fix requested changes

improvement: Slug Validation Errors
2025-06-29 04:31:59 +00:00 · 2024-11-26 16:35:12 +01:00 · 2024-11-26 16:35:11 +01:00
2119 changed files with 50701 additions and 88096 deletions
--- a/.env.example
+++ b/.env.example
@ -74,8 +74,8 @@ CAPTCHA_SECRET=

 NEXT_PUBLIC_CAPTCHA_SITE_KEY=

-OTEL_TELEMETRY_COLLECTION_ENABLED=false
-OTEL_EXPORT_TYPE=prometheus
+OTEL_TELEMETRY_COLLECTION_ENABLED=
+OTEL_EXPORT_TYPE=
 OTEL_EXPORT_OTLP_ENDPOINT=
 OTEL_OTLP_PUSH_INTERVAL=

@ -88,20 +88,3 @@ PLAIN_WISH_LABEL_IDS=
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=

 ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
-
-# App Connections
-
-# aws assume-role
-INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
-INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
-
-# github oauth
-INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
-INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
-
-#github app
-INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
-INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
-INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
-INF_APP_CONNECTION_GITHUB_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_APP_ID=
--- a/.github/workflows/check-fe-ts-and-lint.yml
+++ b/.github/workflows/check-fe-ts-and-lint.yml
@ -18,18 +18,18 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 20
+      - name: 🔧 Setup Node 16
        uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "16"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: 📦 Install dependencies
        run: npm install
        working-directory: frontend
      - name: 🏗️ Run Type check
-        run: npm run type:check
+        run: npm run type:check 
        working-directory: frontend
      - name: 🏗️ Run Link check
-        run: npm run lint:fix
+        run: npm run lint:fix 
        working-directory: frontend
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@ -5,10 +5,6 @@ permissions:
  id-token: write
  contents: read

-concurrency: 
-  group: "infisical-core-deployment"
-  cancel-in-progress: true  
-
 jobs:
  infisical-tests:
    name: Integration tests
@ -101,7 +97,7 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-gamma-stage
@ -117,6 +113,10 @@ jobs:
    steps:
      - uses: twingate/github-action@v1
        with:
+        # The Twingate Service Key used to connect Twingate to the proper service
+        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+        #
+        # Required
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
@ -153,37 +153,12 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
-      - name: Post slack message 
-        uses: slackapi/slack-github-action@v2.0.0
-        with:
-          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-          webhook-type: incoming-webhook
-          payload: |
-            text: "*Deployment Status Update*: ${{ job.status }}"
-            blocks:
-              - type: "section"
-                text:
-                  type: "mrkdwn"
-                  text: "*Deployment Status Update*: ${{ job.status }}"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Application:*\nInfisical Core"
-                  - type: "mrkdwn"
-                    text: "*Instance Type:*\nShared Infisical Cloud"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Region:*\nUS"
-                  - type: "mrkdwn"
-                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-

  production-eu:
      name: EU production deploy
@ -229,34 +204,9 @@ jobs:
            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
            environment-variables: "LOG_LEVEL=info"
        - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
          with:
            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
            service: infisical-core-platform
            cluster: infisical-core-platform
            wait-for-service-stability: true
-        - name: Post slack message 
-          uses: slackapi/slack-github-action@v2.0.0
-          with:
-            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-            webhook-type: incoming-webhook
-            payload: |
-              text: "*Deployment Status Update*: ${{ job.status }}"
-              blocks:
-                - type: "section"
-                  text:
-                    type: "mrkdwn"
-                    text: "*Deployment Status Update*: ${{ job.status }}"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Application:*\nInfisical Core"
-                    - type: "mrkdwn"
-                      text: "*Instance Type:*\nShared Infisical Cloud"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Region:*\nEU"
-                    - type: "mrkdwn"
-                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-
--- a/.infisicalignore
+++ b/.infisicalignore
@ -7,4 +7,3 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -23,16 +23,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -43,10 +44,20 @@ WORKDIR /app

 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user

-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

 USER non-root-user

+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@ -126,7 +137,6 @@ RUN apt-get update && apt-get install -y \
    freetds-dev \
    freetds-bin \
    tdsodbc \
-    openssh-client \
    && rm -rf /var/lib/apt/lists/*

 # Configure ODBC in production
@ -149,11 +159,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

 WORKDIR / 

@ -178,4 +191,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat

 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -27,16 +27,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -48,10 +49,20 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user

-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

 USER non-root-user

+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@ -128,8 +139,7 @@ RUN apk --update add \
    freetds-dev \
    bash \
    curl \
-    git \
-    openssh
+    git

 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
@ -148,11 +158,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY


 COPY --from=backend-runner /app /backend
@ -175,4 +188,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/README.md
+++ b/README.md
@ -14,6 +14,15 @@
  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>

+<p align="center">
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
+    <img src=".github/images/deploy-to-aws.png" width="137" />
+  </a>
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
+     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
+  </a>
+</p>
+
 <h4 align="center">
  <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
    <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@ -56,7 +65,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.

-### Infisical (Internal) PKI:
+### Internal PKI:

 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@ -64,17 +73,12 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.

-### Infisical Key Management System (KMS):
+### Key Management (KMS):

- **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.

-### Infisical SSH
-
- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
-
 ### General Platform:
-
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -7,8 +7,7 @@ WORKDIR /app
 RUN apk --update add \
        python3 \
        make \
-        g++ \
-        openssh
+        g++

 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -17,8 +17,7 @@ RUN apk --update add \
        openssl-dev \
        python3 \
        make \
-        g++ \
-        openssh
+        g++

 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -10,22 +10,17 @@ export const mockQueue = (): TQueueServiceFactory => {
    queue: async (name, jobData) => {
      job[name] = jobData;
    },
-    queuePg: async () => {},
-    initialize: async () => {},
    shutdown: async () => undefined,
    stopRepeatableJob: async () => true,
    start: (name, jobFn) => {
      queues[name] = jobFn;
      workers[name] = jobFn;
    },
-    startPg: async () => {},
    listen: (name, event) => {
      events[name] = event;
    },
-    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true,
-    stopRepeatableJobByKey: async () => true
+    stopRepeatableJobByJobId: async () => true
  };
 };
--- a/backend/e2e-test/routes/v3/secret-recursive.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-recursive.spec.ts
@ -1,86 +0,0 @@
-import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
-import { createSecretV2, deleteSecretV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
-
-import { seedData1 } from "@app/db/seed-data";
-
-describe("Secret Recursive Testing", async () => {
-  const projectId = seedData1.projectV3.id;
-  const folderAndSecretNames = [
-    { name: "deep1", path: "/", expectedSecretCount: 4 },
-    { name: "deep21", path: "/deep1", expectedSecretCount: 2 },
-    { name: "deep3", path: "/deep1/deep2", expectedSecretCount: 1 },
-    { name: "deep22", path: "/deep2", expectedSecretCount: 1 }
-  ];
-
-  beforeAll(async () => {
-    const rootFolderIds: string[] = [];
-    for (const folder of folderAndSecretNames) {
-      // eslint-disable-next-line no-await-in-loop
-      const createdFolder = await createFolder({
-        authToken: jwtAuthToken,
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: folder.path,
-        name: folder.name
-      });
-
-      if (folder.path === "/") {
-        rootFolderIds.push(createdFolder.id);
-      }
-      // eslint-disable-next-line no-await-in-loop
-      await createSecretV2({
-        secretPath: folder.path,
-        authToken: jwtAuthToken,
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        key: folder.name,
-        value: folder.name
-      });
-    }
-
-    return async () => {
-      await Promise.all(
-        rootFolderIds.map((id) =>
-          deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id,
-            workspaceId: projectId,
-            environmentSlug: "prod"
-          })
-        )
-      );
-
-      await deleteSecretV2({
-        authToken: jwtAuthToken,
-        secretPath: "/",
-        workspaceId: projectId,
-        environmentSlug: "prod",
-        key: folderAndSecretNames[0].name
-      });
-    };
-  });
-
-  test.each(folderAndSecretNames)("$path recursive secret fetching", async ({ path, expectedSecretCount }) => {
-    const secrets = await getSecretsV2({
-      authToken: jwtAuthToken,
-      secretPath: path,
-      workspaceId: projectId,
-      environmentSlug: "prod",
-      recursive: true
-    });
-
-    expect(secrets.secrets.length).toEqual(expectedSecretCount);
-    expect(secrets.secrets.sort((a, b) => a.secretKey.localeCompare(b.secretKey))).toEqual(
-      folderAndSecretNames
-        .filter((el) => el.path.startsWith(path))
-        .sort((a, b) => a.name.localeCompare(b.name))
-        .map((el) =>
-          expect.objectContaining({
-            secretKey: el.name,
-            secretValue: el.name
-          })
-        )
-    );
-  });
-});
--- a/backend/e2e-test/testUtils/secrets.ts
+++ b/backend/e2e-test/testUtils/secrets.ts
@ -97,7 +97,6 @@ export const getSecretsV2 = async (dto: {
  environmentSlug: string;
  secretPath: string;
  authToken: string;
-  recursive?: boolean;
 }) => {
  const getSecretsResponse = await testServer.inject({
    method: "GET",
@ -110,8 +109,7 @@ export const getSecretsV2 = async (dto: {
      environment: dto.environmentSlug,
      secretPath: dto.secretPath,
      expandSecretReferences: "true",
-      include_imports: "true",
-      recursive: String(dto.recursive || false)
+      include_imports: "true"
    }
  });
  expect(getSecretsResponse.statusCode).toBe(200);
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -53,13 +53,13 @@ export default {
        extension: "ts"
      });
      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL, { dbConnectionUrl: cfg.DB_CONNECTION_URI });
+      const queue = queueServiceFactory(cfg.REDIS_URL);
      const keyStore = keyStoreFactory(cfg.REDIS_URL);

      const hsmModule = initializeHsmModule();
      hsmModule.initialize();

-      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule(), redis });
+      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule() });

