Merge pull request #3362 from Infisical/misc/add-dev-setup-for-fips

feat: Fix pgadmin in dev

.github/workflows/release_docker_k8_operator.yaml

@@ -4,6 +4,10 @@ on:
         tags:
             - "infisical-k8-operator/v*.*.*"
 
+permissions:
+    contents: write
+    pull-requests: write
+
 jobs:
     release-image:
         name: Generate Helm Chart PR

.infisicalignore

@@ -12,3 +12,5 @@ docs/cli/commands/bootstrap.mdx:jwt:86
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:102
 docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
 frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
+k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
+k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52

backend/Dockerfile.dev.fips

@@ -0,0 +1,85 @@
+FROM node:20-slim
+
+# ? Setup a test SoftHSM module. In production a real HSM is used.
+
+ARG SOFTHSM2_VERSION=2.5.0
+
+ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
+    SOFTHSM2_SOURCES=/tmp/softhsm2
+
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config \
+    perl \
+    wget
+
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Build and install SoftHSM2
+RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
+WORKDIR ${SOFTHSM2_SOURCES}
+
+RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
+    && sh autogen.sh \
+    && ./configure --prefix=/usr/local --disable-gost \
+    && make \
+    && make install
+
+WORKDIR /root
+RUN rm -fr ${SOFTHSM2_SOURCES}
+
+# Install pkcs11-tool
+RUN apt-get install -y opensc
+
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+    
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+    && tar -xf openssl-3.1.2.tar.gz \
+    && cd openssl-3.1.2 \
+    && ./Configure enable-fips \
+    && make \
+    && make install_fips
+
+# ? App setup
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1
+
+WORKDIR /app
+
+COPY package.json package.json
+COPY package-lock.json package-lock.json
+
+RUN npm install
+
+COPY . .
+
+ENV HOST=0.0.0.0
+ENV OPENSSL_CONF=/app/nodejs.cnf
+ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
+
+CMD ["npm", "run", "dev:docker"]

backend/nodejs.cnf

@@ -0,0 +1,16 @@
+nodejs_conf = nodejs_init
+
+.include /usr/local/ssl/fipsmodule.cnf
+
+[nodejs_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+fips = fips_sect
+
+[default_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes 

backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts

@@ -1,4 +1,5 @@
 import { Knex } from "knex";
+
 import { TableName } from "../schemas";
 
 export async function up(knex: Knex): Promise<void> {

backend/src/db/migrations/20250326171707_folder-last-secret-modified.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.datetime("lastSecretModified");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("lastSecretModified");
+    });
+  }
+}

backend/src/db/schemas/models.ts

@@ -233,3 +233,8 @@ export enum ActionProjectType {
   // project operations that happen on all types
   Any = "any"
 }
+
+export enum SortDirection {
+  ASC = "asc",
+  DESC = "desc"
+}

backend/src/db/schemas/secret-folders.ts

@@ -16,7 +16,8 @@ export const SecretFoldersSchema = z.object({
   envId: z.string().uuid(),
   parentId: z.string().uuid().nullable().optional(),
   isReserved: z.boolean().default(false).nullable().optional(),
-  description: z.string().nullable().optional()
+  description: z.string().nullable().optional(),
+  lastSecretModified: z.date().nullable().optional()
 });
 
 export type TSecretFolders = z.infer<typeof SecretFoldersSchema>;

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -9,13 +9,14 @@ import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
 
-import { EventType } from "./audit-log-types";
+import { EventType, filterableSecretEvents } from "./audit-log-types";
 
 export type TAuditLogDALFactory = ReturnType<typeof auditLogDALFactory>;
 
 type TFindQuery = {
   actor?: string;
   projectId?: string;
+  environment?: string;
   orgId?: string;
   eventType?: string;
   startDate?: string;
@@ -32,6 +33,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
     {
       orgId,
       projectId,
+      environment,
       userAgentType,
       startDate,
       endDate,
@@ -40,12 +42,14 @@ export const auditLogDALFactory = (db: TDbClient) => {
       actorId,
       actorType,
       secretPath,
+      secretKey,
       eventType,
       eventMetadata
     }: Omit<TFindQuery, "actor" | "eventType"> & {
       actorId?: string;
       actorType?: ActorType;
       secretPath?: string;
+      secretKey?: string;
       eventType?: EventType[];
       eventMetadata?: Record<string, string>;
     },
@@ -90,8 +94,29 @@ export const auditLogDALFactory = (db: TDbClient) => {
         });
       }
 
-      if (projectId && secretPath) {
-        void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object('secretPath', ?::text)`, [secretPath]);
+      const eventIsSecretType = !eventType?.length || eventType.some((event) => filterableSecretEvents.includes(event));
+      // We only want to filter for environment/secretPath/secretKey if the user is either checking for all event types
+
+      // ? Note(daniel): use the `eventMetadata" @> ?::jsonb` approach to properly use our GIN index
+      if (projectId && eventIsSecretType) {
+        if (environment || secretPath) {
+          // Handle both environment and secret path together to only use the GIN index once
+          void sqlQuery.whereRaw(`"eventMetadata" @> ?::jsonb`, [
+            JSON.stringify({
+              ...(environment && { environment }),
+              ...(secretPath && { secretPath })
+            })
+          ]);
+        }
+
+        // Handle secret key separately to include the OR condition
+        if (secretKey) {
+          void sqlQuery.whereRaw(
+            `("eventMetadata" @> ?::jsonb
+            OR "eventMetadata"->'secrets' @> ?::jsonb)`,
+            [JSON.stringify({ secretKey }), JSON.stringify([{ secretKey }])]
+          );
+        }
       }
 
       // Filter by actor type

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -63,6 +63,8 @@ export const auditLogServiceFactory = ({
       actorType: filter.actorType,
       eventMetadata: filter.eventMetadata,
       secretPath: filter.secretPath,
+      secretKey: filter.secretKey,
+      environment: filter.environment,
       ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -33,9 +33,11 @@ export type TListProjectAuditLogDTO = {
     endDate?: string;
     startDate?: string;
     projectId?: string;
+    environment?: string;
     auditLogActorId?: string;
     actorType?: ActorType;
     secretPath?: string;
+    secretKey?: string;
     eventMetadata?: Record<string, string>;
   };
 } & Omit<TProjectPermission, "projectId">;
@@ -283,9 +285,21 @@ export enum EventType {
   KMIP_OPERATION_ACTIVATE = "kmip-operation-activate",
   KMIP_OPERATION_REVOKE = "kmip-operation-revoke",
   KMIP_OPERATION_LOCATE = "kmip-operation-locate",
-  KMIP_OPERATION_REGISTER = "kmip-operation-register"
+  KMIP_OPERATION_REGISTER = "kmip-operation-register",
+
+  PROJECT_ACCESS_REQUEST = "project-access-request"
 }
 
+export const filterableSecretEvents: EventType[] = [
+  EventType.GET_SECRET,
+  EventType.DELETE_SECRETS,
+  EventType.CREATE_SECRETS,
+  EventType.UPDATE_SECRETS,
+  EventType.CREATE_SECRET,
+  EventType.UPDATE_SECRET,
+  EventType.DELETE_SECRET
+];
+
 interface UserActorMetadata {
   userId: string;
   email?: string | null;
@@ -2265,6 +2279,15 @@ interface KmipOperationRegisterEvent {
   };
 }
 
+interface ProjectAccessRequestEvent {
+  type: EventType.PROJECT_ACCESS_REQUEST;
+  metadata: {
+    projectId: string;
+    requesterId: string;
+    requesterEmail: string;
+  };
+}
+
 interface SetupKmipEvent {
   type: EventType.SETUP_KMIP;
   metadata: {
@@ -2499,5 +2522,6 @@ export type Event =
   | KmipOperationRevokeEvent
   | KmipOperationLocateEvent
   | KmipOperationRegisterEvent
+  | ProjectAccessRequestEvent
   | CreateSecretRequestEvent
   | SecretApprovalRequestReview;

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -183,7 +183,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) {
+    if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id) {
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
     }
 
@@ -256,7 +256,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease)
+    if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id)
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
 
     const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -8,7 +8,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
   const appCfg = getConfig();
-  // if (appCfg.NODE_ENV === "development") return; // incase you want to remove this check in dev
+  // if (appCfg.NODE_ENV === "development") return ["host.docker.internal"]; // incase you want to remove this check in dev
 
   const reservedHosts = [appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI)].concat(
     (appCfg.DB_READ_REPLICAS || []).map((el) => getDbConnectionHost(el.DB_CONNECTION_URI)),

backend/src/ee/services/license/license-service.ts

@@ -5,6 +5,7 @@
 // TODO(akhilmhdh): With tony find out the api structure and fill it here
 
 import { ForbiddenError } from "@casl/ability";
+import { CronJob } from "cron";
 import { Knex } from "knex";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
@@ -85,6 +86,20 @@ export const licenseServiceFactory = ({
     appCfg.LICENSE_KEY || ""
   );
 
+  const syncLicenseKeyOnPremFeatures = async (shouldThrow: boolean = false) => {
+    logger.info("Start syncing license key features");
+    try {
+      const {
+        data: { currentPlan }
+      } = await licenseServerOnPremApi.request.get<{ currentPlan: TFeatureSet }>("/api/license/v1/plan");
+      onPremFeatures = currentPlan;
+      logger.info("Successfully synchronized license key features");
+    } catch (error) {
+      logger.error(error, "Failed to synchronize license key features");
+      if (shouldThrow) throw error;
+    }
+  };
+
   const init = async () => {
     try {
       if (appCfg.LICENSE_SERVER_KEY) {
@@ -98,10 +113,7 @@ export const licenseServiceFactory = ({
       if (appCfg.LICENSE_KEY) {
         const token = await licenseServerOnPremApi.refreshLicense();
         if (token) {
-          const {
-            data: { currentPlan }
-          } = await licenseServerOnPremApi.request.get<{ currentPlan: TFeatureSet }>("/api/license/v1/plan");
-          onPremFeatures = currentPlan;
+          await syncLicenseKeyOnPremFeatures(true);
           instanceType = InstanceType.EnterpriseOnPrem;
           logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
           isValidLicense = true;
@@ -147,6 +159,15 @@ export const licenseServiceFactory = ({
     }
   };
 
+  const initializeBackgroundSync = async () => {
+    if (appCfg.LICENSE_KEY) {
+      logger.info("Setting up background sync process for refresh onPremFeatures");
+      const job = new CronJob("*/10 * * * *", syncLicenseKeyOnPremFeatures);
+      job.start();
+      return job;
+    }
+  };
+
   const getPlan = async (orgId: string, projectId?: string) => {
     logger.info(`getPlan: attempting to fetch plan for [orgId=${orgId}] [projectId=${projectId}]`);
     try {
@@ -662,6 +683,7 @@ export const licenseServiceFactory = ({
     getOrgTaxInvoices,
     getOrgTaxIds,
     addOrgTaxId,
-    delOrgTaxId
+    delOrgTaxId,
+    initializeBackgroundSync
   };
 };

backend/src/lib/api-docs/constants.ts

@@ -632,7 +632,9 @@ export const FOLDERS = {
     environment: "The slug of the environment to list folders from.",
     path: "The path to list folders from.",
     directory: "The directory to list folders from. (Deprecated in favor of path)",
-    recursive: "Whether or not to fetch all folders from the specified base path, and all of its subdirectories."
+    recursive: "Whether or not to fetch all folders from the specified base path, and all of its subdirectories.",
+    lastSecretModified:
+      "The timestamp used to filter folders with secrets modified after the specified date. The format for this timestamp is ISO 8601 (e.g. 2025-04-01T09:41:45-04:00)"
   },
   GET_BY_ID: {
     folderId: "The ID of the folder to get details."
@@ -840,9 +842,13 @@ export const AUDIT_LOGS = {
   EXPORT: {
     projectId:
       "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
+    environment:
+      "The environment to filter logs by. If not provided, logs from all environments will be returned. Note that the projectId parameter must also be provided.",
     eventType: "The type of the event to export.",
     secretPath:
       "The path of the secret to query audit logs for. Note that the projectId parameter must also be provided.",
+    secretKey:
+      "The key of the secret to query audit logs for. Note that the projectId parameter must also be provided.",
     userAgentType: "Choose which consuming application to export audit logs for.",
     eventMetadata:
       "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",

backend/src/lib/validator/validate-string.ts

@@ -36,7 +36,8 @@ export enum CharacterType {
   DoubleQuote = "doubleQuote", // "
   Comma = "comma", // ,
   Semicolon = "semicolon", // ;
-  Exclamation = "exclamation" // !
+  Exclamation = "exclamation", // !
+  Fullstop = "fullStop" // .
 }
 
 /**
@@ -81,7 +82,8 @@ export const characterValidator = (allowedCharacters: CharacterType[]) => {
     [CharacterType.DoubleQuote]: '\\"',
     [CharacterType.Comma]: ",",
     [CharacterType.Semicolon]: ";",
-    [CharacterType.Exclamation]: "!"
+    [CharacterType.Exclamation]: "!",
+    [CharacterType.Fullstop]: "."
   };
 
   // Combine patterns from allowed characters

backend/src/server/routes/index.ts

@@ -662,6 +662,7 @@ export const registerRoutes = async (
   });
 
   const orgAdminService = orgAdminServiceFactory({
+    smtpService,
     projectDAL,
     permissionService,
     projectUserMembershipRoleDAL,
@@ -964,7 +965,8 @@ export const registerRoutes = async (
     projectSlackConfigDAL,
     slackIntegrationDAL,
     projectTemplateService,
-    groupProjectDAL
+    groupProjectDAL,
+    smtpService
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -1607,6 +1609,10 @@ export const registerRoutes = async (
     if (rateLimitSyncJob) {
       cronJobs.push(rateLimitSyncJob);
     }
+    const licenseSyncJob = await licenseService.initializeBackgroundSync();
+    if (licenseSyncJob) {
+      cronJobs.push(licenseSyncJob);
+    }
   }
 
   server.decorate<FastifyZodProvider["store"]>("store", {

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -6,6 +6,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
@@ -14,6 +15,7 @@ import {
   validateAltNamesField,
   validateCaDateField
 } from "@app/services/certificate-authority/certificate-authority-validators";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerCaRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -649,6 +651,16 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: ca.id,
+          commonName: req.body.commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate,
         certificateChain,
@@ -707,7 +719,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
+      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
         await server.services.certificateAuthority.signCertFromCa({
           isInternal: false,
           caId: req.params.caId,
@@ -731,6 +743,16 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SignCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: ca.id,
+          commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate: certificate.toString("pem"),
         certificateChain,

backend/src/server/routes/v1/certificate-router.ts

@@ -5,6 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_AUTHORITIES, CERTIFICATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyUsage, CrlReason } from "@app/services/certificate/certificate-types";
@@ -12,6 +13,7 @@ import {
   validateAltNamesField,
   validateCaDateField
 } from "@app/services/certificate-authority/certificate-authority-validators";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerCertRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -150,6 +152,17 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: req.body.caId,
+          certificateTemplateId: req.body.certificateTemplateId,
+          commonName: req.body.commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate,
         certificateChain,
@@ -228,7 +241,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
+      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
         await server.services.certificateAuthority.signCertFromCa({
           isInternal: false,
           actor: req.permission.type,
@@ -251,6 +264,17 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SignCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: req.body.caId,
+          certificateTemplateId: req.body.certificateTemplateId,
+          commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate: certificate.toString("pem"),
         certificateChain,

backend/src/server/routes/v1/dashboard-router.ts

@@ -897,6 +897,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         projectId: z.string().trim(),
         environment: z.string().trim(),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        recursive: booleanSchema.default(false),
         filterByAction: z
           .enum([ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSecretActions.ReadValue])
           .default(ProjectPermissionSecretActions.ReadValue)
@@ -915,7 +916,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { projectId, environment, secretPath, filterByAction } = req.query;
+      const { projectId, environment, secretPath, filterByAction, recursive } = req.query;
 
       const { secrets } = await server.services.secret.getAccessibleSecrets({
         actorId: req.permission.id,
@@ -925,7 +926,8 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         environment,
         secretPath,
         projectId,
-        filterByAction
+        filterByAction,
+        recursive
       });
 
       return { secrets };

backend/src/server/routes/v1/organization-router.ts

@@ -111,12 +111,14 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       description: "Get all audit logs for an organization",
       querystring: z.object({
         projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
+        environment: z.string().optional().describe(AUDIT_LOGS.EXPORT.environment),
         actorType: z.nativeEnum(ActorType).optional(),
         secretPath: z
           .string()
           .optional()
           .transform((val) => (!val ? val : removeTrailingSlash(val)))
           .describe(AUDIT_LOGS.EXPORT.secretPath),
+        secretKey: z.string().optional().describe(AUDIT_LOGS.EXPORT.secretKey),
 
         // eventType is split with , for multiple values, we need to transform it to array
         eventType: z

backend/src/server/routes/v1/project-router.ts

@@ -8,15 +8,17 @@ import {
   ProjectSlackConfigsSchema,
   ProjectType,
   SecretFoldersSchema,
+  SortDirection,
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { ProjectFilterType } from "@app/services/project/project-types";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+import { ProjectFilterType, SearchProjectSortBy } from "@app/services/project/project-types";
 import { validateSlackChannelsField } from "@app/services/slack/slack-auth-validators";
 
 import { integrationAuthPubSchema, SanitizedProjectSchema } from "../sanitizedSchemas";
@@ -704,4 +706,107 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       return environmentsFolders;
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/search",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        limit: z.number().default(100),
+        offset: z.number().default(0),
+        type: z.nativeEnum(ProjectType).optional(),
+        orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
+        orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
+        name: z
+          .string()
+          .trim()
+          .refine((val) => characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])(val), {
+            message: "Invalid pattern: only alphanumeric characters, - are allowed."
+          })
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          projects: SanitizedProjectSchema.extend({ isMember: z.boolean() }).array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { docs: projects, totalCount } = await server.services.project.searchProjects({
+        permission: req.permission,
+        ...req.body
+      });
+
+      return { projects, totalCount };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:workspaceId/project-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+      body: z.object({
+        comment: z
+          .string()
+          .trim()
+          .max(2500)
+          .refine(
+            (val) =>
+              characterValidator([
+                CharacterType.AlphaNumeric,
+                CharacterType.Hyphen,
+                CharacterType.Comma,
+                CharacterType.Fullstop,
+                CharacterType.Spaces,
+                CharacterType.Exclamation
+              ])(val),
+            {
+              message: "Invalid pattern: only alphanumeric characters, spaces, -.!, are allowed."
+            }
+          )
+          .optional()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.project.requestProjectAccess({
+        permission: req.permission,
+        comment: req.body.comment,
+        projectId: req.params.workspaceId
+      });
+
+      if (req.auth.actor === ActorType.USER) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          projectId: req.params.workspaceId,
+          event: {
+            type: EventType.PROJECT_ACCESS_REQUEST,
+            metadata: {
+              projectId: req.params.workspaceId,
+              requesterEmail: req.auth.user.email || req.auth.user.username,
+              requesterId: req.auth.userId
+            }
+          }
+        });
+      }
+
+      return { message: "Project access request has been send to project admins" };
+    }
+  });
 };

backend/src/server/routes/v1/secret-folder-router.ts

@@ -335,6 +335,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       querystring: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
         environment: z.string().trim().describe(FOLDERS.LIST.environment),
+        lastSecretModified: z.string().datetime().trim().optional().describe(FOLDERS.LIST.lastSecretModified),
         path: z
           .string()
           .trim()

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -1818,7 +1818,8 @@ export const certificateAuthorityServiceFactory = ({
       certificateChain: `${issuingCaCertificate}\n${caCertChain}`.trim(),
       issuingCaCertificate,
       serialNumber,
-      ca
+      ca,
+      commonName: cn
     };
   };
 

