integration.environment.slug}]  [secretPath=${integration.secretPath}] [step=3]`
           );
@@ -1542,11 +1544,13 @@ const syncSecretsNetlify = async ({
  */
 const syncSecretsGitHub = async ({
   integration,
+  integrationAuth,
   secrets,
   accessToken,
   appendices
 }: {
   integration: TIntegrations;
+  integrationAuth: TIntegrationAuths;
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
   appendices?: { prefix: string; suffix: string };
@@ -1568,9 +1572,24 @@ const syncSecretsGitHub = async ({
     selected_repositories_url?: string | undefined;
   }
 
-  const octokit = new Octokit({
-    auth: accessToken
-  });
+  const authMetadata = IntegrationAuthMetadataSchema.parse(integrationAuth.metadata || {});
+  let octokit: Octokit;
+  const appCfg = getConfig();
+
+  if (authMetadata.installationId) {
+    octokit = new Octokit({
+      authStrategy: createAppAuth,
+      auth: {
+        appId: appCfg.CLIENT_APP_ID_GITHUB_APP,
+        privateKey: appCfg.CLIENT_PRIVATE_KEY_GITHUB_APP,
+        installationId: authMetadata.installationId
+      }
+    });
+  } else {
+    octokit = new Octokit({
+      auth: accessToken
+    });
+  }
 
   enum GithubScope {
     Repo = "github-repo",
@@ -4069,6 +4088,7 @@ export const syncIntegrationSecrets = async ({
     case Integrations.GITHUB:
       await syncSecretsGitHub({
         integration,
+        integrationAuth,
         secrets,
         accessToken,
         appendices

backend/src/services/integration-auth/integration-token.ts

@@ -2,7 +2,7 @@ import jwt from "jsonwebtoken";
 
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 
 import { Integrations, IntegrationUrls } from "./integration-list";
 
@@ -234,12 +234,73 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
   };
 };
 
-const exchangeCodeGithub = async ({ code }: { code: string }) => {
+const exchangeCodeGithub = async ({ code, installationId }: { code: string; installationId?: string }) => {
   const appCfg = getConfig();
-  if (!appCfg.CLIENT_ID_GITHUB || !appCfg.CLIENT_SECRET_GITHUB) {
-    throw new BadRequestError({ message: "Missing client id and client secret" });
+
+  if (!installationId && (!appCfg.CLIENT_ID_GITHUB || !appCfg.CLIENT_SECRET_GITHUB)) {
+    throw new InternalServerError({ message: "Missing client id and client secret" });
   }
 
+  if (installationId && (!appCfg.CLIENT_ID_GITHUB_APP || !appCfg.CLIENT_SECRET_GITHUB_APP)) {
+    throw new InternalServerError({
+      message: "Missing Github app client ID and client secret"
+    });
+  }
+
+  if (installationId) {
+    // handle app installations
+    const oauthRes = (
+      await request.get<ExchangeCodeGithubResponse>(IntegrationUrls.GITHUB_TOKEN_URL, {
+        params: {
+          client_id: appCfg.CLIENT_ID_GITHUB_APP,
+          client_secret: appCfg.CLIENT_SECRET_GITHUB_APP,
+          code,
+          redirect_uri: `${appCfg.SITE_URL}/integrations/github/oauth2/callback`
+        },
+        headers: {
+          Accept: "application/json",
+          "Accept-Encoding": "application/json"
+        }
+      })
+    ).data;
+
+    // use access token to validate installation ID
+    const installationsRes = (
+      await request.get<{
+        installations: {
+          id: number;
+          account: {
+            login: string;
+          };
+        }[];
+      }>(IntegrationUrls.GITHUB_USER_INSTALLATIONS, {
+        headers: {
+          Accept: "application/json",
+          Authorization: `Bearer ${oauthRes.access_token}`,
+          "Accept-Encoding": "application/json"
+        }
+      })
+    ).data;
+
+    const matchingInstallation = installationsRes.installations.find(
+      (installation) => installation.id === +installationId
+    );
+
+    if (!matchingInstallation) {
+      throw new ForbiddenRequestError({
+        message: "User has no access to the provided installation"
+      });
+    }
+
+    return {
+      accessToken: "", // for github app integrations, we only need the installationID from the metadata
+      refreshToken: null,
+      accessExpiresAt: null,
+      installationName: matchingInstallation.account.login
+    };
+  }
+
+  // handle oauth github integration
   const res = (
     await request.get<ExchangeCodeGithubResponse>(IntegrationUrls.GITHUB_TOKEN_URL, {
       params: {
@@ -346,6 +407,7 @@ type TExchangeReturn = {
   url?: string;
   teamId?: string;
   accountId?: string;
+  installationName?: string;
 };
 
 /**
@@ -355,11 +417,13 @@ type TExchangeReturn = {
 export const exchangeCode = async ({
   integration,
   code,
-  url
+  url,
+  installationId
 }: {
   integration: string;
   code: string;
   url?: string;
+  installationId?: string;
 }): Promise<TExchangeReturn> => {
   switch (integration) {
     case Integrations.GCP_SECRET_MANAGER:
@@ -384,7 +448,8 @@ export const exchangeCode = async ({
       });
     case Integrations.GITHUB:
       return exchangeCodeGithub({
-        code
+        code,
+        installationId
       });
     case Integrations.GITLAB:
       return exchangeCodeGitlab({

backend/src/services/integration/integration-service.ts

@@ -258,27 +258,7 @@ export const integrationServiceFactory = ({
       });
     }
 
-    const deletedIntegration = await integrationDAL.transaction(async (tx) => {
-      // delete integration
-      const deletedIntegrationResult = await integrationDAL.deleteById(id, tx);
-
-      // check if there are other integrations that share the same integration auth
-      const integrations = await integrationDAL.find(
-        {
-          integrationAuthId: integration.integrationAuthId
-        },
-        tx
-      );
-
-      if (integrations.length === 0) {
-        // no other integration shares the same integration auth
-        // -> delete the integration auth
-        await integrationAuthDAL.deleteById(integration.integrationAuthId, tx);
-      }
-
-      return deletedIntegrationResult;
-    });
-
+    const deletedIntegration = await integrationDAL.deleteById(id);
     return { ...integration, ...deletedIntegration };
   };
 

backend/src/services/org/org-dal.ts

@@ -106,16 +106,19 @@ export const orgDALFactory = (db: TDbClient) => {
           db.ref("firstName").withSchema(TableName.Users),
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("superAdmin").withSchema(TableName.Users),
           db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
         )
         .where({ isGhost: false }) // MAKE SURE USER IS NOT A GHOST USER
         .orderBy("firstName")
         .orderBy("lastName");
 
-      return members.map(({ email, isEmailVerified, username, firstName, lastName, userId, publicKey, ...data }) => ({
-        ...data,
-        user: { email, isEmailVerified, username, firstName, lastName, id: userId, publicKey }
-      }));
+      return members.map(
+        ({ email, isEmailVerified, username, firstName, lastName, userId, publicKey, superAdmin, ...data }) => ({
+          ...data,
+          user: { email, isEmailVerified, username, firstName, lastName, id: userId, publicKey, superAdmin }
+        })
+      );
     } catch (error) {
       throw new DatabaseError({ error, name: "Find all org members" });
     }

backend/src/services/org/org-role-fns.ts

@@ -5,6 +5,8 @@ import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
 
 const RESERVED_ORG_ROLE_SLUGS = Object.values(OrgMembershipRole).filter((role) => role !== "custom");
 
+export const isCustomOrgRole = (roleSlug: string) => !RESERVED_ORG_ROLE_SLUGS.includes(roleSlug as OrgMembershipRole);
+
 // this is only for updating an org
 export const getDefaultOrgMembershipRoleForUpdateOrg = async ({
   membershipRoleSlug,
@@ -17,9 +19,7 @@ export const getDefaultOrgMembershipRoleForUpdateOrg = async ({
   orgRoleDAL: TOrgRoleDALFactory;
   plan: TFeatureSet;
 }) => {
-  const isCustomRole = !RESERVED_ORG_ROLE_SLUGS.includes(membershipRoleSlug as OrgMembershipRole);
-
-  if (isCustomRole) {
+  if (isCustomOrgRole(membershipRoleSlug)) {
     if (!plan?.rbac)
       throw new BadRequestError({
         message:
@@ -41,9 +41,7 @@ export const getDefaultOrgMembershipRoleForUpdateOrg = async ({
 export const getDefaultOrgMembershipRole = async (
   defaultOrgMembershipRole: string // can either be ID or reserved slug
 ) => {
-  const isCustomRole = !RESERVED_ORG_ROLE_SLUGS.includes(defaultOrgMembershipRole as OrgMembershipRole);
-
-  if (isCustomRole)
+  if (isCustomOrgRole(defaultOrgMembershipRole))
     return {
       roleId: defaultOrgMembershipRole,
       role: OrgMembershipRole.Custom

backend/src/services/org/org-role-service.ts

@@ -11,6 +11,7 @@ import {
 } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { TExternalGroupOrgRoleMappingDALFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 
 import { ActorAuthMethod } from "../auth/auth-type";
@@ -20,11 +21,17 @@ type TOrgRoleServiceFactoryDep = {
   orgRoleDAL: TOrgRoleDALFactory;
   permissionService: TPermissionServiceFactory;
   orgDAL: TOrgDALFactory;
+  externalGroupOrgRoleMappingDAL: TExternalGroupOrgRoleMappingDALFactory;
 };
 
 export type TOrgRoleServiceFactory = ReturnType<typeof orgRoleServiceFactory>;
 
