fix github hostname check

feat: ldap auth for k8s operator

.env.example

@@ -123,8 +123,17 @@ INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
-INF_APP_CONNECTION_AZURE_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET=
+
+INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET=
 
 # datadog
 SHOULD_USE_DATADOG_TRACER=

.github/workflows/release_build_infisical_cli.yml

@@ -1,153 +0,0 @@
-name: Build and release CLI
-
-on:
-  workflow_dispatch:
-
-  push:
-    # run only against tags
-    tags:
-      - "infisical-cli/v*.*.*"
-
-permissions:
-  contents: write
-
-jobs:
-  cli-integration-tests:
-    name: Run tests before deployment
-    uses: ./.github/workflows/run-cli-tests.yml
-    secrets:
-      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
-
-  npm-release:
-    runs-on: ubuntu-latest
-    env:
-      working-directory: ./npm
-    needs:
-      - cli-integration-tests
-      - goreleaser
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Extract version
-        run: |
-          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
-          echo "Version extracted: $VERSION"
-          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
-
-      - name: Print version
-        run: echo ${{ env.CLI_VERSION }}
-
-      - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
-        with:
-          node-version: 20
-          cache: "npm"
-          cache-dependency-path: ./npm/package-lock.json
-      - name: Install dependencies
-        working-directory: ${{ env.working-directory }}
-        run: npm install --ignore-scripts
-
-      - name: Set NPM version
-        working-directory: ${{ env.working-directory }}
-        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
-
-      - name: Setup NPM
-        working-directory: ${{ env.working-directory }}
-        run: |
-          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-
-          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Pack NPM
-        working-directory: ${{ env.working-directory }}
-        run: npm pack
-
-      - name: Publish NPM
-        working-directory: ${{ env.working-directory }}
-        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-  goreleaser:
-    runs-on: ubuntu-latest-8-cores
-    needs: [cli-integration-tests]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ">=1.19.3"
-          cache: true
-          cache-dependency-path: cli/go.sum
-      - name: Setup for libssl1.0-dev
-        run: |
-          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-          sudo apt update
-          sudo apt-get install -y libssl1.0-dev
-      - name: OSXCross for CGO Support
-        run: |
-          mkdir ../../osxcross
-          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
-        with:
-          distribution: goreleaser-pro
-          version: v1.26.2-pro
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - uses: actions/setup-python@v4
-      - run: pip install --upgrade cloudsmith-cli
-      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
-        with:
-          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
-          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-      - name: Install deb-s3
-        run: gem install deb-s3
-      - name: Configure GPG Key
-        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
-        env:
-          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
-          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
-      - name: Publish to CloudSmith
-        run: sh cli/upload_to_cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
-          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
-          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-      - name: Invalidate Cloudfront cache
-        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

.github/workflows/run-cli-tests.yml

@@ -1,55 +0,0 @@
-name: Go CLI Tests
-
-on:
-    pull_request:
-        types: [opened, synchronize]
-        paths:
-            - "cli/**"
-
-    workflow_dispatch:
-
-    workflow_call:
-        secrets:
-            CLI_TESTS_UA_CLIENT_ID:
-                required: true
-            CLI_TESTS_UA_CLIENT_SECRET:
-                required: true
-            CLI_TESTS_SERVICE_TOKEN:
-                required: true
-            CLI_TESTS_PROJECT_ID:
-                required: true
-            CLI_TESTS_ENV_SLUG:
-                required: true
-            CLI_TESTS_USER_EMAIL:
-                required: true
-            CLI_TESTS_USER_PASSWORD:
-                required: true
-            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
-                required: true
-jobs:
-    test:
-        defaults:
-            run:
-                working-directory: ./cli
-        runs-on: ubuntu-latest
-
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup Go
-              uses: actions/setup-go@v4
-              with:
-                  go-version: "1.21.x"
-            - name: Install dependencies
-              run: go get .
-            - name: Test with the Go CLI
-              env:
-                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
-
-              run: go test -v -count=1 ./test