      // @ts-expect-error type
      globalThis.testServer = server;
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -26,16 +26,13 @@
        "@fastify/rate-limit": "^9.0.0",
        "@fastify/request-context": "^5.1.0",
        "@fastify/session": "^10.7.0",
-        "@fastify/static": "^7.0.4",
        "@fastify/swagger": "^8.14.0",
        "@fastify/swagger-ui": "^2.1.0",
-        "@google-cloud/kms": "^4.5.0",
        "@node-saml/passport-saml": "^4.0.4",
        "@octokit/auth-app": "^7.1.1",
        "@octokit/plugin-retry": "^5.0.5",
        "@octokit/rest": "^20.0.2",
        "@octokit/webhooks-types": "^7.3.1",
-        "@octopusdeploy/api-client": "^3.4.1",
        "@opentelemetry/api": "^1.9.0",
        "@opentelemetry/auto-instrumentations-node": "^0.53.0",
        "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
@ -50,6 +47,7 @@
        "@sindresorhus/slugify": "1.1.0",
        "@slack/oauth": "^3.0.1",
        "@slack/web-api": "^7.3.4",
+        "@team-plain/typescript-sdk": "^4.6.1",
        "@ucast/mongo2js": "^1.3.4",
        "ajv": "^8.12.0",
        "argon2": "^0.31.2",
@ -93,7 +91,6 @@
        "passport-google-oauth20": "^2.0.0",
        "passport-ldapauth": "^3.0.1",
        "pg": "^8.11.3",
-        "pg-boss": "^10.1.5",
        "pg-query-stream": "^4.5.3",
        "picomatch": "^3.0.1",
        "pino": "^8.16.2",
@ -5407,7 +5404,6 @@
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/accept-negotiator/-/accept-negotiator-1.1.0.tgz",
      "integrity": "sha512-OIHZrb2ImZ7XG85HXOONLcJWGosv7sIvM2ifAPQVhg9Lv7qdmMBNVaai4QTdyuaqbKM5eO6sLSQOYI7wEQeCJQ==",
-      "license": "MIT",
      "engines": {
        "node": ">=14"
      }
@ -5547,7 +5543,6 @@
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/send/-/send-2.1.0.tgz",
      "integrity": "sha512-yNYiY6sDkexoJR0D8IDy3aRP3+L4wdqCpvx5WP+VtEU58sn7USmKynBzDQex5X42Zzvw2gNzzYgP90UfWShLFA==",
-      "license": "MIT",
      "dependencies": {
        "@lukeed/ms": "^2.0.1",
        "escape-html": "~1.0.3",
@ -5566,85 +5561,16 @@
      }
    },
    "node_modules/@fastify/static": {
-      "version": "7.0.4",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-7.0.4.tgz",
-      "integrity": "sha512-p2uKtaf8BMOZWLs6wu+Ihg7bWNBdjNgCwDza4MJtTqg+5ovKmcbgbR9Xs5/smZ1YISfzKOCNYmZV8LaCj+eJ1Q==",
-      "license": "MIT",
+      "version": "6.12.0",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
+      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
      "dependencies": {
        "@fastify/accept-negotiator": "^1.0.0",
        "@fastify/send": "^2.0.0",
        "content-disposition": "^0.5.3",
        "fastify-plugin": "^4.0.0",
-        "fastq": "^1.17.0",
-        "glob": "^10.3.4"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/@fastify/static/node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "glob": "^8.0.1",
+        "p-limit": "^3.1.0"
      }
    },
    "node_modules/@fastify/swagger": {
@ -5671,32 +5597,6 @@
        "yaml": "^2.2.2"
      }
    },
-    "node_modules/@fastify/swagger-ui/node_modules/@fastify/static": {
-      "version": "6.12.0",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
-      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@fastify/accept-negotiator": "^1.0.0",
-        "@fastify/send": "^2.0.0",
-        "content-disposition": "^0.5.3",
-        "fastify-plugin": "^4.0.0",
-        "glob": "^8.0.1",
-        "p-limit": "^3.1.0"
-      }
-    },
-    "node_modules/@google-cloud/kms": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
-      "integrity": "sha512-i2vC0DI7bdfEhQszqASTw0KVvbB7HsO2CwTBod423NawAu7FWi+gVVa7NLfXVNGJaZZayFfci2Hu+om/HmyEjQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "google-gax": "^4.0.3"
-      },
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
    "node_modules/@google-cloud/paginator": {
      "version": "5.0.2",
      "resolved": "https://registry.npmjs.org/@google-cloud/paginator/-/paginator-5.0.2.tgz",
@ -5763,6 +5663,14 @@
        "uuid": "dist/bin/uuid"
      }
    },
+    "node_modules/@graphql-typed-document-node/core": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/@graphql-typed-document-node/core/-/core-3.2.0.tgz",
+      "integrity": "sha512-mB9oAsNCm9aM3/SOv4YtBMqZbYj10R7dkq8byBqxGY/ncFwhf2oQzMV+LCRlWoDSEBJ3COiR1yeDvMtsoOsuFQ==",
+      "peerDependencies": {
+        "graphql": "^0.8.0 || ^0.9.0 || ^0.10.0 || ^0.11.0 || ^0.12.0 || ^0.13.0 || ^14.0.0 || ^15.0.0 || ^16.0.0 || ^17.0.0"
+      }
+    },
    "node_modules/@grpc/grpc-js": {
      "version": "1.12.2",
      "resolved": "https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.12.2.tgz",
@ -6148,10 +6056,9 @@
      "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
    },
    "node_modules/@lukeed/ms": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
-      "integrity": "sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==",
-      "license": "MIT",
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
+      "integrity": "sha512-Xs/4RZltsAL7pkvaNStUQt7netTkyxrS0K+RILcVr3TRMS/ToOg4I6uNfhB9SlGsnWBym4U+EaXq0f0cEMNkHA==",
      "engines": {
        "node": ">=8"
      }
@ -7048,21 +6955,6 @@
      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.1.0.tgz",
      "integrity": "sha512-y92CpG4kFFtBBjni8LHoV12IegJ+KFxLgKRengrVjKmGE5XMeCuGvlfRe75lTRrgXaG6XIWJlFpIDTlkoJsU8w=="
    },
-    "node_modules/@octopusdeploy/api-client": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/@octopusdeploy/api-client/-/api-client-3.4.1.tgz",
-      "integrity": "sha512-j6FRgDNzc6AQoT3CAguYLWxoMR4W5TKCT1BCPpqjEN9mknmdMSKfYORs3djn/Yj/BhqtITTydDpBoREbzKY5+g==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "adm-zip": "^0.5.9",
-        "axios": "^1.2.1",
-        "form-data": "^4.0.0",
-        "glob": "^8.0.3",
-        "lodash": "^4.17.21",
-        "semver": "^7.3.8",
-        "urijs": "^1.19.11"
-      }
-    },
    "node_modules/@opentelemetry/api": {
      "version": "1.9.0",
      "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz",
@ -10048,6 +9940,18 @@
      "optional": true,
      "peer": true
    },
+    "node_modules/@team-plain/typescript-sdk": {
+      "version": "4.6.1",
+      "resolved": "https://registry.npmjs.org/@team-plain/typescript-sdk/-/typescript-sdk-4.6.1.tgz",
+      "integrity": "sha512-Uy9QJXu9U7bJb6WXL9sArGk7FXPpzdqBd6q8tAF1vexTm8fbTJRqcikTKxGtZmNADt+C2SapH3cApM4oHpO4lQ==",
+      "dependencies": {
+        "@graphql-typed-document-node/core": "^3.2.0",
+        "ajv": "^8.12.0",
+        "ajv-formats": "^2.1.1",
+        "graphql": "^16.6.0",
+        "zod": "3.22.4"
+      }
+    },
    "node_modules/@techteamer/ocsp": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/@techteamer/ocsp/-/ocsp-1.0.1.tgz",
@ -12339,6 +12243,14 @@
      "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
      "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="
    },
+    "node_modules/buffer-writer": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/buffer-writer/-/buffer-writer-2.0.0.tgz",
+      "integrity": "sha512-a7ZpuTZU1TRtnwyCNW3I5dc0wWNC3VR9S++Ewyk2HHZdrO3CQJqSpd+95Us590V6AL7JqUAH2IwZ/398PmNFgw==",
+      "engines": {
+        "node": ">=4"
+      }
+    },
    "node_modules/bullmq": {
      "version": "5.4.2",
      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.4.2.tgz",
@ -13966,9 +13878,9 @@
      }
    },
    "node_modules/express": {
-      "version": "4.21.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
-      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
+      "version": "4.21.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
+      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
      "license": "MIT",
      "dependencies": {
        "accepts": "~1.3.8",
@ -13990,7 +13902,7 @@
        "methods": "~1.1.2",
        "on-finished": "2.4.1",
        "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.12",
+        "path-to-regexp": "0.1.10",
        "proxy-addr": "~2.0.7",
        "qs": "6.13.0",
        "range-parser": "~1.2.1",
@ -14005,10 +13917,6 @@
      },
      "engines": {
        "node": ">= 0.10.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/express-session": {
@ -15162,44 +15070,6 @@
        "safe-buffer": "^5.0.1"
      }
    },
-    "node_modules/google-gax": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/google-gax/-/google-gax-4.4.1.tgz",
-      "integrity": "sha512-Phyp9fMfA00J3sZbJxbbB4jC55b7DBjE3F6poyL3wKMEBVKA79q6BGuHcTiM28yOzVql0NDbRL8MLLh8Iwk9Dg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@grpc/grpc-js": "^1.10.9",
-        "@grpc/proto-loader": "^0.7.13",
-        "@types/long": "^4.0.0",
-        "abort-controller": "^3.0.0",
-        "duplexify": "^4.0.0",
-        "google-auth-library": "^9.3.0",
-        "node-fetch": "^2.7.0",
-        "object-hash": "^3.0.0",
-        "proto3-json-serializer": "^2.0.2",
-        "protobufjs": "^7.3.2",
-        "retry-request": "^7.0.0",
-        "uuid": "^9.0.1"
-      },
-      "engines": {
-        "node": ">=14"
-      }
-    },
-    "node_modules/google-gax/node_modules/@types/long": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@types/long/-/long-4.0.2.tgz",
-      "integrity": "sha512-MqTGEo5bj5t157U6fA/BiDynNkn0YknVdh48CMPkTSpFTVmvao5UQmm7uEF6xBEo7qIMAlY/JSleYaE6VOdpaA==",
-      "license": "MIT"
-    },
-    "node_modules/google-gax/node_modules/object-hash": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz",
-      "integrity": "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 6"
-      }
-    },
    "node_modules/googleapis": {
      "version": "137.1.0",
      "resolved": "https://registry.npmjs.org/googleapis/-/googleapis-137.1.0.tgz",
@ -15250,6 +15120,14 @@
      "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
      "dev": true
    },
+    "node_modules/graphql": {
+      "version": "16.9.0",
+      "resolved": "https://registry.npmjs.org/graphql/-/graphql-16.9.0.tgz",
+      "integrity": "sha512-GGTKBX4SD7Wdb8mqeDLni2oaRGYQWjWHGKPQ24ZMnUtKfcsVoiv4uX8+LJr1K6U5VW2Lu1BwJnj7uiori0YtRw==",
+      "engines": {
+        "node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
+      }
+    },
    "node_modules/gtoken": {
      "version": "7.1.0",
      "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-7.1.0.tgz",
@ -17479,16 +17357,15 @@
      }
    },
    "node_modules/nanoid": {
-      "version": "3.3.8",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
-      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
+      "version": "3.3.7",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
+      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/ai"
        }
      ],
-      "license": "MIT",
      "bin": {
        "nanoid": "bin/nanoid.cjs"
      },
@ -18292,6 +18169,11 @@
      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
      "license": "BlueOak-1.0.0"
    },
+    "node_modules/packet-reader": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/packet-reader/-/packet-reader-1.0.0.tgz",
+      "integrity": "sha512-HAKu/fG3HpHFO0AA8WE8q2g+gBJaZ9MG7fcKk+IJPLTGAD6Psw4443l+9DGRbOIh3/aXr7Phy0TjilYivJo5XQ=="
+    },
    "node_modules/parent-module": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@ -18475,9 +18357,9 @@
      "license": "ISC"
    },
    "node_modules/path-to-regexp": {
-      "version": "0.1.12",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
-      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
+      "version": "0.1.10",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
      "license": "MIT"
    },
    "node_modules/path-type": {
@ -18510,13 +18392,15 @@
      "integrity": "sha512-KG8UEiEVkR3wGEb4m5yZkVCzigAD+cVEJck2CzYZO37ZGJfctvVptVO192MwrtPhzONn6go8ylnOdMhKqi4nfg=="
    },
    "node_modules/pg": {
-      "version": "8.13.1",
-      "resolved": "https://registry.npmjs.org/pg/-/pg-8.13.1.tgz",
-      "integrity": "sha512-OUir1A0rPNZlX//c7ksiu7crsGZTKSOXJPgtNiHGIlC9H0lO+NC6ZDYksSgBYY/thSWhnSRBv8w1lieNNGATNQ==",
+      "version": "8.11.3",
+      "resolved": "https://registry.npmjs.org/pg/-/pg-8.11.3.tgz",
+      "integrity": "sha512-+9iuvG8QfaaUrrph+kpF24cXkH1YOOUeArRNYIxq1viYHZagBxrTno7cecY1Fa44tJeZvaoG+Djpkc3JwehN5g==",
      "dependencies": {
-        "pg-connection-string": "^2.7.0",
-        "pg-pool": "^3.7.0",
-        "pg-protocol": "^1.7.0",
+        "buffer-writer": "2.0.0",
+        "packet-reader": "1.0.0",
+        "pg-connection-string": "^2.6.2",
+        "pg-pool": "^3.6.1",
+        "pg-protocol": "^1.6.0",
        "pg-types": "^2.1.0",
        "pgpass": "1.x"
      },
@ -18535,19 +18419,6 @@
        }
      }
    },
-    "node_modules/pg-boss": {
-      "version": "10.1.5",
-      "resolved": "https://registry.npmjs.org/pg-boss/-/pg-boss-10.1.5.tgz",
-      "integrity": "sha512-H87NL6c7N6nTCSCePh16EaSQVSFevNXWdJuzY6PZz4rw+W/nuMKPfI/vYyXS0AdT1g1Q3S3EgeOYOHcB7ZVToQ==",
-      "dependencies": {
-        "cron-parser": "^4.9.0",
-        "pg": "^8.13.0",
-        "serialize-error": "^8.1.0"
-      },
-      "engines": {
-        "node": ">=20"
-      }
-    },
    "node_modules/pg-cloudflare": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/pg-cloudflare/-/pg-cloudflare-1.1.1.tgz",
@ -18584,17 +18455,17 @@
      }
    },
    "node_modules/pg-pool": {
-      "version": "3.7.0",
-      "resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-3.7.0.tgz",
-      "integrity": "sha512-ZOBQForurqh4zZWjrgSwwAtzJ7QiRX0ovFkZr2klsen3Nm0aoh33Ls0fzfv3imeH/nw/O27cjdz5kzYJfeGp/g==",
+      "version": "3.6.1",
+      "resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-3.6.1.tgz",
+      "integrity": "sha512-jizsIzhkIitxCGfPRzJn1ZdcosIt3pz9Sh3V01fm1vZnbnCMgmGl5wvGGdNN2EL9Rmb0EcFoCkixH4Pu+sP9Og==",
      "peerDependencies": {
        "pg": ">=8.0"
      }
    },
    "node_modules/pg-protocol": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/pg-protocol/-/pg-protocol-1.7.0.tgz",
-      "integrity": "sha512-hTK/mE36i8fDDhgDFjy6xNOG+LCorxLG3WO17tku+ij6sVHXh1jQUJ8hYAnRhNla4QVD2H8er/FOjc/+EgC6yQ=="
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/pg-protocol/-/pg-protocol-1.6.0.tgz",
+      "integrity": "sha512-M+PDm637OY5WM307051+bsDia5Xej6d9IR4GwJse1qA1DIhiKlksvrneZOYQq42OM+spubpcNYEo2FcKQrDk+Q=="
    },
    "node_modules/pg-query-stream": {
      "version": "4.5.3",
@ -18623,9 +18494,9 @@
      }
    },
    "node_modules/pg/node_modules/pg-connection-string": {
-      "version": "2.7.0",
-      "resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-2.7.0.tgz",
-      "integrity": "sha512-PI2W9mv53rXJQEOb8xNR8lH7Hr+EKa6oJa38zsK0S/ky2er16ios1wLKhZyxzD7jUReiWokc9WK5nxSnC7W1TA=="
+      "version": "2.6.2",
+      "resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-2.6.2.tgz",
+      "integrity": "sha512-ch6OwaeaPYcova4kKZ15sbJ2hKb/VP48ZD2gE7i1J+L4MspCtBMAx8nMgz7bksc7IojCIIWuEhHibSMFH8m8oA=="
    },
    "node_modules/pgpass": {
      "version": "1.0.5",
@ -19336,18 +19207,6 @@
        "node": ">=6"
      }
    },
-    "node_modules/proto3-json-serializer": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/proto3-json-serializer/-/proto3-json-serializer-2.0.2.tgz",
-      "integrity": "sha512-SAzp/O4Yh02jGdRc+uIrGoe87dkN/XtwxfZ4ZyafJHymd79ozp5VG5nyZ7ygqPM5+cpLDjjGnYFUkngonyDPOQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "protobufjs": "^7.2.5"
-      },
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
    "node_modules/protobufjs": {
      "version": "7.4.0",
      "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.4.0.tgz",
@ -20236,20 +20095,6 @@
      "resolved": "https://registry.npmjs.org/seq-queue/-/seq-queue-0.0.5.tgz",
      "integrity": "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q=="
    },
-    "node_modules/serialize-error": {
-      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/serialize-error/-/serialize-error-8.1.0.tgz",
-      "integrity": "sha512-3NnuWfM6vBYoy5gZFvHiYsVbafvI9vZv/+jlIigFn4oP4zjNPK3LhcY0xSCgeb1a5L8jO71Mit9LlNoi2UfDDQ==",
-      "dependencies": {
-        "type-fest": "^0.20.2"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/serve-static": {
      "version": "1.16.2",
      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz",
@ -22269,6 +22114,7 @@
      "version": "0.20.2",
      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz",
      "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
+      "dev": true,
      "engines": {
        "node": ">=10"
      },
@ -22551,12 +22397,6 @@
        "punycode": "^2.1.0"
      }
    },
-    "node_modules/urijs": {
-      "version": "1.19.11",
-      "resolved": "https://registry.npmjs.org/urijs/-/urijs-1.19.11.tgz",
-      "integrity": "sha512-HXgFDgDommxn5/bIv0cnQZsPhHDA90NPHD6+c/v21U5+Sx5hoP8+dP9IZXBU1gIfvdRfhG8cel9QNPeionfcCQ==",
-      "license": "MIT"
-    },
    "node_modules/url": {
      "version": "0.10.3",
      "resolved": "https://registry.npmjs.org/url/-/url-0.10.3.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@ -134,16 +134,13 @@
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
-    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
-    "@google-cloud/kms": "^4.5.0",
    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
-    "@octopusdeploy/api-client": "^3.4.1",
    "@opentelemetry/api": "^1.9.0",
    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
    "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
@ -158,6 +155,7 @@
    "@sindresorhus/slugify": "1.1.0",
    "@slack/oauth": "^3.0.1",
    "@slack/web-api": "^7.3.4",
+    "@team-plain/typescript-sdk": "^4.6.1",
    "@ucast/mongo2js": "^1.3.4",
    "ajv": "^8.12.0",
    "argon2": "^0.31.2",
@ -201,7 +199,6 @@
    "passport-google-oauth20": "^2.0.0",
    "passport-ldapauth": "^3.0.1",
    "pg": "^8.11.3",
-    "pg-boss": "^10.1.5",
    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
--- a/backend/src/@types/fastify-request-context.d.ts
+++ b/backend/src/@types/fastify-request-context.d.ts
@ -2,6 +2,6 @@ import "@fastify/request-context";

 declare module "@fastify/request-context" {
  interface RequestContextData {
-    reqId: string;
+    requestId: string;
  }
 }
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -1,7 +1,5 @@
 import "fastify";

-import { Redis } from "ioredis";
-
 import { TUsers } from "@app/db/schemas";
 import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
@ -31,12 +29,9 @@ import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-ap
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
-import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
-import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
-import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
@ -55,7 +50,6 @@ import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-acces
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@ -80,7 +74,6 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@ -94,10 +87,6 @@ import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";

 declare module "fastify" {
-  interface Session {
-    callbackPort: string;
-  }
-
  interface FastifyRequest {
    realIp: string;
    // used for mfa session authentication
@ -126,7 +115,6 @@ declare module "fastify" {
  }