-export const orgRoleServiceFactory = ({ orgRoleDAL, orgDAL, permissionService }: TOrgRoleServiceFactoryDep) => {
+export const orgRoleServiceFactory = ({
+  orgRoleDAL,
+  orgDAL,
+  permissionService,
+  externalGroupOrgRoleMappingDAL
+}: TOrgRoleServiceFactoryDep) => {
   const createRole = async (
     userId: string,
     orgId: string,
@@ -144,6 +151,17 @@ export const orgRoleServiceFactory = ({ orgRoleDAL, orgDAL, permissionService }:
         message: "Cannot delete default org membership role. Please re-assign and try again."
       });
 
+    const externalGroupMapping = await externalGroupOrgRoleMappingDAL.findOne({
+      orgId,
+      roleId
+    });
+
+    if (externalGroupMapping)
+      throw new BadRequestError({
+        message:
+          "Cannot delete role assigned to external group organization role mapping. Please re-assign external mapping and try again."
+      });
+
     const [deletedRole] = await orgRoleDAL.delete({ id: roleId, orgId });
     if (!deletedRole) throw new NotFoundError({ message: "Organization role not found", name: "Update role" });
 

backend/src/services/org/org-service.ts

@@ -41,8 +41,9 @@ import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
 import { TIdentityMetadataDALFactory } from "../identity/identity-metadata-dal";
 import { TProjectDALFactory } from "../project/project-dal";
-import { assignWorkspaceKeysToMembers } from "../project/project-fns";
+import { assignWorkspaceKeysToMembers, createProjectKey } from "../project/project-fns";
 import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
+import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
@@ -80,7 +81,7 @@ type TOrgServiceFactoryDep = {
     TProjectMembershipDALFactory,
     "findProjectMembershipsByUserId" | "delete" | "create" | "find" | "insertMany" | "transaction"
   >;
-  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey" | "create">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOrgMembershipById" | "findOne" | "findById">;
   incidentContactDAL: TIncidentContactsDALFactory;
   samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne" | "findEnforceableSamlCfg">;
@@ -94,8 +95,9 @@ type TOrgServiceFactoryDep = {
   >;
   projectUserAdditionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
-  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "insertMany">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne" | "updateById">;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "insertMany" | "create">;
+  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
 };
 
 export type TOrgServiceFactory = ReturnType<typeof orgServiceFactory>;
@@ -122,7 +124,8 @@ export const orgServiceFactory = ({
   oidcConfigDAL,
   projectBotDAL,
   projectUserMembershipRoleDAL,
-  identityMetadataDAL
+  identityMetadataDAL,
+  projectBotService
 }: TOrgServiceFactoryDep) => {
   /*
    * Get organization details by the organization id
@@ -718,20 +721,67 @@ export const orgServiceFactory = ({
 
         const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
 
-        const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);
-        if (!ghostUser) {
-          throw new NotFoundError({
-            name: "InviteUser",
-            message: "Failed to find project owner"
-          });
-        }
+        // this will auto generate bot
+        const { botKey, bot: autoGeneratedBot } = await projectBotService.getBotKey(projectId, true);
 
-        const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx);
-        if (!ghostUserLatestKey) {
-          throw new NotFoundError({
-            name: "InviteUser",
-            message: "Failed to find project owner's latest key"
+        const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);
+        let ghostUserId = ghostUser?.id;
+
+        //  backfill missing ghost user
+        if (!ghostUserId) {
+          const newGhostUser = await addGhostUser(project.orgId, tx);
+          const projectMembership = await projectMembershipDAL.create(
+            {
+              userId: newGhostUser.user.id,
+              projectId: project.id
+            },
+            tx
+          );
+          await projectUserMembershipRoleDAL.create(
+            { projectMembershipId: projectMembership.id, role: ProjectMembershipRole.Admin },
+            tx
+          );
+
+          const { key: encryptedProjectKey, iv: encryptedProjectKeyIv } = createProjectKey({
+            publicKey: newGhostUser.keys.publicKey,
+            privateKey: newGhostUser.keys.plainPrivateKey,
+            plainProjectKey: botKey
           });
+
+          // 4. Save the project key for the ghost user.
+          await projectKeyDAL.create(
+            {
+              projectId: project.id,
+              receiverId: newGhostUser.user.id,
+              encryptedKey: encryptedProjectKey,
+              nonce: encryptedProjectKeyIv,
+              senderId: newGhostUser.user.id
+            },
+            tx
+          );
+
+          const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(
+            newGhostUser.keys.plainPrivateKey
+          );
+          if (autoGeneratedBot) {
+            await projectBotDAL.updateById(
+              autoGeneratedBot.id,
+              {
+                tag,
+                iv,
+                encryptedProjectKey,
+                encryptedProjectKeyNonce: encryptedProjectKeyIv,
+                encryptedPrivateKey: ciphertext,
+                isActive: true,
+                publicKey: newGhostUser.keys.publicKey,
+                senderId: newGhostUser.user.id,
+                algorithm,
+                keyEncoding: encoding
+              },
+              tx
+            );
+          }
+          ghostUserId = newGhostUser.user.id;
         }
 
         const bot = await projectBotDAL.findOne({ projectId }, tx);
@@ -742,6 +792,14 @@ export const orgServiceFactory = ({
           });
         }
 
+        const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUserId, projectId, tx);
+        if (!ghostUserLatestKey) {
+          throw new NotFoundError({
+            name: "InviteUser",
+            message: "Failed to find project owner's latest key"
+          });
+        }
+
         const botPrivateKey = infisicalSymmetricDecrypt({
           keyEncoding: bot.keyEncoding as SecretKeyEncoding,
           iv: bot.iv,
@@ -785,7 +843,7 @@ export const orgServiceFactory = ({
           newWsMembers.map((el) => ({
             encryptedKey: el.workspaceEncryptedKey,
             nonce: el.workspaceEncryptedNonce,
-            senderId: ghostUser.id,
+            senderId: ghostUserId,
             receiverId: el.orgMembershipId,
             projectId
           })),

backend/src/services/project-bot/project-bot-fns.ts

@@ -24,14 +24,14 @@ export const getBotKeyFnFactory = (
   projectBotDAL: TProjectBotDALFactory,
   projectDAL: Pick<TProjectDALFactory, "findById">
 ) => {
-  const getBotKeyFn = async (projectId: string) => {
+  const getBotKeyFn = async (projectId: string, shouldGetBotKey?: boolean) => {
     const project = await projectDAL.findById(projectId);
     if (!project)
       throw new NotFoundError({
         message: "Project not found during bot lookup. Are you sure you are using the correct project ID?"
       });
 
-    if (project.version === 3) {
+    if (project.version === 3 && !shouldGetBotKey) {
       return { project, shouldUseSecretV2Bridge: true };
     }
 
@@ -65,8 +65,9 @@ export const getBotKeyFnFactory = (
       const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(botKey.privateKey);
       const encryptedWorkspaceKey = encryptAsymmetric(workspaceKey, botKey.publicKey, userPrivateKey);
 
+      let botId;
       if (!bot) {
-        await projectBotDAL.create({
+        const newBot = await projectBotDAL.create({
           name: "Infisical Bot (Ghost)",
           projectId,
           isActive: true,
@@ -80,8 +81,9 @@ export const getBotKeyFnFactory = (
           encryptedProjectKeyNonce: encryptedWorkspaceKey.nonce,
           senderId: projectV1Keys.userId
         });
+        botId = newBot.id;
       } else {
-        await projectBotDAL.updateById(bot.id, {
+        const updatedBot = await projectBotDAL.updateById(bot.id, {
           isActive: true,
           tag,
           iv,
@@ -93,8 +95,10 @@ export const getBotKeyFnFactory = (
           encryptedProjectKeyNonce: encryptedWorkspaceKey.nonce,
           senderId: projectV1Keys.userId
         });
+        botId = updatedBot.id;
       }
-      return { botKey: workspaceKey, project, shouldUseSecretV2Bridge: false };
+
+      return { botKey: workspaceKey, project, shouldUseSecretV2Bridge: false, bot: { id: botId } };
     }
 
     const botPrivateKey = getBotPrivateKey({ bot });
@@ -104,7 +108,7 @@ export const getBotKeyFnFactory = (
       nonce: bot.encryptedProjectKeyNonce,
       publicKey: bot.sender.publicKey
     });
-    return { botKey, project, shouldUseSecretV2Bridge: false };
+    return { botKey, project, shouldUseSecretV2Bridge: false, bot: { id: bot.id } };
   };
 
   return getBotKeyFn;

backend/src/services/project-bot/project-bot-service.ts

@@ -27,8 +27,8 @@ export const projectBotServiceFactory = ({
 }: TProjectBotServiceFactoryDep) => {
   const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
 