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -42,6 +42,31 @@ type TIdentityAwsAuthServiceFactoryDep = {
 
 export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
 
+const awsRegionFromHeader = (authorizationHeader: string): string | null => {
+  // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
+  // The Authorization header takes the following form.
+  //  Authorization: AWS4-HMAC-SHA256
+  //	Credential=AKIAIOSFODNN7EXAMPLE/20230719/us-east-1/sts/aws4_request,
+  // 	SignedHeaders=content-length;content-type;host;x-amz-date,
+  //	Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
+  //
+  // The credential is in the form of "<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request"
+  try {
+    const fields = authorizationHeader.split(" ");
+    for (const field of fields) {
+      if (field.startsWith("Credential=")) {
+        const parts = field.split("/");
+        if (parts.length >= 3) {
+          return parts[2];
+        }
+      }
+    }
+  } catch {
+    return null;
+  }
+  return null;
+};
+
 export const identityAwsAuthServiceFactory = ({
   identityAccessTokenDAL,
   identityAwsAuthDAL,
@@ -60,6 +85,9 @@ export const identityAwsAuthServiceFactory = ({
     const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
     const body: string = Buffer.from(iamRequestBody, "base64").toString();
 
+    const region = headers.Authorization ? awsRegionFromHeader(headers.Authorization) : null;
+    const url = region ? `https://sts.${region}.amazonaws.com` : identityAwsAuth.stsEndpoint;
+
     const {
       data: {
         GetCallerIdentityResponse: {
@@ -68,7 +96,7 @@ export const identityAwsAuthServiceFactory = ({
       }
     }: { data: TGetCallerIdentityResponse } = await axios({
       method: iamHttpRequestMethod,
-      url: headers?.Host ? `https://${headers.Host}` : identityAwsAuth.stsEndpoint,
+      url,
       headers,
       data: body
     });

backend/src/services/identity-ua/identity-ua-service.ts

@@ -471,6 +471,7 @@ export const identityUaServiceFactory = ({
     const clientSecretHash = await bcrypt.hash(clientSecret, appCfg.SALT_ROUNDS);
 
     const identityUaAuth = await identityUaDAL.findOne({ identityId: identityMembershipOrg.identityId });
+    if (!identityUaAuth) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
     const identityUaClientSecret = await identityUaClientSecretDAL.create({
       identityUAId: identityUaAuth.id,
@@ -567,6 +568,12 @@ export const identityUaServiceFactory = ({
       });
     }
 
+    const identityUa = await identityUaDAL.findOne({ identityId });
+    if (!identityUa) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    const clientSecret = await identityUaClientSecretDAL.findOne({ id: clientSecretId, identityUAId: identityUa.id });
+    if (!clientSecret) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
     const { permission, membership } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -601,7 +608,6 @@ export const identityUaServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
     return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
   };
 
@@ -622,6 +628,12 @@ export const identityUaServiceFactory = ({
       });
     }
 
+    const identityUa = await identityUaDAL.findOne({ identityId });
+    if (!identityUa) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    const clientSecret = await identityUaClientSecretDAL.findOne({ id: clientSecretId, identityUAId: identityUa.id });
+    if (!clientSecret) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
     const { permission, membership } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -658,11 +670,11 @@ export const identityUaServiceFactory = ({
       });
     }
 
-    const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
+    const updatedClientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
       isClientSecretRevoked: true
     });
 
-    return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
+    return { ...updatedClientSecret, identityId, orgId: identityMembershipOrg.orgId };
   };
 
   return {

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -3595,7 +3595,10 @@ const syncSecretsTeamCity = async ({
           `${integrationAuth.url}/app/rest/buildTypes/${integration.targetEnvironmentId}/parameters`,
           {
             name: `env.${key}`,
-            value: secrets[key].value
+            value: secrets[key].value,
+            type: {
+              rawValue: "password display='hidden'"
+            }
           },
           {
             headers: {
@@ -3652,7 +3655,10 @@ const syncSecretsTeamCity = async ({
           `${integrationAuth.url}/app/rest/projects/id:${integration.appId}/parameters`,
           {
             name: `env.${key}`,
-            value: secrets[key].value
+            value: secrets[key].value,
+            type: {
+              rawValue: "password display='hidden'"
+            }
           },
           {
             headers: {

backend/src/services/org-admin/org-admin-service.ts

@@ -12,17 +12,22 @@ import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
+import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TAccessProjectDTO, TListOrgProjectsDTO } from "./org-admin-types";
 
 type TOrgAdminServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   projectDAL: Pick<TProjectDALFactory, "find" | "findById" | "findProjectGhostUser">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findOne" | "create" | "transaction" | "delete">;
+  projectMembershipDAL: Pick<
+    TProjectMembershipDALFactory,
+    "findOne" | "create" | "transaction" | "delete" | "findAllProjectMembers"
+  >;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "create">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
   userDAL: Pick<TUserDALFactory, "findUserEncKeyByUserId">;
   projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "create" | "delete">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TOrgAdminServiceFactory = ReturnType<typeof orgAdminServiceFactory>;
@@ -34,7 +39,8 @@ export const orgAdminServiceFactory = ({
   projectKeyDAL,
   projectBotDAL,
   userDAL,
-  projectUserMembershipRoleDAL
+  projectUserMembershipRoleDAL,
+  smtpService
 }: TOrgAdminServiceFactoryDep) => {
   const listOrgProjects = async ({
     actor,
@@ -184,6 +190,23 @@ export const orgAdminServiceFactory = ({
       );
       return newProjectMembership;
     });
+
+    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
+    const filteredProjectMembers = projectMembers
+      .filter(
+        (member) => member.roles.some((role) => role.role === ProjectMembershipRole.Admin) && member.userId !== actorId
+      )
+      .map((el) => el.user.email!);
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.OrgAdminProjectDirectAccess,
+      recipients: filteredProjectMembers,
+      subjectLine: "Organization Admin Project Direct Access Issued",
+      substitutions: {
+        projectName: project.name,
+        email: projectMembers.find((el) => el.userId === actorId)?.user?.username
+      }
+    });
     return { isExistingMember: false, membership: updatedMembership };
   };
 

backend/src/services/org/org-service.ts

@@ -231,7 +231,7 @@ export const orgServiceFactory = ({
 
   const findAllWorkspaces = async ({ actor, actorId, orgId, type }: TFindAllWorkspacesDTO) => {
     if (actor === ActorType.USER) {
-      const workspaces = await projectDAL.findAllProjects(actorId, orgId, type || "all");
+      const workspaces = await projectDAL.findUserProjects(actorId, orgId, type || "all");
       return workspaces;
     }
 

backend/src/services/project-membership/project-membership-service.ts

@@ -423,7 +423,7 @@ export const projectMembershipServiceFactory = ({
     const usernamesAndEmails = [...emails, ...usernames];
 
     const projectMembers = await projectMembershipDAL.findMembershipsByUsername(projectId, [
-      ...new Set(usernamesAndEmails.map((element) => element.toLowerCase()))
+      ...new Set(usernamesAndEmails.map((element) => element))
     ]);
 
     if (projectMembers.length !== usernamesAndEmails.length) {

backend/src/services/project/project-dal.ts

@@ -6,20 +6,23 @@ import {
   ProjectType,
   ProjectUpgradeStatus,
   ProjectVersion,
+  SortDirection,
   TableName,
+  TProjects,
   TProjectsUpdate
 } from "@app/db/schemas";
 import { BadRequestError, DatabaseError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 
-import { Filter, ProjectFilterType } from "./project-types";
+import { ActorType } from "../auth/auth-type";
+import { Filter, ProjectFilterType, SearchProjectSortBy } from "./project-types";
 
 export type TProjectDALFactory = ReturnType<typeof projectDALFactory>;
 
 export const projectDALFactory = (db: TDbClient) => {
   const projectOrm = ormify(db, TableName.Project);
 
-  const findAllProjects = async (userId: string, orgId: string, projectType: ProjectType | "all") => {
+  const findUserProjects = async (userId: string, orgId: string, projectType: ProjectType | "all") => {
     try {
       const workspaces = await db
         .replicaNode()(TableName.ProjectMembership)
@@ -352,9 +355,79 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
+  const searchProjects = async (dto: {
+    orgId: string;
+    actor: ActorType;
+    actorId: string;
+    type?: ProjectType;
+    limit?: number;
+    offset?: number;
+    name?: string;
+    sortBy?: SearchProjectSortBy;
+    sortDir?: SortDirection;
+  }) => {
+    const { limit = 20, offset = 0, sortBy = SearchProjectSortBy.NAME, sortDir = SortDirection.ASC } = dto;
+
+    const userMembershipSubquery = db(TableName.ProjectMembership).where({ userId: dto.actorId }).select("projectId");
+    const groups = db(TableName.UserGroupMembership).where({ userId: dto.actorId }).select("groupId");
+    const groupMembershipSubquery = db(TableName.GroupProjectMembership).whereIn("groupId", groups).select("projectId");
+
+    const identityMembershipSubQuery = db(TableName.IdentityProjectMembership)
+      .where({ identityId: dto.actorId })
+      .select("projectId");
+
+    // Get the SQL strings for the subqueries
+    const userMembershipSql = userMembershipSubquery.toQuery();
+    const groupMembershipSql = groupMembershipSubquery.toQuery();
+    const identityMembershipSql = identityMembershipSubQuery.toQuery();
+
+    const query = db
+      .replicaNode()(TableName.Project)
+      .where(`${TableName.Project}.orgId`, dto.orgId)
+      .select(selectAllTableCols(TableName.Project))
+      .select(db.raw("COUNT(*) OVER() AS count"))
+      .select<(TProjects & { isMember: boolean; count: number })[]>(
+        dto.actor === ActorType.USER
+          ? db.raw(
+              `
+          CASE
+            WHEN ${TableName.Project}.id IN (?) THEN TRUE
+            WHEN ${TableName.Project}.id IN (?) THEN TRUE
+            ELSE FALSE
+          END as "isMember"
+        `,
+              [db.raw(userMembershipSql), db.raw(groupMembershipSql)]
+            )
+          : db.raw(
+              `
+          CASE
+            WHEN ${TableName.Project}.id IN (?) THEN TRUE
+            ELSE FALSE
+          END as "isMember"
+        `,
+              [db.raw(identityMembershipSql)]
+            )
+      )
+      .limit(limit)
+      .offset(offset);
+    if (sortBy === SearchProjectSortBy.NAME) {
+      void query.orderBy([{ column: `${TableName.Project}.name`, order: sortDir }]);
+    }
+
+    if (dto.type) {
+      void query.where(`${TableName.Project}.type`, dto.type);
+    }
+    if (dto.name) {
+      void query.whereILike(`${TableName.Project}.name`, `%${dto.name}%`);
+    }
+    const docs = await query;
+
+    return { docs, totalCount: Number(docs?.[0]?.count ?? 0) };
+  };
+
   return {
     ...projectOrm,
-    findAllProjects,
+    findUserProjects,
     setProjectUpgradeStatus,
     findAllProjectsByIdentity,
     findProjectGhostUser,
@@ -363,6 +436,7 @@ export const projectDALFactory = (db: TDbClient) => {
     findProjectBySlug,
     findProjectWithOrg,
     checkProjectUpgradeStatus,
-    getProjectFromSplitId
+    getProjectFromSplitId,
+    searchProjects
   };
 };

backend/src/services/project/project-service.ts

@@ -23,6 +23,7 @@ import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-cer
 import { TSshCertificateDALFactory } from "@app/ee/services/ssh-certificate/ssh-certificate-dal";
 import { TSshCertificateTemplateDALFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-dal";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -57,6 +58,7 @@ import { ROOT_FOLDER_NAME, TSecretFolderDALFactory } from "../secret-folder/secr
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TProjectSlackConfigDALFactory } from "../slack/project-slack-config-dal";
 import { TSlackIntegrationDALFactory } from "../slack/slack-integration-dal";
+import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TProjectDALFactory } from "./project-dal";
 import { assignWorkspaceKeysToMembers, createProjectKey } from "./project-fns";
@@ -76,6 +78,8 @@ import {
   TListProjectSshCertificatesDTO,
   TListProjectSshCertificateTemplatesDTO,
   TLoadProjectKmsBackupDTO,
+  TProjectAccessRequestDTO,
+  TSearchProjectsDTO,
   TToggleProjectAutoCapitalizationDTO,
   TUpdateAuditLogsRetentionDTO,
   TUpdateProjectDTO,
@@ -106,7 +110,10 @@ type TProjectServiceFactoryDep = {
   identityProjectDAL: TIdentityProjectDALFactory;
   identityProjectMembershipRoleDAL: Pick<TIdentityProjectMembershipRoleDALFactory, "create">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "create" | "findLatestProjectKey" | "delete" | "find" | "insertMany">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "create" | "findProjectGhostUser" | "findOne" | "delete">;
+  projectMembershipDAL: Pick<
+    TProjectMembershipDALFactory,
+    "create" | "findProjectGhostUser" | "findOne" | "delete" | "findAllProjectMembers"
+  >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "delete">;
   projectSlackConfigDAL: Pick<TProjectSlackConfigDALFactory, "findOne" | "transaction" | "updateById" | "create">;
   slackIntegrationDAL: Pick<TSlackIntegrationDALFactory, "findById" | "findByIdWithWorkflowIntegrationDetails">;
@@ -123,6 +130,7 @@ type TProjectServiceFactoryDep = {
   orgService: Pick<TOrgServiceFactory, "addGhostUser">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   queueService: Pick<TQueueServiceFactory, "stopRepeatableJob">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 
   orgDAL: Pick<TOrgDALFactory, "findOne">;
   keyStore: Pick<TKeyStoreFactory, "deleteItem">;
@@ -177,7 +185,8 @@ export const projectServiceFactory = ({
   projectSlackConfigDAL,
   slackIntegrationDAL,
   projectTemplateService,
-  groupProjectDAL
+  groupProjectDAL,
+  smtpService
 }: TProjectServiceFactoryDep) => {
   /*
    * Create workspace. Make user the admin
@@ -506,7 +515,7 @@ export const projectServiceFactory = ({
     actorOrgId,
     type = ProjectType.SecretManager
   }: TListProjectsDTO) => {
-    const workspaces = await projectDAL.findAllProjects(actorId, actorOrgId, type);
+    const workspaces = await projectDAL.findUserProjects(actorId, actorOrgId, type);
 
     if (includeRoles) {
       const { permission } = await permissionService.getUserOrgPermission(
@@ -1339,6 +1348,85 @@ export const projectServiceFactory = ({
     });
   };
 
+  const searchProjects = async ({
+    name,
+    offset,
+    permission,
+    limit,
+    type,
+    orderBy,
+    orderDirection
+  }: TSearchProjectsDTO) => {
+    // check user belong to org
+    await permissionService.getOrgPermission(
+      permission.type,
+      permission.id,
+      permission.orgId,
+      permission.authMethod,
+      permission.orgId
+    );
+
+    return projectDAL.searchProjects({
+      limit,
+      offset,
+      name,
+      type,
+      orgId: permission.orgId,
+      actor: permission.type,
+      actorId: permission.id,
+      sortBy: orderBy,
+      sortDir: orderDirection
+    });
+  };
+
+  const requestProjectAccess = async ({ permission, comment, projectId }: TProjectAccessRequestDTO) => {
+    // check user belong to org
+    await permissionService.getOrgPermission(
+      permission.type,
+      permission.id,
+      permission.orgId,
+      permission.authMethod,
+      permission.orgId
+    );
+
+    const projectMember = await permissionService
+      .getProjectPermission({
+        actor: permission.type,
+        actorId: permission.id,
+        projectId,
+        actionProjectType: ActionProjectType.Any,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId
+      })
+      .catch(() => {
+        return null;
+      });
+    if (projectMember) throw new BadRequestError({ message: "User already has access to the project" });
+
+    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
+    const filteredProjectMembers = projectMembers
+      .filter((member) => member.roles.some((role) => role.role === ProjectMembershipRole.Admin))
+      .map((el) => el.user.email!);
+    const org = await orgDAL.findOne({ id: permission.orgId });
+    const project = await projectDAL.findById(projectId);
+    const userDetails = await userDAL.findById(permission.id);
+    const appCfg = getConfig();
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.ProjectAccessRequest,
+      recipients: filteredProjectMembers,
+      subjectLine: "Project Access Request",
+      substitutions: {
+        requesterName: `${userDetails.firstName} ${userDetails.lastName}`,
+        requesterEmail: userDetails.email,
+        projectName: project?.name,
+        orgName: org?.name,
+        note: comment,
+        callback_url: `${appCfg.SITE_URL}/${project.type}/${project.id}/access-management?selectedTab=members&requesterEmail=${userDetails.email}`
+      }
+    });
+  };
+
   return {
     createProject,
     deleteProject,
@@ -1364,6 +1452,8 @@ export const projectServiceFactory = ({
     loadProjectKmsBackup,
     getProjectKmsKeys,
     getProjectSlackConfig,
-    updateProjectSlackConfig
+    updateProjectSlackConfig,
+    requestProjectAccess,
+    searchProjects
   };
 };

backend/src/services/project/project-types.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
-import { ProjectType, TProjectKeys } from "@app/db/schemas";
-import { TProjectPermission } from "@app/lib/types";
+import { ProjectType, SortDirection, TProjectKeys } from "@app/db/schemas";
+import { OrgServiceActor, TProjectPermission } from "@app/lib/types";
 
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 
@@ -158,3 +158,23 @@ export type TUpdateProjectSlackConfig = {
   isSecretRequestNotificationEnabled: boolean;
   secretRequestChannels: string;
 } & TProjectPermission;
+
+export enum SearchProjectSortBy {
+  NAME = "name"
+}
+
+export type TSearchProjectsDTO = {
+  permission: OrgServiceActor;
+  name?: string;
+  type?: ProjectType;
+  limit?: number;
+  offset?: number;
+  orderBy?: SearchProjectSortBy;
+  orderDirection?: SortDirection;
+};
+
+export type TProjectAccessRequestDTO = {
+  permission: OrgServiceActor;
+  projectId: string;
+  comment?: string;
+};

backend/src/services/secret-folder/secret-folder-service.ts

@@ -402,7 +402,8 @@ export const secretFolderServiceFactory = ({
     orderDirection,
     limit,
     offset,
-    recursive
+    recursive,
+    lastSecretModified
   }: TGetFolderDTO) => {
     // folder list is allowed to be read by anyone
     // permission to check does user has access
@@ -425,7 +426,16 @@ export const secretFolderServiceFactory = ({
       const recursiveFolders = await folderDAL.findByEnvsDeep({ parentIds: [parentFolder.id] });
       // remove the parent folder
       return recursiveFolders
-        .filter((folder) => folder.id !== parentFolder.id)
+        .filter((folder) => {
+          if (lastSecretModified) {
+            if (!folder.lastSecretModified) return false;
+
+            if (folder.lastSecretModified < new Date(lastSecretModified)) {
+              return false;
+            }
+          }
+          return folder.id !== parentFolder.id;
+        })
         .map((folder) => ({
           ...folder,
           relativePath: folder.path
@@ -445,6 +455,11 @@ export const secretFolderServiceFactory = ({
         offset
       }
     );
+    if (lastSecretModified) {
+      return folders.filter((el) =>
+        el.lastSecretModified ? el.lastSecretModified >= new Date(lastSecretModified) : false
+      );
+    }
     return folders;
   };
 
@@ -619,10 +634,29 @@ export const secretFolderServiceFactory = ({
         const relevantFolders = folders.filter((folder) => folder.envId === env.id);
         const foldersMap = Object.fromEntries(relevantFolders.map((folder) => [folder.id, folder]));
 