  interface FastifyInstance {
-    redis: Redis;
    services: {
      login: TAuthLoginFactory;
      password: TAuthPasswordFactory;
@ -167,7 +155,6 @@ declare module "fastify" {
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      identityOidcAuth: TIdentityOidcAuthServiceFactory;
-      identityJwtAuth: TIdentityJwtAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@ -181,8 +168,6 @@ declare module "fastify" {
      auditLogStream: TAuditLogStreamServiceFactory;
      certificate: TCertificateServiceFactory;
      certificateTemplate: TCertificateTemplateServiceFactory;
-      sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
-      sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
@ -210,8 +195,6 @@ declare module "fastify" {
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
      projectTemplate: TProjectTemplateServiceFactory;
      totp: TTotpServiceFactory;
-      appConnection: TAppConnectionServiceFactory;
-      secretSync: TSecretSyncServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -98,9 +98,6 @@ import {
  TIdentityGcpAuths,
  TIdentityGcpAuthsInsert,
  TIdentityGcpAuthsUpdate,
-  TIdentityJwtAuths,
-  TIdentityJwtAuthsInsert,
-  TIdentityJwtAuthsUpdate,
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
@ -202,9 +199,6 @@ import {
  TProjectSlackConfigs,
  TProjectSlackConfigsInsert,
  TProjectSlackConfigsUpdate,
-  TProjectSplitBackfillIds,
-  TProjectSplitBackfillIdsInsert,
-  TProjectSplitBackfillIdsUpdate,
  TProjectsUpdate,
  TProjectTemplates,
  TProjectTemplatesInsert,
@ -218,9 +212,6 @@ import {
  TRateLimit,
  TRateLimitInsert,
  TRateLimitUpdate,
-  TResourceMetadata,
-  TResourceMetadataInsert,
-  TResourceMetadataUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -320,21 +311,6 @@ import {
  TSlackIntegrations,
  TSlackIntegrationsInsert,
  TSlackIntegrationsUpdate,
-  TSshCertificateAuthorities,
-  TSshCertificateAuthoritiesInsert,
-  TSshCertificateAuthoritiesUpdate,
-  TSshCertificateAuthoritySecrets,
-  TSshCertificateAuthoritySecretsInsert,
-  TSshCertificateAuthoritySecretsUpdate,
-  TSshCertificateBodies,
-  TSshCertificateBodiesInsert,
-  TSshCertificateBodiesUpdate,
-  TSshCertificates,
-  TSshCertificatesInsert,
-  TSshCertificatesUpdate,
-  TSshCertificateTemplates,
-  TSshCertificateTemplatesInsert,
-  TSshCertificateTemplatesUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
@ -366,13 +342,11 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
 import {
  TExternalGroupOrgRoleMappings,
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
-import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@ -398,31 +372,6 @@ declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
-    [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TSshCertificateAuthorities,
-      TSshCertificateAuthoritiesInsert,
-      TSshCertificateAuthoritiesUpdate
-    >;
-    [TableName.SshCertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
-      TSshCertificateAuthoritySecrets,
-      TSshCertificateAuthoritySecretsInsert,
-      TSshCertificateAuthoritySecretsUpdate
-    >;
-    [TableName.SshCertificateTemplate]: KnexOriginal.CompositeTableType<
-      TSshCertificateTemplates,
-      TSshCertificateTemplatesInsert,
-      TSshCertificateTemplatesUpdate
-    >;
-    [TableName.SshCertificate]: KnexOriginal.CompositeTableType<
-      TSshCertificates,
-      TSshCertificatesInsert,
-      TSshCertificatesUpdate
-    >;
-    [TableName.SshCertificateBody]: KnexOriginal.CompositeTableType<
-      TSshCertificateBodies,
-      TSshCertificateBodiesInsert,
-      TSshCertificateBodiesUpdate
-    >;
    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
      TCertificateAuthorities,
      TCertificateAuthoritiesInsert,
@ -641,11 +590,6 @@ declare module "knex/types/tables" {
      TIdentityOidcAuthsInsert,
      TIdentityOidcAuthsUpdate
    >;
-    [TableName.IdentityJwtAuth]: KnexOriginal.CompositeTableType<
-      TIdentityJwtAuths,
-      TIdentityJwtAuthsInsert,
-      TIdentityJwtAuthsUpdate
-    >;
    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
@ -886,21 +830,5 @@ declare module "knex/types/tables" {
      TProjectTemplatesUpdate
    >;
    [TableName.TotpConfig]: KnexOriginal.CompositeTableType<TTotpConfigs, TTotpConfigsInsert, TTotpConfigsUpdate>;
-    [TableName.ProjectSplitBackfillIds]: KnexOriginal.CompositeTableType<
-      TProjectSplitBackfillIds,
-      TProjectSplitBackfillIdsInsert,
-      TProjectSplitBackfillIdsUpdate
-    >;
-    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
-      TResourceMetadata,
-      TResourceMetadataInsert,
-      TResourceMetadataUpdate
-    >;
-    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
-      TAppConnections,
-      TAppConnectionsInsert,
-      TAppConnectionsUpdate
-    >;
-    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
  }
 }
--- a/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
+++ b/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
@ -1,59 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicy,
-    "deletedAt"
-  );
-  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.SecretApprovalPolicy,
-    "deletedAt"
-  );
-
-  if (!hasAccessApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.timestamp("deletedAt");
-    });
-  }
-  if (!hasSecretApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-      t.timestamp("deletedAt");
-    });
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-    t.dropForeign(["privilegeId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicy,
-    "deletedAt"
-  );
-  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.SecretApprovalPolicy,
-    "deletedAt"
-  );
-
-  if (hasAccessApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.dropColumn("deletedAt");
-    });
-  }
-  if (hasSecretApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-      t.dropColumn("deletedAt");
-    });
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-    t.dropForeign(["privilegeId"]);
-    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
-  });
-}
--- a/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
+++ b/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
@ -1,34 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityJwtAuth))) {
-    await knex.schema.createTable(TableName.IdentityJwtAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("configurationType").notNullable();
-      t.string("jwksUrl").notNullable();
-      t.binary("encryptedJwksCaCert").notNullable();
-      t.binary("encryptedPublicKeys").notNullable();
-      t.string("boundIssuer").notNullable();
-      t.string("boundAudiences").notNullable();
-      t.jsonb("boundClaims").notNullable();
-      t.string("boundSubject").notNullable();
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityJwtAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
-}
--- a/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
+++ b/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      t.index("folderId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      t.dropIndex("folderId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20241213122350_project-split-to-products.ts
+++ b/backend/src/db/migrations/20241213122350_project-split-to-products.ts
@ -1,297 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-import { v4 as uuidV4 } from "uuid";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { ProjectType, TableName } from "../schemas";
-
-/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
-const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
-  const newProjectId = uuidV4();
-  const project = await knex(TableName.Project).where("id", projectId).first();
-  await knex(TableName.Project).insert({
-    ...project,
-    type: projectType,
-    // @ts-ignore id is required
-    id: newProjectId,
-    slug: slugify(`${project?.name}-${alphaNumericNanoId(4)}`)
-  });
-
-  const customRoleMapping: Record<string, string> = {};
-  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
-  if (projectCustomRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectRoles,
-      projectCustomRoles.map((el) => {
-        const id = uuidV4();
-        customRoleMapping[el.id] = id;
-        return {
-          ...el,
-          id,
-          projectId: newProjectId,
-          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
-        };
-      })
-    );
-  }
-  const groupMembershipMapping: Record<string, string> = {};
-  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
-  if (groupMemberships.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembership,
-      groupMemberships.map((el) => {
-        const id = uuidV4();
-        groupMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    groupMemberships.map((el) => el.id)
-  );
-  if (groupMembershipRoles.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembershipRole,
-      groupMembershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const identityProjectMembershipMapping: Record<string, string> = {};
-  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
-  if (identities.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembership,
-      identities.map((el) => {
-        const id = uuidV4();
-        identityProjectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    identities.map((el) => el.id)
-  );
-  if (identitiesRoles.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembershipRole,
-      identitiesRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const projectMembershipMapping: Record<string, string> = {};
-  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
-  if (projectUserMembers.length) {
-    await knex.batchInsert(
-      TableName.ProjectMembership,
-      projectUserMembers.map((el) => {
-        const id = uuidV4();
-        projectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
-    "projectMembershipId",
-    projectUserMembers.map((el) => el.id)
-  );
-  if (membershipRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectUserMembershipRole,
-      membershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
-  if (kmsKeys.length) {
-    await knex.batchInsert(
-      TableName.KmsKey,
-      kmsKeys.map((el) => {
-        const id = uuidV4();
-        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
-        return { ...el, id, slug, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
-  if (projectBot) {
-    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
-    await knex(TableName.ProjectBot).insert(newProjectBot);
-  }
-
-  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
-  if (projectKeys.length) {
-    await knex.batchInsert(
-      TableName.ProjectKeys,
-      projectKeys.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  return newProjectId;
-};
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
-  if (!hasSplitMappingTable) {
-    await knex.schema.createTable(TableName.ProjectSplitBackfillIds, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("sourceProjectId", 36).notNullable();
-      t.foreign("sourceProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("destinationProjectType").notNullable();
-      t.string("destinationProjectId", 36).notNullable();
-      t.foreign("destinationProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  if (!hasTypeColumn) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type");
-    });
-
-    let projectsToBeTyped;
-    do {
-      // eslint-disable-next-line no-await-in-loop
-      projectsToBeTyped = await knex(TableName.Project).whereNull("type").limit(BATCH_SIZE).select("id");
-      if (projectsToBeTyped.length) {
-        // eslint-disable-next-line no-await-in-loop
-        await knex(TableName.Project)
-          .whereIn(
-            "id",
-            projectsToBeTyped.map((el) => el.id)
-          )
-          .update({ type: ProjectType.SecretManager });
-      }
-    } while (projectsToBeTyped.length > 0);
-
-    const projectsWithCertificates = await knex(TableName.CertificateAuthority)
-      .distinct("projectId")
-      .select("projectId");
-    /* eslint-disable no-await-in-loop,no-param-reassign */
-    for (const { projectId } of projectsWithCertificates) {
-      const newProjectId = await newProject(knex, projectId, ProjectType.CertificateManager);
-      await knex(TableName.CertificateAuthority).where("projectId", projectId).update({ projectId: newProjectId });
-      await knex(TableName.PkiAlert).where("projectId", projectId).update({ projectId: newProjectId });
-      await knex(TableName.PkiCollection).where("projectId", projectId).update({ projectId: newProjectId });
-      await knex(TableName.ProjectSplitBackfillIds).insert({
-        sourceProjectId: projectId,
-        destinationProjectType: ProjectType.CertificateManager,
-        destinationProjectId: newProjectId
-      });
-    }
-
-    const projectsWithCmek = await knex(TableName.KmsKey)
-      .where("isReserved", false)
-      .whereNotNull("projectId")
-      .distinct("projectId")
-      .select("projectId");
-    for (const { projectId } of projectsWithCmek) {
-      if (projectId) {
-        const newProjectId = await newProject(knex, projectId, ProjectType.KMS);
-        await knex(TableName.KmsKey)
-          .where({
-            isReserved: false,
-            projectId
-          })
-          .update({ projectId: newProjectId });
-        await knex(TableName.ProjectSplitBackfillIds).insert({
-          sourceProjectId: projectId,
-          destinationProjectType: ProjectType.KMS,
-          destinationProjectId: newProjectId
-        });
-      }
-    }
-
-    /* eslint-enable */
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
-
-  if (hasTypeColumn && hasSplitMappingTable) {
-    const splitProjectMappings = await knex(TableName.ProjectSplitBackfillIds).where({});
-    const certMapping = splitProjectMappings.filter(
-      (el) => el.destinationProjectType === ProjectType.CertificateManager
-    );
-    /* eslint-disable no-await-in-loop */
-    for (const project of certMapping) {
-      await knex(TableName.CertificateAuthority)
-        .where("projectId", project.destinationProjectId)
-        .update({ projectId: project.sourceProjectId });
-      await knex(TableName.PkiAlert)
-        .where("projectId", project.destinationProjectId)
-        .update({ projectId: project.sourceProjectId });
-      await knex(TableName.PkiCollection)
-        .where("projectId", project.destinationProjectId)
-        .update({ projectId: project.sourceProjectId });
-    }
-
-    /* eslint-enable */
-    const kmsMapping = splitProjectMappings.filter((el) => el.destinationProjectType === ProjectType.KMS);
-    /* eslint-disable no-await-in-loop */
-    for (const project of kmsMapping) {
-      await knex(TableName.KmsKey)
-        .where({
-          isReserved: false,
-          projectId: project.destinationProjectId
-        })
-        .update({ projectId: project.sourceProjectId });
-    }
-    /* eslint-enable */
-    await knex(TableName.ProjectMembership)
-      .whereIn(
-        "projectId",
-        splitProjectMappings.map((el) => el.destinationProjectId)
-      )
-      .delete();
-    await knex(TableName.ProjectRoles)
-      .whereIn(
-        "projectId",
-        splitProjectMappings.map((el) => el.destinationProjectId)
-      )
-      .delete();
-    await knex(TableName.Project)
-      .whereIn(
-        "id",
-        splitProjectMappings.map((el) => el.destinationProjectId)
-      )
-      .delete();
-
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("type");
-    });
-  }
-
-  if (hasSplitMappingTable) {
-    await knex.schema.dropTableIfExists(TableName.ProjectSplitBackfillIds);
-  }
-}
--- a/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
+++ b/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
@ -1,99 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthority))) {
-    await knex.schema.createTable(TableName.SshCertificateAuthority, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("status").notNullable(); // active / disabled
-      t.string("friendlyName").notNullable();
-      t.string("keyAlgorithm").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthoritySecret))) {
-    await knex.schema.createTable(TableName.SshCertificateAuthoritySecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCaId").notNullable().unique();
-      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.binary("encryptedPrivateKey").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificateTemplate))) {
-    await knex.schema.createTable(TableName.SshCertificateTemplate, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCaId").notNullable();
-      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.string("status").notNullable(); // active / disabled
-      t.string("name").notNullable();
-      t.string("ttl").notNullable();
-      t.string("maxTTL").notNullable();
-      t.specificType("allowedUsers", "text[]").notNullable();
-      t.specificType("allowedHosts", "text[]").notNullable();
-      t.boolean("allowUserCertificates").notNullable();
-      t.boolean("allowHostCertificates").notNullable();
-      t.boolean("allowCustomKeyIds").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificate))) {
-    await knex.schema.createTable(TableName.SshCertificate, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCaId").notNullable();
-      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-      t.uuid("sshCertificateTemplateId");
-      t.foreign("sshCertificateTemplateId")
-        .references("id")
-        .inTable(TableName.SshCertificateTemplate)
-        .onDelete("SET NULL");
-      t.string("serialNumber").notNullable().unique();
-      t.string("certType").notNullable(); // user or host
-      t.specificType("principals", "text[]").notNullable();
-      t.string("keyId").notNullable();
-      t.datetime("notBefore").notNullable();
-      t.datetime("notAfter").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificate);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificateBody))) {
-    await knex.schema.createTable(TableName.SshCertificateBody, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCertId").notNullable().unique();
-      t.foreign("sshCertId").references("id").inTable(TableName.SshCertificate).onDelete("CASCADE");
-      t.binary("encryptedCertificate").notNullable();
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SshCertificateBody);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SshCertificateBody);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateBody);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificate);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificate);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificateTemplate);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthoritySecret);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthority);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
-}
--- a/backend/src/db/migrations/20241218165837_resource-metadata.ts
+++ b/backend/src/db/migrations/20241218165837_resource-metadata.ts
@ -1,40 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
-    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value", 1020).notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.uuid("secretId");
-      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (!hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.jsonb("secretMetadata");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.dropColumn("secretMetadata");
-    });
-  }
-}
--- a/backend/src/db/migrations/20241218181018_app-connection.ts
+++ b/backend/src/db/migrations/20241218181018_app-connection.ts
@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AppConnection))) {
-    await knex.schema.createTable(TableName.AppConnection, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("app").notNullable();
-      t.string("method").notNullable();
-      t.binary("encryptedCredentials").notNullable();
-      t.integer("version").defaultTo(1).notNullable();
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.AppConnection);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AppConnection);
-  await dropOnUpdateTrigger(knex, TableName.AppConnection);
-}
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // find any duplicate group names within organizations
-  const duplicates = await knex(TableName.Groups)
-    .select("orgId", "name")
-    .count("* as count")
-    .groupBy("orgId", "name")
-    .having(knex.raw("count(*) > 1"));
-
-  // for each set of duplicates, update all but one with a numbered suffix
-  for await (const duplicate of duplicates) {
-    const groups = await knex(TableName.Groups)
-      .select("id", "name")
-      .where({
-        orgId: duplicate.orgId,
-        name: duplicate.name
-      })
-      .orderBy("createdAt", "asc"); // keep original name for oldest group
-
-    // skip the first (oldest) group, rename others with numbered suffix
-    for (let i = 1; i < groups.length; i += 1) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.Groups)
-        .where("id", groups[i].id)
-        .update({
-          name: `${groups[i].name} (${i})`,
-
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore TS doesn't know about Knex's timestamp types
-          updatedAt: new Date()
-        });
-    }
-  }
-
-  // add the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // Remove the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-}
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (!hasEnforceCapitalizationCol) {
-      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(false).alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (hasEnforceCapitalizationCol) {
-      t.dropColumn("enforceCapitalization");
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(true).alter();
-    }
-  });
-}
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@ -1,50 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
-    await knex.schema.createTable(TableName.SecretSync, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("destination").notNullable();
-      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
-      t.integer("version").defaultTo(1).notNullable();
-      t.jsonb("destinationConfig").notNullable();
-      t.jsonb("syncOptions").notNullable();
-      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
-      // is deleted), to preserve sync configuration
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("folderId");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
-      t.uuid("connectionId").notNullable();
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.timestamps(true, true, true);
-      // sync secrets to destination
-      t.string("syncStatus");
-      t.string("lastSyncJobId");
-      t.string("lastSyncMessage");
-      t.datetime("lastSyncedAt");
-      // import secrets from destination
-      t.string("importStatus");
-      t.string("lastImportJobId");
-      t.string("lastImportMessage");
-      t.datetime("lastImportedAt");
-      // remove secrets from destination
-      t.string("removeStatus");
-      t.string("lastRemoveJobId");
-      t.string("lastRemoveMessage");
-      t.datetime("lastRemovedAt");
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSync);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSync);
-  await dropOnUpdateTrigger(knex, TableName.SecretSync);
-}
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -15,8 +15,7 @@ export const AccessApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  enforcementLevel: z.string().default("hard")
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/app-connections.ts
+++ b/backend/src/db/schemas/app-connections.ts
@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AppConnectionsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  app: z.string(),
-  method: z.string(),
-  encryptedCredentials: zodBuffer,
-  version: z.number().default(1),
-  orgId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAppConnections = z.infer<typeof AppConnectionsSchema>;
-export type TAppConnectionsInsert = Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>;
-export type TAppConnectionsUpdate = Partial<Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/identity-jwt-auths.ts
+++ b/backend/src/db/schemas/identity-jwt-auths.ts
@ -1,33 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityJwtAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  identityId: z.string().uuid(),
-  configurationType: z.string(),
-  jwksUrl: z.string(),
-  encryptedJwksCaCert: zodBuffer,
-  encryptedPublicKeys: zodBuffer,
-  boundIssuer: z.string(),
-  boundAudiences: z.string(),
-  boundClaims: z.unknown(),
-  boundSubject: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;
-export type TIdentityJwtAuthsInsert = Omit<z.input<typeof IdentityJwtAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityJwtAuthsUpdate = Partial<Omit<z.input<typeof IdentityJwtAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -30,7 +30,6 @@ export * from "./identity-access-tokens";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
-export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
@ -65,13 +64,11 @@ export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
-export * from "./project-split-backfill-ids";
 export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
-export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
@ -108,11 +105,6 @@ export * from "./secrets";
 export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./slack-integrations";
-export * from "./ssh-certificate-authorities";
-export * from "./ssh-certificate-authority-secrets";
-export * from "./ssh-certificate-bodies";
-export * from "./ssh-certificate-templates";
-export * from "./ssh-certificates";
 export * from "./super-admin";
 export * from "./totp-configs";
 export * from "./trusted-ips";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -2,11 +2,6 @@ import { z } from "zod";

 export enum TableName {
  Users = "users",
-  SshCertificateAuthority = "ssh_certificate_authorities",
-  SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
-  SshCertificateTemplate = "ssh_certificate_templates",
-  SshCertificate = "ssh_certificates",
-  SshCertificateBody = "ssh_certificate_bodies",
  CertificateAuthority = "certificate_authorities",
  CertificateTemplateEstConfig = "certificate_template_est_configs",
  CertificateAuthorityCert = "certificate_authority_certs",
@ -73,14 +68,12 @@ export enum TableName {
  IdentityUaClientSecret = "identity_ua_client_secrets",
  IdentityAwsAuth = "identity_aws_auths",
  IdentityOidcAuth = "identity_oidc_auths",
-  IdentityJwtAuth = "identity_jwt_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
-  ResourceMetadata = "resource_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@ -112,7 +105,6 @@ export enum TableName {
  SecretApprovalRequestSecretV2 = "secret_approval_requests_secrets_v2",
  SecretApprovalRequestSecretTagV2 = "secret_approval_request_secret_tags_v2",
  SnapshotSecretV2 = "secret_snapshot_secrets_v2",
-  ProjectSplitBackfillIds = "project_split_backfill_ids",
  // junction tables with tags
  SecretV2JnTag = "secret_v2_tag_junction",
  JnSecretTag = "secret_tag_junction",
@ -130,9 +122,7 @@ export enum TableName {
  KmsKeyVersion = "kms_key_versions",
  WorkflowIntegrations = "workflow_integrations",
  SlackIntegrations = "slack_integrations",
-  ProjectSlackConfigs = "project_slack_configs",
-  AppConnection = "app_connections",
-  SecretSync = "secret_syncs"
+  ProjectSlackConfigs = "project_slack_configs"
 }

 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@ -206,22 +196,5 @@ export enum IdentityAuthMethod {
  GCP_AUTH = "gcp-auth",
  AWS_AUTH = "aws-auth",
  AZURE_AUTH = "azure-auth",
-  OIDC_AUTH = "oidc-auth",
-  JWT_AUTH = "jwt-auth"
-}
-
-export enum ProjectType {
-  SecretManager = "secret-manager",
-  CertificateManager = "cert-manager",
-  KMS = "kms",
-  SSH = "ssh"
-}
-
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  // project operations that happen on all types
-  Any = "any"
+  OIDC_AUTH = "oidc-auth"
 }
--- a/backend/src/db/schemas/project-split-backfill-ids.ts
+++ b/backend/src/db/schemas/project-split-backfill-ids.ts
@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ProjectSplitBackfillIdsSchema = z.object({
-  id: z.string().uuid(),
-  sourceProjectId: z.string(),
-  destinationProjectType: z.string(),
-  destinationProjectId: z.string()
-});
-
-export type TProjectSplitBackfillIds = z.infer<typeof ProjectSplitBackfillIdsSchema>;
-export type TProjectSplitBackfillIdsInsert = Omit<z.input<typeof ProjectSplitBackfillIdsSchema>, TImmutableDBKeys>;
-export type TProjectSplitBackfillIdsUpdate = Partial<
-  Omit<z.input<typeof ProjectSplitBackfillIdsSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
  id: z.string(),
  name: z.string(),
  slug: z.string(),
-  autoCapitalization: z.boolean().default(false).nullable().optional(),
+  autoCapitalization: z.boolean().default(true).nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
@ -24,9 +24,7 @@ export const ProjectsSchema = z.object({
  auditLogsRetentionDays: z.number().nullable().optional(),
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
-  description: z.string().nullable().optional(),
-  type: z.string(),
-  enforceCapitalization: z.boolean().default(false)
+  description: z.string().nullable().optional()
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/resource-metadata.ts
+++ b/backend/src/db/schemas/resource-metadata.ts
@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ResourceMetadataSchema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  value: z.string(),
-  orgId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  secretId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
-export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
-export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@ -15,8 +15,7 @@ export const SecretApprovalPoliciesSchema = z.object({
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  enforcementLevel: z.string().default("hard")
 });

 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
+++ b/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
@ -24,8 +24,7 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
  requestId: z.string().uuid(),
  op: z.string(),
  secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional(),
-  secretMetadata: z.unknown().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional()
 });