-  const getBotKey = async (projectId: string) => {
-    return getBotKeyFn(projectId);
+  const getBotKey = async (projectId: string, shouldGetBotKey?: boolean) => {
+    return getBotKeyFn(projectId, shouldGetBotKey);
   };
 
   const findBotByProjectId = async ({

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -1,7 +1,7 @@
 import path from "node:path";
 
 import { TableName, TSecretFolders, TSecretsV2 } from "@app/db/schemas";
-import { ForbiddenRequestError } from "@app/lib/errors";
+import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 
@@ -342,7 +342,7 @@ export const recursivelyGetSecretPaths = async ({
   });
 
   if (!env) {
-    throw new Error(`'${environment}' environment not found in project with ID ${projectId}`);
+    throw new NotFoundError({ message: `'${environment}' environment not found in project with ID ${projectId}` });
   }
 
   // Fetch all folders in env once with a single query

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -193,14 +193,16 @@ export const secretV2BridgeServiceFactory = ({
       })
     );
 
-    await snapshotService.performSnapshot(folderId);
-    await secretQueueService.syncSecrets({
-      secretPath,
-      actorId,
-      actor,
-      projectId,
-      environmentSlug: folder.environment.slug
-    });
+    if (inputSecret.type === SecretType.Shared) {
+      await snapshotService.performSnapshot(folderId);
+      await secretQueueService.syncSecrets({
+        secretPath,
+        actorId,
+        actor,
+        projectId,
+        environmentSlug: folder.environment.slug
+      });
+    }
 
     return reshapeBridgeSecret(projectId, environment, secretPath, {
       ...secret[0],
@@ -349,14 +351,17 @@ export const secretV2BridgeServiceFactory = ({
       projectId
     });
 
-    await snapshotService.performSnapshot(folderId);
-    await secretQueueService.syncSecrets({
-      actor,
-      actorId,
-      secretPath,
-      projectId,
-      environmentSlug: folder.environment.slug
-    });
+    if (inputSecret.type === SecretType.Shared) {
+      await snapshotService.performSnapshot(folderId);
+      await secretQueueService.syncSecrets({
+        secretPath,
+        actorId,
+        actor,
+        projectId,
+        environmentSlug: folder.environment.slug
+      });
+    }
+
     return reshapeBridgeSecret(projectId, environment, secretPath, {
       ...updatedSecret[0],
       value: inputSecret.secretValue || "",
@@ -427,14 +432,16 @@ export const secretV2BridgeServiceFactory = ({
       })
     );
 
-    await snapshotService.performSnapshot(folderId);
-    await secretQueueService.syncSecrets({
-      actor,
-      actorId,
-      secretPath,
-      projectId,
-      environmentSlug: folder.environment.slug
-    });
+    if (inputSecret.type === SecretType.Shared) {
+      await snapshotService.performSnapshot(folderId);
+      await secretQueueService.syncSecrets({
+        secretPath,
+        actorId,
+        actor,
+        projectId,
+        environmentSlug: folder.environment.slug
+      });
+    }
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,

backend/src/services/secret/secret-fns.ts

@@ -152,7 +152,7 @@ export const recursivelyGetSecretPaths = ({
     });
 
     if (!env) {
-      throw new Error(`'${environment}' environment not found in project with ID ${projectId}`);
+      throw new NotFoundError({ message: `'${environment}' environment not found in project with ID ${projectId}` });
     }
 
     // Fetch all folders in env once with a single query

backend/src/services/secret/secret-queue.ts

@@ -17,6 +17,7 @@ import { TSnapshotSecretV2DALFactory } from "@app/ee/services/secret-snapshot/sn
 import { KeyStorePrefixes, KeyStoreTtls, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { getTimeDifferenceInSeconds, groupBy, isSamePath, unique } from "@app/lib/fn";
@@ -37,10 +38,14 @@ import { syncIntegrationSecrets } from "../integration-auth/integration-sync-sec
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TOrgDALFactory } from "../org/org-dal";
+import { TOrgServiceFactory } from "../org/org-service";
 import { TProjectDALFactory } from "../project/project-dal";
+import { createProjectKey } from "../project/project-fns";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
+import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
@@ -77,7 +82,8 @@ type TSecretQueueFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne" | "find">;
   projectDAL: TProjectDALFactory;
   projectBotDAL: TProjectBotDALFactory;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findAllProjectMembers">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "create">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findAllProjectMembers" | "create">;
   smtpService: TSmtpService;
   orgDAL: Pick<TOrgDALFactory, "findOrgByProjectId">;
   secretVersionDAL: TSecretVersionDALFactory;
@@ -95,6 +101,8 @@ type TSecretQueueFactoryDep = {
   snapshotSecretV2BridgeDAL: Pick<TSnapshotSecretV2DALFactory, "insertMany" | "batchInsert">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "setItemWithExpiry" | "getItem">;
   auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
+  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
+  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create">;
 };
 
 export type TGetSecrets = {
@@ -111,6 +119,8 @@ type TIntegrationSecret = Record<
   string,
   { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
 >;
+
+// TODO(akhilmhdh): split this into multiple queue
 export const secretQueueFactory = ({
   queueService,
   integrationDAL,
@@ -141,7 +151,10 @@ export const secretQueueFactory = ({
   snapshotSecretV2BridgeDAL,
   secretApprovalRequestDAL,
   keyStore,
-  auditLogService
+  auditLogService,
+  orgService,
+  projectUserMembershipRoleDAL,
+  projectKeyDAL
 }: TSecretQueueFactoryDep) => {
   const removeSecretReminder = async (dto: TRemoveSecretReminderDTO) => {
     const appCfg = getConfig();
@@ -1028,11 +1041,13 @@ export const secretQueueFactory = ({
     const {
       botKey,
       shouldUseSecretV2Bridge: isProjectUpgradedToV3,
-      project
+      project,
+      bot
     } = await projectBotService.getBotKey(projectId);
     if (isProjectUpgradedToV3 || project.upgradeStatus === ProjectUpgradeStatus.InProgress) {
       return;
     }
+
     if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
     await projectDAL.updateById(projectId, { upgradeStatus: ProjectUpgradeStatus.InProgress });
 
@@ -1044,6 +1059,57 @@ export const secretQueueFactory = ({
     const folders = await folderDAL.findByProjectId(projectId);
     // except secret version and snapshot migrate rest of everything first in a transaction
     await secretDAL.transaction(async (tx) => {
+      // if project v1 create the project ghost user
+      if (project.version === ProjectVersion.V1) {
+        const ghostUser = await orgService.addGhostUser(project.orgId, tx);
+        const projectMembership = await projectMembershipDAL.create(
+          {
+            userId: ghostUser.user.id,
+            projectId: project.id
+          },
+          tx
+        );
+        await projectUserMembershipRoleDAL.create(
+          { projectMembershipId: projectMembership.id, role: ProjectMembershipRole.Admin },
+          tx
+        );
+
+        const { key: encryptedProjectKey, iv: encryptedProjectKeyIv } = createProjectKey({
+          publicKey: ghostUser.keys.publicKey,
+          privateKey: ghostUser.keys.plainPrivateKey,
+          plainProjectKey: botKey
+        });
+
+        // 4. Save the project key for the ghost user.
+        await projectKeyDAL.create(
+          {
+            projectId: project.id,
+            receiverId: ghostUser.user.id,
+            encryptedKey: encryptedProjectKey,
+            nonce: encryptedProjectKeyIv,
+            senderId: ghostUser.user.id
+          },
+          tx
+        );
+        const { iv, tag, ciphertext, encoding, algorithm } = infisicalSymmetricEncypt(ghostUser.keys.plainPrivateKey);
+        await projectBotDAL.updateById(
+          bot.id,
+          {
+            tag,
+            iv,
+            encryptedProjectKey,
+            encryptedProjectKeyNonce: encryptedProjectKeyIv,
+            encryptedPrivateKey: ciphertext,
+            isActive: true,
+            publicKey: ghostUser.keys.publicKey,
+            senderId: ghostUser.user.id,
+            algorithm,
+            keyEncoding: encoding
+          },
+          tx
+        );
+      }
+
       for (const folder of folders) {
         const folderId = folder.id;
         /*

backend/src/services/secret/secret-service.ts

@@ -264,14 +264,16 @@ export const secretServiceFactory = ({
       })
     );
 