-        const foldersWithPath = relevantFolders.map((folder) => ({
-          ...folder,
-          path: buildFolderPath(folder, foldersMap)
-        }));
+        const foldersWithPath = relevantFolders
+          .map((folder) => {
+            try {
+              return {
+                ...folder,
+                path: buildFolderPath(folder, foldersMap)
+              };
+            } catch (error) {
+              return null;
+            }
+          })
+          .filter(Boolean) as {
+          path: string;
+          id: string;
+          createdAt: Date;
+          updatedAt: Date;
+          name: string;
+          envId: string;
+          version?: number | null | undefined;
+          parentId?: string | null | undefined;
+          isReserved?: boolean | undefined;
+          description?: string | undefined;
+        }[];
 
         return [env.slug, { ...env, folders: foldersWithPath }];
       })

backend/src/services/secret-folder/secret-folder-types.ts

@@ -46,6 +46,7 @@ export type TGetFolderDTO = {
   limit?: number;
   offset?: number;
   recursive?: boolean;
+  lastSecretModified?: string;
 } & TProjectPermission;
 
 export type TGetFolderByIdDTO = {

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -356,7 +356,7 @@ export const fnSecretBulkDelete = async ({
 interface FolderMap {
   [parentId: string]: TSecretFolders[];
 }
-const buildHierarchy = (folders: TSecretFolders[]): FolderMap => {
+export const buildHierarchy = (folders: TSecretFolders[]): FolderMap => {
   const map: FolderMap = {};
   map.null = []; // Initialize mapping for root directory
 
@@ -371,7 +371,7 @@ const buildHierarchy = (folders: TSecretFolders[]): FolderMap => {
   return map;
 };
 
-const generatePaths = (
+export const generatePaths = (
   map: FolderMap,
   parentId: string = "null",
   basePath: string = "",

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -44,10 +44,12 @@ import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import {
+  buildHierarchy,
   expandSecretReferencesFactory,
   fnSecretBulkDelete,
   fnSecretBulkInsert,
   fnSecretBulkUpdate,
+  generatePaths,
   getAllSecretReferences,
   recursivelyGetSecretPaths,
   reshapeBridgeSecret
@@ -2620,7 +2622,8 @@ export const secretV2BridgeServiceFactory = ({
     actorId,
     actor,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    recursive
   }: TGetAccessibleSecretsDTO) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -2635,10 +2638,38 @@ export const secretV2BridgeServiceFactory = ({
       secretPath
     });
 
+    const folders = [];
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder) return { secrets: [] };
+    folders.push({ ...folder, parentId: null });
 
-    const secrets = await secretDAL.findByFolderIds([folder.id]);
+    const env = await projectEnvDAL.findOne({
+      projectId,
+      slug: environment
+    });
+
+    if (!env) {
+      throw new NotFoundError({
+        message: `Environment with slug '${environment}' in project with ID ${projectId} not found`
+      });
+    }
+
+    if (recursive) {
+      const subFolders = await folderDAL.find({
+        envId: env.id,
+        isReserved: false
+      });
+      folders.push(...subFolders);
+    }
+
+    if (folders.length === 0) return { secrets: [] };
+
+    const folderMap = buildHierarchy(folders);
+    const paths = Object.fromEntries(
+      generatePaths(folderMap).map(({ folderId, path }) => [folderId, path === "/" ? path : path.substring(1)])
+    );
+
+    const secrets = await secretDAL.findByFolderIds(folders.map((f) => f.id));
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
@@ -2650,7 +2681,7 @@ export const secretV2BridgeServiceFactory = ({
         if (
           !hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret, {
             environment,
-            secretPath,
+            secretPath: paths[el.folderId],
             secretName: el.key,
             secretTags: el.tags.map((i) => i.slug)
           })
@@ -2661,7 +2692,7 @@ export const secretV2BridgeServiceFactory = ({
         if (filterByAction === ProjectPermissionSecretActions.ReadValue) {
           return hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
             environment,
-            secretPath,
+            secretPath: paths[el.folderId],
             secretName: el.key,
             secretTags: el.tags.map((i) => i.slug)
           });
@@ -2674,7 +2705,7 @@ export const secretV2BridgeServiceFactory = ({
           filterByAction === ProjectPermissionSecretActions.DescribeSecret &&
           !hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
             environment,
-            secretPath,
+            secretPath: paths[secret.folderId],
             secretName: secret.key,
             secretTags: secret.tags.map((i) => i.slug)
           });
@@ -2682,7 +2713,7 @@ export const secretV2BridgeServiceFactory = ({
         return reshapeBridgeSecret(
           projectId,
           environment,
-          secretPath,
+          paths[secret.folderId],
           {
             ...secret,
             value: secret.encryptedValue

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -356,5 +356,6 @@ export type TGetAccessibleSecretsDTO = {
   environment: string;
   projectId: string;
   secretPath: string;
+  recursive?: boolean;
   filterByAction: ProjectPermissionSecretActions.DescribeSecret | ProjectPermissionSecretActions.ReadValue;
 } & TProjectPermission;

backend/src/services/secret/secret-queue.ts

@@ -646,6 +646,10 @@ export const secretQueueFactory = ({
       }
     );
 
+    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
+    if (!folder) return;
+    await folderDAL.updateById(folder.id, { lastSecretModified: new Date() });
+
     await secretSyncQueue.queueSecretSyncsSyncSecretsByPath({ projectId, environmentSlug: environment, secretPath });
 
     await syncIntegrations({ secretPath, projectId, environment, deDupeQueue, isManual: false });

backend/src/services/secret/secret-service.ts

@@ -1321,7 +1321,8 @@ export const secretServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     environment,
-    filterByAction
+    filterByAction,
+    recursive
   }: TGetAccessibleSecretsDTO) => {
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
 
@@ -1340,7 +1341,8 @@ export const secretServiceFactory = ({
       actor,
       actorId,
       actorOrgId,
-      actorAuthMethod
+      actorAuthMethod,
+      recursive
     });
 
     return secrets;

backend/src/services/secret/secret-types.ts

@@ -184,6 +184,7 @@ export enum SecretsOrderBy {
 export type TGetAccessibleSecretsDTO = {
   secretPath: string;
   environment: string;
+  recursive?: boolean;
   filterByAction: ProjectPermissionSecretActions.DescribeSecret | ProjectPermissionSecretActions.ReadValue;
 } & TProjectPermission;
 

backend/src/services/smtp/smtp-service.ts

@@ -40,7 +40,9 @@ export enum SmtpTemplates {
   ExternalImportSuccessful = "externalImportSuccessful.handlebars",
   ExternalImportFailed = "externalImportFailed.handlebars",
   ExternalImportStarted = "externalImportStarted.handlebars",
-  SecretRequestCompleted = "secretRequestCompleted.handlebars"
+  SecretRequestCompleted = "secretRequestCompleted.handlebars",
+  ProjectAccessRequest = "projectAccess.handlebars",
+  OrgAdminProjectDirectAccess = "orgAdminProjectGrantAccess.handlebars"
 }
 
 export enum SmtpHost {

backend/src/services/smtp/templates/accessApprovalRequest.handlebars

@@ -49,4 +49,4 @@
     {{emailFooter}}
   </body>
 
-</html>
+</html>

backend/src/services/smtp/templates/orgAdminProjectGrantAccess.handlebars

@@ -0,0 +1,16 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Organization admin issued direct access to project</title>
+  </head>
+
+  <body>
+    <h2>Infisical</h2>
+		<p>The organization admin {{email}} has granted direct access to the project "{{projectName}}".</p>
+
+    {{emailFooter}}
+  </body>
+
+</html>

backend/src/services/smtp/templates/projectAccess.handlebars

@@ -0,0 +1,26 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Project Access Request</title> 
+  </head>
+
+  <body>
+    <h2>Infisical</h2>
+    <h2>You have a new project access request!</h2>
+    <ul>
+				<li>Requester Name: "{{requesterName}}"</li>
+				<li>Requester Email: "{{requesterEmail}}"</li>
+				<li>Project Name: "{{projectName}}"</li>
+				<li>Organization Name: "{{orgName}}"</li>
+				<li>User Note: "{{note}}"</li>
+		</ul>
+		<p>
+		 Please click on the link below to grant access
+		</p>
+    <a href="{{callback_url}}">Grant Access</a>
+    {{emailFooter}}
+  </body>
+
+</html>

backend/src/services/telemetry/telemetry-types.ts

@@ -17,7 +17,9 @@ export enum PostHogEventTypes {
   SecretRequestCreated = "Secret Request Created",
   SecretRequestDeleted = "Secret Request Deleted",
   SignSshKey = "Sign SSH Key",
-  IssueSshCreds = "Issue SSH Credentials"
+  IssueSshCreds = "Issue SSH Credentials",
+  SignCert = "Sign PKI Certificate",
+  IssueCert = "Issue PKI Certificate"
 }
 
 export type TSecretModifiedEvent = {
@@ -159,6 +161,26 @@ export type TIssueSshCredsEvent = {
   };
 };
 
+export type TSignCertificateEvent = {
+  event: PostHogEventTypes.SignCert;
+  properties: {
+    caId?: string;
+    certificateTemplateId?: string;
+    commonName: string;
+    userAgent?: string;
+  };
+};
+
+export type TIssueCertificateEvent = {
+  event: PostHogEventTypes.IssueCert;
+  properties: {
+    caId?: string;
+    certificateTemplateId?: string;
+    commonName: string;
+    userAgent?: string;
+  };
+};
+
 export type TPostHogEvent = { distinctId: string } & (
   | TSecretModifiedEvent
   | TAdminInitEvent
@@ -173,4 +195,6 @@ export type TPostHogEvent = { distinctId: string } & (
   | TSecretRequestDeletedEvent
   | TSignSshKeyEvent
   | TIssueSshCredsEvent
+  | TSignCertificateEvent
+  | TIssueCertificateEvent
 );

cli/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.4.8
+	github.com/infisical/go-sdk v0.5.1
 	github.com/infisical/infisical-kmip v0.3.5
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
@@ -34,6 +34,7 @@ require (
 	golang.org/x/sys v0.31.0
 	golang.org/x/term v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -125,7 +126,6 @@ require (
 	google.golang.org/grpc v1.64.1 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (

cli/go.sum

@@ -277,8 +277,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.4.8 h1:aphRnaauC5//PkP1ZbY9RSK2RiT1LjPS5o4CbX0x5OQ=
-github.com/infisical/go-sdk v0.4.8/go.mod h1:bMO9xSaBeXkDBhTIM4FkkREAfw2V8mv5Bm7lvo4+uDk=
+github.com/infisical/go-sdk v0.5.1 h1:bl0D4A6CmvfL8RwEQTcZh39nsxC6q3HSs76/4J8grWY=
+github.com/infisical/go-sdk v0.5.1/go.mod h1:ExjqFLRz7LSpZpGluqDLvFl6dFBLq5LKyLW7GBaMAIs=
 github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BAJM2scIeiE=
 github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
@@ -858,4 +858,4 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

cli/packages/cmd/agent.go

@@ -29,7 +29,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )
 
@@ -514,7 +513,10 @@ type NewAgentMangerOptions struct {
 }
 
 func NewAgentManager(options NewAgentMangerOptions) *AgentManager {
-
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
 	return &AgentManager{
 		filePaths: options.FileDeposits,
 		templates: options.Templates,
@@ -529,6 +531,7 @@ func NewAgentManager(options NewAgentMangerOptions) *AgentManager {
 			SiteUrl:          config.INFISICAL_URL,
 			UserAgent:        api.USER_AGENT, // ? Should we perhaps use a different user agent for the Agent for better analytics?
 			AutoTokenRefresh: false,
+			CustomHeaders:    customHeaders,
 		}),
 	}
 
@@ -716,7 +719,11 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 
 // Refreshes the existing access token
 func (tm *AgentManager) RefreshAccessToken() error {
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return err
+	}
+
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)

cli/packages/cmd/bootstrap.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/go-resty/resty/v2"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
@@ -70,8 +69,12 @@ var bootstrapCmd = &cobra.Command{
 			return
 		}
 
-		httpClient := resty.New().
-			SetHeader("Accept", "application/json")
+		httpClient, err := util.GetRestyClientWithCustomHeaders()
+		if err != nil {
+			log.Error().Msgf("Failed to get resty client with custom headers: %v", err)
+			return
+		}
+		httpClient.SetHeader("Accept", "application/json")
 
 		bootstrapResponse, err := api.CallBootstrapInstance(httpClient, api.BootstrapInstanceRequest{
 			Domain:       util.AppendAPIEndpoint(domain),

cli/packages/cmd/dynamic_secrets.go

@@ -14,7 +14,6 @@ import (
 	// "github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	// "github.com/Infisical/infisical-merge/packages/visualize"
-	"github.com/go-resty/resty/v2"
 	"github.com/posthog/posthog-go"
 	"github.com/spf13/cobra"
 
@@ -56,7 +55,10 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		util.HandleError(err, "Unable to get resty client with custom headers")
+	}
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -85,10 +87,16 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -164,7 +172,10 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		util.HandleError(err, "Unable to get resty client with custom headers")
+	}
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -193,10 +204,16 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -286,7 +303,10 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		util.HandleError(err, "Unable to get resty client with custom headers")
+	}
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -315,10 +335,16 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -384,7 +410,10 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		util.HandleError(err, "Unable to get resty client with custom headers")
+	}
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -413,10 +442,16 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -481,7 +516,10 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		util.HandleError(err, "Unable to get resty client with custom headers")
+	}
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -510,10 +548,16 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 

cli/packages/cmd/init.go

@@ -10,7 +10,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/go-resty/resty/v2"
 	"github.com/manifoldco/promptui"
 	"github.com/posthog/posthog-go"
 	"github.com/rs/zerolog/log"
@@ -50,7 +49,10 @@ var initCmd = &cobra.Command{
 			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
 		}
 
-		httpClient := resty.New()
+		httpClient, err := util.GetRestyClientWithCustomHeaders()
+		if err != nil {
+			util.HandleError(err, "Unable to get resty client with custom headers")
+		}
 		httpClient.SetAuthToken(userCreds.UserCredentials.JTWToken)
 
 		organizationResponse, err := api.CallGetAllOrganizations(httpClient)
@@ -81,7 +83,10 @@ var initCmd = &cobra.Command{
 			for i < 6 {
 				mfaVerifyCode := askForMFACode(tokenResponse.MfaMethod)
 
-				httpClient := resty.New()
+				httpClient, err := util.GetRestyClientWithCustomHeaders()
+				if err != nil {
+					util.HandleError(err, "Unable to get resty client with custom headers")
+				}
 				httpClient.SetAuthToken(tokenResponse.Token)
 				verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
 					Email:     userCreds.UserCredentials.Email,

cli/packages/cmd/login.go

@@ -27,7 +27,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/srp"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/fatih/color"
-	"github.com/go-resty/resty/v2"
 	"github.com/manifoldco/promptui"
 	"github.com/posthog/posthog-go"
 	"github.com/rs/cors"
@@ -178,10 +177,16 @@ var loginCmd = &cobra.Command{
 			return
 		}
 
+		customHeaders, err := util.GetInfisicalCustomHeadersMap()
+		if err != nil {
+			util.HandleError(err, "Unable to get custom headers")
+		}
+
 		infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 			SiteUrl:          config.INFISICAL_URL,
 			UserAgent:        api.USER_AGENT,
 			AutoTokenRefresh: false,
+			CustomHeaders:    customHeaders,
 		})
 
 		loginMethod, err := cmd.Flags().GetString("method")
@@ -359,7 +364,10 @@ func cliDefaultLogin(userCredentialsToBeStored *models.UserCredentials) {
 		for i < 6 {
 			mfaVerifyCode := askForMFACode("email")
 
-			httpClient := resty.New()
+			httpClient, err := util.GetRestyClientWithCustomHeaders()
+			if err != nil {
+				util.HandleError(err, "Unable to get resty client with custom headers")
+			}
 			httpClient.SetAuthToken(loginTwoResponse.Token)
 			verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
 				Email:    email,
@@ -726,7 +734,10 @@ func askForLoginCredentials() (email string, password string, err error) {
 
 func getFreshUserCredentials(email string, password string) (*api.GetLoginOneV2Response, *api.GetLoginTwoV2Response, error) {
 	log.Debug().Msg(fmt.Sprint("getFreshUserCredentials: ", "email", email, "password: ", password))
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, nil, err
+	}
 	httpClient.SetRetryCount(5)
 
 	params := srp.GetParams(4096)
@@ -776,7 +787,10 @@ func getFreshUserCredentials(email string, password string) (*api.GetLoginOneV2R
 func GetJwtTokenWithOrganizationId(oldJwtToken string, email string) string {
 	log.Debug().Msg(fmt.Sprint("GetJwtTokenWithOrganizationId: ", "oldJwtToken", oldJwtToken))
 
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		util.HandleError(err, "Unable to get resty client with custom headers")
+	}
 	httpClient.SetAuthToken(oldJwtToken)
 
 	organizationResponse, err := api.CallGetAllOrganizations(httpClient)
@@ -811,7 +825,10 @@ func GetJwtTokenWithOrganizationId(oldJwtToken string, email string) string {
 		for i < 6 {
 			mfaVerifyCode := askForMFACode(selectedOrgRes.MfaMethod)
 
-			httpClient := resty.New()
+			httpClient, err := util.GetRestyClientWithCustomHeaders()
+			if err != nil {
+				util.HandleError(err, "Unable to get resty client with custom headers")
+			}
 			httpClient.SetAuthToken(selectedOrgRes.Token)
 			verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
 				Email:     email,
@@ -913,7 +930,14 @@ func askToPasteJwtToken(success chan models.UserCredentials, failure chan error)
 	}
 
 	// verify JTW
-	httpClient := resty.New().
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		failure <- err
+		fmt.Println("Error getting resty client with custom headers", err)
+		os.Exit(1)
+	}
+
+	httpClient.
 		SetAuthToken(userCredentials.JTWToken).
 		SetHeader("Accept", "application/json")
 

cli/packages/cmd/secrets.go

@@ -14,7 +14,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/Infisical/infisical-merge/packages/visualize"
-	"github.com/go-resty/resty/v2"
 	"github.com/posthog/posthog-go"
 	"github.com/spf13/cobra"
 )
@@ -299,8 +298,12 @@ var secretsDeleteCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		httpClient := resty.New().
-			SetHeader("Accept", "application/json")
+		httpClient, err := util.GetRestyClientWithCustomHeaders()
+		if err != nil {
+			util.HandleError(err, "Unable to get resty client with custom headers")
+		}
+
+		httpClient.SetHeader("Accept", "application/json")
 
 		if projectId == "" {
 			workspaceFile, err := util.GetWorkSpaceFromFile()

cli/packages/cmd/ssh.go

@@ -315,10 +315,16 @@ func issueCredentials(cmd *cobra.Command, args []string) {
 		}
 	}
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -555,10 +561,16 @@ func signKey(cmd *cobra.Command, args []string) {
 		signedKeyPath = outFilePath
 	}
 
+	customHeaders, err := util.GetInfisicalCustomHeadersMap()
+	if err != nil {
+		util.HandleError(err, "Unable to get custom headers")
+	}
+
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
+		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 

cli/packages/cmd/tokens.go

@@ -13,7 +13,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/crypto"
 	"github.com/Infisical/infisical-merge/packages/util"
-	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )
 
@@ -136,7 +135,11 @@ var tokensCreateCmd = &cobra.Command{
 		}
 
 		// make a call to the api to save the encrypted symmetric key details
-		httpClient := resty.New()
+		httpClient, err := util.GetRestyClientWithCustomHeaders()
+		if err != nil {
+			util.HandleError(err, "Unable to get resty client with custom headers")
+		}
+
 		httpClient.SetAuthToken(loggedInUserDetails.UserCredentials.JTWToken).
 			SetHeader("Accept", "application/json")
 

cli/packages/gateway/gateway.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/systemd"
+	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/go-resty/resty/v2"
 	"github.com/pion/dtls/v3"
 	"github.com/pion/logging"
@@ -40,7 +41,11 @@ type Gateway struct {
 }
 
 func NewGateway(identityToken string) (Gateway, error) {
-	httpClient := resty.New()
+	httpClient, err := util.GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return Gateway{}, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
+	}
+
 	httpClient.SetAuthToken(identityToken)
 
 	return Gateway{

cli/packages/util/common.go

@@ -4,8 +4,11 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
+	"unicode"
 