 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;
--- a/backend/src/db/schemas/secret-syncs.ts
+++ b/backend/src/db/schemas/secret-syncs.ts
@ -1,40 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretSyncsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  destination: z.string(),
-  isAutoSyncEnabled: z.boolean().default(true),
-  version: z.number().default(1),
-  destinationConfig: z.unknown(),
-  syncOptions: z.unknown(),
-  projectId: z.string(),
-  folderId: z.string().uuid().nullable().optional(),
-  connectionId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  syncStatus: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional(),
-  lastSyncMessage: z.string().nullable().optional(),
-  lastSyncedAt: z.date().nullable().optional(),
-  importStatus: z.string().nullable().optional(),
-  lastImportJobId: z.string().nullable().optional(),
-  lastImportMessage: z.string().nullable().optional(),
-  lastImportedAt: z.date().nullable().optional(),
-  removeStatus: z.string().nullable().optional(),
-  lastRemoveJobId: z.string().nullable().optional(),
-  lastRemoveMessage: z.string().nullable().optional(),
-  lastRemovedAt: z.date().nullable().optional()
-});
-
-export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
-export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
-export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-certificate-authorities.ts
+++ b/backend/src/db/schemas/ssh-certificate-authorities.ts
@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshCertificateAuthoritiesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  projectId: z.string(),
-  status: z.string(),
-  friendlyName: z.string(),
-  keyAlgorithm: z.string()
-});
-
-export type TSshCertificateAuthorities = z.infer<typeof SshCertificateAuthoritiesSchema>;
-export type TSshCertificateAuthoritiesInsert = Omit<z.input<typeof SshCertificateAuthoritiesSchema>, TImmutableDBKeys>;
-export type TSshCertificateAuthoritiesUpdate = Partial<
-  Omit<z.input<typeof SshCertificateAuthoritiesSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/ssh-certificate-authority-secrets.ts
+++ b/backend/src/db/schemas/ssh-certificate-authority-secrets.ts
@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshCertificateAuthoritySecretsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  sshCaId: z.string().uuid(),
-  encryptedPrivateKey: zodBuffer
-});
-
-export type TSshCertificateAuthoritySecrets = z.infer<typeof SshCertificateAuthoritySecretsSchema>;
-export type TSshCertificateAuthoritySecretsInsert = Omit<
-  z.input<typeof SshCertificateAuthoritySecretsSchema>,
-  TImmutableDBKeys
->;
-export type TSshCertificateAuthoritySecretsUpdate = Partial<
-  Omit<z.input<typeof SshCertificateAuthoritySecretsSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/ssh-certificate-bodies.ts
+++ b/backend/src/db/schemas/ssh-certificate-bodies.ts
@ -1,22 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshCertificateBodiesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  sshCertId: z.string().uuid(),
-  encryptedCertificate: zodBuffer
-});
-
-export type TSshCertificateBodies = z.infer<typeof SshCertificateBodiesSchema>;
-export type TSshCertificateBodiesInsert = Omit<z.input<typeof SshCertificateBodiesSchema>, TImmutableDBKeys>;
-export type TSshCertificateBodiesUpdate = Partial<Omit<z.input<typeof SshCertificateBodiesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-certificate-templates.ts
+++ b/backend/src/db/schemas/ssh-certificate-templates.ts
@ -1,30 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshCertificateTemplatesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  sshCaId: z.string().uuid(),
-  status: z.string(),
-  name: z.string(),
-  ttl: z.string(),
-  maxTTL: z.string(),
-  allowedUsers: z.string().array(),
-  allowedHosts: z.string().array(),
-  allowUserCertificates: z.boolean(),
-  allowHostCertificates: z.boolean(),
-  allowCustomKeyIds: z.boolean()
-});
-
-export type TSshCertificateTemplates = z.infer<typeof SshCertificateTemplatesSchema>;
-export type TSshCertificateTemplatesInsert = Omit<z.input<typeof SshCertificateTemplatesSchema>, TImmutableDBKeys>;
-export type TSshCertificateTemplatesUpdate = Partial<
-  Omit<z.input<typeof SshCertificateTemplatesSchema>, TImmutableDBKeys>
->;
--- a/backend/src/db/schemas/ssh-certificates.ts
+++ b/backend/src/db/schemas/ssh-certificates.ts
@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SshCertificatesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  sshCaId: z.string().uuid(),
-  sshCertificateTemplateId: z.string().uuid().nullable().optional(),
-  serialNumber: z.string(),
-  certType: z.string(),
-  principals: z.string().array(),
-  keyId: z.string(),
-  notBefore: z.date(),
-  notAfter: z.date()
-});
-
-export type TSshCertificates = z.infer<typeof SshCertificatesSchema>;
-export type TSshCertificatesInsert = Omit<z.input<typeof SshCertificatesSchema>, TImmutableDBKeys>;
-export type TSshCertificatesUpdate = Partial<Omit<z.input<typeof SshCertificatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@ -4,7 +4,7 @@ import { Knex } from "knex";

 import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";

-import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { ProjectMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";

 export const DEFAULT_PROJECT_ENVS = [
@ -24,7 +24,6 @@ export async function seed(knex: Knex): Promise<void> {
      name: seedData1.project.name,
      orgId: seedData1.organization.id,
      slug: "first-project",
-      type: ProjectType.SecretManager,
      // eslint-disable-next-line
      // @ts-ignore
      id: seedData1.project.id
--- a/backend/src/db/seeds/4-project-v3.ts
+++ b/backend/src/db/seeds/4-project-v3.ts
@ -1,6 +1,6 @@
 import { Knex } from "knex";

-import { ProjectMembershipRole, ProjectType, ProjectVersion, TableName } from "../schemas";
+import { ProjectMembershipRole, ProjectVersion, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";

 export const DEFAULT_PROJECT_ENVS = [
@ -16,7 +16,6 @@ export async function seed(knex: Knex): Promise<void> {
      orgId: seedData1.organization.id,
      slug: seedData1.projectV3.slug,
      version: ProjectVersion.V3,
-      type: ProjectType.SecretManager,
      // eslint-disable-next-line
      // @ts-ignore
      id: seedData1.projectV3.id
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -109,8 +109,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              approvers: z.string().array(),
              secretPath: z.string().nullish(),
              envId: z.string(),
-              enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              enforcementLevel: z.string()
            }),
            reviewers: z
              .object({
--- a/backend/src/ee/routes/v1/external-kms-router.ts
+++ b/backend/src/ee/routes/v1/external-kms-router.ts
@ -4,15 +4,9 @@ import { ExternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import {
  ExternalKmsAwsSchema,
-  ExternalKmsGcpCredentialSchema,
-  ExternalKmsGcpSchema,
  ExternalKmsInputSchema,
-  ExternalKmsInputUpdateSchema,
-  KmsGcpKeyFetchAuthType,
-  KmsProviders,
-  TExternalKmsGcpCredentialSchema
+  ExternalKmsInputUpdateSchema
 } from "@app/ee/services/external-kms/providers/model";
-import { NotFoundError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -50,8 +44,7 @@ const sanitizedExternalSchemaForGetById = KmsKeysSchema.extend({
    statusDetails: true,
    provider: true
  }).extend({
-    // for GCP, we don't return the credential object as it is sensitive data that should not be exposed
-    providerInput: z.union([ExternalKmsAwsSchema, ExternalKmsGcpSchema.pick({ gcpRegion: true, keyName: true })])
+    providerInput: ExternalKmsAwsSchema
  })
 });

@ -293,67 +286,4 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
      return { externalKms };
    }
  });
-
-  server.route({
-    method: "POST",
-    url: "/gcp/keys",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.discriminatedUnion("authMethod", [
-        z.object({
-          authMethod: z.literal(KmsGcpKeyFetchAuthType.Credential),
-          region: z.string().trim().min(1),
-          credential: ExternalKmsGcpCredentialSchema
-        }),
-        z.object({
-          authMethod: z.literal(KmsGcpKeyFetchAuthType.Kms),
-          region: z.string().trim().min(1),
-          kmsId: z.string().trim().min(1)
-        })
-      ]),
-      response: {
-        200: z.object({
-          keys: z.string().array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { region, authMethod } = req.body;
-      let credentialJson: TExternalKmsGcpCredentialSchema | undefined;
-
-      if (authMethod === KmsGcpKeyFetchAuthType.Credential) {
-        credentialJson = req.body.credential;
-      } else if (authMethod === KmsGcpKeyFetchAuthType.Kms) {
-        const externalKms = await server.services.externalKms.findById({
-          actor: req.permission.type,
-          actorId: req.permission.id,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId,
-          id: req.body.kmsId
-        });
-
-        if (!externalKms || externalKms.external.provider !== KmsProviders.Gcp) {
-          throw new NotFoundError({ message: "KMS not found or not of type GCP" });
-        }
-
-        credentialJson = externalKms.external.providerInput.credential as TExternalKmsGcpCredentialSchema;
-      }
-
-      if (!credentialJson) {
-        throw new NotFoundError({
-          message: "Something went wrong while fetching the GCP credential, please check inputs and try again"
-        });
-      }
-
-      const results = await server.services.externalKms.fetchGcpKeys({
-        credential: credentialJson,
-        gcpRegion: region
-      });
-
-      return results;
-    }
-  });
 };
--- a/backend/src/ee/routes/v1/group-router.ts
+++ b/backend/src/ee/routes/v1/group-router.ts
@ -1,7 +1,6 @@
 import { z } from "zod";

 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
-import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
 import { GROUPS } from "@app/lib/api-docs";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -152,8 +151,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
        offset: z.coerce.number().min(0).max(100).default(0).describe(GROUPS.LIST_USERS.offset),
        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
        username: z.string().trim().optional().describe(GROUPS.LIST_USERS.username),
-        search: z.string().trim().optional().describe(GROUPS.LIST_USERS.search),
-        filter: z.nativeEnum(EFilterReturnedUsers).optional().describe(GROUPS.LIST_USERS.filterUsers)
+        search: z.string().trim().optional().describe(GROUPS.LIST_USERS.search)
      }),
      response: {
        200: z.object({
@ -166,8 +164,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
          })
            .merge(
              z.object({
-                isPartOfGroup: z.boolean(),
-                joinedGroupAt: z.date().nullable()
+                isPartOfGroup: z.boolean()
              })
            )
            .array(),
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -22,13 +22,9 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
-import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
-import { registerSshCaRouter } from "./ssh-certificate-authority-router";
-import { registerSshCertRouter } from "./ssh-certificate-router";
-import { registerSshCertificateTemplateRouter } from "./ssh-certificate-template-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
 import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";

@ -72,15 +68,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
    { prefix: "/pki" }
  );

-  await server.register(
-    async (sshRouter) => {
-      await sshRouter.register(registerSshCaRouter, { prefix: "/ca" });
-      await sshRouter.register(registerSshCertRouter, { prefix: "/certificates" });
-      await sshRouter.register(registerSshCertificateTemplateRouter, { prefix: "/certificate-templates" });
-    },
-    { prefix: "/ssh" }
-  );
-
  await server.register(
    async (ssoRouter) => {
      await ssoRouter.register(registerSamlRouter);
@ -93,7 +80,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
-  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
  await server.register(registerGroupRouter, { prefix: "/groups" });
  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
--- a/backend/src/ee/routes/v1/oidc-router.ts
+++ b/backend/src/ee/routes/v1/oidc-router.ts
@ -9,6 +9,7 @@
 import { Authenticator, Strategy } from "@fastify/passport";
 import fastifySession from "@fastify/session";
 import RedisStore from "connect-redis";
+import { Redis } from "ioredis";
 import { z } from "zod";

 import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
@ -20,6 +21,7 @@ import { AuthMode } from "@app/services/auth/auth-type";

 export const registerOidcRouter = async (server: FastifyZodProvider) => {
  const appCfg = getConfig();
+  const redis = new Redis(appCfg.REDIS_URL);
  const passport = new Authenticator({ key: "oidc", userProperty: "passportUser" });

  /*
@ -28,7 +30,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
  - Fastify session <> Redis structure is based on the ff: https://github.com/fastify/session/blob/master/examples/redis.js
  */
  const redisStore = new RedisStore({
-    client: server.redis,
+    client: redis,
    prefix: "oidc-session:",
    ttl: 600 // 10 minutes
  });
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -23,8 +23,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          "Please choose a different slug, the slug you have entered is reserved"
        ),
        name: z.string().trim(),
-        description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
+        description: z.string().trim().optional(),
        permissions: z.any().array()
      }),
      response: {
@ -96,8 +95,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          )
          .optional(),
        name: z.string().trim().optional(),
-        description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
+        description: z.string().trim().optional(),
        permissions: z.any().array().optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -39,7 +39,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          )
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
@ -87,7 +87,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
        roleId: z.string().trim().describe(PROJECT_ROLE.UPDATE.roleId)
      }),
      body: z.object({
-        slug: slugSchema({ max: 64 })
+        slug: slugSchema()
          .refine(
            (val) => !Object.values(ProjectMembershipRole).includes(val as ProjectMembershipRole),
            "Please choose a different slug, the slug you have entered is reserved"
@ -95,7 +95,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .describe(PROJECT_ROLE.UPDATE.slug)
          .optional(),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -84,10 +84,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                samlConfig.audience = `spn:${ssoConfig.issuer}`;
              }
            }
-            if (
-              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
-              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
-            ) {
+            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
              samlConfig.wantAssertionsSigned = false;
            }

@ -126,10 +123,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
              `email: ${email} firstName: ${profile.firstName as string}`
            );

-            throw new BadRequestError({
-              message:
-                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
-            });
+            throw new Error("Invalid saml request. Missing email or first name");
          }

          const userMetadata = Object.keys(profile.attributes || {})
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -12,7 +12,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";

 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
  UsersSchema.pick({
@ -53,8 +52,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                })
                .array(),
              secretPath: z.string().optional().nullable(),
-              enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              enforcementLevel: z.string()
            }),
            committerUser: approvalRequestUser,
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@ -262,8 +260,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                approvals: z.number(),
                approvers: approvalRequestUser.array(),
                secretPath: z.string().optional().nullable(),
-                enforcementLevel: z.string(),
-                deletedAt: z.date().nullish()
+                enforcementLevel: z.string()
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
@ -275,7 +272,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                .extend({
                  op: z.string(),
                  tags: tagSchema,
-                  secretMetadata: ResourceMetadataSchema.nullish(),
                  secret: z
                    .object({
                      id: z.string(),
@ -293,8 +289,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                      secretKey: z.string(),
                      secretValue: z.string().optional(),
                      secretComment: z.string().optional(),
-                      tags: tagSchema,
-                      secretMetadata: ResourceMetadataSchema.nullish()
+                      tags: tagSchema
                    })
                    .optional()
                })
--- a/backend/src/ee/routes/v1/secret-router.ts
+++ b/backend/src/ee/routes/v1/secret-router.ts
@ -1,71 +0,0 @@
-import z from "zod";
-
-import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
-import { RAW_SECRETS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const AccessListEntrySchema = z
-  .object({
-    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
-    id: z.string(),
-    membershipId: z.string(),
-    name: z.string()
-  })
-  .array();
-
-export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:secretName/access-list",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get list of users, machine identities, and groups with access to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
-      }),
-      querystring: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
-      }),
-      response: {
-        200: z.object({
-          groups: AccessListEntrySchema,
-          identities: AccessListEntrySchema,
-          users: AccessListEntrySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretName } = req.params;
-      const { secretPath, environment, workspaceId: projectId } = req.query;
-
-      return server.services.secret.getSecretAccessList({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectId,
-        secretName
-      });
-    }
-  });
-};
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -1,13 +1,9 @@
 import { z } from "zod";

 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import {
-  SecretScanningResolvedStatus,
-  SecretScanningRiskStatus
-} from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -101,45 +97,6 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    }
  });

-  server.route({
-    url: "/organization/:organizationId/risks/export",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({ organizationId: z.string().trim() }),
-      querystring: z.object({
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const risks = await server.services.secretScanning.getAllRisksByOrg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
-      });
-      return { risks };
-    }
-  });
-
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
@ -148,46 +105,20 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
-
-      querystring: z.object({
-        offset: z.coerce.number().min(0).default(0),
-        limit: z.coerce.number().min(1).max(20000).default(100),
-        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
-        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-
      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array(),
-          totalCount: z.number(),
-          repos: z.array(z.string())
-        })
+        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
+      const { risks } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          limit: req.query.limit,
-          offset: req.query.offset,
-          orderBy: req.query.orderBy,
-          orderDirection: req.query.orderDirection,
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
+        orgId: req.params.organizationId
      });
-      return { risks, totalCount, repos };
+      return { risks };
    }
  });