-    await snapshotService.performSnapshot(folderId);
-    await secretQueueService.syncSecrets({
-      secretPath: path,
-      actorId,
-      actor,
-      projectId,
-      environmentSlug: folder.environment.slug
-    });
+    if (inputSecret.type === SecretType.Shared) {
+      await snapshotService.performSnapshot(folderId);
+      await secretQueueService.syncSecrets({
+        secretPath: path,
+        actorId,
+        actor,
+        projectId,
+        environmentSlug: folder.environment.slug
+      });
+    }
     return { ...secret[0], environment, workspace: projectId, tags, secretPath: path };
   };
 
@@ -399,14 +401,16 @@ export const secretServiceFactory = ({
       })
     );
 
-    await snapshotService.performSnapshot(folderId);
-    await secretQueueService.syncSecrets({
-      actor,
-      actorId,
-      secretPath: path,
-      projectId,
-      environmentSlug: folder.environment.slug
-    });
+    if (inputSecret.type === SecretType.Shared) {
+      await snapshotService.performSnapshot(folderId);
+      await secretQueueService.syncSecrets({
+        secretPath: path,
+        actorId,
+        actor,
+        projectId,
+        environmentSlug: folder.environment.slug
+      });
+    }
     return { ...updatedSecret[0], workspace: projectId, environment, secretPath: path };
   };
 
@@ -474,15 +478,17 @@ export const secretServiceFactory = ({
       })
     );
 
-    await snapshotService.performSnapshot(folderId);
-    await secretQueueService.syncSecrets({
-      actor,
-      actorId,
-      secretPath: path,
-      projectId,
-      environmentSlug: folder.environment.slug
-    });
-    // TODO(akhilmhdh-pg): license check, posthog service and snapshot
+    if (inputSecret.type === SecretType.Shared) {
+      await snapshotService.performSnapshot(folderId);
+      await secretQueueService.syncSecrets({
+        secretPath: path,
+        actorId,
+        actor,
+        projectId,
+        environmentSlug: folder.environment.slug
+      });
+    }
+
     return { ...deletedSecret[0], _id: deletedSecret[0].id, workspace: projectId, environment, secretPath: path };
   };
 

cli/packages/api/api.go

@@ -415,6 +415,10 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 		req.SetQueryParam("recursive", "true")
 	}
 
+	if request.ExpandSecretReferences {
+		req.SetQueryParam("expandSecretReferences", "true")
+	}
+
 	response, err := req.Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
 
 	if err != nil {

cli/packages/api/model.go

@@ -569,12 +569,13 @@ type CreateDynamicSecretLeaseV1Response struct {
 }
 
 type GetRawSecretsV3Request struct {
-	Environment   string `json:"environment"`
-	WorkspaceId   string `json:"workspaceId"`
-	SecretPath    string `json:"secretPath"`
-	IncludeImport bool   `json:"include_imports"`
-	Recursive     bool   `json:"recursive"`
-	TagSlugs      string `json:"tagSlugs,omitempty"`
+	Environment            string `json:"environment"`
+	WorkspaceId            string `json:"workspaceId"`
+	SecretPath             string `json:"secretPath"`
+	IncludeImport          bool   `json:"include_imports"`
+	Recursive              bool   `json:"recursive"`
+	TagSlugs               string `json:"tagSlugs,omitempty"`
+	ExpandSecretReferences bool   `json:"expandSecretReferences,omitempty"`
 }
 
 type GetRawSecretsV3Response struct {
@@ -587,6 +588,7 @@ type GetRawSecretsV3Response struct {
 		SecretKey     string `json:"secretKey"`
 		SecretValue   string `json:"secretValue"`
 		SecretComment string `json:"secretComment"`
+		SecretPath    string `json:"secretPath"`
 	} `json:"secrets"`
 	Imports []ImportedRawSecretV3 `json:"imports"`
 	ETag    string
@@ -610,6 +612,7 @@ type GetRawSecretV3ByNameResponse struct {
 		SecretKey     string `json:"secretKey"`
 		SecretValue   string `json:"secretValue"`
 		SecretComment string `json:"secretComment"`
+		SecretPath    string `json:"secretPath"`
 	} `json:"secret"`
 	ETag string
 }

cli/packages/cmd/agent.go

@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -311,9 +312,34 @@ func ParseAgentConfig(configFile []byte) (*Config, error) {
 	return config, nil
 }
 
-func secretTemplateFunction(accessToken string, existingEtag string, currentEtag *string) func(string, string, string) ([]models.SingleEnvironmentVariable, error) {
-	return func(projectID, envSlug, secretPath string) ([]models.SingleEnvironmentVariable, error) {
-		res, err := util.GetPlainTextSecretsV3(accessToken, projectID, envSlug, secretPath, false, false, "")
+type secretArguments struct {
+	IsRecursive                  bool  `json:"recursive"`
+	ShouldExpandSecretReferences *bool `json:"expandSecretReferences,omitempty"`
+}
+
+func (s *secretArguments) SetDefaults() {
+	if s.ShouldExpandSecretReferences == nil {
+		var bool = true
+		s.ShouldExpandSecretReferences = &bool
+	}
+}
+
+func secretTemplateFunction(accessToken string, existingEtag string, currentEtag *string) func(string, string, string, ...string) ([]models.SingleEnvironmentVariable, error) {
+	// ...string is because golang doesn't have optional arguments.
+	// thus we make it slice and pick it only first element
+	return func(projectID, envSlug, secretPath string, args ...string) ([]models.SingleEnvironmentVariable, error) {
+		var parsedArguments secretArguments
+		// to make it optional
+		if len(args) > 0 {
+			err := json.Unmarshal([]byte(args[0]), &parsedArguments)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		parsedArguments.SetDefaults()
+
+		res, err := util.GetPlainTextSecretsV3(accessToken, projectID, envSlug, secretPath, false, parsedArguments.IsRecursive, "", *parsedArguments.ShouldExpandSecretReferences)
 		if err != nil {
 			return nil, err
 		}
@@ -322,9 +348,7 @@ func secretTemplateFunction(accessToken string, existingEtag string, currentEtag
 			*currentEtag = res.Etag
 		}
 
-		expandedSecrets := util.ExpandSecrets(res.Secrets, models.ExpandSecretsAuthentication{UniversalAuthAccessToken: accessToken}, "")
-
-		return expandedSecrets, nil
+		return res.Secrets, nil
 	}
 }
 
@@ -456,7 +480,6 @@ func ProcessLiteralTemplate(templateId int, templateString string, data interfac
 	return &buf, nil
 }
 
-
 type AgentManager struct {
 	accessToken              string
 	accessTokenTTL           time.Duration

cli/packages/cmd/export.go

@@ -87,11 +87,12 @@ var exportCmd = &cobra.Command{
 		}
 
 		request := models.GetAllSecretsParameters{
-			Environment:   environmentName,
-			TagSlugs:      tagSlugs,
-			WorkspaceId:   projectId,
-			SecretsPath:   secretsPath,
-			IncludeImport: includeImports,
+			Environment:            environmentName,
+			TagSlugs:               tagSlugs,
+			WorkspaceId:            projectId,
+			SecretsPath:            secretsPath,
+			IncludeImport:          includeImports,
+			ExpandSecretReferences: shouldExpandSecrets,
 		}
 
 		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
@@ -137,18 +138,6 @@ var exportCmd = &cobra.Command{
 		}
 
 		var output string
-		if shouldExpandSecrets {
-
-			authParams := models.ExpandSecretsAuthentication{}
-
-			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-				authParams.InfisicalToken = token.Token
-			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-				authParams.UniversalAuthAccessToken = token.Token
-			}
-
-			secrets = util.ExpandSecrets(secrets, authParams, "")
-		}
 		secrets = util.FilterSecretsByTag(secrets, tagSlugs)
 		secrets = util.SortSecretsByKeys(secrets)
 

cli/packages/cmd/login.go

@@ -216,7 +216,9 @@ var loginCmd = &cobra.Command{
 			}
 			//override domain
 			domainQuery := true
-			if config.INFISICAL_URL_MANUAL_OVERRIDE != "" && config.INFISICAL_URL_MANUAL_OVERRIDE != util.INFISICAL_DEFAULT_API_URL {
+			if config.INFISICAL_URL_MANUAL_OVERRIDE != "" &&
+				config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_EU_URL) &&
+				config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_US_URL) {
 				overrideDomain, err := DomainOverridePrompt()
 				if err != nil {
 					util.HandleError(err)
@@ -526,16 +528,17 @@ func askForDomain() error {
 
 	// query user to choose between Infisical cloud or self hosting
 	const (
-		INFISICAL_CLOUD = "Infisical Cloud"
-		SELF_HOSTING    = "Self Hosting"
-		ADD_NEW_DOMAIN  = "Add a new domain"
+		INFISICAL_CLOUD_US = "Infisical Cloud (US Region)"
+		INFISICAL_CLOUD_EU = "Infisical Cloud (EU Region)"
+		SELF_HOSTING       = "Self Hosting"
+		ADD_NEW_DOMAIN     = "Add a new domain"
 	)
 