 	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/go-resty/resty/v2"
 )
 
 func GetHomeDir() (string, error) {
@@ -27,3 +30,88 @@ func ValidateInfisicalAPIConnection() (ok bool) {
 	_, err := http.Get(fmt.Sprintf("%v/status", config.INFISICAL_URL))
 	return err == nil
 }
+
+func GetRestyClientWithCustomHeaders() (*resty.Client, error) {
+	httpClient := resty.New()
+	customHeaders := os.Getenv("INFISICAL_CUSTOM_HEADERS")
+	if customHeaders != "" {
+		headers, err := GetInfisicalCustomHeadersMap()
+		if err != nil {
+			return nil, err
+		}
+
+		httpClient.SetHeaders(headers)
+	}
+	return httpClient, nil
+}
+
+func GetInfisicalCustomHeadersMap() (map[string]string, error) {
+	customHeaders := os.Getenv("INFISICAL_CUSTOM_HEADERS")
+	if customHeaders == "" {
+		return nil, nil
+	}
+
+	headers := map[string]string{}
+
+	pos := 0
+	for pos < len(customHeaders) {
+		for pos < len(customHeaders) && unicode.IsSpace(rune(customHeaders[pos])) {
+			pos++
+		}
+
+		if pos >= len(customHeaders) {
+			break
+		}
+
+		keyStart := pos
+		for pos < len(customHeaders) && customHeaders[pos] != '=' && !unicode.IsSpace(rune(customHeaders[pos])) {
+			pos++
+		}
+
+		if pos >= len(customHeaders) || customHeaders[pos] != '=' {
+			return nil, fmt.Errorf("invalid custom header format. Expected \"headerKey1=value1 headerKey2=value2 ....\" but got %v", customHeaders)
+		}
+
+		key := customHeaders[keyStart:pos]
+		pos++
+
+		for pos < len(customHeaders) && unicode.IsSpace(rune(customHeaders[pos])) {
+			pos++
+		}
+
+		var value string
+
+		if pos < len(customHeaders) {
+			if customHeaders[pos] == '"' || customHeaders[pos] == '\'' {
+				quoteChar := customHeaders[pos]
+				pos++
+				valueStart := pos
+
+				for pos < len(customHeaders) &&
+					(customHeaders[pos] != quoteChar ||
+						(pos > 0 && customHeaders[pos-1] == '\\')) {
+					pos++
+				}
+
+				if pos < len(customHeaders) {
+					value = customHeaders[valueStart:pos]
+					pos++
+				} else {
+					value = customHeaders[valueStart:]
+				}
+			} else {
+				valueStart := pos
+				for pos < len(customHeaders) && !unicode.IsSpace(rune(customHeaders[pos])) {
+					pos++
+				}
+				value = customHeaders[valueStart:pos]
+			}
+		}
+
+		if key != "" && !strings.EqualFold(key, "User-Agent") && !strings.EqualFold(key, "Accept") {
+			headers[key] = value
+		}
+	}
+
+	return headers, nil
+}

cli/packages/util/credentials.go

@@ -9,7 +9,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/Infisical/infisical-merge/packages/models"
-	"github.com/go-resty/resty/v2"
 	"github.com/zalando/go-keyring"
 )
 
@@ -85,7 +84,12 @@ func GetCurrentLoggedInUserDetails(setConfigVariables bool) (LoggedInUserDetails
 		}
 
 		// check to to see if the JWT is still valid
-		httpClient := resty.New().
+		httpClient, err := GetRestyClientWithCustomHeaders()
+		if err != nil {
+			return LoggedInUserDetails{}, fmt.Errorf("getCurrentLoggedInUserDetails: unable to get client with custom headers [err=%s]", err)
+		}
+
+		httpClient.
 			SetAuthToken(userCreds.JTWToken).
 			SetHeader("Accept", "application/json")
 

cli/packages/util/folders.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
-	"github.com/go-resty/resty/v2"
 	"github.com/rs/zerolog/log"
 )
 
@@ -65,7 +64,11 @@ func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder
 
 func GetFoldersViaJTW(JTWToken string, workspaceId string, environmentName string, foldersPath string) ([]models.SingleFolder, error) {
 	// set up resty client
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, err
+	}
+
 	httpClient.SetAuthToken(JTWToken).
 		SetHeader("Accept", "application/json")
 
@@ -100,7 +103,10 @@ func GetFoldersViaServiceToken(fullServiceToken string, workspaceId string, envi
 
 	serviceToken := fmt.Sprintf("%v.%v.%v", serviceTokenParts[0], serviceTokenParts[1], serviceTokenParts[2])
 
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
+	}
 
 	httpClient.SetAuthToken(serviceToken).
 		SetHeader("Accept", "application/json")
@@ -143,7 +149,11 @@ func GetFoldersViaServiceToken(fullServiceToken string, workspaceId string, envi
 }
 
 func GetFoldersViaMachineIdentity(accessToken string, workspaceId string, envSlug string, foldersPath string) ([]models.SingleFolder, error) {
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, err
+	}
+
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -191,9 +201,12 @@ func CreateFolder(params models.CreateFolderParameters) (models.SingleFolder, er
 	}
 
 	// set up resty client
-	httpClient := resty.New()
-	httpClient.
-		SetAuthToken(params.InfisicalToken).
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return models.SingleFolder{}, err
+	}
+
+	httpClient.SetAuthToken(params.InfisicalToken).
 		SetHeader("Accept", "application/json").
 		SetHeader("Content-Type", "application/json")
 
@@ -238,9 +251,12 @@ func DeleteFolder(params models.DeleteFolderParameters) ([]models.SingleFolder,
 	}
 
 	// set up resty client
-	httpClient := resty.New()
-	httpClient.
-		SetAuthToken(params.InfisicalToken).
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, err
+	}
+
+	httpClient.SetAuthToken(params.InfisicalToken).
 		SetHeader("Accept", "application/json").
 		SetHeader("Content-Type", "application/json")
 

cli/packages/util/helper.go

@@ -16,7 +16,6 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
-	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )
 
@@ -120,7 +119,11 @@ func GetInfisicalToken(cmd *cobra.Command) (token *models.TokenDetails, err erro
 }
 
 func UniversalAuthLogin(clientId string, clientSecret string) (api.UniversalAuthLoginResponse, error) {
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return api.UniversalAuthLoginResponse{}, err
+	}
+
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)
@@ -135,7 +138,11 @@ func UniversalAuthLogin(clientId string, clientSecret string) (api.UniversalAuth
 
 func RenewMachineIdentityAccessToken(accessToken string) (string, error) {
 
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return "", err
+	}
+
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)

cli/packages/util/secrets.go

@@ -14,7 +14,6 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/crypto"
 	"github.com/Infisical/infisical-merge/packages/models"
-	"github.com/go-resty/resty/v2"
 	"github.com/rs/zerolog/log"
 	"github.com/zalando/go-keyring"
 	"gopkg.in/yaml.v3"
@@ -28,7 +27,10 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 
 	serviceToken := fmt.Sprintf("%v.%v.%v", serviceTokenParts[0], serviceTokenParts[1], serviceTokenParts[2])
 
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
+	}
 
 	httpClient.SetAuthToken(serviceToken).
 		SetHeader("Accept", "application/json")
@@ -79,7 +81,11 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 }
 
 func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentName string, secretsPath string, includeImports bool, recursive bool, tagSlugs string, expandSecretReferences bool) (models.PlaintextSecretResult, error) {
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return models.PlaintextSecretResult{}, err
+	}
+
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -122,7 +128,11 @@ func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentNa
 }
 
 func GetSinglePlainTextSecretByNameV3(accessToken string, workspaceId string, environmentName string, secretsPath string, secretName string) (models.SingleEnvironmentVariable, string, error) {
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return models.SingleEnvironmentVariable{}, "", err
+	}
+
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -153,7 +163,11 @@ func GetSinglePlainTextSecretByNameV3(accessToken string, workspaceId string, en
 }
 
 func CreateDynamicSecretLease(accessToken string, projectSlug string, environmentName string, secretsPath string, slug string, ttl string) (models.DynamicSecretLease, error) {
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return models.DynamicSecretLease{}, err
+	}
+
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -525,7 +539,11 @@ func GetEnvelopmentBasedOnGitBranch(workspaceFile models.WorkspaceConfigFile) st
 }
 
 func GetPlainTextWorkspaceKey(authenticationToken string, receiverPrivateKey string, workspaceId string) ([]byte, error) {
-	httpClient := resty.New()
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, fmt.Errorf("GetPlainTextWorkspaceKey: unable to get client with custom headers [err=%v]", err)
+	}
+
 	httpClient.SetAuthToken(authenticationToken).
 		SetHeader("Accept", "application/json")
 
@@ -672,9 +690,12 @@ func SetRawSecrets(secretArgs []string, secretType string, environmentName strin
 		getAllEnvironmentVariablesRequest.InfisicalToken = tokenDetails.Token
 	}
 
-	httpClient := resty.New().
-		SetAuthToken(tokenDetails.Token).
-		SetHeader("Accept", "application/json")
+	httpClient, err := GetRestyClientWithCustomHeaders()
+	if err != nil {
+		return nil, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
+	}
+	httpClient.SetAuthToken(tokenDetails.Token)
+	httpClient.SetHeader("Accept", "application/json")
 
 	// pull current secrets
 	secrets, err := GetAllEnvironmentVariables(getAllEnvironmentVariablesRequest, "")

docker-compose.dev.yml

@@ -132,6 +132,8 @@ services:
   pgadmin:
     image: dpage/pgadmin4
     restart: always
+    volumes:
+      - ./servers.json:/pgadmin4/servers.json
     environment:
       PGADMIN_DEFAULT_EMAIL: admin@example.com
       PGADMIN_DEFAULT_PASSWORD: pass

docs/cli/faq.mdx

@@ -33,3 +33,28 @@ Yes. This is simply a configuration file and contains no sensitive data.
     https://app.infisical.com/project/<your_project_id>/settings
   ```
 </Accordion>
+
+<Accordion title="How do I use custom headers with the Infisical CLI?">
+  
+  The Infisical CLI supports custom HTTP headers for requests to servers that require additional authentication. Set these headers using the `INFISICAL_CUSTOM_HEADERS` environment variable:
+  
+  ```bash
+  export INFISICAL_CUSTOM_HEADERS="Access-Client-Id=your-client-id Access-Client-Secret=your-client-secret"
+  ```
+  
+  After setting this environment variable, run your Infisical commands as usual.
+</Accordion>
+
+<Accordion title="Why would I need to use custom headers?">
+  
+  Custom headers are necessary when your Infisical server is protected by services like Cloudflare Access or other reverse proxies that require specific authentication headers. Without this feature, you would need to implement security workarounds that might compromise your security posture.
+</Accordion>
+
+<Accordion title="What format should I use for the custom headers?">
+  
+  Custom headers should be specified in the format `headername1=headervalue1 headername2=headervalue2`, with spaces separating each header-value pair. For example:
+  
+  ```bash
+  export INFISICAL_CUSTOM_HEADERS="Header1=value1 Header2=value2 Header3=value3"
+  ```
+</Accordion>

docs/cli/usage.mdx

@@ -120,6 +120,22 @@ The CLI is designed for a variety of secret management applications ranging from
   </Tab>
 </Tabs>
 
+<Tip>
+  ## Custom Request Headers
+
+  The Infisical CLI supports custom HTTP headers for requests to servers protected by authentication services such as Cloudflare Access. Configure these headers using the `INFISICAL_CUSTOM_HEADERS` environment variable:
+
+  ```bash
+  # Syntax: headername1=headervalue1 headername2=headervalue2
+  export INFISICAL_CUSTOM_HEADERS="Access-Client-Id=your-client-id Access-Client-Secret=your-client-secret"
+
+  # Execute Infisical commands after setting the environment variable
+  infisical secrets ls
+  ```
+
+  This functionality enables secure interaction with Infisical instances that require specific authentication headers.
+</Tip>
+
 ## History
 
 Your terminal keeps a history with the commands you run. When you create Infisical secrets directly from your terminal, they'll stay there for a while.

docs/documentation/platform/access-controls/project-access-requests.mdx

@@ -0,0 +1,36 @@
+---
+title: "Project Access Requests"
+description: "Learn how to request access to projects in Infisical."
+---
+
+The Project Access Request feature allows users to view all projects within organization, including those they don't currently have access to.
+Users can request access to these projects by submitting a request that automatically notifies project administrators via email, along with any comments provided by the user.
+
+# Viewing Available Projects
+
+From the Infisical dashboard, users can view all projects within the organization:
+
+1.  Navigate to the main dashboard after logging in
+2.  The overview page for each product displays two tabs:
+
+        		- **My Projects**: Projects you currently have access to
+        		- **All Projects**: Complete list of projects in the organization
+
+![all-project-view](/images/platform/project-access-requests/all-project-view.png)
+
+# Requesting Access to a Project
+
+To request access to a project you don't currently have access for:
+
+1. Click the **Request Access** button next to the project name
+   ![all-project-view](/images/platform/project-access-requests/request-access.png)
+
+2. Add a comment explaining why you need access
+   ![all-project-view](/images/platform/project-access-requests/access-comment.png)
+
+3. Click **Submit Request**
+
+<Info>
+  Project administrators will receive email notification with details regarding
+  the access request.
+</Info>

docs/documentation/platform/admin-panel/org-admin-console.mdx

@@ -4,13 +4,13 @@ description: "View and manage resources across your organization"
 ---
 
 <Note>
-    The Organization Admin Console can only be accessed by organization members with admin status.
+  The Organization Admin Console can only be accessed by organization members
+  with admin status.
 </Note>
 
-
 ## Accessing the Organization Admin Console
 
-On the sidebar, tap on your initials to access the settings dropdown and press the **Organization Admin Console** option.
+On the sidebar, hover over **Admin** to access the settings dropdown and press the **Organization Admin Console** option.
 
 ![Access Organization Admin Console](/images/platform/admin-panels/access-org-admin-console.png)
 
@@ -20,12 +20,9 @@ The Projects tab lists all the projects within your organization, including thos
 
 ![Projects Section](/images/platform/admin-panels/org-admin-console-projects.png)
 
-
 ### Accessing a Project in Your Organization
 
 You can access a project that you are not a member of by tapping on the options menu of the project row and pressing the **Access** button.
 Doing so will grant you admin permissions for the selected project and add you as a member.
 
 ![Access project](/images/platform/admin-panels/org-admin-console-access.png)
-
-

docs/documentation/platform/admin-panel/server-admin.mdx

@@ -13,7 +13,7 @@ customize settings and manage users for their entire Infisical instance.
 
 ## Accessing the Server Admin Console
 
-On the sidebar, tap on your initials to access the settings dropdown and press the **Server Admin Console** option.
+On the sidebar, hover over **Admin** to access the settings dropdown and press the **Server Admin Console** option.
 
 ![Access Server Admin Console](/images/platform/admin-panels/access-server-admin-panel.png)
 
@@ -40,7 +40,7 @@ If you're using SAML/LDAP/OIDC for only one organization on your instance, you c
 
 By default, users signing up through SAML/LDAP/OIDC will still need to verify their email address to prevent email spoofing. This requirement can be skipped by enabling the switch to trust logins through the respective method.
 
-### Notices
+### Broadcast Messages
 
 Auth consent content is displayed to users on the login page. They can be used to display important information to users, such as a maintenance message or a new feature announcement. Both HTML and Markdown formatting are supported, allowing for customized styling like below:
 

docs/documentation/platform/project.mdx

@@ -3,19 +3,21 @@ title: "Projects"
 description: "Learn more and understand the concept of Infisical projects."
 ---
 
-A project in Infisical belongs to an [organization](./organization) and contains a number of environments, folders, and secrets. 
-Only users and machine identities who belong to a project can access resources inside of it according to predefined permissions. 
+A project in Infisical belongs to an [organization](./organization) and contains a number of environments, folders, and secrets.
+Only users and machine identities who belong to a project can access resources inside of it according to predefined permissions.
+
+Infisical also allows users to request project access. Refer to the [project access request section](./access-controls/project-access-requests)
 
 ## Project environments
 
-For both visual and organizational structure, Infisical allows splitting up secrets into environments (e.g., development, staging, production). In project settings, such environments can be 
-customized depending on the intended use case. 
+For both visual and organizational structure, Infisical allows splitting up secrets into environments (e.g., development, staging, production). In project settings, such environments can be
+customized depending on the intended use case.
 
 ![project secrets overview](../../images/platform/project/project-environments.png)
 
 ## Secrets Overview
 
-The **Secrets Overview** page captures a birds-eye-view of secrets and [folders](./folder) across environments. 
+The **Secrets Overview** page captures a birds-eye-view of secrets and [folders](./folder) across environments.
 This is useful for comparing secrets, identifying if anything is missing, and making quick changes.
 
 ![project secrets overview](../../images/platform/project/project-secrets-overview-open.png)
@@ -98,7 +100,7 @@ Then:
 - If users B and C fetch the secret D back, they both get the value E.
 
 <Info>
-    Please keep in mind that secret reminders won't work with personal overrides.
+  Please keep in mind that secret reminders won't work with personal overrides.
 </Info>
 
 ![project override secret](../../images/platform/project/project-secrets-override.png)
@@ -112,4 +114,3 @@ To view the full details of each secret, you can hover over it and press on the
 This opens up a side-drawer:
 
 ![project secrets drawer](../../images/platform/project/project-secrets-drawer.png)
-

docs/documentation/platform/secret-reference.mdx

@@ -11,10 +11,11 @@ This means that updating the value of a base secret propagates directly to other
 
 ![secret referencing](../../images/platform/secret-references-imports/secret-reference.png)
 
-Since secret referencing works by reconstructing values back on the client side, the client, be it a user, service token, or a machine identity, fetching back secrets 
-must be permissioned access to all base and dependent secrets.
+Since secret referencing reconstructs values on the client side, any client (user, service token, or machine identity) fetching secrets must have proper permissions to access all base and dependent secrets. Without sufficient permissions, secret references will not resolve to their appropriate values.
 
-For example, to access some secret `A` whose values depend on secrets `B` and `C` from different scopes, a client must have `read` access to the scopes of secrets `A`, `B`, and `C`.
+For example, if secret A references values from secrets B and C located in different scopes, the client must have read access to all three scopes containing secrets A, B, and C. If permission to any referenced secret is missing, the reference will remain unresolved, potentially causing application errors or unexpected behavior.
+
+This is an important security consideration when planning your secret access strategy, especially when working with cross-environment or cross-folder references.
 
 ### Syntax
 
@@ -28,11 +29,11 @@ Then consider the following scenarios:
 
 Here are a few more helpful examples for how to reference secrets in different contexts:
 
-| Reference syntax                | Environment | Folder       | Secret Key |
-| --------------------- | ----------- | ------------ | ---------- |
-| `${KEY1}`               | same env    | same folder | KEY1       |
-| `${dev.KEY2}`           | `dev`         | `/` (root of dev environment)            | KEY2       |
-| `${prod.frontend.KEY2}` | `prod`        | `/frontend`    | KEY2       |
+| Reference syntax        | Environment | Folder                        | Secret Key |
+| ----------------------- | ----------- | ----------------------------- | ---------- |
+| `${KEY1}`               | same env    | same folder                   | KEY1       |
+| `${dev.KEY2}`           | `dev`       | `/` (root of dev environment) | KEY2       |
+| `${prod.frontend.KEY2}` | `prod`      | `/frontend`                   | KEY2       |
 
 ## Secret Imports
 
@@ -59,4 +60,12 @@ To reorder a secret import, hover over it and drag the arrows handle to the posi
 
 ![reorder secret import](../../images/platform/secret-references-imports/secret-import-reorder.png)
 
-<iframe width="560" height="315" src="https://www.youtube.com/embed/o11bMU0pXRs?si=dCprt3xLWPrSOJxy" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
+<iframe
+  width="560"
+  height="315"
+  src="https://www.youtube.com/embed/o11bMU0pXRs?si=dCprt3xLWPrSOJxy"
+  title="YouTube video player"
+  frameborder="0"
+  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
+  allowfullscreen
+></iframe>

docs/integrations/platforms/kubernetes/infisical-push-secret-crd.mdx

@@ -401,6 +401,59 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
 </Accordion>
 
 
+## Using templating to push secrets
+
+Pushing secrets to Infisical from the operator may not always be enough.
+Templating is a useful utility of the Infisical secrets operator that allows you to use Go Templating to template the secrets you want to push to Infisical.
+Using Go templates, you can format, combine, and create new key-value pairs of secrets that you want to push to Infisical.
+
+<Accordion title="push.secret.template"/>
+<Accordion title="push.secret.template.includeAllSecrets">
+  This property controls what secrets are included in your push to Infisica.
+  When set to `true`, all secrets included in the `push.secret.secretName` Kubernetes secret will be pushed to Infisical.
+  **Use this option when you would like to push all secrets to Infisical from the secrets operator, but want to template a subset of them.**
+
+  When set to `false`, only secrets defined in the `push.secret.template.data` field of the template will be pushed to Infisical.
+  Use this option when you would like to push **only** a subset of secrets from the Kubernetes secret to Infisical.
+</Accordion>
+<Accordion title="push.secret.template.data">
+  Define secret keys and their corresponding templates. 
+  Each data value uses a Golang template with access to all secrets defined in the `push.secret.secretName` Kubernetes secret.
+
+  Secrets are structured as follows:
+
+  ```go
+  type TemplateSecret struct {
+      Value      string `json:"value"`
+      SecretPath string `json:"secretPath"`
+  }
+  ```
+
+  #### Example template configuration:
+
+  ```yaml
+  # This example assumes that the `push-secret-demo` Kubernetes secret contains the following secrets:
+  # SITE_URL = "https://example.com"
+  # REGION = "us-east-1"
+  # OTHER_SECRET = "other-secret"
+
+  push:
+    secret:
+      secretName: push-secret-demo
+      secretNamespace: default
+      template:
+        includeAllSecrets: true # Includes all secrets from the `push-secret-demo` Kubernetes secret
+        data:
+          SITE_URL: "{{ .SITE_URL.Value }}"
+          API_URL: "https://api.{{.SITE_URL.Value}}.{{.REGION.Value}}.com" # Will create a new secret in Infisical with the key `API_URL` with the value of the `SITE_URL` and `REGION` secrets
+  ```
+
+  To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
+
+  ### Available templating functions
+  Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
+</Accordion>
+
 ## Applying the InfisicalPushSecret CRD to your cluster
 
 Once you have configured the `InfisicalPushSecret` CRD with the required fields, you can apply it to your cluster.

docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx

@@ -654,30 +654,7 @@ To help transform your secrets further, the operator provides a set of built-in
 
 ### Available templating functions
 
-<Accordion title="decodeBase64ToBytes">
-  **Function name**: decodeBase64ToBytes
-
-**Description**:
-Given a base64 encoded string, this function will decodes the base64-encoded string.
-This function is useful when your secrets are already stored as base64 encoded value in Infisical.
-
-**Returns**: The decoded base64 string as bytes.
-
-**Example**:
-The example below assumes that the `BINARY_KEY_BASE64` secret is stored as a base64 encoded value in Infisical.
-The resulting managed secret will contain the decoded value of `BINARY_KEY_BASE64`.
-
-```yaml
-managedKubeSecretReferences:
-secretName: managed-secret
-secretNamespace: default
-template:
-  includeAllSecrets: true
-  data:
-    BINARY_KEY: "{{ decodeBase64ToBytes .BINARY_KEY_BASE64.Value }}"
-```
-
-</Accordion>
+Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
 
 </Accordion>
 
@@ -783,31 +760,8 @@ Using Go templates, you can format, combine, and create new key-value pairs from
   To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
 
   ### Available templating functions
-
-  <Accordion title="decodeBase64ToBytes">
-    **Function name**: decodeBase64ToBytes
-
-    **Description**:
-    Given a base64 encoded string, this function will decodes the base64-encoded string.
-    This function is useful when your Infisical secrets are already stored as base64 encoded value in Infisical.
-
-    **Returns**: The decoded base64 string as bytes.
-
-    **Example**:
-    The example below assumes that the `BINARY_KEY_BASE64` secret is stored as a base64 encoded value in Infisical.
-    The resulting managed config map will contain the decoded value of `BINARY_KEY_BASE64`.
-
-    ```yaml
-      managedKubeConfigMapReferences:
-        - configMapName: managed-configmap
-          configMapNamespace: default
-          template:
-            includeAllSecrets: true
-          data:
-            BINARY_KEY: "{{ decodeBase64ToBytes .BINARY_KEY_BASE64.Value }}"
-    ```
-
-  </Accordion>
+  
+  Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
 </Accordion>
 
 ## Applying CRD
@@ -854,39 +808,39 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
 <Accordion title="envFrom">
   This will take all the secrets from your managed secret and expose them to your container
 
-````yaml
-  envFrom:
-    - secretRef:
-        name: managed-secret # managed secret name
-  ```
+  ````yaml
+    envFrom:
+      - secretRef:
+          name: managed-secret # managed secret name
+    ```
 