--- a/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
@ -1,279 +0,0 @@
-import { z } from "zod";
-
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-schema";
-import { SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
-import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
-
-export const registerSshCaRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Create SSH CA",
-      body: z.object({
-        projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
-        friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
-        keyAlgorithm: z
-          .nativeEnum(CertKeyAlgorithm)
-          .default(CertKeyAlgorithm.RSA_2048)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm)
-      }),
-      response: {
-        200: z.object({
-          ca: sanitizedSshCa.extend({
-            publicKey: z.string()
-          })
-        })
-      }
-    },
-    handler: async (req) => {
-      const ca = await server.services.sshCertificateAuthority.createSshCa({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.CREATE_SSH_CA,
-          metadata: {
-            sshCaId: ca.id,
-            friendlyName: ca.friendlyName
-          }
-        }
-      });
-
-      return {
-        ca
-      };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:sshCaId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Get SSH CA",
-      params: z.object({
-        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET.sshCaId)
-      }),
-      response: {
-        200: z.object({
-          ca: sanitizedSshCa.extend({
-            publicKey: z.string()
-          })
-        })
-      }
-    },
-    handler: async (req) => {
-      const ca = await server.services.sshCertificateAuthority.getSshCaById({
-        caId: req.params.sshCaId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.GET_SSH_CA,
-          metadata: {
-            sshCaId: ca.id,
-            friendlyName: ca.friendlyName
-          }
-        }
-      });
-
-      return {
-        ca
-      };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:sshCaId/public-key",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get public key of SSH CA",
-      params: z.object({
-        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_PUBLIC_KEY.sshCaId)
-      }),
-      response: {
-        200: z.string()
-      }
-    },
-    handler: async (req) => {
-      const publicKey = await server.services.sshCertificateAuthority.getSshCaPublicKey({
-        caId: req.params.sshCaId
-      });
-
-      return publicKey;
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:sshCaId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update SSH CA",
-      params: z.object({
-        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.sshCaId)
-      }),
-      body: z.object({
-        friendlyName: z.string().optional().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.friendlyName),
-        status: z.nativeEnum(SshCaStatus).optional().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.status)
-      }),
-      response: {
-        200: z.object({
-          ca: sanitizedSshCa.extend({
-            publicKey: z.string()
-          })
-        })
-      }
-    },
-    handler: async (req) => {
-      const ca = await server.services.sshCertificateAuthority.updateSshCaById({
-        caId: req.params.sshCaId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.UPDATE_SSH_CA,
-          metadata: {
-            sshCaId: ca.id,
-            friendlyName: ca.friendlyName,
-            status: ca.status as SshCaStatus
-          }
-        }
-      });
-
-      return {
-        ca
-      };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:sshCaId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Delete SSH CA",
-      params: z.object({
-        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.DELETE.sshCaId)
-      }),
-      response: {
-        200: z.object({
-          ca: sanitizedSshCa
-        })
-      }
-    },
-    handler: async (req) => {
-      const ca = await server.services.sshCertificateAuthority.deleteSshCaById({
-        caId: req.params.sshCaId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.DELETE_SSH_CA,
-          metadata: {
-            sshCaId: ca.id,
-            friendlyName: ca.friendlyName
-          }
-        }
-      });
-
-      return {
-        ca
-      };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:sshCaId/certificate-templates",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Get list of certificate templates for the SSH CA",
-      params: z.object({
-        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_CERTIFICATE_TEMPLATES.sshCaId)
-      }),
-      response: {
-        200: z.object({
-          certificateTemplates: sanitizedSshCertificateTemplate.array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const { certificateTemplates, ca } = await server.services.sshCertificateAuthority.getSshCaCertificateTemplates({
-        caId: req.params.sshCaId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.GET_SSH_CA_CERTIFICATE_TEMPLATES,
-          metadata: {
-            sshCaId: ca.id,
-            friendlyName: ca.friendlyName
-          }
-        }
-      });
-
-      return {
-        certificateTemplates
-      };
-    }
-  });
-};
--- a/backend/src/ee/routes/v1/ssh-certificate-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-router.ts
@ -1,164 +0,0 @@
-import ms from "ms";
-import { z } from "zod";
-
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
-import { writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
-
-export const registerSshCertRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/sign",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Sign SSH public key",
-      body: z.object({
-        certificateTemplateId: z
-          .string()
-          .trim()
-          .min(1)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.certificateTemplateId),
-        publicKey: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.publicKey),
-        certType: z
-          .nativeEnum(SshCertType)
-          .default(SshCertType.USER)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.certType),
-        principals: z
-          .array(z.string().transform((val) => val.trim()))
-          .nonempty("Principals array must not be empty")
-          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.principals),
-        ttl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional()
-          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.ttl),
-        keyId: z.string().trim().max(50).optional().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.keyId)
-      }),
-      response: {
-        200: z.object({
-          serialNumber: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.serialNumber),
-          signedKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.signedKey)
-        })
-      }
-    },
-    handler: async (req) => {
-      const { serialNumber, signedPublicKey, certificateTemplate, ttl, keyId } =
-        await server.services.sshCertificateAuthority.signSshKey({
-          actor: req.permission.type,
-          actorId: req.permission.id,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId,
-          ...req.body
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.SIGN_SSH_KEY,
-          metadata: {
-            certificateTemplateId: certificateTemplate.id,
-            certType: req.body.certType,
-            principals: req.body.principals,
-            ttl: String(ttl),
-            keyId
-          }
-        }
-      });
-
-      return {
-        serialNumber,
-        signedKey: signedPublicKey
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/issue",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Issue SSH credentials (certificate + key)",
-      body: z.object({
-        certificateTemplateId: z
-          .string()
-          .trim()
-          .min(1)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certificateTemplateId),
-        keyAlgorithm: z
-          .nativeEnum(CertKeyAlgorithm)
-          .default(CertKeyAlgorithm.RSA_2048)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm),
-        certType: z
-          .nativeEnum(SshCertType)
-          .default(SshCertType.USER)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certType),
-        principals: z
-          .array(z.string().transform((val) => val.trim()))
-          .nonempty("Principals array must not be empty")
-          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.principals),
-        ttl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional()
-          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.ttl),
-        keyId: z.string().trim().max(50).optional().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyId)
-      }),
-      response: {
-        200: z.object({
-          serialNumber: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.serialNumber),
-          signedKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.signedKey),
-          privateKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.privateKey),
-          publicKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.publicKey),
-          keyAlgorithm: z
-            .nativeEnum(CertKeyAlgorithm)
-            .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
-        })
-      }
-    },
-    handler: async (req) => {
-      const { serialNumber, signedPublicKey, privateKey, publicKey, certificateTemplate, ttl, keyId } =
-        await server.services.sshCertificateAuthority.issueSshCreds({
-          actor: req.permission.type,
-          actorId: req.permission.id,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId,
-          ...req.body
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.ISSUE_SSH_CREDS,
-          metadata: {
-            certificateTemplateId: certificateTemplate.id,
-            keyAlgorithm: req.body.keyAlgorithm,
-            certType: req.body.certType,
-            principals: req.body.principals,
-            ttl: String(ttl),
-            keyId
-          }
-        }
-      });
-
-      return {
-        serialNumber,
-        signedKey: signedPublicKey,
-        privateKey,
-        publicKey,
-        keyAlgorithm: req.body.keyAlgorithm
-      };
-    }
-  });
-};
--- a/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
@ -1,258 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import ms from "ms";
-import { z } from "zod";
-
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
-import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
-import {
-  isValidHostPattern,
-  isValidUserPattern
-} from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
-import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerSshCertificateTemplateRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:certificateTemplateId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
-      }),
-      response: {
-        200: sanitizedSshCertificateTemplate
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.sshCertificateTemplate.getSshCertTemplate({
-        id: req.params.certificateTemplateId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: certificateTemplate.projectId,
-        event: {
-          type: EventType.GET_SSH_CERTIFICATE_TEMPLATE,
-          metadata: {
-            certificateTemplateId: certificateTemplate.id
-          }
-        }
-      });
-
-      return certificateTemplate;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z
-        .object({
-          sshCaId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.sshCaId),
-          name: z
-            .string()
-            .min(1)
-            .max(36)
-            .refine((v) => slugify(v) === v, {
-              message: "Name must be a valid slug"
-            })
-            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.name),
-          ttl: z
-            .string()
-            .refine((val) => ms(val) > 0, "TTL must be a positive number")
-            .default("1h")
-            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.ttl),
-          maxTTL: z
-            .string()
-            .refine((val) => ms(val) > 0, "Max TTL must be a positive number")
-            .default("30d")
-            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.maxTTL),
-          allowedUsers: z
-            .array(z.string().refine(isValidUserPattern, "Invalid user pattern"))
-            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowedUsers),
-          allowedHosts: z
-            .array(z.string().refine(isValidHostPattern, "Invalid host pattern"))
-            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowedHosts),
-          allowUserCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowUserCertificates),
-          allowHostCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowHostCertificates),
-          allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
-        })
-        .refine((data) => ms(data.maxTTL) > ms(data.ttl), {
-          message: "Max TLL must be greater than TTL",
-          path: ["maxTTL"]
-        }),
-      response: {
-        200: sanitizedSshCertificateTemplate
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { certificateTemplate, ca } = await server.services.sshCertificateTemplate.createSshCertTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.CREATE_SSH_CERTIFICATE_TEMPLATE,
-          metadata: {
-            certificateTemplateId: certificateTemplate.id,
-            sshCaId: ca.id,
-            name: certificateTemplate.name,
-            ttl: certificateTemplate.ttl,
-            maxTTL: certificateTemplate.maxTTL,
-            allowedUsers: certificateTemplate.allowedUsers,
-            allowedHosts: certificateTemplate.allowedHosts,
-            allowUserCertificates: certificateTemplate.allowUserCertificates,
-            allowHostCertificates: certificateTemplate.allowHostCertificates,
-            allowCustomKeyIds: certificateTemplate.allowCustomKeyIds
-          }
-        }
-      });
-
-      return certificateTemplate;
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:certificateTemplateId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        status: z.nativeEnum(SshCertTemplateStatus).optional(),
-        name: z
-          .string()
-          .min(1)
-          .max(36)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
-          .optional()
-          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.name),
-        ttl: z
-          .string()
-          .refine((val) => ms(val) > 0, "TTL must be a positive number")
-          .optional()
-          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.ttl),
-        maxTTL: z
-          .string()
-          .refine((val) => ms(val) > 0, "Max TTL must be a positive number")
-          .optional()
-          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.maxTTL),
-        allowedUsers: z
-          .array(z.string().refine(isValidUserPattern, "Invalid user pattern"))
-          .optional()
-          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowedUsers),
-        allowedHosts: z
-          .array(z.string().refine(isValidHostPattern, "Invalid host pattern"))
-          .optional()
-          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowedHosts),
-        allowUserCertificates: z.boolean().optional().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowUserCertificates),
-        allowHostCertificates: z.boolean().optional().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowHostCertificates),
-        allowCustomKeyIds: z.boolean().optional().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowCustomKeyIds)
-      }),
-      params: z.object({
-        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.certificateTemplateId)
-      }),
-      response: {
-        200: sanitizedSshCertificateTemplate
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { certificateTemplate, projectId } = await server.services.sshCertificateTemplate.updateSshCertTemplate({
-        ...req.body,
-        id: req.params.certificateTemplateId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId,
-        event: {
-          type: EventType.UPDATE_SSH_CERTIFICATE_TEMPLATE,
-          metadata: {
-            status: certificateTemplate.status as SshCertTemplateStatus,
-            certificateTemplateId: certificateTemplate.id,
-            sshCaId: certificateTemplate.sshCaId,
-            name: certificateTemplate.name,
-            ttl: certificateTemplate.ttl,
-            maxTTL: certificateTemplate.maxTTL,
-            allowedUsers: certificateTemplate.allowedUsers,
-            allowedHosts: certificateTemplate.allowedHosts,
-            allowUserCertificates: certificateTemplate.allowUserCertificates,
-            allowHostCertificates: certificateTemplate.allowHostCertificates,
-            allowCustomKeyIds: certificateTemplate.allowCustomKeyIds
-          }
-        }
-      });
-
-      return certificateTemplate;
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:certificateTemplateId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
-      }),
-      response: {
-        200: sanitizedSshCertificateTemplate
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const certificateTemplate = await server.services.sshCertificateTemplate.deleteSshCertTemplate({
-        id: req.params.certificateTemplateId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: certificateTemplate.projectId,
-        event: {
-          type: EventType.DELETE_SSH_CERTIFICATE_TEMPLATE,
-          metadata: {
-            certificateTemplateId: certificateTemplate.id
-          }
-        }
-      });
-
-      return certificateTemplate;
-    }
-  });
-};
--- a/backend/src/ee/routes/v2/project-role-router.ts
+++ b/backend/src/ee/routes/v2/project-role-router.ts
@ -36,7 +36,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          )
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
@ -91,7 +91,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .optional()
          .describe(PROJECT_ROLE.UPDATE.slug),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -139,10 +139,5 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
    }
  };

-  const softDeleteById = async (policyId: string, tx?: Knex) => {
-    const softDeletedPolicy = await accessApprovalPolicyOrm.updateById(policyId, { deletedAt: new Date() }, tx);
-    return softDeletedPolicy;
-  };
-
-  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
+  return { ...accessApprovalPolicyOrm, find, findById };
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@ -9,11 +8,7 @@ import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";

-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
-import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-request/access-approval-request-reviewer-dal";
-import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
-import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
@ -26,7 +21,7 @@ import {
  TUpdateAccessApprovalPolicy
 } from "./access-approval-policy-types";

-type TAccessApprovalPolicyServiceFactoryDep = {
+type TSecretApprovalPolicyServiceFactoryDep = {
  projectDAL: TProjectDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
@ -35,9 +30,6 @@ type TAccessApprovalPolicyServiceFactoryDep = {
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
  groupDAL: TGroupDALFactory;
  userDAL: Pick<TUserDALFactory, "find">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
-  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
-  accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
 };

 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@ -49,11 +41,8 @@ export const accessApprovalPolicyServiceFactory = ({
  permissionService,
  projectEnvDAL,
  projectDAL,
-  userDAL,
-  accessApprovalRequestDAL,
-  additionalPrivilegeDAL,
-  accessApprovalRequestReviewerDAL
-}: TAccessApprovalPolicyServiceFactoryDep) => {
+  userDAL
+}: TSecretApprovalPolicyServiceFactoryDep) => {
  const createAccessApprovalPolicy = async ({
    name,
    actor,
@ -87,15 +76,13 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: project.id,
+      project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
-
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@ -193,16 +180,16 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission({
+    /* const { permission } = */ await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: project.id,
+      project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    // ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

-    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
+    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id });
    return accessApprovalPolicies;
  };

@ -244,14 +231,13 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!accessApprovalPolicy) {
      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
    }
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: accessApprovalPolicy.projectId,
+      accessApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);

@ -328,42 +314,19 @@ export const accessApprovalPolicyServiceFactory = ({
    const policy = await accessApprovalPolicyDAL.findById(policyId);
    if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: policy.projectId,
+      policy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
    );

-    await accessApprovalPolicyDAL.transaction(async (tx) => {
-      await accessApprovalPolicyDAL.softDeleteById(policyId, tx);
-      const allAccessApprovalRequests = await accessApprovalRequestDAL.find({ policyId });
-
-      if (allAccessApprovalRequests.length) {
-        const accessApprovalRequestsIds = allAccessApprovalRequests.map((request) => request.id);
-
-        const privilegeIdsArray = allAccessApprovalRequests
-          .map((request) => request.privilegeId)
-          .filter((id): id is string => id != null);
-
-        if (privilegeIdsArray.length) {
-          await additionalPrivilegeDAL.delete({ $in: { id: privilegeIdsArray } }, tx);
-        }
-
-        await accessApprovalRequestReviewerDAL.update(
-          { $in: { id: accessApprovalRequestsIds }, status: ApprovalStatus.PENDING },
-          { status: ApprovalStatus.REJECTED },
-          tx
-        );
-      }
-    });
-
+    await accessApprovalPolicyDAL.deleteById(policyId);
    return policy;
  };

@ -379,14 +342,13 @@ export const accessApprovalPolicyServiceFactory = ({

    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: project.id,
+      project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -394,11 +356,7 @@ export const accessApprovalPolicyServiceFactory = ({
    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
    if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });

-    const policies = await accessApprovalPolicyDAL.find({
-      envId: environment.id,
-      projectId: project.id,
-      deletedAt: null
-    });
+    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
    if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });

    return { count: policies.length };
@ -419,14 +377,13 @@ export const accessApprovalPolicyServiceFactory = ({
      });
    }

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: policy.projectId,
+      policy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@ -61,8 +61,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
          db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
          db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
-          db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
        )

        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
@ -119,8 +118,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            approvals: doc.policyApprovals,
            secretPath: doc.policySecretPath,
            enforcementLevel: doc.policyEnforcementLevel,
-            envId: doc.policyEnvId,
-            deletedAt: doc.policyDeletedAt
+            envId: doc.policyEnvId
          },
          requestedByUser: {
            userId: doc.requestedByUserId,
@ -143,7 +141,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
              }
            : null,

-          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
+          isApproved: !!doc.privilegeId
        }),
        childrenMapper: [
          {
@ -254,8 +252,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
        tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
-        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals")
      );

  const findById = async (id: string, tx?: Knex) => {
@ -274,8 +271,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
            name: el.policyName,
            approvals: el.policyApprovals,
            secretPath: el.policySecretPath,
-            enforcementLevel: el.policyEnforcementLevel,
-            deletedAt: el.policyDeletedAt
+            enforcementLevel: el.policyEnforcementLevel
          },
          requestedByUser: {
            userId: el.requestedByUserId,
@ -367,7 +363,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
        )

        .where(`${TableName.Environment}.projectId`, projectId)
-        .where(`${TableName.AccessApprovalPolicy}.deletedAt`, null)
        .select(selectAllTableCols(TableName.AccessApprovalRequest))
        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"));
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";

-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -100,14 +100,13 @@ export const accessApprovalRequestServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: project.id,
+      project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -131,9 +130,6 @@ export const accessApprovalRequestServiceFactory = ({
        message: `No policy in environment with slug '${environment.slug}' and with secret path '${secretPath}' was found.`
      });
    }
-    if (policy.deletedAt) {
-      throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
-    }

    const approverIds: string[] = [];
    const approverGroupIds: string[] = [];
@ -214,7 +210,7 @@ export const accessApprovalRequestServiceFactory = ({
      );

      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;

      await triggerSlackNotification({
        projectId: project.id,
@ -274,14 +270,13 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: project.id,
+      project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -314,20 +309,13 @@ export const accessApprovalRequestServiceFactory = ({
    }

    const { policy } = accessApprovalRequest;
-    if (policy.deletedAt) {
-      throw new BadRequestError({
-        message: "The policy associated with this access request has been deleted."
-      });
-    }
-
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: accessApprovalRequest.projectId,
+      accessApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );

    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -425,14 +413,13 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: project.id,
+      project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
        }
      )
      .catch((err) => {
-        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
+        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
      });
    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
    const logStream = await auditLogStreamDAL.create({
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -100,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {

      // Filter by date range
      if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
      }
      if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
      }

      // we timeout long running queries to prevent DB resource issues (2 minutes)
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -1,7 +1,6 @@
 import { RawAxiosRequestHeaders } from "axios";

 import { SecretKeyEncoding } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@ -21,129 +20,26 @@ type TAuditLogQueueServiceFactoryDep = {
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };

-export type TAuditLogQueueServiceFactory = Awaited<ReturnType<typeof auditLogQueueServiceFactory>>;
+export type TAuditLogQueueServiceFactory = ReturnType<typeof auditLogQueueServiceFactory>;

 // keep this timeout 5s it must be fast because else the queue will take time to finish
 // audit log is a crowded queue thus needs to be fast
 export const AUDIT_LOG_STREAM_TIMEOUT = 5 * 1000;
-
-export const auditLogQueueServiceFactory = async ({
+export const auditLogQueueServiceFactory = ({
  auditLogDAL,
  queueService,
  projectDAL,
  licenseService,
  auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep) => {
-  const appCfg = getConfig();
-
  const pushToLog = async (data: TCreateAuditLogDTO) => {
-    if (appCfg.USE_PG_QUEUE && appCfg.SHOULD_INIT_PG_QUEUE) {
-      await queueService.queuePg<QueueName.AuditLog>(QueueJobs.AuditLog, data, {
-        retryLimit: 10,
-        retryBackoff: true
-      });
-    } else {
-      await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
-      });
-    }
-  };
-
-  if (appCfg.SHOULD_INIT_PG_QUEUE) {
-    await queueService.startPg<QueueName.AuditLog>(
-      QueueJobs.AuditLog,
-      async ([job]) => {
-        const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
-        let { orgId } = job.data;
-        const MS_IN_DAY = 24 * 60 * 60 * 1000;
-        let project;
-
-        if (!orgId) {
-          // it will never be undefined for both org and project id
-          // TODO(akhilmhdh): use caching here in dal to avoid db calls
-          project = await projectDAL.findById(projectId as string);
-          orgId = project.orgId;
-        }
-
-        const plan = await licenseService.getPlan(orgId);
-        if (plan.auditLogsRetentionDays === 0) {
-          // skip inserting if audit log retention is 0 meaning its not supported
-          return;
-        }
-
-        // For project actions, set TTL to project-level audit log retention config
-        // This condition ensures that the plan's audit log retention days cannot be bypassed
-        const ttlInDays =
-          project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
-            ? project.auditLogsRetentionDays
-            : plan.auditLogsRetentionDays;
-
-        const ttl = ttlInDays * MS_IN_DAY;
-
-        const auditLog = await auditLogDAL.create({
-          actor: actor.type,
-          actorMetadata: actor.metadata,
-          userAgent,
-          projectId,
-          projectName: project?.name,
-          ipAddress,
-          orgId,
-          eventType: event.type,
-          expiresAt: new Date(Date.now() + ttl),
-          eventMetadata: event.metadata,
-          userAgentType
-        });
-
-        const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
-        await Promise.allSettled(
-          logStreams.map(
-            async ({
-              url,
-              encryptedHeadersTag,
-              encryptedHeadersIV,
-              encryptedHeadersKeyEncoding,
-              encryptedHeadersCiphertext
-            }) => {
-              const streamHeaders =
-                encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
-                  ? (JSON.parse(
-                      infisicalSymmetricDecrypt({
-                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                        iv: encryptedHeadersIV,
-                        tag: encryptedHeadersTag,
-                        ciphertext: encryptedHeadersCiphertext
-                      })
-                    ) as LogStreamHeaders[])
-                  : [];
-
-              const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-
-              if (streamHeaders.length)
-                streamHeaders.forEach(({ key, value }) => {
-                  headers[key] = value;
-                });
-
-              return request.post(url, auditLog, {
-                headers,
-                // request timeout
-                timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                // connection timeout
-                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-              });
-            }
-          )
-        );
+    await queueService.queue(QueueName.AuditLog, QueueJobs.AuditLog, data, {
+      removeOnFail: {
+        count: 3
      },
-      {
-        batchSize: 1,
-        workerCount: 30,
-        pollingIntervalSeconds: 0.5
-      }
-    );
-  }
+      removeOnComplete: true
+    });
+  };

  queueService.start(QueueName.AuditLog, async (job) => {
    const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";