-	options := []string{INFISICAL_CLOUD, SELF_HOSTING}
+	options := []string{INFISICAL_CLOUD_US, INFISICAL_CLOUD_EU, SELF_HOSTING}
 	optionsPrompt := promptui.Select{
 		Label: "Select your hosting option",
 		Items: options,
-		Size:  2,
+		Size:  3,
 	}
 
 	_, selectedHostingOption, err := optionsPrompt.Run()
@@ -543,10 +546,15 @@ func askForDomain() error {
 		return err
 	}
 
-	if selectedHostingOption == INFISICAL_CLOUD {
-		//cloud option
-		config.INFISICAL_URL = fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_URL)
-		config.INFISICAL_LOGIN_URL = fmt.Sprintf("%s/login", util.INFISICAL_DEFAULT_URL)
+	if selectedHostingOption == INFISICAL_CLOUD_US {
+		// US cloud option
+		config.INFISICAL_URL = fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_US_URL)
+		config.INFISICAL_LOGIN_URL = fmt.Sprintf("%s/login", util.INFISICAL_DEFAULT_US_URL)
+		return nil
+	} else if selectedHostingOption == INFISICAL_CLOUD_EU {
+		// EU cloud option
+		config.INFISICAL_URL = fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_EU_URL)
+		config.INFISICAL_LOGIN_URL = fmt.Sprintf("%s/login", util.INFISICAL_DEFAULT_EU_URL)
 		return nil
 	}
 

cli/packages/cmd/root.go

@@ -40,7 +40,7 @@ func init() {
 	cobra.OnInitialize(initLog)
 	rootCmd.PersistentFlags().StringP("log-level", "l", "info", "log level (trace, debug, info, warn, error, fatal)")
 	rootCmd.PersistentFlags().Bool("telemetry", true, "Infisical collects non-sensitive telemetry data to enhance features and improve user experience. Participation is voluntary")
-	rootCmd.PersistentFlags().StringVar(&config.INFISICAL_URL, "domain", util.INFISICAL_DEFAULT_API_URL, "Point the CLI to your own backend [can also set via environment variable name: INFISICAL_API_URL]")
+	rootCmd.PersistentFlags().StringVar(&config.INFISICAL_URL, "domain", fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_US_URL), "Point the CLI to your own backend [can also set via environment variable name: INFISICAL_API_URL]")
 	rootCmd.PersistentFlags().Bool("silent", false, "Disable output of tip/info messages. Useful when running in scripts or CI/CD pipelines.")
 	rootCmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 		silent, err := cmd.Flags().GetBool("silent")

cli/packages/cmd/run.go

@@ -137,15 +137,16 @@ var runCmd = &cobra.Command{
 		}
 
 		request := models.GetAllSecretsParameters{
-			Environment:   environmentName,
-			WorkspaceId:   projectId,
-			TagSlugs:      tagSlugs,
-			SecretsPath:   secretsPath,
-			IncludeImport: includeImports,
-			Recursive:     recursive,
+			Environment:            environmentName,
+			WorkspaceId:            projectId,
+			TagSlugs:               tagSlugs,
+			SecretsPath:            secretsPath,
+			IncludeImport:          includeImports,
+			Recursive:              recursive,
+			ExpandSecretReferences: shouldExpandSecrets,
 		}
 
-		injectableEnvironment, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, shouldExpandSecrets, token)
+		injectableEnvironment, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
 		if err != nil {
 			util.HandleError(err, "Could not fetch secrets", "If you are using a service token to fetch secrets, please ensure it is valid")
 		}
@@ -153,7 +154,7 @@ var runCmd = &cobra.Command{
 		log.Debug().Msgf("injecting the following environment variables into shell: %v", injectableEnvironment.Variables)
 
 		if watchMode {
-			executeCommandWithWatchMode(command, args, watchModeInterval, request, projectConfigDir, shouldExpandSecrets, secretOverriding, token)
+			executeCommandWithWatchMode(command, args, watchModeInterval, request, projectConfigDir, secretOverriding, token)
 		} else {
 			if cmd.Flags().Changed("command") {
 				command := cmd.Flag("command").Value.String()
@@ -306,7 +307,7 @@ func waitForExitCommand(cmd *exec.Cmd) (int, error) {
 	return waitStatus.ExitStatus(), nil
 }
 
-func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInterval int, request models.GetAllSecretsParameters, projectConfigDir string, expandSecrets bool, secretOverriding bool, token *models.TokenDetails) {
+func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInterval int, request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) {
 
 	var cmd *exec.Cmd
 	var err error
@@ -420,7 +421,7 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 		<-recheckSecretsChannel
 		watchMutex.Lock()
 
-		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, expandSecrets, token)
+		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
 		if err != nil {
 			log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
 			continue
@@ -437,7 +438,7 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 	}
 }
 
-func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, shouldExpandSecrets bool, token *models.TokenDetails) (models.InjectableEnvironmentResult, error) {
+func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, projectConfigDir string, secretOverriding bool, token *models.TokenDetails) (models.InjectableEnvironmentResult, error) {
 
 	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
 		request.InfisicalToken = token.Token
@@ -457,19 +458,6 @@ func fetchAndFormatSecretsForShell(request models.GetAllSecretsParameters, proje
 		secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_SHARED)
 	}
 
-	if shouldExpandSecrets {
-
-		authParams := models.ExpandSecretsAuthentication{}
-
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			authParams.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			authParams.UniversalAuthAccessToken = token.Token
-		}
-
-		secrets = util.ExpandSecrets(secrets, authParams, projectConfigDir)
-	}
-
 	secretsByKey := getSecretsByKeys(secrets)
 	environmentVariables := make(map[string]string)
 

cli/packages/cmd/secrets.go

@@ -79,12 +79,13 @@ var secretsCmd = &cobra.Command{
 		}
 
 		request := models.GetAllSecretsParameters{
-			Environment:   environmentName,
-			WorkspaceId:   projectId,
-			TagSlugs:      tagSlugs,
-			SecretsPath:   secretsPath,
-			IncludeImport: includeImports,
-			Recursive:     recursive,
+			Environment:            environmentName,
+			WorkspaceId:            projectId,
+			TagSlugs:               tagSlugs,
+			SecretsPath:            secretsPath,
+			IncludeImport:          includeImports,
+			Recursive:              recursive,
+			ExpandSecretReferences: shouldExpandSecrets,
 		}
 
 		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
@@ -104,17 +105,6 @@ var secretsCmd = &cobra.Command{
 			secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_SHARED)
 		}
 
-		if shouldExpandSecrets {
-			authParams := models.ExpandSecretsAuthentication{}
-			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-				authParams.InfisicalToken = token.Token
-			} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-				authParams.UniversalAuthAccessToken = token.Token
-			}
-
-			secrets = util.ExpandSecrets(secrets, authParams, "")
-		}
-
 		// Sort the secrets by key so we can create a consistent output
 		secrets = util.SortSecretsByKeys(secrets)
 
@@ -382,12 +372,13 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 	}
 
 	request := models.GetAllSecretsParameters{
-		Environment:   environmentName,
-		WorkspaceId:   projectId,
-		TagSlugs:      tagSlugs,
-		SecretsPath:   secretsPath,
-		IncludeImport: includeImports,
-		Recursive:     recursive,
+		Environment:            environmentName,
+		WorkspaceId:            projectId,
+		TagSlugs:               tagSlugs,
+		SecretsPath:            secretsPath,
+		IncludeImport:          includeImports,
+		Recursive:              recursive,
+		ExpandSecretReferences: shouldExpand,
 	}
 
 	if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
@@ -407,17 +398,6 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_SHARED)
 	}
 
-	if shouldExpand {
-		authParams := models.ExpandSecretsAuthentication{}
-		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
-			authParams.InfisicalToken = token.Token
-		} else if token != nil && token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER {
-			authParams.UniversalAuthAccessToken = token.Token
-		}
-
-		secrets = util.ExpandSecrets(secrets, authParams, "")
-	}
-
 	requestedSecrets := []models.SingleEnvironmentVariable{}
 
 	secretsMap := getSecretsByKeys(secrets)

cli/packages/cmd/user.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"errors"
+	"fmt"
 	"net/url"
 