-  Example usage in a deployment
-  ```yaml
-  apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+    Example usage in a deployment
+    ```yaml
+    apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:1.14.2
-        envFrom:
-        - secretRef:
-            name: managed-secret # <- name of managed secret
-        ports:
-        - containerPort: 80
-````
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+        - name: nginx
+          image: nginx:1.14.2
+          envFrom:
+          - secretRef:
+              name: managed-secret # <- name of managed secret
+          ports:
+          - containerPort: 80
+  ````
 
 </Accordion>
 
@@ -902,91 +856,90 @@ spec:
           key: SOME_SECRET_KEY # The name of the key which exists in the managed secret
   ```
 
-Example usage in a deployment
+  Example usage in a deployment
 
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+  ```yaml
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:1.14.2
-          env:
-            - name: STRIPE_API_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: managed-secret # <- name of managed secret
-                  key: STRIPE_API_SECRET
-          ports:
-            - containerPort: 80
-```
-
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+          - name: nginx
+            image: nginx:1.14.2
+            env:
+              - name: STRIPE_API_SECRET
+                valueFrom:
+                  secretKeyRef:
+                    name: managed-secret # <- name of managed secret
+                    key: STRIPE_API_SECRET
+            ports:
+              - containerPort: 80
+  ```
 </Accordion>
 
 <Accordion title="volumes">
-This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
-```yaml
-volumes:
-  - name: secrets-volume-name # The name of the volume under which secrets will be stored
-    secret:
-      secretName: managed-secret # managed secret name
-````
+  This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
+  ```yaml
+  volumes:
+    - name: secrets-volume-name # The name of the volume under which secrets will be stored
+      secret:
+        secretName: managed-secret # managed secret name
+  ````
 
-You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
+  You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
 
-```yaml
-volumeMounts:
-  - name: secrets-volume-name
-    mountPath: /etc/secrets
-    readOnly: true
-```
+  ```yaml
+  volumeMounts:
+    - name: secrets-volume-name
+      mountPath: /etc/secrets
+      readOnly: true
+  ```
 
-Example usage in a deployment
+  Example usage in a deployment
 
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+  ```yaml
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:1.14.2
-          volumeMounts:
-            - name: secrets-volume-name
-              mountPath: /etc/secrets
-              readOnly: true
-          ports:
-            - containerPort: 80
-      volumes:
-        - name: secrets-volume-name
-          secret:
-            secretName: managed-secret # <- managed secrets
-```
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+          - name: nginx
+            image: nginx:1.14.2
+            volumeMounts:
+              - name: secrets-volume-name
+                mountPath: /etc/secrets
+                readOnly: true
+            ports:
+              - containerPort: 80
+        volumes:
+          - name: secrets-volume-name
+            secret:
+              secretName: managed-secret # <- managed secrets
+  ```
 
 </Accordion>
 
@@ -1021,34 +974,34 @@ secrets.infisical.com/auto-reload: "true"
 ```
 
 <Accordion title="Deployment example with auto redeploy enabled">
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-  annotations: 
-    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+  ```yaml
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+    annotations: 
+      secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:1.14.2
-        envFrom:
-        - secretRef:
-            name: managed-secret
-        ports:
-        - containerPort: 80
-```
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+        - name: nginx
+          image: nginx:1.14.2
+          envFrom:
+          - secretRef:
+              name: managed-secret
+          ports:
+          - containerPort: 80
+  ```
 </Accordion>
 <Info>
   #### How it works 
@@ -1069,39 +1022,39 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
 <Accordion title="envFrom">
   This will take all the secrets from your managed ConfigMap and expose them to your container
 
-````yaml
-  envFrom:
-    - configMapRef:
-        name: managed-configmap # managed configmap name
-  ```
+  ````yaml
+    envFrom:
+      - configMapRef:
+          name: managed-configmap # managed configmap name
+    ```
 
-  Example usage in a deployment
-  ```yaml
-  apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+    Example usage in a deployment
+    ```yaml
+    apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx:1.14.2
-        envFrom:
-        - configMapRef:
-            name: managed-configmap # <- name of managed configmap
-        ports:
-        - containerPort: 80
-````
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+        - name: nginx
+          image: nginx:1.14.2
+          envFrom:
+          - configMapRef:
+              name: managed-configmap # <- name of managed configmap
+          ports:
+          - containerPort: 80
+  ````
 
 </Accordion>
 
@@ -1117,92 +1070,91 @@ spec:
           key: SOME_CONFIG_KEY # The name of the key which exists in the managed configmap
   ```
 
-Example usage in a deployment
+  Example usage in a deployment
 
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+  ```yaml
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:1.14.2
-          env:
-            - name: STRIPE_API_SECRET
-              valueFrom:
-                configMapKeyRef:
-                  name: managed-configmap # <- name of managed configmap
-                  key: STRIPE_API_SECRET
-          ports:
-            - containerPort: 80
-```
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+          - name: nginx
+            image: nginx:1.14.2
+            env:
+              - name: STRIPE_API_SECRET
+                valueFrom:
+                  configMapKeyRef:
+                    name: managed-configmap # <- name of managed configmap
+                    key: STRIPE_API_SECRET
+            ports:
+              - containerPort: 80
+  ```
 
 </Accordion>
 
 <Accordion title="volumes">
-This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
-```yaml
-volumes:
-  - name: configmaps-volume-name # The name of the volume under which configmaps will be stored
-    configMap:
-      name: managed-configmap # managed configmap name
-````
+  This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
+  ```yaml
+  volumes:
+    - name: configmaps-volume-name # The name of the volume under which configmaps will be stored
+      configMap:
+        name: managed-configmap # managed configmap name
+  ````
 
-You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
+  You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
 
-```yaml
-volumeMounts:
-  - name: configmaps-volume-name
-    mountPath: /etc/config
-    readOnly: true
-```
+  ```yaml
+  volumeMounts:
+    - name: configmaps-volume-name
+      mountPath: /etc/config
+      readOnly: true
+  ```
 
-Example usage in a deployment
+  Example usage in a deployment
 
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx-deployment
-  labels:
-    app: nginx
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
+  ```yaml
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: nginx-deployment
+    labels:
       app: nginx
-  template:
-    metadata:
-      labels:
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
         app: nginx
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:1.14.2
-          volumeMounts:
-            - name: configmaps-volume-name
-              mountPath: /etc/config
-              readOnly: true
-          ports:
-            - containerPort: 80
-      volumes:
-        - name: configmaps-volume-name
-          configMap:
-            name: managed-configmap # <- managed configmap
-```
-
+    template:
+      metadata:
+        labels:
+          app: nginx
+      spec:
+        containers:
+          - name: nginx
+            image: nginx:1.14.2
+            volumeMounts:
+              - name: configmaps-volume-name
+                mountPath: /etc/config
+                readOnly: true
+            ports:
+              - containerPort: 80
+        volumes:
+          - name: configmaps-volume-name
+            configMap:
+              name: managed-configmap # <- managed configmap
+  ```
 </Accordion>
 
 The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
@@ -1228,37 +1180,37 @@ The operator will transfer all labels & annotations present on the `InfisicalSec
 Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
 
 <Accordion title="Example propagation">
-```yaml
-apiVersion: secrets.infisical.com/v1alpha1
-kind: InfisicalSecret
-metadata:
-  name: infisicalsecret-sample
-  labels:
-    label-to-be-passed-to-managed-secret: sample-value
-  annotations:
-    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
-spec:
-  ..
-  authentication:
-    ...
-  managedKubeSecretReferences:
-    ...
-```
+  ```yaml
+  apiVersion: secrets.infisical.com/v1alpha1
+  kind: InfisicalSecret
+  metadata:
+    name: infisicalsecret-sample
+    labels:
+      label-to-be-passed-to-managed-secret: sample-value
+    annotations:
+      example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+  spec:
+    ..
+    authentication:
+      ...
+    managedKubeSecretReferences:
+      ...
+  ```
 
-This would result in the following managed secret to be created:
+  This would result in the following managed secret to be created:
 
-```yaml
-apiVersion: v1
-data: ...
-kind: Secret
-metadata:
-  annotations:
-    example.com/annotation-to-be-passed-to-managed-secret: sample-value
-    secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
-  labels:
-    label-to-be-passed-to-managed-secret: sample-value
-  name: managed-token
-  namespace: default
-type: Opaque
-```
+  ```yaml
+  apiVersion: v1
+  data: ...
+  kind: Secret
+  metadata:
+    annotations:
+      example.com/annotation-to-be-passed-to-managed-secret: sample-value
+      secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
+    labels:
+      label-to-be-passed-to-managed-secret: sample-value
+    name: managed-token
+    namespace: default
+  type: Opaque
+  ```
 </Accordion>