@ -27,14 +26,13 @@ export const auditLogServiceFactory = ({
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
    // Filter logs for specific project
    if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
        actor,
        actorId,
-        projectId: filter.projectId,
+        filter.projectId,
        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
-      });
+        actorOrgId
+      );
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
      // Organization-wide logs
@ -81,8 +79,7 @@ export const auditLogServiceFactory = ({
    }
    // add all cases in which project id or org id cannot be added
    if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId)
-        throw new BadRequestError({ message: "Must specify either project id or org id" });
+      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
    }

    return auditLogQueue.pushToLog(data);
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -2,24 +2,12 @@ import {
  TCreateProjectTemplateDTO,
  TUpdateProjectTemplateDTO
 } from "@app/ee/services/project-template/project-template-types";
-import { SshCaStatus, SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
-import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
-import {
-  TCreateSecretSyncDTO,
-  TDeleteSecretSyncDTO,
-  TSecretSyncRaw,
-  TUpdateSecretSyncDTO
-} from "@app/services/secret-sync/secret-sync-types";

 export type TListProjectAuditLogDTO = {
  filter: {
@ -38,7 +26,7 @@ export type TListProjectAuditLogDTO = {

 export type TCreateAuditLogDTO = {
  event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
  orgId?: string;
  projectId?: string;
 } & BaseAuthData;
@ -72,7 +60,6 @@ export enum EventType {
  DELETE_SECRETS = "delete-secrets",
  GET_WORKSPACE_KEY = "get-workspace-key",
  AUTHORIZE_INTEGRATION = "authorize-integration",
-  UPDATE_INTEGRATION_AUTH = "update-integration-auth",
  UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
  CREATE_INTEGRATION = "create-integration",
  DELETE_INTEGRATION = "delete-integration",
@ -107,11 +94,6 @@ export enum EventType {
  UPDATE_IDENTITY_OIDC_AUTH = "update-identity-oidc-auth",
  GET_IDENTITY_OIDC_AUTH = "get-identity-oidc-auth",
  REVOKE_IDENTITY_OIDC_AUTH = "revoke-identity-oidc-auth",
-  LOGIN_IDENTITY_JWT_AUTH = "login-identity-jwt-auth",
-  ADD_IDENTITY_JWT_AUTH = "add-identity-jwt-auth",
-  UPDATE_IDENTITY_JWT_AUTH = "update-identity-jwt-auth",
-  GET_IDENTITY_JWT_AUTH = "get-identity-jwt-auth",
-  REVOKE_IDENTITY_JWT_AUTH = "revoke-identity-jwt-auth",
  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
@ -155,17 +137,6 @@ export enum EventType {
  SECRET_APPROVAL_REQUEST = "secret-approval-request",
  SECRET_APPROVAL_CLOSED = "secret-approval-closed",
  SECRET_APPROVAL_REOPENED = "secret-approval-reopened",
-  SIGN_SSH_KEY = "sign-ssh-key",
-  ISSUE_SSH_CREDS = "issue-ssh-creds",
-  CREATE_SSH_CA = "create-ssh-certificate-authority",
-  GET_SSH_CA = "get-ssh-certificate-authority",
-  UPDATE_SSH_CA = "update-ssh-certificate-authority",
-  DELETE_SSH_CA = "delete-ssh-certificate-authority",
-  GET_SSH_CA_CERTIFICATE_TEMPLATES = "get-ssh-certificate-authority-certificate-templates",
-  CREATE_SSH_CERTIFICATE_TEMPLATE = "create-ssh-certificate-template",
-  UPDATE_SSH_CERTIFICATE_TEMPLATE = "update-ssh-certificate-template",
-  DELETE_SSH_CERTIFICATE_TEMPLATE = "delete-ssh-certificate-template",
-  GET_SSH_CERTIFICATE_TEMPLATE = "get-ssh-certificate-template",
  CREATE_CA = "create-certificate-authority",
  GET_CA = "get-certificate-authority",
  UPDATE_CA = "update-certificate-authority",
@ -231,24 +202,7 @@ export enum EventType {
  CREATE_PROJECT_TEMPLATE = "create-project-template",
  UPDATE_PROJECT_TEMPLATE = "update-project-template",
  DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template",
-  GET_APP_CONNECTIONS = "get-app-connections",
-  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
-  GET_APP_CONNECTION = "get-app-connection",
-  CREATE_APP_CONNECTION = "create-app-connection",
-  UPDATE_APP_CONNECTION = "update-app-connection",
-  DELETE_APP_CONNECTION = "delete-app-connection",
-  CREATE_SHARED_SECRET = "create-shared-secret",
-  DELETE_SHARED_SECRET = "delete-shared-secret",
-  READ_SHARED_SECRET = "read-shared-secret",
-  GET_SECRET_SYNCS = "get-secret-syncs",
-  GET_SECRET_SYNC = "get-secret-sync",
-  CREATE_SECRET_SYNC = "create-secret-sync",
-  UPDATE_SECRET_SYNC = "update-secret-sync",
-  DELETE_SECRET_SYNC = "delete-secret-sync",
-  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
-  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
-  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets"
+  APPLY_PROJECT_TEMPLATE = "apply-project-template"
 }

 interface UserActorMetadata {
@ -271,8 +225,6 @@ interface ScimClientActorMetadata {}

 interface PlatformActorMetadata {}

-interface UnknownUserActorMetadata {}
-
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -288,11 +240,6 @@ export interface PlatformActor {
  metadata: PlatformActorMetadata;
 }

-export interface UnknownUserActor {
-  type: ActorType.UNKNOWN_USER;
-  metadata: UnknownUserActorMetadata;
-}
-
 export interface IdentityActor {
  type: ActorType.IDENTITY;
  metadata: IdentityActorMetadata;
@ -410,13 +357,6 @@ interface AuthorizeIntegrationEvent {
  };
 }

-interface UpdateIntegrationAuthEvent {
-  type: EventType.UPDATE_INTEGRATION_AUTH;
-  metadata: {
-    integration: string;
-  };
-}
-
 interface UnauthorizeIntegrationEvent {
  type: EventType.UNAUTHORIZE_INTEGRATION;
  metadata: {
@ -955,67 +895,6 @@ interface GetIdentityOidcAuthEvent {
  };
 }

-interface LoginIdentityJwtAuthEvent {
-  type: EventType.LOGIN_IDENTITY_JWT_AUTH;
-  metadata: {
-    identityId: string;
-    identityJwtAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityJwtAuthEvent {
-  type: EventType.ADD_IDENTITY_JWT_AUTH;
-  metadata: {
-    identityId: string;
-    configurationType: string;
-    jwksUrl?: string;
-    jwksCaCert: string;
-    publicKeys: string[];
-    boundIssuer: string;
-    boundAudiences: string;
-    boundClaims: Record<string, string>;
-    boundSubject: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityJwtAuthEvent {
-  type: EventType.UPDATE_IDENTITY_JWT_AUTH;
-  metadata: {
-    identityId: string;
-    configurationType?: string;
-    jwksUrl?: string;
-    jwksCaCert?: string;
-    publicKeys?: string[];
-    boundIssuer?: string;
-    boundAudiences?: string;
-    boundClaims?: Record<string, string>;
-    boundSubject?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface DeleteIdentityJwtAuthEvent {
-  type: EventType.REVOKE_IDENTITY_JWT_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface GetIdentityJwtAuthEvent {
-  type: EventType.GET_IDENTITY_JWT_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateEnvironmentEvent {
  type: EventType.CREATE_ENVIRONMENT;
  metadata: {
@ -1253,117 +1132,6 @@ interface SecretApprovalRequest {
  };
 }

-interface SignSshKey {
-  type: EventType.SIGN_SSH_KEY;
-  metadata: {
-    certificateTemplateId: string;
-    certType: SshCertType;
-    principals: string[];
-    ttl: string;
-    keyId: string;
-  };
-}
-
-interface IssueSshCreds {
-  type: EventType.ISSUE_SSH_CREDS;
-  metadata: {
-    certificateTemplateId: string;
-    keyAlgorithm: CertKeyAlgorithm;
-    certType: SshCertType;
-    principals: string[];
-    ttl: string;
-    keyId: string;
-  };
-}
-
-interface CreateSshCa {
-  type: EventType.CREATE_SSH_CA;
-  metadata: {
-    sshCaId: string;
-    friendlyName: string;
-  };
-}
-
-interface GetSshCa {
-  type: EventType.GET_SSH_CA;
-  metadata: {
-    sshCaId: string;
-    friendlyName: string;
-  };
-}
-
-interface UpdateSshCa {
-  type: EventType.UPDATE_SSH_CA;
-  metadata: {
-    sshCaId: string;
-    friendlyName: string;
-    status: SshCaStatus;
-  };
-}
-
-interface DeleteSshCa {
-  type: EventType.DELETE_SSH_CA;
-  metadata: {
-    sshCaId: string;
-    friendlyName: string;
-  };
-}
-
-interface GetSshCaCertificateTemplates {
-  type: EventType.GET_SSH_CA_CERTIFICATE_TEMPLATES;
-  metadata: {
-    sshCaId: string;
-    friendlyName: string;
-  };
-}
-
-interface CreateSshCertificateTemplate {
-  type: EventType.CREATE_SSH_CERTIFICATE_TEMPLATE;
-  metadata: {
-    certificateTemplateId: string;
-    sshCaId: string;
-    name: string;
-    ttl: string;
-    maxTTL: string;
-    allowedUsers: string[];
-    allowedHosts: string[];
-    allowUserCertificates: boolean;
-    allowHostCertificates: boolean;
-    allowCustomKeyIds: boolean;
-  };
-}
-
-interface GetSshCertificateTemplate {
-  type: EventType.GET_SSH_CERTIFICATE_TEMPLATE;
-  metadata: {
-    certificateTemplateId: string;
-  };
-}
-
-interface UpdateSshCertificateTemplate {
-  type: EventType.UPDATE_SSH_CERTIFICATE_TEMPLATE;
-  metadata: {
-    certificateTemplateId: string;
-    sshCaId: string;
-    name: string;
-    status: SshCertTemplateStatus;
-    ttl: string;
-    maxTTL: string;
-    allowedUsers: string[];
-    allowedHosts: string[];
-    allowUserCertificates: boolean;
-    allowHostCertificates: boolean;
-    allowCustomKeyIds: boolean;
-  };
-}
-
-interface DeleteSshCertificateTemplate {
-  type: EventType.DELETE_SSH_CERTIFICATE_TEMPLATE;
-  metadata: {
-    certificateTemplateId: string;
-  };
-}
-
 interface CreateCa {
  type: EventType.CREATE_CA;
  metadata: {
@ -1900,149 +1668,6 @@ interface ApplyProjectTemplateEvent {
  };
 }

-interface GetAppConnectionsEvent {
-  type: EventType.GET_APP_CONNECTIONS;
-  metadata: {
-    app?: AppConnection;
-    count: number;
-    connectionIds: string[];
-  };
-}
-
-interface GetAvailableAppConnectionsDetailsEvent {
-  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
-  metadata: {
-    app?: AppConnection;
-    count: number;
-    connectionIds: string[];
-  };
-}
-
-interface GetAppConnectionEvent {
-  type: EventType.GET_APP_CONNECTION;
-  metadata: {
-    connectionId: string;
-  };
-}
-
-interface CreateAppConnectionEvent {
-  type: EventType.CREATE_APP_CONNECTION;
-  metadata: Omit<TCreateAppConnectionDTO, "credentials"> & { connectionId: string };
-}
-
-interface UpdateAppConnectionEvent {
-  type: EventType.UPDATE_APP_CONNECTION;
-  metadata: Omit<TUpdateAppConnectionDTO, "credentials"> & { connectionId: string; credentialsUpdated: boolean };
-}
-
-interface DeleteAppConnectionEvent {
-  type: EventType.DELETE_APP_CONNECTION;
-  metadata: {
-    connectionId: string;
-  };
-}
-
-interface CreateSharedSecretEvent {
-  type: EventType.CREATE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    accessType: string;
-    name?: string;
-    expiresAfterViews?: number;
-    usingPassword: boolean;
-    expiresAt: string;
-  };
-}
-
-interface DeleteSharedSecretEvent {
-  type: EventType.DELETE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-  };
-}
-
-interface ReadSharedSecretEvent {
-  type: EventType.READ_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-    accessType: string;
-  };
-}
-
-interface GetSecretSyncsEvent {
-  type: EventType.GET_SECRET_SYNCS;
-  metadata: {
-    destination?: SecretSync;
-    count: number;
-    syncIds: string[];
-  };
-}
-
-interface GetSecretSyncEvent {
-  type: EventType.GET_SECRET_SYNC;
-  metadata: {
-    destination: SecretSync;
-    syncId: string;
-  };
-}
-
-interface CreateSecretSyncEvent {
-  type: EventType.CREATE_SECRET_SYNC;
-  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
-}
-
-interface UpdateSecretSyncEvent {
-  type: EventType.UPDATE_SECRET_SYNC;
-  metadata: TUpdateSecretSyncDTO;
-}
-
-interface DeleteSecretSyncEvent {
-  type: EventType.DELETE_SECRET_SYNC;
-  metadata: TDeleteSecretSyncDTO;
-}
-
-interface SecretSyncSyncSecretsEvent {
-  type: EventType.SECRET_SYNC_SYNC_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    syncMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
-interface SecretSyncImportSecretsEvent {
-  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    importMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-    importBehavior: SecretSyncImportBehavior;
-  };
-}
-
-interface SecretSyncRemoveSecretsEvent {
-  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
-  metadata: Pick<
-    TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
-  > & {
-    syncId: string;
-    removeMessage: string | null;
-    jobId: string;
-    jobRanAt: Date;
-  };
-}
-
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@ -2055,7 +1680,6 @@ export type Event =
  | DeleteSecretBatchEvent
  | GetWorkspaceKeyEvent
  | AuthorizeIntegrationEvent
-  | UpdateIntegrationAuthEvent
  | UnauthorizeIntegrationEvent
  | CreateIntegrationEvent
  | DeleteIntegrationEvent
@ -2109,11 +1733,6 @@ export type Event =
  | DeleteIdentityOidcAuthEvent
  | UpdateIdentityOidcAuthEvent
  | GetIdentityOidcAuthEvent
-  | LoginIdentityJwtAuthEvent
-  | AddIdentityJwtAuthEvent
-  | UpdateIdentityJwtAuthEvent
-  | GetIdentityJwtAuthEvent
-  | DeleteIdentityJwtAuthEvent
  | CreateEnvironmentEvent
  | GetEnvironmentEvent
  | UpdateEnvironmentEvent
@ -2138,17 +1757,6 @@ export type Event =
  | SecretApprovalClosed
  | SecretApprovalRequest
  | SecretApprovalReopened
-  | SignSshKey
-  | IssueSshCreds
-  | CreateSshCa
-  | GetSshCa
-  | UpdateSshCa
-  | DeleteSshCa
-  | GetSshCaCertificateTemplates
-  | CreateSshCertificateTemplate
-  | UpdateSshCertificateTemplate
-  | GetSshCertificateTemplate
-  | DeleteSshCertificateTemplate
  | CreateCa
  | GetCa
  | UpdateCa
@ -2214,21 +1822,4 @@ export type Event =
  | CreateProjectTemplateEvent
  | UpdateProjectTemplateEvent
  | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent
-  | GetAppConnectionsEvent
-  | GetAvailableAppConnectionsDetailsEvent
-  | GetAppConnectionEvent
-  | CreateAppConnectionEvent
-  | UpdateAppConnectionEvent
-  | DeleteAppConnectionEvent
-  | CreateSharedSecretEvent
-  | DeleteSharedSecretEvent
-  | ReadSharedSecretEvent
-  | GetSecretSyncsEvent
-  | GetSecretSyncEvent
-  | CreateSecretSyncEvent
-  | UpdateSecretSyncEvent
-  | DeleteSecretSyncEvent
-  | SecretSyncSyncSecretsEvent
-  | SecretSyncImportSecretsEvent
-  | SecretSyncRemoveSecretsEvent;
+  | ApplyProjectTemplateEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -67,14 +66,13 @@ export const certificateAuthorityCrlServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: ca.projectId,
+      ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );

    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";

-import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@ -67,14 +67,13 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -113,7 +112,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      })
    ) as object;

-    const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
+    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
    const { maxTTL } = dynamicSecretCfg;
    const expireAt = new Date(new Date().getTime() + ms(selectedTTL));
    if (maxTTL) {
@ -147,14 +146,13 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -189,7 +187,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      })
    ) as object;

-    const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
+    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
    const { maxTTL } = dynamicSecretCfg;
    const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
    if (maxTTL) {
@ -227,14 +225,13 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -297,14 +294,13 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -340,14 +336,13 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@ -73,14 +73,13 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -145,14 +144,13 @@ export const dynamicSecretServiceFactory = ({

    const projectId = project.id;

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -229,14 +227,13 @@ export const dynamicSecretServiceFactory = ({

    const projectId = project.id;

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -290,14 +287,13 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });

    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -341,14 +337,13 @@ export const dynamicSecretServiceFactory = ({
    isInternal
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );

      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
@ -385,14 +380,13 @@ export const dynamicSecretServiceFactory = ({
    search,
    projectId
  }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -434,14 +428,13 @@ export const dynamicSecretServiceFactory = ({
      projectId = project.id;
    }

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -466,14 +459,13 @@ export const dynamicSecretServiceFactory = ({
    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
    actor: OrgServiceActor
  ) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
      projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actor.authMethod,
+      actor.orgId
+    );

    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
      permission.can(
@ -512,14 +504,13 @@ export const dynamicSecretServiceFactory = ({
    ...params
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );

      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
--- a/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
@ -127,7 +127,7 @@ const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: strin
 };

 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 64)();
 };

@ -211,7 +211,7 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
    return { entityId };
  };

-  const renew = async (_inputs: unknown, entityId: string) => {
+  const renew = async (inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts
@ -9,7 +9,7 @@ const MSFT_GRAPH_API_URL = "https://graph.microsoft.com/v1.0/";
 const MSFT_LOGIN_URL = "https://login.microsoftonline.com";

 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 64)();
 };

@ -122,7 +122,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
    return users;
  };

-  const renew = async (_inputs: unknown, entityId: string) => {
+  const renew = async (inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/cassandra.ts
@ -9,7 +9,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";

 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 48)(size);
 };

--- a/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/elastic-search.ts
@ -8,7 +8,7 @@ import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretElasticSearchSchema, ElasticSearchAuthTypes, TDynamicProviderFns } from "./models";

 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 64)();
 };

@ -95,7 +95,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
    return { entityId };
  };

-  const renew = async (_inputs: unknown, entityId: string) => {
+  const renew = async (inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts
@ -8,7 +8,7 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";

 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 48)(size);
 };

--- a/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/mongo-db.ts
@ -8,7 +8,7 @@ import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretMongoDBSchema, TDynamicProviderFns } from "./models";

 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 48)(size);
 };

--- a/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts
@ -11,7 +11,7 @@ import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRabbitMqSchema, TDynamicProviderFns } from "./models";

 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 64)();
 };

@ -141,7 +141,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
    return { entityId };
  };

-  const renew = async (_inputs: unknown, entityId: string) => {
+  const renew = async (inputs: unknown, entityId: string) => {
    // No renewal necessary
    return { entityId };
  };
--- a/backend/src/ee/services/dynamic-secret/providers/redis.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/redis.ts
@ -10,7 +10,7 @@ import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";

 const generatePassword = () => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 64)();
 };