 	"github.com/Infisical/infisical-merge/packages/config"
@@ -119,7 +120,7 @@ var domainCmd = &cobra.Command{
 
 		domain := ""
 		domainQuery := true
-		if config.INFISICAL_URL_MANUAL_OVERRIDE != util.INFISICAL_DEFAULT_API_URL {
+		if config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_EU_URL) && config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_US_URL) {
 
 			override, err := DomainOverridePrompt()
 			if err != nil {

cli/packages/models/cli.go

@@ -30,6 +30,7 @@ type SingleEnvironmentVariable struct {
 	Value       string `json:"value"`
 	Type        string `json:"type"`
 	ID          string `json:"_id"`
+	SecretPath  string `json:"secretPath"`
 	Tags        []struct {
 		ID        string `json:"_id"`
 		Name      string `json:"name"`
@@ -103,6 +104,7 @@ type GetAllSecretsParameters struct {
 	SecretsPath              string
 	IncludeImport            bool
 	Recursive                bool
+	ExpandSecretReferences   bool
 }
 
 type InjectableEnvironmentResult struct {

cli/packages/util/constants.go

@@ -3,8 +3,8 @@ package util
 const (
 	CONFIG_FILE_NAME                           = "infisical-config.json"
 	CONFIG_FOLDER_NAME                         = ".infisical"
-	INFISICAL_DEFAULT_API_URL                  = "https://app.infisical.com/api"
-	INFISICAL_DEFAULT_URL                      = "https://app.infisical.com"
+	INFISICAL_DEFAULT_US_URL                   = "https://app.infisical.com"
+	INFISICAL_DEFAULT_EU_URL                   = "https://eu.infisical.com"
 	INFISICAL_WORKSPACE_CONFIG_FILE_NAME       = ".infisical.json"
 	INFISICAL_TOKEN_NAME                       = "INFISICAL_TOKEN"
 	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"

cli/packages/util/init.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/Infisical/infisical-merge/packages/models"
 )
 
@@ -11,7 +12,7 @@ func GetOrganizationsNameList(organizationResponse api.GetOrganizationsResponse)
 	organizations := organizationResponse.Organizations
 
 	if len(organizations) == 0 {
-		message := fmt.Sprintf("You don't have any organization created in Infisical. You must first create a organization at %s", INFISICAL_DEFAULT_URL)
+		message := fmt.Sprintf("You don't have any organization created in Infisical. You must first create a organization at %s", config.INFISICAL_URL)
 		PrintErrorMessageAndExit(message)
 	}
 
@@ -37,7 +38,7 @@ func GetWorkspacesInOrganization(workspaceResponse api.GetWorkSpacesResponse, or
 	}
 
 	if len(filteredWorkspaces) == 0 {
-		message := fmt.Sprintf("You don't have any projects created in Infisical organization. You must first create a project at %s", INFISICAL_DEFAULT_URL)
+		message := fmt.Sprintf("You don't have any projects created in Infisical organization. You must first create a project at %s", config.INFISICAL_URL)
 		PrintErrorMessageAndExit(message)
 	}
 

cli/packages/util/secrets.go

@@ -8,8 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"path"
-	"regexp"
 	"strings"
 	"unicode"
 
@@ -21,7 +19,7 @@ import (
 	"github.com/zalando/go-keyring"
 )
 
-func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment string, secretPath string, includeImports bool, recursive bool, tagSlugs string) ([]models.SingleEnvironmentVariable, error) {
+func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment string, secretPath string, includeImports bool, recursive bool, tagSlugs string, expandSecretReferences bool) ([]models.SingleEnvironmentVariable, error) {
 	serviceTokenParts := strings.SplitN(fullServiceToken, ".", 4)
 	if len(serviceTokenParts) < 4 {
 		return nil, fmt.Errorf("invalid service token entered. Please double check your service token and try again")
@@ -49,12 +47,13 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 	}
 
 	rawSecrets, err := api.CallGetRawSecretsV3(httpClient, api.GetRawSecretsV3Request{
-		WorkspaceId:   serviceTokenDetails.Workspace,
-		Environment:   environment,
-		SecretPath:    secretPath,
-		IncludeImport: includeImports,
-		Recursive:     recursive,
-		TagSlugs:      tagSlugs,
+		WorkspaceId:            serviceTokenDetails.Workspace,
+		Environment:            environment,
+		SecretPath:             secretPath,
+		IncludeImport:          includeImports,
+		Recursive:              recursive,
+		TagSlugs:               tagSlugs,
+		ExpandSecretReferences: expandSecretReferences,
 	})
 
 	if err != nil {
@@ -78,17 +77,18 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 
 }
 
-func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentName string, secretsPath string, includeImports bool, recursive bool, tagSlugs string) (models.PlaintextSecretResult, error) {
+func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentName string, secretsPath string, includeImports bool, recursive bool, tagSlugs string, expandSecretReferences bool) (models.PlaintextSecretResult, error) {
 	httpClient := resty.New()
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
 	getSecretsRequest := api.GetRawSecretsV3Request{
-		WorkspaceId:   workspaceId,
-		Environment:   environmentName,
-		IncludeImport: includeImports,
-		Recursive:     recursive,
-		TagSlugs:      tagSlugs,
+		WorkspaceId:            workspaceId,
+		Environment:            environmentName,
+		IncludeImport:          includeImports,
+		Recursive:              recursive,
+		TagSlugs:               tagSlugs,
+		ExpandSecretReferences: expandSecretReferences,
 	}
 
 	if secretsPath != "" {
@@ -104,7 +104,7 @@ func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentNa
 	plainTextSecrets := []models.SingleEnvironmentVariable{}
 
 	for _, secret := range rawSecrets.Secrets {
-		plainTextSecrets = append(plainTextSecrets, models.SingleEnvironmentVariable{Key: secret.SecretKey, Value: secret.SecretValue, Type: secret.Type, WorkspaceId: secret.Workspace})
+		plainTextSecrets = append(plainTextSecrets, models.SingleEnvironmentVariable{Key: secret.SecretKey, Value: secret.SecretValue, Type: secret.Type, WorkspaceId: secret.Workspace, SecretPath: secret.SecretPath})
 	}
 
 	if includeImports {
@@ -145,6 +145,7 @@ func GetSinglePlainTextSecretByNameV3(accessToken string, workspaceId string, en
 		Type:        rawSecret.Secret.Type,
 		ID:          rawSecret.Secret.ID,
 		Comment:     rawSecret.Secret.SecretComment,
+		SecretPath:  rawSecret.Secret.SecretPath,
 	}
 
 	return formattedSecrets, rawSecret.ETag, nil
@@ -283,7 +284,7 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 		}
 
 		res, err := GetPlainTextSecretsV3(loggedInUserDetails.UserCredentials.JTWToken, infisicalDotJson.WorkspaceId,
-			params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs)
+			params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs, true)
 		log.Debug().Msgf("GetAllEnvironmentVariables: Trying to fetch secrets JTW token [err=%s]", err)
 
 		if err == nil {
@@ -312,7 +313,7 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 	} else {
 		if params.InfisicalToken != "" {
 			log.Debug().Msg("Trying to fetch secrets using service token")
-			secretsToReturn, errorToReturn = GetPlainTextSecretsViaServiceToken(params.InfisicalToken, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs)
+			secretsToReturn, errorToReturn = GetPlainTextSecretsViaServiceToken(params.InfisicalToken, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs, params.ExpandSecretReferences)
 		} else if params.UniversalAuthAccessToken != "" {
 
 			if params.WorkspaceId == "" {
@@ -320,7 +321,7 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 			}
 
 			log.Debug().Msg("Trying to fetch secrets using universal auth")
-			res, err := GetPlainTextSecretsV3(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs)
+			res, err := GetPlainTextSecretsV3(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs, params.ExpandSecretReferences)
 
 			errorToReturn = err
 			secretsToReturn = res.Secrets
@@ -330,44 +331,6 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 	return secretsToReturn, errorToReturn
 }
 
-var secRefRegex = regexp.MustCompile(`\${([^\}]*)}`)
-
-func recursivelyExpandSecret(expandedSecs map[string]string, interpolatedSecs map[string]string, crossSecRefFetch func(env string, path []string, key string) string, key string) string {
-	if v, ok := expandedSecs[key]; ok {
-		return v
-	}
-
-	interpolatedVal, ok := interpolatedSecs[key]
-	if !ok {
-		HandleError(fmt.Errorf("could not find refered secret -  %s", key), "Kindly check whether its provided")
-	}
-
-	refs := secRefRegex.FindAllStringSubmatch(interpolatedVal, -1)
-	for _, val := range refs {
-		// key: "${something}" val: [${something},something]
-		interpolatedExp, interpolationKey := val[0], val[1]
-		ref := strings.Split(interpolationKey, ".")
-
-		// ${KEY1} => [key1]
-		if len(ref) == 1 {
-			val := recursivelyExpandSecret(expandedSecs, interpolatedSecs, crossSecRefFetch, interpolationKey)
-			interpolatedVal = strings.ReplaceAll(interpolatedVal, interpolatedExp, val)
-			continue
-		}
-
-		// cross board reference ${env.folder.key1} => [env folder key1]
-		if len(ref) > 1 {
-			secEnv, tmpSecPath, secKey := ref[0], ref[1:len(ref)-1], ref[len(ref)-1]
-			interpolatedSecs[interpolationKey] = crossSecRefFetch(secEnv, tmpSecPath, secKey) // get the reference value
-			val := recursivelyExpandSecret(expandedSecs, interpolatedSecs, crossSecRefFetch, interpolationKey)
-			interpolatedVal = strings.ReplaceAll(interpolatedVal, interpolatedExp, val)
-		}
-
-	}
-	expandedSecs[key] = interpolatedVal
-	return interpolatedVal
-}
-
 func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]models.SingleEnvironmentVariable {
 	secretMapByName := make(map[string]models.SingleEnvironmentVariable, len(secrets))
 