docs/integrations/platforms/kubernetes/overview.mdx

@@ -114,6 +114,48 @@ spec:
 ```
 
 
+## Advanced Templating
+
+With the Infisical Secrets Operator, you can use templating to dynamically generate secrets in Kubernetes. The templating is built on top of [Go templates](https://pkg.go.dev/text/template), which is a powerful and flexible template engine built into Go.
+
+Please be aware that trying to reference non-existing keys will result in an error. Additionally, each template field is processed individually, which means one template field cannot reference another template field.
+
+<Note>
+  Please note that templating is currently only supported for the `InfisicalPushSecret` and `InfisicalSecret` CRDs.
+</Note>
+
+### Available helper functions
+
+The Infisical Secrets Operator exposes a wide range of helper functions to make it easier to work with secrets in Kubernetes.
+
+| Function | Description | Signature |
+| -------- | ----------- | --------- |
+| `decodeBase64ToBytes` | Given a base64 encoded string, this function will decode the base64-encoded string. | `decodeBase64ToBytes(encodedString string) string` |
+| `encodeBase64` | Given a string, this function will encode the string to a base64 encoded string. | `encodeBase64(plainString string) string` |
+| `pkcs12key`| Extracts all private keys from a PKCS#12 archive and encodes them in PKCS#8 PEM format. | `pkcs12key(input string) string` |
+| `pkcs12keyPass`|Same as pkcs12key. Uses the provided password to decrypt the PKCS#12 archive. | `pkcs12keyPass(pass string, input string) string` |
+| `pkcs12cert`      | Extracts all certificates from a PKCS#12 archive and orders them if possible. If disjunct or multiple leaf certs are provided they are returned as-is. Sort order: `leaf / intermediate(s) / root`. | `pkcs12cert(input string) string` |
+| `pkcs12certPass`  | Same as `pkcs12cert`. Uses the provided password to decrypt the PKCS#12 archive. | `pkcs12certPass(pass string, input string) string` |
+| `pemToPkcs12`     | Takes a PEM encoded certificate and key and creates a base64 encoded PKCS#12 archive. | `pemToPkcs12(cert string, key string) string` |
+| `pemToPkcs12Pass` | Same as `pemToPkcs12`. Uses the provided password to encrypt the PKCS#12 archive. | `pemToPkcs12Pass(cert string, key string, pass string) string` |
+| `fullPemToPkcs12` | Takes a PEM encoded certificates chain and key and creates a base64 encoded PKCS#12 archive. | `fullPemToPkcs12(cert string, key string) string` |
+| `fullPemToPkcs12Pass`   | Same as `fullPemToPkcs12`. Uses the provided password to encrypt the PKCS#12 archive. | `fullPemToPkcs12Pass(cert string, key string, pass string) string` |
+| `filterPEM`       | Filters PEM blocks with a specific type from a list of PEM blocks.. | `filterPEM(pemType string, input string) string` |
+| `filterCertChain`   | Filters PEM block(s) with a specific certificate type (`leaf`, `intermediate` or `root`) from a certificate chain of PEM blocks (PEM blocks with type `CERTIFICATE`). | `filterCertChain(certType string, input string) string` |
+| `jwkPublicKeyPem`   | Takes an json-serialized JWK and returns an PEM block of type `PUBLIC KEY` that contains the public key. [See here](https://golang.org/pkg/crypto/x509/#MarshalPKIXPublicKey) for details. | `jwkPublicKeyPem(jwkjson string) string` |
+| `jwkPrivateKeyPem`   | Takes an json-serialized JWK and returns an PEM block of type `PRIVATE KEY` that contains the private key. [See here](https://pkg.go.dev/crypto/x509#MarshalPKCS8PrivateKey) for details. | `jwkPrivateKeyPem(jwkjson string) string` |
+| `toYaml`   | Takes an interface, marshals it to yaml. It returns a string, even on marshal error (empty string). | `toYaml(v any) string` |
+| `fromYaml`   | Function converts a YAML document into a `map[string]any`. | `fromYaml(str string) map[string]any` |
+
+### Sprig functions
+
+The Infisical Secrets Operator integrates with the [Sprig library](https://github.com/Masterminds/sprig) to provide additional helper functions.
+
+<Note>
+  We've removed `expandEnv` and `env` from the supported functions for security reasons.
+</Note>
+
+
 ## Global configuration
 
 To configure global settings that will apply to all instances of `InfisicalSecret`, you can define these configurations in a Kubernetes ConfigMap.

docs/mint.json

@@ -161,6 +161,7 @@
             "documentation/platform/access-controls/additional-privileges",
             "documentation/platform/access-controls/temporary-access",
             "documentation/platform/access-controls/access-requests",
+            "documentation/platform/access-controls/project-access-requests",
             "documentation/platform/pr-workflows",
             "documentation/platform/groups"
           ]
@@ -210,7 +211,10 @@
         },
         {
           "group": "Gateway",
-          "pages": ["documentation/platform/gateways/overview", "documentation/platform/gateways/gateway-security"]
+          "pages": [
+            "documentation/platform/gateways/overview",
+            "documentation/platform/gateways/gateway-security"
+          ]
         },
         "documentation/platform/project-templates",
         {

docs/sdks/languages/go.mdx

@@ -99,6 +99,10 @@ client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
         <ParamField query="CacheExpiryInSeconds" type="number" default={0} optional>
             Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
         </ParamField>
+
+        <ParamField query="CustomHeaders" type="map[string]string" optional>
+            Allows you to pass custom headers to the HTTP requests made by the SDK. Expected format is a map of `Header1: Value1, Header2: Value 2`.
+        </ParamField>
     </Expandable>
 
 </ParamField>

frontend/src/components/permissions/AccessTree/AccessTree.tsx

@@ -1,7 +1,9 @@
-import { useCallback, useEffect } from "react";
+import { useCallback, useEffect, useState } from "react";
 import { MongoAbility, MongoQuery } from "@casl/ability";
 import {
+  faAnglesUp,
   faArrowUpRightFromSquare,
+  faDownLeftAndUpRightToCenter,
   faUpRightAndDownLeftFromCenter,
   faWindowRestore
 } from "@fortawesome/free-solid-svg-icons";
@@ -10,6 +12,7 @@ import {
   Background,
   BackgroundVariant,
   ConnectionLineType,
+  ControlButton,
   Controls,
   Node,
   NodeMouseHandler,
@@ -23,7 +26,9 @@ import { twMerge } from "tailwind-merge";
 import { Button, IconButton, Spinner, Tooltip } from "@app/components/v2";
 import { ProjectPermissionSet } from "@app/context/ProjectPermissionContext";
 
-import { AccessTreeErrorBoundary, AccessTreeProvider, PermissionSimulation } from "./components";
+import { AccessTreeSecretPathInput } from "./nodes/FolderNode/components/AccessTreeSecretPathInput";
+import { ShowMoreButtonNode } from "./nodes/ShowMoreButtonNode";
+import { AccessTreeErrorBoundary, AccessTreeProvider } from "./components";
 import { BasePermissionEdge } from "./edges";
 import { useAccessTree } from "./hooks";
 import { FolderNode, RoleNode } from "./nodes";
@@ -35,13 +40,30 @@ export type AccessTreeProps = {
 
 const EdgeTypes = { base: BasePermissionEdge };
 
-const NodeTypes = { role: RoleNode, folder: FolderNode };
+const NodeTypes = { role: RoleNode, folder: FolderNode, showMoreButton: ShowMoreButtonNode };
 
 const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
-  const accessTreeData = useAccessTree(permissions);
-  const { edges, nodes, isLoading, viewMode, setViewMode } = accessTreeData;
+  const [selectedPath, setSelectedPath] = useState<string>("/");
+  const accessTreeData = useAccessTree(permissions, selectedPath);
+  const { edges, nodes, isLoading, viewMode, setViewMode, environment } = accessTreeData;
+  const [initialRender, setInitialRender] = useState(true);
 
-  const { fitView, getViewport, setCenter } = useReactFlow();
+  useEffect(() => {
+    setSelectedPath("/");
+  }, [environment]);
+
+  const { getViewport, setCenter, fitView } = useReactFlow();
+
+  const goToRootNode = useCallback(() => {
+    const roleNode = nodes.find((node) => node.type === "role");
+    if (roleNode) {
+      setCenter(
+        roleNode.position.x + (roleNode.width ? roleNode.width / 2 : 0),
+        roleNode.position.y + (roleNode.height ? roleNode.height / 2 : 0),
+        { duration: 800, zoom: 1 }
+      );
+    }
+  }, [nodes, setCenter]);
 
   const onNodeClick: NodeMouseHandler<Node> = useCallback(
     (_, node) => {
@@ -55,14 +77,19 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
   );
 
   useEffect(() => {
-    setTimeout(() => {
-      fitView({
-        padding: 0.2,
-        duration: 1000,
-        maxZoom: 1
-      });
-    }, 1);
-  }, [fitView, nodes, edges, getViewport()]);
+    setInitialRender(true);
+  }, [selectedPath, environment]);
+
+  useEffect(() => {
+    let timer: NodeJS.Timeout;
+    if (initialRender) {
+      timer = setTimeout(() => {
+        goToRootNode();
+        setInitialRender(false);
+      }, 500);
+    }
+    return () => clearTimeout(timer);
+  }, [nodes, edges, getViewport(), initialRender, goToRootNode]);
 
   const handleToggleModalView = () =>
     setViewMode((prev) => (prev === ViewMode.Modal ? ViewMode.Docked : ViewMode.Modal));
@@ -133,13 +160,13 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
               edges={edges}
               edgeTypes={EdgeTypes}
               nodeTypes={NodeTypes}
-              fitView
               onNodeClick={onNodeClick}
               colorMode="dark"
               nodesDraggable={false}
               edgesReconnectable={false}
               nodesConnectable={false}
               connectionLineType={ConnectionLineType.SmoothStep}
+              minZoom={0.001}
               proOptions={{
                 hideAttribution: false // we need pro license if we want to hide
               }}
@@ -151,9 +178,17 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
               )}
               {viewMode !== ViewMode.Docked && (
                 <Panel position="top-right" className="flex gap-1.5">
+                  {viewMode !== ViewMode.Undocked && (
+                    <AccessTreeSecretPathInput
+                      placeholder="Provide a path, default is /"
+                      environment={environment}
+                      value={selectedPath}
+                      onChange={setSelectedPath}
+                    />
+                  )}
                   <Tooltip position="bottom" align="center" content={undockButtonLabel}>
                     <IconButton
-                      className="mr-1 rounded"
+                      className="ml-1 w-10 rounded"
                       colorSchema="secondary"
                       variant="plain"
                       onClick={handleToggleUndockedView}
@@ -170,7 +205,7 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
                   </Tooltip>
                   <Tooltip align="end" position="bottom" content={windowButtonLabel}>
                     <IconButton
-                      className="rounded"
+                      className="w-10 rounded"
                       colorSchema="secondary"
                       variant="plain"
                       onClick={handleToggleModalView}
@@ -179,7 +214,7 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
                       <FontAwesomeIcon
                         icon={
                           viewMode === ViewMode.Modal
-                            ? faArrowUpRightFromSquare
+                            ? faDownLeftAndUpRightToCenter
                             : faUpRightAndDownLeftFromCenter
                         }
                       />
@@ -187,9 +222,28 @@ const AccessTreeContent = ({ permissions }: AccessTreeProps) => {
                   </Tooltip>
                 </Panel>
               )}
-              <PermissionSimulation {...accessTreeData} />
+              {viewMode === ViewMode.Docked && (
+                <Panel position="top-right" className="flex gap-1.5">
+                  <AccessTreeSecretPathInput
+                    placeholder="Provide a path, default is /"
+                    environment={environment}
+                    value={selectedPath}
+                    onChange={setSelectedPath}
+                  />
+                </Panel>
+              )}
               <Background color="#5d5f64" bgColor="#111419" variant={BackgroundVariant.Dots} />
-              <Controls position="bottom-left" />
+              <Controls
+                position="bottom-left"
+                showInteractive={false}
+                onFitView={() => fitView({ duration: 800 })}
+              >
+                <ControlButton onClick={goToRootNode}>
+                  <Tooltip position="right" content="Go to root folder">
+                    <FontAwesomeIcon icon={faAnglesUp} />
+                  </Tooltip>
+                </ControlButton>
+              </Controls>
             </ReactFlow>
           </div>
         </div>

frontend/src/components/permissions/AccessTree/components/PermissionSimulation.tsx

@@ -46,6 +46,12 @@ export const PermissionSimulation = ({
           className="mr-1 rounded"
           colorSchema="secondary"
           onClick={handlePermissionSimulation}
+          rightIcon={
+            <FontAwesomeIcon
+              className="pl-1 text-sm text-bunker-300 hover:text-primary hover:opacity-80"
+              icon={faChevronDown}
+            />
+          }
         >
           Permission Simulation
         </Button>

frontend/src/components/permissions/AccessTree/hooks/index.ts

@@ -5,6 +5,7 @@ import { Edge, Node, useEdgesState, useNodesState } from "@xyflow/react";
 import { ProjectPermissionSub, useWorkspace } from "@app/context";
 import { ProjectPermissionSet } from "@app/context/ProjectPermissionContext";
 import { useListProjectEnvironmentsFolders } from "@app/hooks/api/secretFolders/queries";
+import { TSecretFolderWithPath } from "@app/hooks/api/secretFolders/types";
 
 import { useAccessTreeContext } from "../components";
 import { PermissionAccess } from "../types";
@@ -15,8 +16,24 @@ import {
   getSubjectActionRuleMap,
   positionElements
 } from "../utils";
+import { createShowMoreNode } from "../utils/createShowMoreNode";
 
-export const useAccessTree = (permissions: MongoAbility<ProjectPermissionSet, MongoQuery>) => {
+const INITIAL_FOLDERS_PER_LEVEL = 10;
+const FOLDERS_INCREMENT = 10;
+
+type LevelFolderMap = Record<
+  string,
+  {
+    folders: TSecretFolderWithPath[];
+    visibleCount: number;
+    hasMore: boolean;
+  }
+>;
+
+export const useAccessTree = (
+  permissions: MongoAbility<ProjectPermissionSet, MongoQuery>,
+  searchPath: string
+) => {
   const { currentWorkspace } = useWorkspace();
   const { secretName, setSecretName, setViewMode, viewMode } = useAccessTreeContext();
   const [nodes, setNodes] = useNodesState<Node>([]);
@@ -27,19 +44,124 @@ export const useAccessTree = (permissions: MongoAbility<ProjectPermissionSet, Mo
     currentWorkspace.id
   );
 
+  const [levelFolderMap, setLevelFolderMap] = useState<LevelFolderMap>({});
+  const [totalFolderCount, setTotalFolderCount] = useState(0);
+
+  const showMoreFolders = (parentId: string) => {
+    setLevelFolderMap((prevMap) => {
+      const level = prevMap[parentId];
+      if (!level) return prevMap;
+
+      const newVisibleCount = Math.min(
+        level.visibleCount + FOLDERS_INCREMENT,
+        level.folders.length
+      );
+
+      return {
+        ...prevMap,
+        [parentId]: {
+          ...level,
+          visibleCount: newVisibleCount,
+          hasMore: newVisibleCount < level.folders.length
+        }
+      };
+    });
+  };
+
+  const levelsWithMoreFolders = Object.entries(levelFolderMap)
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    .filter(([_, level]) => level.hasMore)
+    .map(([parentId]) => parentId);
+
+  const getLevelCounts = (parentId: string) => {
+    const level = levelFolderMap[parentId];
+    if (!level) return { visibleCount: 0, totalCount: 0, hasMore: false };
+
+    return {
+      visibleCount: level.visibleCount,
+      totalCount: level.folders.length,
+      hasMore: level.hasMore
+    };
+  };
+
   useEffect(() => {
     if (!environmentsFolders || !permissions || !environmentsFolders[environment]) return;
 
-    const { folders, name } = environmentsFolders[environment];
+    const { folders } = environmentsFolders[environment];
+    setTotalFolderCount(folders.length);
+    const groupedFolders: Record<string, TSecretFolderWithPath[]> = {};
+
+    const filteredFolders = folders.filter((folder) => {
+      if (folder.path.startsWith(searchPath)) {
+        return true;
+      }
+
+      if (
+        searchPath.startsWith(folder.path) &&
+        (folder.path === "/" ||
+          searchPath === folder.path ||
+          searchPath.indexOf("/", folder.path.length) === folder.path.length)
+      ) {
+        return true;
+      }
+
+      return false;
+    });
+
+    filteredFolders.forEach((folder) => {
+      const parentId = folder.parentId || "";
+      if (!groupedFolders[parentId]) {
+        groupedFolders[parentId] = [];
+      }
+      groupedFolders[parentId].push(folder);
+    });
+
+    const newLevelFolderMap: LevelFolderMap = {};
+
+    Object.entries(groupedFolders).forEach(([parentId, folderList]) => {
+      const key = parentId;
+      newLevelFolderMap[key] = {
+        folders: folderList,
+        visibleCount: Math.min(INITIAL_FOLDERS_PER_LEVEL, folderList.length),
+        hasMore: folderList.length > INITIAL_FOLDERS_PER_LEVEL
+      };
+    });
+
+    setLevelFolderMap(newLevelFolderMap);
+  }, [permissions, environmentsFolders, environment, subject, secretName, searchPath]);
+
+  useEffect(() => {
+    if (
+      !environmentsFolders ||
+      !permissions ||
+      !environmentsFolders[environment] ||
+      Object.keys(levelFolderMap).length === 0
+    )
+      return;
+
+    const { slug } = environmentsFolders[environment];
 
     const roleNode = createRoleNode({
       subject,
-      environment: name
+      environment: slug,
+      environments: environmentsFolders,
+      onSubjectChange: setSubject,
+      onEnvironmentChange: setEnvironment
     });
 
     const actionRuleMap = getSubjectActionRuleMap(subject, permissions);
 
-    const folderNodes = folders.map((folder) =>
+    const visibleFolders: TSecretFolderWithPath[] = [];
+    Object.entries(levelFolderMap).forEach(([key, levelData]) => {
+      if (key !== "__rootFolderId") {
+        visibleFolders.push(...levelData.folders.slice(0, levelData.visibleCount));
+      }
+    });
+
+    // eslint-disable-next-line no-underscore-dangle
+    const rootFolder = levelFolderMap.__rootFolderId?.folders[0];
+
+    const folderNodes = visibleFolders.map((folder) =>
       createFolderNode({
         folder,
         permissions,
@@ -50,10 +172,45 @@ export const useAccessTree = (permissions: MongoAbility<ProjectPermissionSet, Mo
       })
     );
 
-    const folderEdges = folderNodes.map(({ data: folder }) => {
-      const actions = Object.values(folder.actions);
+    const folderEdges: Edge[] = [];
 
+    if (rootFolder) {
+      const rootFolderNode = folderNodes.find(
+        (node) => node.data.id === rootFolder.id || node.data.path === rootFolder.path
+      );
+
+      if (rootFolderNode) {
+        const rootActions = Object.values(rootFolderNode.data.actions);
+        let rootAccess: PermissionAccess;
+
+        if (Object.values(rootActions).some((action) => action === PermissionAccess.Full)) {
+          rootAccess = PermissionAccess.Full;
+        } else if (
+          Object.values(rootActions).some((action) => action === PermissionAccess.Partial)
+        ) {
+          rootAccess = PermissionAccess.Partial;
+        } else {
+          rootAccess = PermissionAccess.None;
+        }
+
+        folderEdges.push(
+          createBaseEdge({
+            source: roleNode.id,
+            target: rootFolderNode.id,
+            access: rootAccess
+          })
+        );
+      }
+    }
+
+    folderNodes.forEach(({ data: folder }) => {
+      if (rootFolder && (folder.id === rootFolder.id || folder.path === rootFolder.path)) {
+        return;
+      }
+
+      const actions = Object.values(folder.actions);
       let access: PermissionAccess;
+
       if (Object.values(actions).some((action) => action === PermissionAccess.Full)) {
         access = PermissionAccess.Full;
       } else if (Object.values(actions).some((action) => action === PermissionAccess.Partial)) {
@@ -62,17 +219,55 @@ export const useAccessTree = (permissions: MongoAbility<ProjectPermissionSet, Mo
         access = PermissionAccess.None;
       }
 
-      return createBaseEdge({
-        source: folder.parentId ?? roleNode.id,
-        target: folder.id,
-        access
-      });
+      folderEdges.push(
+        createBaseEdge({
+          source: folder.parentId ?? roleNode.id,
+          target: folder.id,
+          access
+        })
+      );
     });
 
-    const init = positionElements([roleNode, ...folderNodes], [...folderEdges]);
+    const addMoreButtons: Node[] = [];
+
+    Object.entries(levelFolderMap).forEach(([parentId, levelData]) => {
+      if (parentId === "__rootFolderId") return;
+
+      const key = parentId === "null" ? null : parentId;
+
+      if (key && levelData.hasMore) {
+        const showMoreButtonNode = createShowMoreNode({
+          parentId: key,
+          onClick: () => showMoreFolders(key),