--- a/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/snowflake.ts
@ -12,7 +12,7 @@ import { DynamicSecretSnowflakeSchema, TDynamicProviderFns } from "./models";
 const noop = () => {};

 const generatePassword = (size = 48) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 48)(size);
 };

--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@ -14,7 +14,7 @@ const generatePassword = (provider: SqlProviders) => {
  // oracle has limit of 48 password length
  const size = provider === SqlProviders.Oracle ? 30 : 48;

-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 48)(size);
 };

@ -34,8 +34,6 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {

  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
-
    const db = knex({
      client: providerInputs.client,
      connection: {
@ -45,16 +43,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
        user: providerInputs.username,
        password: providerInputs.password,
        ssl,
-        pool: { min: 0, max: 1 },
-        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
-        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
-        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
-        options: isMsSQLClient
-          ? {
-              trustServerCertificate: !providerInputs.ca,
-              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
-            }
-          : undefined
+        pool: { min: 0, max: 1 }
      },
      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
    });
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@ -1,9 +1,7 @@
-import { KMSServiceException } from "@aws-sdk/client-kms";
-import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";

-import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -22,8 +20,7 @@ import {
  TUpdateExternalKmsDTO
 } from "./external-kms-types";
 import { AwsKmsProviderFactory } from "./providers/aws-kms";
-import { GcpKmsProviderFactory } from "./providers/gcp-kms";
-import { ExternalKmsAwsSchema, ExternalKmsGcpSchema, KmsProviders, TExternalKmsGcpSchema } from "./providers/model";
+import { ExternalKmsAwsSchema, KmsProviders } from "./providers/model";

 type TExternalKmsServiceFactoryDep = {
  externalKmsDAL: TExternalKmsDALFactory;
@ -73,16 +70,7 @@ export const externalKmsServiceFactory = ({
    switch (provider.type) {
      case KmsProviders.Aws:
        {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
-            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
-              throw new InternalServerError({
-                message: error.message ? `AWS error: ${error.message}` : ""
-              });
-            }
-
-            throw error;
-          });
-
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
          // if missing kms key this generate a new kms key id and returns new provider input
          const newProviderInput = await externalKms.generateInputKmsKey();
          sanitizedProviderInput = JSON.stringify(newProviderInput);
@ -90,13 +78,6 @@ export const externalKmsServiceFactory = ({
          await externalKms.validateConnection();
        }
        break;
-      case KmsProviders.Gcp:
-        {
-          const externalKms = await GcpKmsProviderFactory({ inputs: provider.inputs });
-          await externalKms.validateConnection();
-          sanitizedProviderInput = JSON.stringify(provider.inputs);
-        }
-        break;
      default:
        throw new BadRequestError({ message: "external kms provided is invalid" });
    }
@ -107,7 +88,7 @@ export const externalKmsServiceFactory = ({
    });

    const { cipherTextBlob: encryptedProviderInputs } = orgDataKeyEncryptor({
-      plainText: Buffer.from(sanitizedProviderInput)
+      plainText: Buffer.from(sanitizedProviderInput, "utf8")
    });

    const externalKms = await externalKmsDAL.transaction(async (tx) => {
@ -181,7 +162,7 @@ export const externalKmsServiceFactory = ({
        case KmsProviders.Aws:
          {
            const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
-              JSON.parse(decryptedProviderInputBlob.toString())
+              JSON.parse(decryptedProviderInputBlob.toString("utf8"))
            );
            const updatedProviderInput = { ...decryptedProviderInput, ...provider.inputs };
            const externalKms = await AwsKmsProviderFactory({ inputs: updatedProviderInput });
@ -189,17 +170,6 @@ export const externalKmsServiceFactory = ({
            sanitizedProviderInput = JSON.stringify(updatedProviderInput);
          }
          break;
-        case KmsProviders.Gcp:
-          {
-            const decryptedProviderInput = await ExternalKmsGcpSchema.parseAsync(
-              JSON.parse(decryptedProviderInputBlob.toString())
-            );
-            const updatedProviderInput = { ...decryptedProviderInput, ...provider.inputs };
-            const externalKms = await GcpKmsProviderFactory({ inputs: updatedProviderInput });
-            await externalKms.validateConnection();
-            sanitizedProviderInput = JSON.stringify(updatedProviderInput);
-          }
-          break;
        default:
          throw new BadRequestError({ message: "external kms provided is invalid" });
      }
@ -208,7 +178,7 @@ export const externalKmsServiceFactory = ({
    let encryptedProviderInputs: Buffer | undefined;
    if (sanitizedProviderInput) {
      const { cipherTextBlob } = orgDataKeyEncryptor({
-        plainText: Buffer.from(sanitizedProviderInput)
+        plainText: Buffer.from(sanitizedProviderInput, "utf8")
      });
      encryptedProviderInputs = cipherTextBlob;
    }
@ -301,17 +271,10 @@ export const externalKmsServiceFactory = ({
    switch (externalKmsDoc.provider) {
      case KmsProviders.Aws: {
        const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
-          JSON.parse(decryptedProviderInputBlob.toString())
+          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
        );
        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
      }
-      case KmsProviders.Gcp: {
-        const decryptedProviderInput = await ExternalKmsGcpSchema.parseAsync(
-          JSON.parse(decryptedProviderInputBlob.toString())
-        );
-
-        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
-      }
      default:
        throw new BadRequestError({ message: "external kms provided is invalid" });
    }
@ -349,34 +312,21 @@ export const externalKmsServiceFactory = ({
    switch (externalKmsDoc.provider) {
      case KmsProviders.Aws: {
        const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
-          JSON.parse(decryptedProviderInputBlob.toString())
+          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
        );
        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
      }
-      case KmsProviders.Gcp: {
-        const decryptedProviderInput = await ExternalKmsGcpSchema.parseAsync(
-          JSON.parse(decryptedProviderInputBlob.toString())
-        );
-
-        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
-      }
      default:
        throw new BadRequestError({ message: "external kms provided is invalid" });
    }
  };

-  const fetchGcpKeys = async ({ credential, gcpRegion }: Pick<TExternalKmsGcpSchema, "credential" | "gcpRegion">) => {
-    const externalKms = await GcpKmsProviderFactory({ inputs: { credential, gcpRegion, keyName: "" } });
-    return externalKms.getKeysList();
-  };
-
  return {
    create,
    updateById,
    deleteById,
    list,
    findById,
-    findByName,
-    fetchGcpKeys
+    findByName
  };
 };
--- a/backend/src/ee/services/external-kms/providers/gcp-kms.ts
+++ b/backend/src/ee/services/external-kms/providers/gcp-kms.ts
@ -1,113 +0,0 @@
-import { KeyManagementServiceClient } from "@google-cloud/kms";
-
-import { BadRequestError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
-
-import { ExternalKmsGcpSchema, TExternalKmsGcpClientSchema, TExternalKmsProviderFns } from "./model";
-
-const getGcpKmsClient = async ({ credential, gcpRegion }: TExternalKmsGcpClientSchema) => {
-  const gcpKmsClient = new KeyManagementServiceClient({
-    credentials: credential
-  });
-  const projectId = credential.project_id;
-  const locationName = gcpKmsClient.locationPath(projectId, gcpRegion);
-
-  return {
-    gcpKmsClient,
-    locationName
-  };
-};
-
-type GcpKmsProviderArgs = {
-  inputs: unknown;
-};
-type TGcpKmsProviderFactoryReturn = TExternalKmsProviderFns & {
-  getKeysList: () => Promise<{ keys: string[] }>;
-};
-
-export const GcpKmsProviderFactory = async ({ inputs }: GcpKmsProviderArgs): Promise<TGcpKmsProviderFactoryReturn> => {
-  const { credential, gcpRegion, keyName } = await ExternalKmsGcpSchema.parseAsync(inputs);
-  const { gcpKmsClient, locationName } = await getGcpKmsClient({
-    credential,
-    gcpRegion
-  });
-
-  const validateConnection = async () => {
-    try {
-      await gcpKmsClient.listKeyRings({
-        parent: locationName
-      });
-      return true;
-    } catch (error) {
-      throw new BadRequestError({
-        message: "Cannot connect to GCP KMS"
-      });
-    }
-  };
-
-  // Used when adding the KMS to fetch the list of keys in specified region
-  const getKeysList = async () => {
-    try {
-      const [keyRings] = await gcpKmsClient.listKeyRings({
-        parent: locationName
-      });
-
-      const validKeyRings = keyRings
-        .filter(
-          (keyRing): keyRing is { name: string } =>
-            keyRing !== null && typeof keyRing === "object" && "name" in keyRing && typeof keyRing.name === "string"
-        )
-        .map((keyRing) => keyRing.name);
-      const keyList: string[] = [];
-      const keyListPromises = validKeyRings.map((keyRingName) =>
-        gcpKmsClient
-          .listCryptoKeys({
-            parent: keyRingName
-          })
-          .then(([cryptoKeys]) =>
-            cryptoKeys
-              .filter(
-                (key): key is { name: string } =>
-                  key !== null && typeof key === "object" && "name" in key && typeof key.name === "string"
-              )
-              .map((key) => key.name)
-          )
-      );
-
-      const cryptoKeyLists = await Promise.all(keyListPromises);
-      keyList.push(...cryptoKeyLists.flat());
-      return { keys: keyList };
-    } catch (error) {
-      logger.error(error, "Could not validate GCP KMS connection and credentials");
-      throw new BadRequestError({
-        message: "Could not validate GCP KMS connection and credentials",
-        error
-      });
-    }
-  };
-
-  const encrypt = async (data: Buffer) => {
-    const encryptedText = await gcpKmsClient.encrypt({
-      name: keyName,
-      plaintext: data
-    });
-    if (!encryptedText[0].ciphertext) throw new Error("encryption failed");
-    return { encryptedBlob: Buffer.from(encryptedText[0].ciphertext) };
-  };
-
-  const decrypt = async (encryptedBlob: Buffer) => {
-    const decryptedText = await gcpKmsClient.decrypt({
-      name: keyName,
-      ciphertext: encryptedBlob
-    });
-    if (!decryptedText[0].plaintext) throw new Error("decryption failed");
-    return { data: Buffer.from(decryptedText[0].plaintext) };
-  };
-
-  return {
-    validateConnection,
-    getKeysList,
-    encrypt,
-    decrypt
-  };
-};
--- a/backend/src/ee/services/external-kms/providers/model.ts
+++ b/backend/src/ee/services/external-kms/providers/model.ts
@ -1,23 +1,13 @@
 import { z } from "zod";

 export enum KmsProviders {
-  Aws = "aws",
-  Gcp = "gcp"
+  Aws = "aws"
 }

 export enum KmsAwsCredentialType {
  AssumeRole = "assume-role",
  AccessKey = "access-key"
 }
-// Google uses snake_case for their enum values and we need to match that
-export enum KmsGcpCredentialType {
-  ServiceAccount = "service_account"
-}
-
-export enum KmsGcpKeyFetchAuthType {
-  Credential = "credential",
-  Kms = "kmsId"
-}

 export const ExternalKmsAwsSchema = z.object({
  credential: z
@ -52,44 +42,14 @@ export const ExternalKmsAwsSchema = z.object({
 });
 export type TExternalKmsAwsSchema = z.infer<typeof ExternalKmsAwsSchema>;

-export const ExternalKmsGcpCredentialSchema = z.object({
-  type: z.literal(KmsGcpCredentialType.ServiceAccount),
-  project_id: z.string().min(1),
-  private_key_id: z.string().min(1),
-  private_key: z.string().min(1),
-  client_email: z.string().min(1),
-  client_id: z.string().min(1),
-  auth_uri: z.string().min(1),
-  token_uri: z.string().min(1),
-  auth_provider_x509_cert_url: z.string().min(1),
-  client_x509_cert_url: z.string().min(1),
-  universe_domain: z.string().min(1)
-});
-
-export type TExternalKmsGcpCredentialSchema = z.infer<typeof ExternalKmsGcpCredentialSchema>;
-
-export const ExternalKmsGcpSchema = z.object({
-  credential: ExternalKmsGcpCredentialSchema.describe("GCP Service Account JSON credential to connect"),
-  gcpRegion: z.string().trim().describe("GCP region where the KMS key is located"),
-  keyName: z.string().trim().describe("GCP key name")
-});
-export type TExternalKmsGcpSchema = z.infer<typeof ExternalKmsGcpSchema>;
-
-const ExternalKmsGcpClientSchema = ExternalKmsGcpSchema.pick({ gcpRegion: true }).extend({
-  credential: ExternalKmsGcpCredentialSchema
-});
-export type TExternalKmsGcpClientSchema = z.infer<typeof ExternalKmsGcpClientSchema>;
-
 // The root schema of the JSON
 export const ExternalKmsInputSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema }),
-  z.object({ type: z.literal(KmsProviders.Gcp), inputs: ExternalKmsGcpSchema })
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema })
 ]);
 export type TExternalKmsInputSchema = z.infer<typeof ExternalKmsInputSchema>;

 export const ExternalKmsInputUpdateSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema.partial() }),
-  z.object({ type: z.literal(KmsProviders.Gcp), inputs: ExternalKmsGcpSchema.partial() })
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema.partial() })
 ]);
 export type TExternalKmsInputUpdateSchema = z.infer<typeof ExternalKmsInputUpdateSchema>;

--- a/backend/src/ee/services/group/group-dal.ts
+++ b/backend/src/ee/services/group/group-dal.ts
@ -5,8 +5,6 @@ import { TableName, TGroups } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";

-import { EFilterReturnedUsers } from "./group-types";
-
 export type TGroupDALFactory = ReturnType<typeof groupDALFactory>;

 export const groupDALFactory = (db: TDbClient) => {
@ -68,8 +66,7 @@ export const groupDALFactory = (db: TDbClient) => {
    offset = 0,
    limit,
    username, // depreciated in favor of search
-    search,
-    filter
+    search
  }: {
    orgId: string;
    groupId: string;
@ -77,7 +74,6 @@ export const groupDALFactory = (db: TDbClient) => {
    limit?: number;
    username?: string;
    search?: string;
-    filter?: EFilterReturnedUsers;
  }) => {
    try {
      const query = db
@ -94,7 +90,6 @@ export const groupDALFactory = (db: TDbClient) => {
        .select(
          db.ref("id").withSchema(TableName.OrgMembership),
          db.ref("groupId").withSchema(TableName.UserGroupMembership),
-          db.ref("createdAt").withSchema(TableName.UserGroupMembership).as("joinedGroupAt"),
          db.ref("email").withSchema(TableName.Users),
          db.ref("username").withSchema(TableName.Users),
          db.ref("firstName").withSchema(TableName.Users),
@ -116,37 +111,17 @@ export const groupDALFactory = (db: TDbClient) => {
        void query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
      }

-      switch (filter) {
-        case EFilterReturnedUsers.EXISTING_MEMBERS:
-          void query.andWhere(`${TableName.UserGroupMembership}.createdAt`, "is not", null);
-          break;
-        case EFilterReturnedUsers.NON_MEMBERS:
-          void query.andWhere(`${TableName.UserGroupMembership}.createdAt`, "is", null);
-          break;
-        default:
-          break;
-      }
-
      const members = await query;

      return {
        members: members.map(
-          ({
-            email,
-            username: memberUsername,
-            firstName,
-            lastName,
-            userId,
-            groupId: memberGroupId,
-            joinedGroupAt
-          }) => ({
+          ({ email, username: memberUsername, firstName, lastName, userId, groupId: memberGroupId }) => ({
            id: userId,
            email,
            username: memberUsername,
            firstName,
            lastName,
-            isPartOfGroup: !!memberGroupId,
-            joinedGroupAt
+            isPartOfGroup: !!memberGroupId
          })
        ),
        // @ts-expect-error col select is raw and not strongly typed
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@ -32,7 +32,7 @@ type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
  groupDAL: Pick<
    TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@ -88,26 +88,12 @@ export const groupServiceFactory = ({
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });

-    const group = await groupDAL.transaction(async (tx) => {
-      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      if (existingGroup) {
-        throw new BadRequestError({
-          message: `Failed to create group with name '${name}'. Group with the same name already exists`
-        });
-      }
-
-      const newGroup = await groupDAL.create(
-        {
-          name,
-          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
-          orgId: actorOrgId,
-          role: isCustomRole ? OrgMembershipRole.Custom : role,
-          roleId: customRole?.id
-        },
-        tx
-      );
-
-      return newGroup;
+    const group = await groupDAL.create({
+      name,
+      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      orgId: actorOrgId,
+      role: isCustomRole ? OrgMembershipRole.Custom : role,
+      roleId: customRole?.id
    });

    return group;
@ -159,36 +145,21 @@ export const groupServiceFactory = ({
      if (isCustomRole) customRole = customOrgRole;
    }

-    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      if (name) {
-        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-
-        if (existingGroup && existingGroup.id !== id) {
-          throw new BadRequestError({
-            message: `Failed to update group with name '${name}'. Group with the same name already exists`
-          });
-        }
+    const [updatedGroup] = await groupDAL.update(
+      {
+        id: group.id
+      },
+      {
+        name,
+        slug: slug ? slugify(slug) : undefined,
+        ...(role
+          ? {
+              role: customRole ? OrgMembershipRole.Custom : role,
+              roleId: customRole?.id ?? null
+            }
+          : {})
      }
-
-      const [updated] = await groupDAL.update(
-        {
-          id: group.id
-        },
-        {
-          name,
-          slug: slug ? slugify(slug) : undefined,
-          ...(role
-            ? {
-                role: customRole ? OrgMembershipRole.Custom : role,
-                roleId: customRole?.id ?? null
-              }
-            : {})
-        },
-        tx
-      );
-
-      return updated;
-    });
+    );

    return updatedGroup;
  };
@ -251,8 +222,7 @@ export const groupServiceFactory = ({
    actorId,
    actorAuthMethod,
    actorOrgId,
-    search,
-    filter
+    search
  }: TListGroupUsersDTO) => {
    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });

@ -281,8 +251,7 @@ export const groupServiceFactory = ({
      offset,
      limit,
      username,
-      search,
-      filter
+      search
    });

    return { users: members, totalCount };
@ -314,8 +283,8 @@ export const groupServiceFactory = ({
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);

    // check if user has broader or equal to privileges than group
-    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
-    if (!hasRequiredPrivileges)
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });

    const user = await userDAL.findOne({ username });
@ -369,8 +338,8 @@ export const groupServiceFactory = ({
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);

    // check if user has broader or equal to privileges than group
-    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
-    if (!hasRequiredPrivileges)
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });

    const user = await userDAL.findOne({ username });
--- a/backend/src/ee/services/group/group-types.ts
+++ b/backend/src/ee/services/group/group-types.ts
@ -39,7 +39,6 @@ export type TListGroupUsersDTO = {
  limit: number;
  username?: string;
  search?: string;
-  filter?: EFilterReturnedUsers;
 } & TGenericPermission;

 export type TAddUserToGroupDTO = {
@ -102,8 +101,3 @@ export type TConvertPendingGroupAdditionsToGroupMemberships = {
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
  tx?: Knex;
 };
-
-export enum EFilterReturnedUsers {
-  EXISTING_MEMBERS = "existingMembers",
-  NON_MEMBERS = "nonMembers"
-}
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@ -1,8 +1,8 @@
-import { ForbiddenError, subject } from "@casl/ability";
+import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";