@@ -378,70 +341,6 @@ func getSecretsByKeys(secrets []models.SingleEnvironmentVariable) map[string]mod
 	return secretMapByName
 }
 
-func ExpandSecrets(secrets []models.SingleEnvironmentVariable, auth models.ExpandSecretsAuthentication, projectConfigPathDir string) []models.SingleEnvironmentVariable {
-	expandedSecs := make(map[string]string)
-	interpolatedSecs := make(map[string]string)
-	// map[env.secret-path][keyname]Secret
-	crossEnvRefSecs := make(map[string]map[string]models.SingleEnvironmentVariable) // a cache to hold all cross board reference secrets
-
-	for _, sec := range secrets {
-		// get all references in a secret
-		refs := secRefRegex.FindAllStringSubmatch(sec.Value, -1)
-		// nil means its a secret without reference
-		if refs == nil {
-			expandedSecs[sec.Key] = sec.Value // atomic secrets without any interpolation
-		} else {
-			interpolatedSecs[sec.Key] = sec.Value
-		}
-	}
-
-	for i, sec := range secrets {
-		// already present pick that up
-		if expandedVal, ok := expandedSecs[sec.Key]; ok {
-			secrets[i].Value = expandedVal
-			continue
-		}
-
-		expandedVal := recursivelyExpandSecret(expandedSecs, interpolatedSecs, func(env string, secPaths []string, secKey string) string {
-			secPaths = append([]string{"/"}, secPaths...)
-			secPath := path.Join(secPaths...)
-
-			secPathDot := strings.Join(secPaths, ".")
-			uniqKey := fmt.Sprintf("%s.%s", env, secPathDot)
-
-			if crossRefSec, ok := crossEnvRefSecs[uniqKey]; !ok {
-
-				var refSecs []models.SingleEnvironmentVariable
-				var err error
-
-				// if not in cross reference cache, fetch it from server
-				if auth.InfisicalToken != "" {
-					refSecs, err = GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: env, InfisicalToken: auth.InfisicalToken, SecretsPath: secPath}, projectConfigPathDir)
-				} else if auth.UniversalAuthAccessToken != "" {
-					refSecs, err = GetAllEnvironmentVariables((models.GetAllSecretsParameters{Environment: env, UniversalAuthAccessToken: auth.UniversalAuthAccessToken, SecretsPath: secPath, WorkspaceId: sec.WorkspaceId}), projectConfigPathDir)
-				} else if IsLoggedIn() {
-					refSecs, err = GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: env, SecretsPath: secPath}, projectConfigPathDir)
-				} else {
-					HandleError(errors.New("no authentication provided"), "Please provide authentication to fetch secrets")
-				}
-				if err != nil {
-					HandleError(err, fmt.Sprintf("Could not fetch secrets in environment: %s secret-path: %s", env, secPath), "If you are using a service token to fetch secrets, please ensure it is valid")
-				}
-				refSecsByKey := getSecretsByKeys(refSecs)
-				// save it to avoid calling api again for same environment and folder path
-				crossEnvRefSecs[uniqKey] = refSecsByKey
-				return refSecsByKey[secKey].Value
-
-			} else {
-				return crossRefSec[secKey].Value
-			}
-		}, sec.Key)
-
-		secrets[i].Value = expandedVal
-	}
-	return secrets
-}
-
 func OverrideSecrets(secrets []models.SingleEnvironmentVariable, secretType string) []models.SingleEnvironmentVariable {
 	personalSecrets := make(map[string]models.SingleEnvironmentVariable)
 	sharedSecrets := make(map[string]models.SingleEnvironmentVariable)

cli/secret-render-template

@@ -1,5 +1,5 @@
-{{- with secret "6553ccb2b7da580d7f6e7260" "dev" "/" }}
+{{- with secret "8fac9f01-4a81-44d7-8ff0-3d7be684f56f" "staging" "/" `{"recursive":true, "expandSecretReferences": false}` }}
 {{- range . }}
 {{ .Key }}={{ .Value }}
 {{- end }}
-{{- end }}
+{{- end }}

docs/cli/commands/token.mdx

@@ -4,7 +4,7 @@ description: "Manage your Infisical identity access tokens"
 ---
 
 ```bash 
-infisical service-token renew <ua-access-token>
+infisical token renew <ua-access-token>
 ```
 
 ## Description

docs/contributing/platform/developing.mdx

@@ -1,6 +1,6 @@
 ---
-title: 'Local development'
-description: 'This guide will help you set up and run the Infisical platform in local development.'
+title: "Local development"
+description: "This guide will help you set up and run the Infisical platform in local development."
 ---
 
 ## Fork and clone the repo
@@ -15,28 +15,28 @@ git checkout -b MY_BRANCH_NAME
 
 ## Set up environment variables
 
-
 Start by creating a .env file at the root of the Infisical directory then copy the contents of the file linked [here](https://github.com/Infisical/infisical/blob/main/.env.example). View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
 
 ## Starting Infisical for development
 
 We use Docker to spin up all required services for Infisical in local development. If you are unfamiliar with Docker, don’t worry, all you have to do is install Docker for your
-machine and run the command below to start up the development server. 
+machine and run the command below to start up the development server.
 
-#### Start local server 
+#### Start local server
 
 ```bash
-docker-compose -f docker-compose.dev.yml up --build --force-recreate
+docker compose -f docker-compose.dev.yml up --build --force-recreate
 ```
-#### Access local server 
+
+#### Access local server
 
 Once all the services have spun up, browse to http://localhost:8080.
 
-#### Shutdown local server 
+#### Shutdown local server
 
 ```bash
 # To stop environment use Control+C (on Mac) CTRL+C (on Win) or
-docker-compose -f docker-compose.dev.yml down
+docker compose -f docker-compose.dev.yml down
 ```
 
 ## Starting Infisical docs locally
@@ -56,9 +56,10 @@ yarn global add mintlify
 ```
 
 #### Running the docs
+
 Go to `docs` directory and run `mintlify dev`. This will start up the docs on `localhost:3000`
 
 ```bash
 # From the root directory
 cd docs; mintlify dev;
-```
+```

docs/documentation/platform/admin-panel/org-admin-console.mdx

@@ -1,32 +1,31 @@
 ---
 title: "Organization Admin Console"
-description: "Manage your Infisical organization from our organization admin console."
+description: "View and manage resources across your organization"
 ---
 
-The Organization Admin Console provides a user-friendly interface for Infisical organization admins to manage organization-related configurations.
+<Note>
+    The Organization Admin Console can only be accessed by organization members with admin status.
+</Note>
+
 
 ## Accessing the Organization Admin Console
 
-Only organization admins have access to the Organization Admin Console. 
+On the sidebar, tap on your initials to access the settings dropdown and press the **Organization Admin Console** option.
 
-![Access Organization Admin Panel](/images/platform/admin-panels/access-org-admin-console.png)
+![Access Organization Admin Console](/images/platform/admin-panels/access-org-admin-console.png)
 
-1. Click on the profile icon in the left sidebar.
-2. From the dropdown menu, select `Organization Admin Console`.
+## Projects Tab
 
-## Projects Section
+The Projects tab lists all the projects within your organization, including those which you are not a member of. You can easily filter projects by name or slug using the search bar.
 
 ![Projects Section](/images/platform/admin-panels/org-admin-console-projects.png)
 
-The Projects Section lists all projects created within your organization, including those you do not have membership in. You can easily search for a project by name using the search bar.
 
 ### Accessing a Project in Your Organization
 
-If you want to access a project in which you are not a member but are an organization admin, follow these steps:
+You can access a project that you are not a member of by tapping on the options menu of the project row and pressing the **Access** button.
+Doing so will grant you admin permissions for the selected project and add you as a member.
 
 ![Access project](/images/platform/admin-panels/org-admin-console-access.png)
 
-1. Click on the three-dot icon next to the project you wish to access.
-2. Click on the **Access** button.
 
-This will grant you admin permissions for the selected project and generate an audit log of your access, ensuring transparency regarding admin privileges.

docs/documentation/platform/admin-panel/overview.mdx

@@ -1,17 +1,17 @@
 ---
-description: "Learn about Infisical's Admin Panel."
+description: "Learn about Infisical's Admin Consoles"
 ---
 
-The Infisical Admin Panel allows you to configure and manage various resources within your organization and server.
+Infisical offers a server and organization level console for admins to customize their settings and manage various resources across the platform.
 