+          remaining: levelData.folders.length - levelData.visibleCount,
+          subject
+        });
+
+        addMoreButtons.push(showMoreButtonNode);
+
+        folderEdges.push(
+          createBaseEdge({
+            source: key,
+            target: showMoreButtonNode.id,
+            access: PermissionAccess.Partial
+          })
+        );
+      }
+    });
+
+    const init = positionElements([roleNode, ...folderNodes, ...addMoreButtons], [...folderEdges]);
     setNodes(init.nodes);
     setEdges(init.edges);
-  }, [permissions, environmentsFolders, environment, subject, secretName, setNodes, setEdges]);
+  }, [
+    levelFolderMap,
+    permissions,
+    environmentsFolders,
+    environment,
+    subject,
+    secretName,
+    setNodes,
+    setEdges
+  ]);
 
   return {
     nodes,
@@ -86,6 +281,11 @@ export const useAccessTree = (permissions: MongoAbility<ProjectPermissionSet, Mo
     secretName,
     setSecretName,
     viewMode,
-    setViewMode
+    setViewMode,
+    levelFolderMap,
+    showMoreFolders,
+    levelsWithMoreFolders,
+    getLevelCounts,
+    totalFolderCount
   };
 };

frontend/src/components/permissions/AccessTree/nodes/FolderNode/components/AccessTreeSecretPathInput.tsx

@@ -0,0 +1,123 @@
+import { useEffect, useRef, useState } from "react";
+import { faSearch } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
+
+import { Tooltip } from "@app/components/v2";
+import { SecretPathInput } from "@app/components/v2/SecretPathInput";
+
+type AccessTreeSecretPathInputProps = {
+  placeholder: string;
+  environment: string;
+  value: string;
+  onChange: (path: string) => void;
+};
+
+export const AccessTreeSecretPathInput = ({
+  placeholder,
+  environment,
+  value,
+  onChange
+}: AccessTreeSecretPathInputProps) => {
+  const [isFocused, setIsFocused] = useState(false);
+  const [isExpanded, setIsExpanded] = useState(false);
+  const wrapperRef = useRef<HTMLDivElement>(null);
+  const inputRef = useRef<HTMLDivElement>(null);
+
+  const handleFocus = () => {
+    setIsFocused(true);
+  };
+
+  const handleBlur = () => {
+    const timeout: NodeJS.Timeout = setTimeout(() => {
+      setIsFocused(false);
+    }, 200);
+    return () => clearTimeout(timeout);
+  };
+
+  useEffect(() => {
+    if (!isFocused) {
+      setIsExpanded(false);
+    }
+  }, [isFocused]);
+
+  const focusInput = () => {
+    const inputElement = inputRef.current?.querySelector("input");
+    if (inputElement) {
+      inputElement.focus();
+    }
+  };
+
+  const toggleSearch = () => {
+    setIsExpanded(!isExpanded);
+    if (!isExpanded) {
+      const timeout: NodeJS.Timeout = setTimeout(focusInput, 300);
+      return () => clearTimeout(timeout);
+    }
+    return () => {};
+  };
+
+  return (
+    <div ref={wrapperRef} className="relative">
+      <div
+        className={twMerge(
+          "flex items-center overflow-hidden rounded transition-all duration-300 ease-in-out",
+          isFocused ? "bg-mineshaft-800 shadow-md" : "bg-mineshaft-700",
+          isExpanded ? "w-64" : "h-10 w-10"
+        )}
+      >
+        {isExpanded ? (
+          <div
+            className="flex h-10 w-10 cursor-pointer items-center justify-center text-mineshaft-300 hover:text-white"
+            onClick={toggleSearch}
+            role="button"
+            tabIndex={0}
+            onKeyDown={(e) => {
+              if (e.key === "Enter" || e.key === " ") {
+                toggleSearch();
+              }
+            }}
+          >
+            <FontAwesomeIcon icon={faSearch} />
+          </div>
+        ) : (
+          <Tooltip position="bottom" content="Search paths">
+            <div
+              className="flex h-10 w-10 cursor-pointer items-center justify-center text-mineshaft-300 hover:text-white"
+              onClick={toggleSearch}
+              role="button"
+              tabIndex={0}
+              onKeyDown={(e) => {
+                if (e.key === "Enter" || e.key === " ") {
+                  toggleSearch();
+                }
+              }}
+            >
+              <FontAwesomeIcon icon={faSearch} />
+            </div>
+          </Tooltip>
+        )}
+
+        <div
+          ref={inputRef}
+          className={twMerge(
+            "flex-1 transition-opacity duration-300",
+            isExpanded ? "opacity-100" : "hidden"
+          )}
+          onFocus={handleFocus}
+          onBlur={handleBlur}
+          role="search"
+        >
+          <div className="custom-input-wrapper">
+            <SecretPathInput
+              placeholder={placeholder}
+              environment={environment}
+              value={value}
+              onChange={onChange}
+            />
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+};

frontend/src/components/permissions/AccessTree/nodes/RoleNode.tsx

@@ -1,10 +1,42 @@
+import { Dispatch, SetStateAction } from "react";
+import { faFileImport, faFolder, faKey, faLock } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Handle, NodeProps, Position } from "@xyflow/react";
 
+import { Select, SelectItem } from "@app/components/v2";
+import { ProjectPermissionSub } from "@app/context";
+import { TProjectEnvironmentsFolders } from "@app/hooks/api/secretFolders/types";
+
 import { createRoleNode } from "../utils";
 
+const getSubjectIcon = (subject: ProjectPermissionSub) => {
+  switch (subject) {
+    case ProjectPermissionSub.Secrets:
+      return <FontAwesomeIcon icon={faLock} className="h-4 w-4 text-yellow-700" />;
+    case ProjectPermissionSub.SecretFolders:
+      return <FontAwesomeIcon icon={faFolder} className="h-4 w-4 text-yellow-700" />;
+    case ProjectPermissionSub.DynamicSecrets:
+      return <FontAwesomeIcon icon={faKey} className="h-4 w-4 text-yellow-700" />;
+    case ProjectPermissionSub.SecretImports:
+      return <FontAwesomeIcon icon={faFileImport} className="h-4 w-4 text-yellow-700" />;
+    default:
+      return <FontAwesomeIcon icon={faLock} className="h-4 w-4 text-yellow-700" />;
+  }
+};
+
+const formatLabel = (text: string) => {
+  return text.replace(/-/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
+};
+
 export const RoleNode = ({
-  data: { subject, environment }
-}: NodeProps & { data: ReturnType<typeof createRoleNode>["data"] }) => {
+  data: { subject, environment, onSubjectChange, onEnvironmentChange, environments }
+}: NodeProps & {
+  data: ReturnType<typeof createRoleNode>["data"] & {
+    onSubjectChange: Dispatch<SetStateAction<ProjectPermissionSub>>;
+    onEnvironmentChange: (value: string) => void;
+    environments: TProjectEnvironmentsFolders;
+  };
+}) => {
   return (
     <>
       <Handle
@@ -12,11 +44,60 @@ export const RoleNode = ({
         className="pointer-events-none !cursor-pointer opacity-0"
         position={Position.Top}
       />
-      <div className="flex h-full w-full flex-col items-center justify-center rounded-md border border-mineshaft bg-mineshaft-800 px-3 py-2 font-inter shadow-lg">
-        <div className="flex max-w-[14rem] flex-col items-center text-xs text-mineshaft-200">
-          <span className="capitalize">{subject.replace("-", " ")} Access</span>
-          <div className="max-w-[14rem] whitespace-nowrap text-xs text-mineshaft-300">
-            <p className="truncate capitalize">{environment}</p>
+      <div className="flex w-full flex-col items-center justify-center rounded-md border-2 border-mineshaft-500 bg-gradient-to-b from-mineshaft-700 to-mineshaft-800 px-5 py-4 font-inter shadow-2xl">
+        <div className="flex w-full min-w-[240px] flex-col gap-4">
+          <div className="flex w-full flex-col gap-1.5">
+            <div className="ml-1 text-xs font-semibold text-mineshaft-200">Subject</div>
+            <Select
+              value={subject}
+              onValueChange={(value) => onSubjectChange(value as ProjectPermissionSub)}
+              className="w-full rounded-md border border-mineshaft-600 bg-mineshaft-900/90 text-sm shadow-inner backdrop-blur-sm transition-all hover:border-amber-600/50 focus:border-amber-500"
+              position="popper"
+              dropdownContainerClassName="max-w-none"
+              aria-label="Subject"
+            >
+              {[
+                ProjectPermissionSub.Secrets,
+                ProjectPermissionSub.SecretFolders,
+                ProjectPermissionSub.DynamicSecrets,
+                ProjectPermissionSub.SecretImports
+              ].map((sub) => {
+                return (
+                  <SelectItem
+                    className="relative flex items-center gap-2 py-2 pl-8 pr-8 text-sm capitalize hover:bg-mineshaft-700"
+                    value={sub}
+                    key={sub}
+                  >
+                    <div className="flex items-center gap-3">
+                      {getSubjectIcon(sub)}
+                      <span className="font-medium">{formatLabel(sub)}</span>
+                    </div>
+                  </SelectItem>
+                );
+              })}
+            </Select>
+          </div>
+
+          <div className="flex w-full flex-col gap-1.5">
+            <div className="ml-1 text-xs font-semibold text-mineshaft-200">Environment</div>
+            <Select
+              value={environment}
+              onValueChange={onEnvironmentChange}
+              className="w-full rounded-md border border-mineshaft-600 bg-mineshaft-900/90 text-sm shadow-inner backdrop-blur-sm transition-all hover:border-amber-600/50 focus:border-amber-500"
+              position="popper"
+              dropdownContainerClassName="max-w-none"
+              aria-label="Environment"
+            >
+              {Object.values(environments).map((env) => (
+                <SelectItem
+                  key={env.slug}
+                  value={env.slug}
+                  className="relative py-2 pl-6 pr-8 text-sm hover:bg-mineshaft-700"
+                >
+                  <div className="ml-3 font-medium">{env.name}</div>
+                </SelectItem>
+              ))}
+            </Select>
           </div>
         </div>
       </div>

frontend/src/components/permissions/AccessTree/nodes/ShowMoreButtonNode.tsx

@@ -0,0 +1,37 @@
+import { faChevronRight } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { Handle, NodeProps, Position } from "@xyflow/react";
+
+import { Button, Tooltip } from "@app/components/v2";
+
+import { createShowMoreNode } from "../utils/createShowMoreNode";
+
+export const ShowMoreButtonNode = ({
+  data: { onClick, remaining }
+}: NodeProps & { data: ReturnType<typeof createShowMoreNode>["data"] }) => {
+  const tooltipText = `${remaining} ${remaining === 1 ? "folder is" : "folders are"} hidden. Click to show ${remaining > 10 ? "10 more" : ""}`;
+
+  return (
+    <div className="flex h-full w-full items-center justify-center rounded-md border border-mineshaft-600 bg-mineshaft-800 p-2">
+      <Handle
+        type="target"
+        className="pointer-events-none !cursor-pointer opacity-0"
+        position={Position.Top}
+      />
+
+      <div className="flex items-center justify-center">
+        <Tooltip position="right" content={tooltipText}>
+          <Button
+            colorSchema="secondary"
+            variant="plain"
+            size="xs"
+            onClick={onClick}
+            rightIcon={<FontAwesomeIcon icon={faChevronRight} className="ml-1" />}
+          >
+            Show More
+          </Button>
+        </Tooltip>
+      </div>
+    </div>
+  );
+};

frontend/src/components/permissions/AccessTree/types/index.ts

@@ -7,7 +7,8 @@ export enum PermissionAccess {
 export enum PermissionNode {
   Role = "role",
   Folder = "folder",
-  Environment = "environment"
+  Environment = "environment",
+  ShowMoreButton = "showMoreButton"
 }
 
 export enum PermissionEdge {

frontend/src/components/permissions/AccessTree/utils/createBaseEdge.ts

@@ -5,11 +5,13 @@ import { PermissionAccess, PermissionEdge } from "../types";
 export const createBaseEdge = ({
   source,
   target,
-  access
+  access,
+  hideEdge = false
 }: {
   source: string;
   target: string;
   access: PermissionAccess;
+  hideEdge?: boolean;
 }) => {
   const color = access === PermissionAccess.None ? "#707174" : "#ccccce";
   return {
@@ -17,10 +19,12 @@ export const createBaseEdge = ({
     source,
     target,
     type: PermissionEdge.Base,
-    markerEnd: {
-      type: MarkerType.ArrowClosed,
-      color
-    },
-    style: { stroke: color }
+    markerEnd: hideEdge
+      ? undefined
+      : {
+          type: MarkerType.ArrowClosed,
+          color
+        },
+    style: { stroke: hideEdge ? "transparent" : color }
   };
 };

frontend/src/components/permissions/AccessTree/utils/createRoleNode.ts

@@ -1,17 +1,31 @@
+import { Dispatch, SetStateAction } from "react";
+
+import { ProjectPermissionSub } from "@app/context";
+import { TProjectEnvironmentsFolders } from "@app/hooks/api/secretFolders/types";
+
 import { PermissionNode } from "../types";
 
 export const createRoleNode = ({
   subject,
-  environment
+  environment,
+  environments,
+  onSubjectChange,
+  onEnvironmentChange
 }: {
   subject: string;
   environment: string;
+  environments: TProjectEnvironmentsFolders;
+  onSubjectChange: Dispatch<SetStateAction<ProjectPermissionSub>>;
+  onEnvironmentChange: (value: string) => void;
 }) => ({
   id: `role-${subject}-${environment}`,
   position: { x: 0, y: 0 },
   data: {
     subject,
-    environment
+    environment,
+    environments,
+    onSubjectChange,
+    onEnvironmentChange
   },
   type: PermissionNode.Role,
   height: 48,

frontend/src/components/permissions/AccessTree/utils/createShowMoreNode.ts

@@ -0,0 +1,45 @@
+import { ProjectPermissionSub } from "@app/context";
+
+import { PermissionNode } from "../types";
+
+export const createShowMoreNode = ({
+  parentId,
+  onClick,
+  remaining,
+  subject
+}: {
+  parentId: string | null;
+  onClick: () => void;
+  remaining: number;
+  subject: ProjectPermissionSub;
+}) => {
+  let height: number;
+
+  switch (subject) {
+    case ProjectPermissionSub.DynamicSecrets:
+      height = 130;
+      break;
+    case ProjectPermissionSub.Secrets:
+      height = 85;
+      break;
+    default:
+      height = 64;
+  }
+  const id = `show-more-${parentId || "root"}`;
+  return {
+    id,
+    type: PermissionNode.ShowMoreButton,
+    position: { x: 0, y: 0 },
+    data: {
+      parentId,
+      onClick,
+      remaining
+    },
+    width: 150,
+    height,
+    style: {
+      background: "transparent",
+      border: "none"
+    }
+  };
+};

frontend/src/components/permissions/AccessTree/utils/positionElements.ts

@@ -2,27 +2,96 @@ import Dagre from "@dagrejs/dagre";
 import { Edge, Node } from "@xyflow/react";
 
 export const positionElements = (nodes: Node[], edges: Edge[]) => {
+  const showMoreNodes = nodes.filter((node) => node.type === "showMoreButton");
+  const showMoreParentIds = new Set(
+    showMoreNodes.map((node) => node.data.parentId).filter(Boolean)
+  );
+
+  const nodeMap: Record<string, Node> = {};
+  const childrenMap: Record<string, string[]> = {};
+
+  edges.forEach((edge) => {
+    if (!childrenMap[edge.source]) {
+      childrenMap[edge.source] = [];
+    }
+    childrenMap[edge.source].push(edge.target);
+  });
+
   const dagre = new Dagre.graphlib.Graph({ directed: true })
     .setDefaultEdgeLabel(() => ({}))
-    .setGraph({ rankdir: "TB" });
+    .setGraph({
+      rankdir: "TB",
+      nodesep: 50,
+      ranksep: 70
+    });
+
+  nodes.forEach((node) => {
+    dagre.setNode(node.id, {
+      width: node.width || 150,
+      height: node.height || 40
+    });
+  });
 
   edges.forEach((edge) => dagre.setEdge(edge.source, edge.target));
-  nodes.forEach((node) => dagre.setNode(node.id, node));
 
   Dagre.layout(dagre, {});
 
-  return {
-    nodes: nodes.map((node) => {
-      const { x, y } = dagre.node(node.id);
+  const positionedNodes = nodes.map((node) => {
+    const { x, y } = dagre.node(node.id);
 
+    if (node.type === "role") {
       return {
         ...node,
         position: {
           x: x - (node.width ? node.width / 2 : 0),
-          y: y - (node.height ? node.height / 2 : 0)
+          y: y - 150
         }
       };
-    }),
+    }
+
+    return {
+      ...node,
+      position: {
+        x: x - (node.width ? node.width / 2 : 0),
+        y: y - (node.height ? node.height / 2 : 0)
+      },
+      style: node.type === "showMoreButton" ? { ...node.style, zIndex: 10 } : node.style
+    };
+  });
+
+  positionedNodes.forEach((node) => {
+    nodeMap[node.id] = node;
+  });
+
+  Array.from(showMoreParentIds).forEach((parentId) => {
+    const showMoreNodeIndex = positionedNodes.findIndex(
+      (node) => node.type === "showMoreButton" && node.data.parentId === parentId
+    );
+
+    if (showMoreNodeIndex !== -1) {
+      const siblings = positionedNodes.filter(
+        (node) => node.data?.parentId === parentId && node.type !== "showMoreButton"
+      );
+
+      if (siblings.length > 0) {
+        const rightmostSibling = siblings.reduce(
+          (rightmost, current) => (current.position.x > rightmost.position.x ? current : rightmost),
+          siblings[0]
+        );
+
+        positionedNodes[showMoreNodeIndex] = {
+          ...positionedNodes[showMoreNodeIndex],
+          position: {
+            x: rightmostSibling.position.x + (rightmostSibling.width || 150) + 30,
+            y: rightmostSibling.position.y
+          }
+        };
+      }
+    }
+  });
+
+  return {
+    nodes: positionedNodes,
     edges
   };
 };

frontend/src/components/v2/FilterableSelect/FilterableSelect.tsx

@@ -1,81 +1,118 @@
 import Select, { Props } from "react-select";
 import { twMerge } from "tailwind-merge";
 
-import { ClearIndicator, DropdownIndicator, MultiValueRemove, Option } from "../Select/components";
+import {
+  ClearIndicator,
+  DropdownIndicator,
+  Group,
+  MultiValueRemove,
+  Option
+} from "../Select/components";
 
 export const FilterableSelect = <T,>({
   isMulti,
   closeMenuOnSelect,
   tabSelectsValue = false,
+  groupBy = null,
+  getGroupHeaderLabel = null,
+  options = [],
   ...props
-}: Props<T>) => (
-  <Select
-    isMulti={isMulti}
-    closeMenuOnSelect={closeMenuOnSelect ?? !isMulti}
-    hideSelectedOptions={false}
-    unstyled
-    styles={{
-      input: (base) => ({
-        ...base,
-        "input:focus": {
-          boxShadow: "none"
-        }
-      }),
-      multiValueLabel: (base) => ({
-        ...base,
-        whiteSpace: "normal",
-        overflow: "visible"
-      }),
-      control: (base) => ({
-        ...base,
-        transition: "none"
-      })
-    }}
-    tabSelectsValue={tabSelectsValue}
-    components={{
-      DropdownIndicator,
-      ClearIndicator,
-      MultiValueRemove,
-      Option,
-      ...props.components
-    }}
-    classNames={{
-      container: ({ isDisabled }) =>
-        twMerge("w-full font-inter text-sm", isDisabled && "!pointer-events-auto opacity-50"),
-      control: ({ isFocused, isDisabled }) =>
-        twMerge(
-          isFocused ? "border-primary-400/50" : "border-mineshaft-600",
-          `w-full rounded-md border bg-mineshaft-900 p-0.5 font-inter text-mineshaft-200 ${
-            isDisabled ? "!cursor-not-allowed" : "hover:cursor-pointer hover:border-gray-400"
-          } `
-        ),
-      placeholder: () =>
-        `${isMulti ? "py-[0.22rem]" : "leading-7"} text-mineshaft-400 text-sm pl-1`,
-      input: () => "pl-1",
-      valueContainer: () =>
-        `px-1 max-h-[8.2rem] ${
-          isMulti ? "!overflow-y-auto thin-scrollbar py-1" : "py-[0.1rem]"
-        } gap-1`,
-      singleValue: () => "leading-7 ml-1",
-      multiValue: () => "bg-mineshaft-600 text-sm rounded items-center py-0.5 px-2 gap-1.5",
-      multiValueLabel: () => "leading-6 text-sm",
-      multiValueRemove: () => "hover:text-red text-bunker-400",
-      indicatorsContainer: () => "p-1 gap-1",
-      clearIndicator: () => "p-1 hover:text-red text-bunker-400",
-      indicatorSeparator: () => "bg-bunker-400",
-      dropdownIndicator: () => "text-bunker-200 p-1",
-      menuList: () => "flex flex-col gap-1",
-      menu: () =>
-        "my-2 p-2 border text-sm text-mineshaft-200 thin-scrollbar bg-mineshaft-900 border-mineshaft-600 rounded-md",
-      groupHeading: () => "ml-3 mt-2 mb-1 text-mineshaft-400 text-sm",
-      option: ({ isFocused, isSelected }) =>
-        twMerge(
-          isFocused && "bg-mineshaft-700 active:bg-mineshaft-600",
-          isSelected && "text-mineshaft-200",
-          "rounded px-3 py-2 text-xs hover:cursor-pointer"
-        ),
-      noOptionsMessage: () => "text-mineshaft-400 p-2 rounded-md"
-    }}
-    {...props}
-  />
-);
+}: Props<T> & {
+  groupBy?: string | null;
+  getGroupHeaderLabel?: ((groupValue: any) => string) | null;
+}) => {
+  let processedOptions = options;
+
+  if (groupBy && Array.isArray(options)) {
+    const groupedOptions = options.reduce((acc, option) => {
+      const groupValue = option[groupBy];
+      const groupKey = groupValue?.toString() || "undefined";
+
+      if (!acc[groupKey]) {
+        acc[groupKey] = {
+          label: getGroupHeaderLabel ? getGroupHeaderLabel(groupValue) : groupValue,
+          options: []
+        };
+      }
+
+      acc[groupKey].options.push(option);
+      return acc;
+    }, {});
+
+    processedOptions = Object.values(groupedOptions);
+  }
+
+  return (
+    <Select
+      isMulti={isMulti}
+      closeMenuOnSelect={closeMenuOnSelect ?? !isMulti}