-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
@ -55,26 +55,21 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Identity, { identityId })
+      actorOrgId
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -137,26 +132,21 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
+      actorOrgId
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -219,26 +209,21 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
+      actorOrgId
    );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@ -266,18 +251,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
+      actorOrgId
    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);

    return {
      ...identityPrivilege,
@ -301,18 +282,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
+      actorOrgId
    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);

    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
      slug,
@ -337,18 +314,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
+      actorOrgId
    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);

    const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find(
      {
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -1,8 +1,7 @@
-import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
+import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";

-import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@ -63,27 +62,21 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Identity, { identityId })
+      actorOrgId
    );
-
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -146,28 +139,22 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Identity, { identityId })
+      actorOrgId
    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);

-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );

    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -247,27 +234,21 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });

-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Identity, { identityId })
+      actorOrgId
    );
-
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@ -306,18 +287,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Identity, { identityId })
+      actorOrgId
    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);

    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
      slug,
@ -349,19 +326,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Identity, { identityId })
+      actorOrgId
    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);

    const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find({
      projectMembershipId: identityProjectMembership.id
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -476,14 +476,14 @@ export const ldapConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
        });
      }

-      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@ -24,7 +24,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  rbac: false,
  customRateLimits: false,
  customAlerts: false,
-  secretAccessInsights: false,
  auditLogs: false,
  auditLogsRetentionDays: 0,
  auditLogStreams: false,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -246,7 +246,8 @@ export const licenseServiceFactory = ({
  };

  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const plan = await getPlan(orgId, projectId);
    return plan;
  };
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -48,7 +48,6 @@ export type TFeatureSet = {
  samlSSO: false;
  hsm: false;
  oidcSSO: false;
-  secretAccessInsights: false;
  scim: false;
  ldap: false;
  groups: false;
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@ -1,12 +1,4 @@
-import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
-import { z } from "zod";
-
-import {
-  CASL_ACTION_SCHEMA_ENUM,
-  CASL_ACTION_SCHEMA_NATIVE_ENUM
-} from "@app/ee/services/permission/permission-schemas";
-import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
-import { PermissionConditionOperators } from "@app/lib/casl";
+import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";

 export enum OrgPermissionActions {
  Read = "read",
@ -15,14 +7,6 @@ export enum OrgPermissionActions {
  Delete = "delete"
 }

-export enum OrgPermissionAppConnectionActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  Connect = "connect"
-}
-
 export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }
@ -43,15 +27,11 @@ export enum OrgPermissionSubjects {
  Kms = "kms",
  AdminConsole = "organization-admin-console",
  AuditLogs = "audit-logs",
-  ProjectTemplates = "project-templates",
-  AppConnections = "app-connections"
+  ProjectTemplates = "project-templates"
 }

-export type AppConnectionSubjectFields = {
-  connectionId: string;
-};
-
 export type OrgPermissionSet =
+  | [OrgPermissionActions.Read, OrgPermissionSubjects.Workspace]
  | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
  | [OrgPermissionActions, OrgPermissionSubjects.Role]
  | [OrgPermissionActions, OrgPermissionSubjects.Member]
@ -67,112 +47,12 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
-  | [
-      OrgPermissionAppConnectionActions,
-      (
-        | OrgPermissionSubjects.AppConnections
-        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
-      )
-    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];

-const AppConnectionConditionSchema = z
-  .object({
-    connectionId: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
-        })
-        .partial()
-    ])
-  })
-  .partial();
-
-export const OrgPermissionSchema = z.discriminatedUnion("subject", [
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
-    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
-      "Describe what action an entity can take."
-    ),
-    conditions: AppConnectionConditionSchema.describe(
-      "When specified, only matching conditions will be allowed to access given resource."
-    ).optional()
-  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
-      "Describe what action an entity can take."
-    )
-  })
-]);
-
 const buildAdminPermission = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
  // ws permissions
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
  // role permission
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
@ -245,12 +125,6 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);

-  can(OrgPermissionAppConnectionActions.Read, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Create, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Edit, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
-
  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);

  return rules;
@ -261,6 +135,7 @@ export const orgAdminPermissions = buildAdminPermission();
 const buildMemberPermission = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
@ -281,8 +156,6 @@ const buildMemberPermission = () => {

  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);

-  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
-
  return rules;
 };

--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -125,404 +125,6 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };

-  const getProjectGroupPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.GroupProjectMembership)
-        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
-        .join(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
-        .select(
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Groups).as("groupId"),
-          db.ref("name").withSchema(TableName.Groups).as("groupName"),
-          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
-        );
-
-      const groupPermissions = sqlNestRelationships({
-        data: docs,
-        key: "groupId",
-        parentMapper: ({ groupId, groupName, membershipId }) => ({
-          groupId,
-          username: groupName,
-          id: membershipId
-        }),
-        childrenMapper: [
-          {
-            key: "groupProjectMembershipRoleId",
-            label: "groupRoles" as const,
-            mapper: ({
-              groupProjectMembershipRoleId,
-              groupProjectMembershipRole,
-              groupProjectMembershipRolePermission,
-              groupProjectMembershipRoleCustomRoleSlug,
-              groupProjectMembershipRoleIsTemporary,
-              groupProjectMembershipRoleTemporaryMode,
-              groupProjectMembershipRoleTemporaryAccessEndTime,
-              groupProjectMembershipRoleTemporaryAccessStartTime,
-              groupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: groupProjectMembershipRoleId,
-              role: groupProjectMembershipRole,
-              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
-              permissions: groupProjectMembershipRolePermission,
-              temporaryRange: groupProjectMembershipRoleTemporaryRange,
-              temporaryMode: groupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: groupProjectMembershipRoleIsTemporary
-            })
-          }
-        ]
-      });
-
-      return groupPermissions
-        .map((groupPermission) => {
-          if (!groupPermission) return undefined;
-
-          const activeGroupRoles =
-            groupPermission?.groupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...groupPermission,
-            roles: activeGroupRoles
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
-    }
-  };
-
-  const getProjectUserPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.Users)
-        .where("isGhost", "=", false)
-        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
-          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
-        })
-        .leftJoin(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .join(TableName.ProjectMembership, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
-        })
-        .leftJoin(
-          TableName.ProjectUserMembershipRole,
-          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
-          `${TableName.ProjectMembership}.id`
-        )
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.ProjectUserMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
-        })
-        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
-            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .select(
-          db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("username").withSchema(TableName.Users).as("username"),
-          // groups specific
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
-          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
-          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
-          // user specific
-          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
-          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
-          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
-          db
-            .ref("permissions")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryRange"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
-          // general
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
-
-      const userPermissions = sqlNestRelationships({
-        data: docs,
-        key: "userId",
-        parentMapper: ({
-          orgId,
-          username,
-          orgAuthEnforced,
-          membershipId,
-          groupMembershipId,
-          membershipCreatedAt,
-          groupMembershipCreatedAt,
-          groupMembershipUpdatedAt,
-          membershipUpdatedAt,
-          projectType,
-          userId
-        }) => ({
-          orgId,
-          orgAuthEnforced,
-          userId,
-          projectId,
-          username,
-          projectType,
-          id: membershipId || groupMembershipId,
-          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
-          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
-        }),
-        childrenMapper: [
-          {
-            key: "userGroupProjectMembershipRoleId",
-            label: "userGroupRoles" as const,
-            mapper: ({
-              userGroupProjectMembershipRoleId,
-              userGroupProjectMembershipRole,
-              userGroupProjectMembershipRolePermission,
-              userGroupProjectMembershipRoleCustomRoleSlug,
-              userGroupProjectMembershipRoleIsTemporary,
-              userGroupProjectMembershipRoleTemporaryMode,
-              userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              userGroupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: userGroupProjectMembershipRoleId,
-              role: userGroupProjectMembershipRole,
-              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
-              permissions: userGroupProjectMembershipRolePermission,
-              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
-              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userGroupProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userProjectMembershipRoleId",
-            label: "projectMembershipRoles" as const,
-            mapper: ({
-              userProjectMembershipRoleId,
-              userProjectMembershipRole,
-              userProjectCustomRolePermission,
-              userProjectMembershipRoleIsTemporary,
-              userProjectMembershipRoleTemporaryMode,
-              userProjectMembershipRoleTemporaryRange,
-              userProjectMembershipRoleTemporaryAccessEndTime,
-              userProjectMembershipRoleTemporaryAccessStartTime,
-              userProjectMembershipRoleCustomRoleSlug
-            }) => ({
-              id: userProjectMembershipRoleId,
-              role: userProjectMembershipRole,
-              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
-              permissions: userProjectCustomRolePermission,
-              temporaryRange: userProjectMembershipRoleTemporaryRange,
-              temporaryMode: userProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userAdditionalPrivilegesId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              userAdditionalPrivilegesId,
-              userAdditionalPrivilegesPermissions,
-              userAdditionalPrivilegesIsTemporary,
-              userAdditionalPrivilegesTemporaryMode,
-              userAdditionalPrivilegesTemporaryRange,
-              userAdditionalPrivilegesTemporaryAccessEndTime,
-              userAdditionalPrivilegesTemporaryAccessStartTime
-            }) => ({
-              id: userAdditionalPrivilegesId,
-              permissions: userAdditionalPrivilegesPermissions,
-              temporaryRange: userAdditionalPrivilegesTemporaryRange,
-              temporaryMode: userAdditionalPrivilegesTemporaryMode,
-              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
-              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
-              isTemporary: userAdditionalPrivilegesIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return userPermissions
-        .map((userPermission) => {
-          if (!userPermission) return undefined;
-          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
-
-          // when introducting cron mode change it here
-          const activeRoles =
-            userPermission?.projectMembershipRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeGroupRoles =
-            userPermission?.userGroupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeAdditionalPrivileges =
-            userPermission?.additionalPrivileges?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...userPermission,
-            roles: [...activeRoles, ...activeGroupRoles],
-            additionalPrivileges: activeAdditionalPrivileges
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
-    }
-  };
-
  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
      const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@ -667,7 +269,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
          db.ref("id").withSchema(TableName.Project).as("projectId")
        );

@ -683,15 +284,13 @@ export const permissionDALFactory = (db: TDbClient) => {
          membershipCreatedAt,
          groupMembershipCreatedAt,
          groupMembershipUpdatedAt,
-          membershipUpdatedAt,
-          projectType
+          membershipUpdatedAt
        }) => ({
          orgId,
          orgAuthEnforced,
          userId,
          projectId,
          username,
-          projectType,
          id: membershipId || groupMembershipId,
          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
@ -812,163 +411,6 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };

-  const getProjectIdentityPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.IdentityProjectMembership)
-        .join(
-          TableName.IdentityProjectMembershipRole,
-          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(
-          TableName.IdentityProjectAdditionalPrivilege,
-          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(
-          // Join the Project table to later select orgId
-          TableName.Project,
-          `${TableName.IdentityProjectMembership}.projectId`,
-          `${TableName.Project}.id`
-        )
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
-            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Identity).as("identityId"),
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
-          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
-        );
-
-      const permissions = sqlNestRelationships({
-        data: docs,
-        key: "identityId",
-        parentMapper: ({
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          orgId,
-          identityName,
-          projectType,
-          identityId
-        }) => ({
-          id: membershipId,
-          identityId,
-          username: identityName,
-          projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt,
-          orgId,
-          projectType,
-          // just a prefilled value
-          orgAuthEnforced: false
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              IdentityProjectMembershipRoleSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
-          },
-          {
-            key: "identityApId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              identityApId,
-              identityApPermissions,
-              identityApIsTemporary,
-              identityApTemporaryMode,
-              identityApTemporaryRange,
-              identityApTemporaryAccessEndTime,
-              identityApTemporaryAccessStartTime
-            }) => ({
-              id: identityApId,
-              permissions: identityApPermissions,
-              temporaryRange: identityApTemporaryRange,
-              temporaryMode: identityApTemporaryMode,
-              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
-              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
-              isTemporary: identityApIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return permissions
-        .map((permission) => {
-          if (!permission) {
-            return undefined;
-          }
-
-          // when introducting cron mode change it here
-          const activeRoles = permission?.roles.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-
-          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
-    }
-  };
-
  const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
    try {
      const docs = await db
@ -1007,7 +449,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
          db.ref("name").withSchema(TableName.Identity).as("identityName"),
          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
@ -1039,14 +480,7 @@ export const permissionDALFactory = (db: TDbClient) => {
      const permission = sqlNestRelationships({
        data: docs,
        key: "membershipId",
-        parentMapper: ({
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          orgId,
-          identityName,
-          projectType
-        }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId, identityName }) => ({
          id: membershipId,
          identityId,
          username: identityName,
@ -1054,7 +488,6 @@ export const permissionDALFactory = (db: TDbClient) => {
          createdAt: membershipCreatedAt,
          updatedAt: membershipUpdatedAt,
          orgId,
-          projectType,
          // just a prefilled value
          orgAuthEnforced: false
        }),
@ -1123,9 +556,6 @@ export const permissionDALFactory = (db: TDbClient) => {
    getOrgPermission,
    getOrgIdentityPermission,
    getProjectPermission,
-    getProjectIdentityPermission,
-    getProjectUserPermissions,
-    getProjectIdentityPermissions,
-    getProjectGroupPermissions
+    getProjectIdentityPermission
  };
 };
--- a/backend/src/ee/services/permission/permission-schemas.ts
+++ b/backend/src/ee/services/permission/permission-schemas.ts
@ -1,9 +0,0 @@
-import { z } from "zod";
-
-export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  z
-    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-    .transform((el) => (typeof el === "string" ? [el] : el));
-
-export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@ -1,6 +1,3 @@
-import { ActionProjectType } from "@app/db/schemas";
-import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-
 export type TBuildProjectPermissionDTO = {
  permissions?: unknown;
  role: string;
@ -10,34 +7,3 @@ export type TBuildOrgPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
-
-export type TGetUserProjectPermissionArg = {
-  userId: string;
-  projectId: string;
-  authMethod: ActorAuthMethod;
-  actionProjectType: ActionProjectType;
-  userOrgId?: string;
-};
-
-export type TGetIdentityProjectPermissionArg = {
-  identityId: string;
-  projectId: string;
-  identityOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
-
-export type TGetServiceTokenProjectPermissionArg = {
-  serviceTokenId: string;
-  projectId: string;
-  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
-
-export type TGetProjectPermissionArg = {
-  actor: ActorType;
-  actorId: string;
-  projectId: string;
-  actorAuthMethod: ActorAuthMethod;
-  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -4,7 +4,6 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";

 import {
-  ActionProjectType,
  OrgMembershipRole,
  ProjectMembershipRole,
  ServiceTokenScopes,
@ -23,14 +22,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
-import {
-  TBuildOrgPermissionDTO,
-  TBuildProjectPermissionDTO,
-  TGetIdentityProjectPermissionArg,
-  TGetProjectPermissionArg,
-  TGetServiceTokenProjectPermissionArg,
-  TGetUserProjectPermissionArg
-} from "./permission-service-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@ -200,13 +192,12 @@ export const permissionServiceFactory = ({
  };

  // user permission for a project in an organization
-  const getUserProjectPermission = async ({
-    userId,
-    projectId,
-    authMethod,
-    userOrgId,
-    actionProjectType
-  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
+  const getUserProjectPermission = async (
+    userId: string,
+    projectId: string,
+    authMethod: ActorAuthMethod,
+    userOrgId?: string
+  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });

@ -227,12 +218,6 @@ export const permissionServiceFactory = ({

    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);

-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -277,12 +262,11 @@ export const permissionServiceFactory = ({
    };
  };

-  const getIdentityProjectPermission = async ({
-    identityId,
-    projectId,
-    identityOrgId,
-    actionProjectType
-  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+  const getIdentityProjectPermission = async (
+    identityId: string,
+    projectId: string,
+    identityOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission)
      throw new ForbiddenRequestError({
@ -301,12 +285,6 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }

-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
    const rolePermissions =
      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -352,12 +330,11 @@ export const permissionServiceFactory = ({
    };
  };

-  const getServiceTokenProjectPermission = async ({
-    serviceTokenId,
-    projectId,
-    actorOrgId,
-    actionProjectType
-  }: TGetServiceTokenProjectPermissionArg) => {
+  const getServiceTokenProjectPermission = async (
+    serviceTokenId: string,
+    projectId: string,
+    actorOrgId: string | undefined
+  ) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });

@ -381,12 +358,6 @@ export const permissionServiceFactory = ({
      });
    }

-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
-      throw new BadRequestError({
-        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@ -410,154 +381,20 @@ export const permissionServiceFactory = ({
        hasRole: (role: string) => boolean;
      };

-  const getProjectPermissions = async (projectId: string) => {
-    // fetch user permissions
-    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
-    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
-      const rolePermissions =
-        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          userProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: userProjectPermission.userId,
-            username: userProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: userProjectPermission.userId,
-        name: userProjectPermission.username,
-        membershipId: userProjectPermission.id
-      };
-    });
-
-    // fetch identity permissions
-    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
-    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
-      const rolePermissions =
-        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          identityProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: identityProjectPermission.identityId,
-            username: identityProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: identityProjectPermission.identityId,
-        name: identityProjectPermission.username,
-        membershipId: identityProjectPermission.id
-      };
-    });
-
-    // fetch group permissions
-    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
-    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
-      const rolePermissions =
-        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const rules = buildProjectPermissionRules(rolePermissions);
-      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
-        conditionsMatcher
-      });
-
-      return {
-        permission,
-        id: groupProjectPermission.groupId,
-        name: groupProjectPermission.username,
-        membershipId: groupProjectPermission.id
-      };
-    });
-
-    return {
-      userPermissions,
-      identityPermissions,
-      groupPermissions
-    };
-  };
-
-  const getProjectPermission = async <T extends ActorType>({
-    actor,
-    actorId,
-    projectId,
-    actorAuthMethod,
-    actorOrgId,
-    actionProjectType
-  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
-    switch (actor) {
+  const getProjectPermission = async <T extends ActorType>(
+    type: T,
+    id: string,
+    projectId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<T>> => {
+    switch (type) {
      case ActorType.USER:
-        return getUserProjectPermission({
-          userId: actorId,
-          projectId,
-          authMethod: actorAuthMethod,
-          userOrgId: actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission({
-          serviceTokenId: actorId,
-          projectId,
-          actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission({
-          identityId: actorId,
-          projectId,
-          identityOrgId: actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new BadRequestError({
          message: "Invalid actor provided",
@ -594,7 +431,6 @@ export const permissionServiceFactory = ({
    getOrgPermission,
    getUserProjectPermission,
    getProjectPermission,
-    getProjectPermissions,
    getOrgPermissionByRole,
    getProjectPermissionByRole,
    buildOrgPermission,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
McPizza0	0b1f4f0e2a	fix requested changes	2024-11-26 16:35:12 +01:00
McPizza0	b4485a2a57	improvement: Slug Validation Errors	2024-11-26 16:35:11 +01:00