 <CardGroup cols={2}>
   <Card
-    title="Server Admin Panel"
+    title="Server Admin Console"
     href="./server-admin"
     icon="user-tie"
     color="#000000"
   >
-    Configure and manage your server settings effectively.
+    Configure and manage server related features.
   </Card>
   
   <Card
@@ -20,6 +20,6 @@ The Infisical Admin Panel allows you to configure and manage various resources w
     icon="sitemap"
     color="#000000"
   >
-    Manage settings specific to your organization.
+    View and access resources across your organization.
   </Card>
 </CardGroup>

docs/documentation/platform/admin-panel/server-admin.mdx

@@ -1,70 +1,69 @@
 ---
-title: "Server Admin Panel"
-description: "Manage your Infisical server from the Server Admin Panel."
+title: "Server Admin Console"
+description: "Configure and manage server related features"
 ---
 
-The Server Admin Panel provides a user interface for Infisical server administrators to configure various parameters as needed. This includes configuring rate limits, managing allowed signups, and more.
+The Server Admin Console provides **server administrators** with the ability to
+customize settings and manage users for their entire Infisical instance.
 
-## Accessing the Server Admin Panel
+<Note>
+    The first user to setup an account on your Infisical instance is designated as the server administrator by default.
+</Note>
 
-The first user who created the account in Infisical is designated as the server administrator. You can access the admin panel by navigating as follows:
+## Accessing the Server Admin Console
 
-![Access Server Admin Panel](/images/platform/admin-panels/access-server-admin-panel.png)
 
-1. Click on the profile icon in the left sidebar.
-2. From the dropdown menu, select `Server Admin Panel`.
+On the sidebar, tap on your initials to access the settings dropdown and press the **Server Admin Console** option.
 
-## General Section
+![Access Server Admin Console](/images/platform/admin-panels/access-server-admin-panel.png)
+
+## General Tab
+Configure general settings for your instance.
 
 ![General Settings](/images/platform/admin-panels/admin-panel-general.png)
 
+
 ### Allow User Signups
 
-This setting controls whether users can sign up for your Infisical instance. The options are:
-
-1. **Anyone**: Any user with access to your instance can sign up.
-2. **Disabled**: No one will be able to sign up.
+User signups are enabled by default, allowing **Anyone** with access to your instance to sign up. This can alternatively be **Disabled** to prevent any users from signing up.
 
 ### Restrict Signup Domain
 
-This setting allows only users with specific email domains (such as your organization's domain) to sign up.
+Signup can be restricted to users matching one or more email domains, such as your organization's domain, to control who has access to your instance.
 
 ### Default Organization
 
-Use this setting if you want all users accessing your Infisical instance to log in through your configured SAML/LDAP provider. This prevents users from manually entering their organization slug during authentication and redirects them to the SAML/LDAP authentication page.
+If you're using SAML/LDAP for only one organization on your instance, you can specify a default organization to use at login to skip requiring users to manually enter the organization slug.
 
 ### Trust Emails
 
-By default, Infisical does not trust emails logged in via SAML/LDAP/OIDC due to the potential for email spoofing. Users must verify their email addresses before proceeding. You can disable this validation if you are running an Infisical instance within your organization and trust incoming emails from your members.
+By default, users signing up through SAML/LDAP/OIDC will still need to verify their email address to prevent email spoofing. This requirement can be skipped by enabling the switch to trust logins through the respective method.
 
-## Authentication Section
+
+## Authentication Tab
+
+From this tab, you can configure which login methods are enabled for your instance.
 
 ![Authentication Settings](/images/platform/admin-panels/admin-panel-auths.png)
 
-This section allows you to configure various login and signup methods for your instance.
 
-## Rate Limit Section
+## Rate Limit Tab
+
+This tab allows you to set various rate limits for your Infisical instance. You do not need to redeploy when making changes to rate limits as these will be propagated automatically.
 
 ![Rate Limit Settings](/images/platform/admin-panels/admin-panel-rate-limits.png)
 
-Configure the rate limits for your Infisical instance across various endpoints. You do not need to redeploy when making changes to rate limits; they will be automatically synchronized to all instances.
 
-<Info>
+<Note>
   Note that rate limit configuration is a paid feature. Please contact sales@infisical.com to purchase a license for its use.
-</Info>
+</Note>
 
-## User Management Section
+## User Management Tab
+
+From this tab, you can view all the users who have signed up for your instance. You can search for users using the search bar and remove them from your instance by pressing the **X** button on their respective row.
 
 ![User Management](/images/platform/admin-panels/admin-panel-users.png)
 
-The User Management section lists all users who have signed up for your instance. You can search for users using the search bar. 
-
-To delete a user from Infisical:
-
-1. Search for the user.
-2. Click the cross button next to the user.
-3. Confirm the warning popup.
-
-<Info>
-  Note that user management configuration is a paid feature. Please contact sales@infisical.com to purchase a license for its use.
-</Info>
+<Note>
+    Note that rate limit configuration is a paid feature. Please contact sales@infisical.com to purchase a license for its use.
+</Note>

docs/documentation/platform/ldap/overview.mdx

@@ -36,7 +36,7 @@ If the documentation for your required identity provider is not shown in the lis
     verification step upon their first login.
 
     If you're running a self-hosted instance of Infisical and would like it to trust emails from external identity providers,
-    you can configure this behavior in the admin panel.
+    you can configure this behavior in the Server Admin Console.
 
   </Accordion>
 </AccordionGroup>

docs/documentation/platform/organization.mdx

@@ -16,8 +16,10 @@ as well as create a new project.
 
 The **Settings** page lets you manage information about your organization including:
 
-- Name: The name of your organization.
-- Incident contacts: Emails that should be alerted if anything abnormal is detected within the organization.
+- **Name**: The name of your organization.
+- **Slug**: The slug of your organization.
+- **Default Organization Member Role**: The role assigned to users when joining your organization unless otherwise specified.
+- **Incident Contacts**: Emails that should be alerted if anything abnormal is detected within the organization.
 
 ![organization settings general](../../images/platform/organization/organization-settings-general.png)
 

docs/documentation/platform/scim/azure.mdx

@@ -28,6 +28,13 @@ Prerequisites:
         
         ![SCIM copy token](/images/platform/scim/scim-copy-token.png)
     </Step>
+    <Step title="Add Users and Groups in Azure">
+        In Azure, navigate to Enterprise Application > Users and Groups. Add any users and/or groups to your application that you would like
+        to be provisioned over to Infisical.
+
+        ![SCIM Azure Users and Groups](/images/platform/scim/azure/scim-azure-add-users-and-groups.png)
+
+    </Step>
     <Step title="Configure SCIM in Azure">
         In Azure, head to your Enterprise Application > Provisioning > Overview and press **Get started**.
         
@@ -39,7 +46,7 @@ Prerequisites:
         - Tenant URL: Input **SCIM URL** from Step 1.
         - Secret Token: Input the **New SCIM Token** from Step 1.
         
-        Afterwards, press the **Test Connection** button to check that SCIM is configured properly.
+        Afterwards, click **Enable SCIM** and press the **Test Connection** button to check that SCIM is configured properly.
         
         ![SCIM Azure](/images/platform/scim/azure/scim-azure-config.png)
         
@@ -71,4 +78,4 @@ Prerequisites:
     
     For this reason, SCIM-provisioned users are initialized but must finish setting up their account when logging in the first time by creating a master encryption/decryption key. With this implementation, IdPs and SCIM providers cannot and will not have access to the decryption key needed to decrypt your secrets.
 </Accordion>
-</AccordionGroup>
+</AccordionGroup>

docs/documentation/platform/scim/group-mappings.mdx

@@ -0,0 +1,26 @@
+---
+title: "SCIM Group Mappings"
+description: "Learn how to enhance your SCIM implementation using group mappings"
+---
+
+<Info>
+    SCIM provisioning, and by extension group mapping, is a paid feature.
+    
+    If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
+    then you should contact sales@infisical.com to purchase an enterprise license to use it.
+</Info>
+
+## SCIM Group to Organization Role Mapping
+
+By default, when users are provisioned via SCIM, they will be assigned the default organization role configured in [Organization General Settings](/documentation/platform/organization#settings).
+
+For more precise control over membership roles, you can set up SCIM Group to Organization Role Mappings. This enables you to assign specific roles based on the group from which a user is provisioned.
+
+![SCIM Group Mapping](/images/platform/scim/scim-group-mapping.png)
+
+To configure a mapping, simply enter the SCIM group's name and select the role you would like users to be assigned from this group. Be sure
+to tap **Update Mappings** once complete.
+
+<Note>
+    SCIM Group Mappings only apply when users are first provisioned. Previously provisioned users will not be affected, allowing you to customize user roles after they are added.
+</Note>

docs/documentation/platform/sso/overview.mdx

@@ -45,7 +45,7 @@ If your required identity provider is not shown in the list above, please reach
     verification step upon their first login.
 
     If you're running a self-hosted instance of Infisical and would like it to trust emails from external identity providers,
-    you can configure this behavior in the admin panel.
+    you can configure this behavior in the Server Admin Console.
 
   </Accordion>
 </AccordionGroup>