+      hideSelectedOptions={false}
+      unstyled
+      options={processedOptions}
+      styles={{
+        input: (base) => ({
+          ...base,
+          "input:focus": {
+            boxShadow: "none"
+          }
+        }),
+        multiValueLabel: (base) => ({
+          ...base,
+          whiteSpace: "normal",
+          overflow: "visible"
+        }),
+        control: (base) => ({
+          ...base,
+          transition: "none"
+        })
+      }}
+      tabSelectsValue={tabSelectsValue}
+      components={{
+        DropdownIndicator,
+        ClearIndicator,
+        MultiValueRemove,
+        Option,
+        Group,
+        ...props.components
+      }}
+      classNames={{
+        container: ({ isDisabled }) =>
+          twMerge("w-full font-inter text-sm", isDisabled && "!pointer-events-auto opacity-50"),
+        control: ({ isFocused, isDisabled }) =>
+          twMerge(
+            isFocused ? "border-primary-400/50" : "border-mineshaft-600",
+            `w-full rounded-md border bg-mineshaft-900 p-0.5 font-inter text-mineshaft-200 ${
+              isDisabled ? "!cursor-not-allowed" : "hover:cursor-pointer hover:border-gray-400"
+            } `
+          ),
+        placeholder: () =>
+          `${isMulti ? "py-[0.22rem]" : "leading-7"} text-mineshaft-400 text-sm pl-1`,
+        input: () => "pl-1",
+        valueContainer: () =>
+          `px-1 max-h-[8.2rem] ${
+            isMulti ? "!overflow-y-auto thin-scrollbar py-1" : "py-[0.1rem]"
+          } gap-1`,
+        singleValue: () => "leading-7 ml-1",
+        multiValue: () => "bg-mineshaft-600 text-sm rounded items-center py-0.5 px-2 gap-1.5",
+        multiValueLabel: () => "leading-6 text-sm",
+        multiValueRemove: () => "hover:text-red text-bunker-400",
+        indicatorsContainer: () => "p-1 gap-1",
+        clearIndicator: () => "p-1 hover:text-red text-bunker-400",
+        indicatorSeparator: () => "bg-bunker-400",
+        dropdownIndicator: () => "text-bunker-200 p-1",
+        menuList: () => "flex flex-col gap-1",
+        menu: () =>
+          "my-2 p-2 border text-sm text-mineshaft-200 thin-scrollbar bg-mineshaft-900 border-mineshaft-600 rounded-md",
+        groupHeading: () => "ml-3 mt-2 mb-1 text-mineshaft-400 text-sm",
+        option: ({ isFocused, isSelected }) =>
+          twMerge(
+            isFocused && "bg-mineshaft-700 active:bg-mineshaft-600",
+            isSelected && "text-mineshaft-200",
+            "rounded px-3 py-2 text-xs hover:cursor-pointer"
+          ),
+        noOptionsMessage: () => "text-mineshaft-400 p-2 rounded-md"
+      }}
+      {...props}
+    />
+  );
+};

frontend/src/components/v2/PageHeader/PageHeader.tsx

@@ -9,12 +9,12 @@ type Props = {
 };
 
 export const PageHeader = ({ title, description, children, className }: Props) => (
-  <div className={twMerge("mb-4", className)}>
+  <div className={twMerge("mb-4 w-full", className)}>
     <div className="flex w-full justify-between">
       <div className="w-full">
         <h1 className="mr-4 text-3xl font-semibold capitalize text-white">{title}</h1>
       </div>
-      <div>{children}</div>
+      <div className="flex items-center">{children}</div>
     </div>
     <div className="mt-2 text-gray-400">{description}</div>
   </div>

frontend/src/components/v2/PasswordGenerator/PasswordGenerator.tsx

@@ -0,0 +1,273 @@
+import { useEffect, useMemo, useRef, useState } from "react";
+import { faCheck, faCopy, faKey, faRefresh } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { Button, Checkbox, IconButton, Slider } from "@app/components/v2";
+import { useTimedReset } from "@app/hooks";
+
+type PasswordOptionsType = {
+  length: number;
+  useUppercase: boolean;
+  useLowercase: boolean;
+  useNumbers: boolean;
+  useSpecialChars: boolean;
+};
+
+type PasswordGeneratorModalProps = {
+  isOpen: boolean;
+  onClose: () => void;
+  onUsePassword?: (password: string) => void;
+  minLength?: number;
+  maxLength?: number;
+};
+
+const PasswordGeneratorModal = ({
+  isOpen,
+  onClose,
+  onUsePassword,
+  minLength = 12,
+  maxLength = 64
+}: PasswordGeneratorModalProps) => {
+  const [copyText, isCopying, setCopyText] = useTimedReset<string>({
+    initialState: "Copy"
+  });
+  const [refresh, setRefresh] = useState(false);
+  const [passwordOptions, setPasswordOptions] = useState<PasswordOptionsType>({
+    length: minLength,
+    useUppercase: true,
+    useLowercase: true,
+    useNumbers: true,
+    useSpecialChars: true
+  });
+
+  const modalRef = useRef<HTMLDivElement>(null);
+
+  const generatePassword = () => {
+    const charset = {
+      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+      lowercase: "abcdefghijklmnopqrstuvwxyz",
+      numbers: "0123456789",
+      specialChars: "-_.~!*"
+    };
+
+    let availableChars = "";
+    if (passwordOptions.useUppercase) availableChars += charset.uppercase;
+    if (passwordOptions.useLowercase) availableChars += charset.lowercase;
+    if (passwordOptions.useNumbers) availableChars += charset.numbers;
+    if (passwordOptions.useSpecialChars) availableChars += charset.specialChars;
+
+    if (availableChars === "") availableChars = charset.lowercase + charset.numbers;
+
+    let newPassword = "";
+    for (let i = 0; i < passwordOptions.length; i += 1) {
+      const randomIndex = Math.floor(Math.random() * availableChars.length);
+      newPassword += availableChars[randomIndex];
+    }
+
+    return newPassword;
+  };
+
+  useEffect(() => {
+    if (isOpen) {
+      const handleClickOutside = (event: MouseEvent) => {
+        if (modalRef.current && !modalRef.current.contains(event.target as Node)) {
+          onClose();
+        }
+      };
+
+      document.addEventListener("mousedown", handleClickOutside);
+      return () => document.removeEventListener("mousedown", handleClickOutside);
+    }
+    return () => {};
+  }, [isOpen, onClose]);
+
+  const password = useMemo(() => {
+    return generatePassword();
+  }, [passwordOptions, refresh]);
+
+  const copyToClipboard = () => {
+    navigator.clipboard
+      .writeText(password)
+      .then(() => {
+        setCopyText("Copied");
+      })
+      .catch(() => {
+        setCopyText("Copy failed");
+      });
+  };
+
+  const usePassword = () => {
+    if (onUsePassword) {
+      onUsePassword(password);
+      onClose();
+    }
+  };
+
+  if (!isOpen) return null;
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black bg-opacity-50 p-4">
+      <div
+        ref={modalRef}
+        className="w-full max-w-lg rounded-lg border border-mineshaft-600 bg-mineshaft-800 shadow-xl"
+      >
+        <div className="p-6">
+          <h2 className="mb-1 text-xl font-semibold text-bunker-200">Password Generator</h2>
+          <p className="mb-6 text-sm text-bunker-400">Generate strong unique passwords</p>
+
+          <div className="relative mb-4 rounded-md bg-mineshaft-900 p-4">
+            <div className="flex items-center justify-between">
+              <div className="w-4/5 select-all break-all pr-2 font-mono text-lg">{password}</div>
+              <div className="flex flex-col gap-1">
+                <Button
+                  size="xs"
+                  colorSchema="secondary"
+                  variant="outline_bg"
+                  onClick={() => setRefresh((prev) => !prev)}
+                  className="w-full text-bunker-300 hover:text-bunker-100"
+                >
+                  <FontAwesomeIcon icon={faRefresh} className="mr-1 h-3 w-3" />
+                  Refresh
+                </Button>
+
+                <Button
+                  size="xs"
+                  colorSchema="secondary"
+                  variant="outline_bg"
+                  onClick={copyToClipboard}
+                  className="w-full text-bunker-300 hover:text-bunker-100"
+                >
+                  <FontAwesomeIcon icon={isCopying ? faCheck : faCopy} className="mr-1 h-3 w-3" />
+                  {copyText}
+                </Button>
+              </div>
+            </div>
+          </div>
+
+          <div className="mb-6">
+            <div className="mb-1 flex items-center justify-between">
+              <label htmlFor="password-length" className="text-sm text-bunker-300">
+                Password length: {passwordOptions.length}
+              </label>
+            </div>
+            <Slider
+              id="password-length"
+              min={minLength}
+              max={maxLength}
+              value={passwordOptions.length}
+              onChange={(value) => setPasswordOptions({ ...passwordOptions, length: value })}
+              className="mb-1"
+              aria-labelledby="password-length-label"
+            />
+          </div>
+
+          <div className="mb-6 flex flex-row justify-between gap-2">
+            <Checkbox
+              id="useUppercase"
+              className="mr-2 data-[state=checked]:bg-primary"
+              isChecked={passwordOptions.useUppercase}
+              onCheckedChange={(checked) =>
+                setPasswordOptions({ ...passwordOptions, useUppercase: checked as boolean })
+              }
+            >
+              A-Z
+            </Checkbox>
+
+            <Checkbox
+              id="useLowercase"
+              className="mr-2 data-[state=checked]:bg-primary"
+              isChecked={passwordOptions.useLowercase}
+              onCheckedChange={(checked) =>
+                setPasswordOptions({ ...passwordOptions, useLowercase: checked as boolean })
+              }
+            >
+              a-z
+            </Checkbox>
+
+            <Checkbox
+              id="useNumbers"
+              className="mr-2 data-[state=checked]:bg-primary"
+              isChecked={passwordOptions.useNumbers}
+              onCheckedChange={(checked) =>
+                setPasswordOptions({ ...passwordOptions, useNumbers: checked as boolean })
+              }
+            >
+              0-9
+            </Checkbox>
+
+            <Checkbox
+              id="useSpecialChars"
+              className="mr-2 data-[state=checked]:bg-primary"
+              isChecked={passwordOptions.useSpecialChars}
+              onCheckedChange={(checked) =>
+                setPasswordOptions({ ...passwordOptions, useSpecialChars: checked as boolean })
+              }
+            >
+              -_.~!*
+            </Checkbox>
+          </div>
+
+          <div className="flex justify-end">
+            <Button size="sm" colorSchema="primary" variant="outline_bg" onClick={onClose}>
+              Close
+            </Button>
+            {onUsePassword && (
+              <Button
+                size="sm"
+                colorSchema="primary"
+                variant="outline_bg"
+                onClick={usePassword}
+                className="ml-2"
+              >
+                Use Password
+              </Button>
+            )}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+};
+
+export type PasswordGeneratorProps = {
+  onUsePassword?: (password: string) => void;
+  isDisabled?: boolean;
+  minLength?: number;
+  maxLength?: number;
+};
+
+export const PasswordGenerator = ({
+  onUsePassword,
+  isDisabled = false,
+  minLength = 12,
+  maxLength = 64
+}: PasswordGeneratorProps) => {
+  const [showGenerator, setShowGenerator] = useState(false);
+
+  const toggleGenerator = () => {
+    setShowGenerator(!showGenerator);
+  };
+
+  return (
+    <>
+      <IconButton
+        ariaLabel="generate password"
+        colorSchema="secondary"
+        size="sm"
+        onClick={toggleGenerator}
+        isDisabled={isDisabled}
+        className="rounded text-bunker-400 transition-colors duration-150 hover:bg-mineshaft-700 hover:text-bunker-200"
+      >
+        <FontAwesomeIcon icon={faKey} />
+      </IconButton>
+
+      <PasswordGeneratorModal
+        isOpen={showGenerator}
+        onClose={() => setShowGenerator(false)}
+        onUsePassword={onUsePassword}
+        minLength={minLength}
+        maxLength={maxLength}
+      />
+    </>
+  );
+};

frontend/src/components/v2/PasswordGenerator/index.tsx

@@ -0,0 +1,2 @@
+export type { PasswordGeneratorProps } from "./PasswordGenerator";
+export { PasswordGenerator } from "./PasswordGenerator";

frontend/src/components/v2/SecretPathInput/SecretPathInput.tsx

@@ -48,7 +48,6 @@ export const SecretPathInput = ({
   }, [propValue]);
 
   useEffect(() => {
-    // update secret path if input is valid
     if (
       (debouncedInputValue.length > 0 &&
         debouncedInputValue[debouncedInputValue.length - 1] === "/") ||
@@ -59,7 +58,6 @@ export const SecretPathInput = ({
   }, [debouncedInputValue]);
 
   useEffect(() => {
-    // filter suggestions based on matching
     const searchFragment = debouncedInputValue.split("/").pop() || "";
     const filteredSuggestions = folders
       .filter((suggestionEntry) =>
@@ -78,7 +76,6 @@ export const SecretPathInput = ({
     const validPaths = inputValue.split("/");
     validPaths.pop();
 
-    // removed trailing slash
     const newValue = `${validPaths.join("/")}/${suggestions[selectedIndex]}`;
     onChange?.(newValue);
     setInputValue(newValue);
@@ -102,7 +99,6 @@ export const SecretPathInput = ({
   };
 
   const handleInputChange = (e: any) => {
-    // propagate event to react-hook-form onChange
     if (onChange) {
       onChange(e.target.value);
     }
@@ -141,7 +137,7 @@ export const SecretPathInput = ({
           maxHeight: "var(--radix-select-content-available-height)"
         }}
       >
-        <div className="h-full w-full flex-col items-center justify-center rounded-md text-white">
+        <div className="max-h-[25vh] w-full flex-col items-center justify-center overflow-y-scroll rounded-md text-white">
           {suggestions.map((suggestion, i) => (
             <div
               tabIndex={0}

frontend/src/components/v2/Select/components/index.tsx

@@ -2,6 +2,7 @@ import {
   ClearIndicatorProps,
   components,
   DropdownIndicatorProps,
+  GroupProps,
   MultiValueRemoveProps,
   OptionProps
 } from "react-select";
@@ -45,3 +46,7 @@ export const Option = <T,>({ isSelected, children, ...props }: OptionProps<T>) =
     </components.Option>
   );
 };
+
+export const Group = <T,>(props: GroupProps<T>) => {
+  return <components.Group {...props} />;
+};

frontend/src/components/v2/Slider/Slider.tsx

@@ -0,0 +1,237 @@
+import {
+  forwardRef,
+  InputHTMLAttributes,
+  useCallback,
+  useEffect,
+  useImperativeHandle,
+  useRef,
+  useState
+} from "react";
+import { cva, VariantProps } from "cva";
+import { twMerge } from "tailwind-merge";
+
+type Props = {
+  min: number;
+  max: number;
+  step?: number;
+  isDisabled?: boolean;
+  isRequired?: boolean;
+  showValue?: boolean;
+  valuePosition?: "top" | "right";
+  containerClassName?: string;
+  trackClassName?: string;
+  fillClassName?: string;
+  thumbClassName?: string;
+  onChange?: (value: number) => void;
+  onChangeComplete?: (value: number) => void;
+};
+
+const sliderTrackVariants = cva("h-1 w-full bg-mineshaft-600 rounded-full relative", {
+  variants: {
+    variant: {
+      default: "",
+      thin: "h-0.5",
+      thick: "h-1.5"
+    },
+    isDisabled: {
+      true: "opacity-50 cursor-not-allowed",
+      false: ""
+    }
+  }
+});
+
+const sliderFillVariants = cva("absolute h-full rounded-full", {
+  variants: {
+    variant: {
+      default: "bg-primary-500",
+      secondary: "bg-secondary-500",
+      danger: "bg-red-500"
+    },
+    isDisabled: {
+      true: "opacity-50",
+      false: ""
+    }
+  }
+});
+
+const sliderThumbVariants = cva(
+  "absolute w-4 h-4 rounded-full shadow transform -translate-x-1/2 -mt-1.5 focus:outline-none",
+  {
+    variants: {
+      variant: {
+        default: "bg-primary-500 focus:ring-2 focus:ring-primary-400/50",
+        secondary: "bg-secondary-500 focus:ring-2 focus:ring-secondary-400/50",
+        danger: "bg-red-500 focus:ring-2 focus:ring-red-400/50"
+      },
+      isDisabled: {
+        true: "opacity-50 cursor-not-allowed",
+        false: "cursor-pointer"
+      },
+      size: {
+        sm: "w-3 h-3 -mt-1",
+        md: "w-4 h-4 -mt-1.5",
+        lg: "w-5 h-5 -mt-2"
+      }
+    }
+  }
+);
+
+const sliderContainerVariants = cva("relative inline-flex font-inter", {
+  variants: {
+    isFullWidth: {
+      true: "w-full",
+      false: ""
+    }
+  }
+});
+
+export type SliderProps = Omit<InputHTMLAttributes<HTMLInputElement>, "size" | "onChange"> &
+  VariantProps<typeof sliderTrackVariants> &
+  VariantProps<typeof sliderThumbVariants> &
+  VariantProps<typeof sliderContainerVariants> &
+  Props;
+
+export const Slider = forwardRef<HTMLInputElement, SliderProps>(
+  (
+    {
+      className,
+      containerClassName,
+      trackClassName,
+      fillClassName,
+      thumbClassName,
+      min = 0,
+      max = 100,
+      step = 1,
+      value,
+      defaultValue,
+      isDisabled = false,
+      isFullWidth = true,
+      isRequired = false,
+      showValue = false,
+      valuePosition = "top",
+      variant = "default",
+      size = "md",
+      onChange,
+      onChangeComplete,
+      ...props
+    },
+    ref
+  ): JSX.Element => {
+    let initialValue = min;
+    if (value !== undefined) {
+      initialValue = Number(value);
+    } else if (defaultValue !== undefined) {
+      initialValue = Number(defaultValue);
+    }
+
+    const [currentValue, setCurrentValue] = useState<number>(initialValue);
+    const [isDragging, setIsDragging] = useState(false);
+    const inputRef = useRef<HTMLInputElement>(null);
+    const percentage = Math.max(0, Math.min(100, ((currentValue - min) / (max - min)) * 100));
+
+    useImperativeHandle(ref, () => inputRef.current as HTMLInputElement, []);
+
+    useEffect(() => {
+      if (value !== undefined && Number(value) !== currentValue) {
+        setCurrentValue(Number(value));
+      }
+    }, [value, currentValue]);
+
+    const handleChange = useCallback(
+      (e: React.ChangeEvent<HTMLInputElement>) => {
+        const newValue = Number(e.target.value);
+        setCurrentValue(newValue);
+        onChange?.(newValue);
+      },
+      [onChange]
+    );
+
+    const handleMouseDown = useCallback(() => {
+      if (!isDisabled) {
+        setIsDragging(true);
+      }
+    }, [isDisabled]);
+
+    const handleChangeComplete = useCallback(() => {
+      if (isDragging) {
+        onChangeComplete?.(currentValue);
+        setIsDragging(false);
+      }
+    }, [isDragging, currentValue, onChangeComplete]);
+
+    useEffect(() => {
+      if (isDragging) {
+        const handleGlobalMouseUp = () => handleChangeComplete();
+
+        document.addEventListener("mouseup", handleGlobalMouseUp);
+        document.addEventListener("touchend", handleGlobalMouseUp);
+
+        return () => {
+          document.removeEventListener("mouseup", handleGlobalMouseUp);
+          document.removeEventListener("touchend", handleGlobalMouseUp);
+        };
+      }
+      return () => {};
+    }, [isDragging, handleChangeComplete]);
+
+    const ValueDisplay = showValue ? (
+      <div className="text-xs text-bunker-300">{currentValue}</div>
+    ) : null;
+
+    return (
+      <div
+        className={twMerge(
+          sliderContainerVariants({ isFullWidth, className: containerClassName }),
+          "my-2"
+        )}
+      >
+        {showValue && valuePosition === "top" && ValueDisplay}
+
+        <div className="relative flex w-full items-center">
+          <div
+            className={twMerge(
+              sliderTrackVariants({ variant, isDisabled, className: trackClassName })
+            )}
+          >
+            <div
+              className={twMerge(
+                sliderFillVariants({ variant, isDisabled, className: fillClassName }),
+                "left-0"
+              )}
+              style={{ width: `${percentage}%` }}
+            />
+
+            <div
+              className={twMerge(
+                sliderThumbVariants({ variant, isDisabled, size, className: thumbClassName })
+              )}
+              style={{ left: `${percentage}%` }}
+            />
+          </div>
+
+          <input
+            type="range"
+            min={min}
+            max={max}
+            step={step}
+            value={currentValue}
+            onChange={handleChange}
+            onMouseDown={handleMouseDown}
+            onTouchStart={handleMouseDown}
+            disabled={isDisabled}
+            required={isRequired}
+            ref={inputRef}
+            className="absolute inset-0 h-full w-full cursor-pointer opacity-0"
+            {...props}
+          />
+
+          {showValue && valuePosition === "right" && (
+            <div className="ml-2 text-xs text-bunker-300">{currentValue}</div>
+          )}
+        </div>
+      </div>
+    );
+  }
+);
+
+Slider.displayName = "Slider";

frontend/src/components/v2/Slider/index.tsx

@@ -0,0 +1,2 @@
+export type { SliderProps } from "./Slider";
+export { Slider } from "./Slider";

frontend/src/components/v2/index.tsx

@@ -24,10 +24,12 @@ export * from "./Modal";
 export * from "./NoticeBanner";
 export * from "./PageHeader";
 export * from "./Pagination";
+export * from "./PasswordGenerator";
 export * from "./Popoverv2";
 export * from "./SecretInput";
 export * from "./Select";
 export * from "./Skeleton";
+export * from "./Slider";
 export * from "./Spinner";
 export * from "./Stepper";
 export * from "./Switch";