.goreleaser.yaml

@@ -1,241 +0,0 @@
-# This is an example .goreleaser.yml file with some sensible defaults.
-# Make sure to check the documentation at https://goreleaser.com
-# before:
-#   hooks:
-#     # You may remove this if you don't use go modules.
-#     - cd cli && go mod tidy
-#     # you may remove this if you don't need go generate
-#     - cd cli && go generate ./...
-before:
-  hooks:
-    - ./cli/scripts/completions.sh
-    - ./cli/scripts/manpages.sh
-
-monorepo:
-  tag_prefix: infisical-cli/
-  dir: cli
-
-builds:
-  - id: darwin-build
-    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-    flags:
-      - -trimpath
-    env:
-      - CGO_ENABLED=1
-      - CC=/home/runner/work/osxcross/target/bin/o64-clang
-      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
-    goos:
-      - darwin
-    ignore:
-      - goos: darwin
-        goarch: "386"
-    dir: ./cli
-
-  - id: all-other-builds
-    env:
-      - CGO_ENABLED=0
-    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-    flags:
-      - -trimpath
-    goos:
-      - freebsd
-      - linux
-      - netbsd
-      - openbsd
-      - windows
-    goarch:
-      - "386"
-      - amd64
-      - arm
-      - arm64
-    goarm:
-      - "6"
-      - "7"
-    ignore:
-      - goos: windows
-        goarch: "386"
-      - goos: freebsd
-        goarch: "386"
-    dir: ./cli
-
-archives:
-  - format_overrides:
-      - goos: windows
-        format: zip
-    files:
-      - ../README*
-      - ../LICENSE*
-      - ../manpages/*
-      - ../completions/*
-
-release:
-  replace_existing_draft: true
-  mode: "replace"
-
-checksum:
-  name_template: "checksums.txt"
-
-snapshot:
-  name_template: "{{ .Version }}-devel"
-
-# publishers:
-#   - name: fury.io
-#     ids:
-#       - infisical
-#     dir: "{{ dir .ArtifactPath }}"
-#     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
-
-brews:
-  - name: infisical
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-  - name: "infisical@{{.Version}}"
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-
-nfpms:
-  - id: infisical
-    package_name: infisical
-    builds:
-      - all-other-builds
-    vendor: Infisical, Inc
-    homepage: https://infisical.com/
-    maintainer: Infisical, Inc
-    description: The offical Infisical CLI
-    license: MIT
-    formats:
-      - rpm
-      - deb
-      - apk
-      - archlinux
-    bindir: /usr/bin
-    contents:
-      - src: ./completions/infisical.bash
-        dst: /etc/bash_completion.d/infisical
-      - src: ./completions/infisical.fish
-        dst: /usr/share/fish/vendor_completions.d/infisical.fish
-      - src: ./completions/infisical.zsh
-        dst: /usr/share/zsh/site-functions/_infisical
-      - src: ./manpages/infisical.1.gz
-        dst: /usr/share/man/man1/infisical.1.gz
-
-scoop:
-  bucket:
-    owner: Infisical
-    name: scoop-infisical
-  commit_author:
-    name: "Infisical"
-    email: ai@infisical.com
-  homepage: "https://infisical.com"
-  description: "The official Infisical CLI"
-  license: MIT
-
-winget:
-  - name: infisical
-    publisher: infisical
-    license: MIT
-    homepage: https://infisical.com
-    short_description: "The official Infisical CLI"
-    repository:
-      owner: infisical
-      name: winget-pkgs
-      branch: "infisical-{{.Version}}"
-      pull_request:
-        enabled: true
-        draft: false
-        base:
-          owner: microsoft
-          name: winget-pkgs
-          branch: master
-
-aurs:
-  - name: infisical-bin
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    maintainers:
-      - Infisical, Inc <support@infisical.com>
-    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
-    package: |-
-      # bin
-      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
-      # license
-      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
-      # completions
-      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
-      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
-      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
-      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
-      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
-      # man pages
-      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
-
-dockers:
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    use: buildx
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
-      - "infisical/cli:latest-amd64"
-    build_flag_templates:
-      - "--pull"
-      - "--platform=linux/amd64"
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    use: buildx
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
-      - "infisical/cli:latest-arm64"
-    build_flag_templates:
-      - "--pull"
-      - "--platform=linux/arm64"
-
-docker_manifests:
-  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
-  - name_template: "infisical/cli:latest"
-    image_templates:
-      - "infisical/cli:latest-amd64"
-      - "infisical/cli:latest-arm64"

Dockerfile.fips.standalone-infisical

@@ -34,6 +34,8 @@ ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
 
+ENV NODE_OPTIONS="--max-old-space-size=8192"
+
 # Build
 RUN npm run build
 
@@ -145,7 +147,11 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips
+    && make install_fips \
+    && cd / \
+    && rm -rf /openssl-build \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
@@ -186,12 +192,11 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=1024"
+ENV NODE_OPTIONS="--max-old-space-size=8192 --force-fips"
 
 # FIPS mode of operation:
 ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV NODE_OPTIONS=--force-fips
 ENV FIPS_ENABLED=true
   
 
@@ -206,6 +211,11 @@ EXPOSE 443
 RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
     mv dist/main.mjs.tmp dist/main.mjs
 
+# The OpenSSL library is installed in different locations in different architectures (x86_64 and arm64).
+# This is a workaround to avoid errors when the library is not found.
+RUN ln -sf /usr/local/lib64/ossl-modules /usr/local/lib/ossl-modules || \
+    ln -sf /usr/local/lib/ossl-modules /usr/local/lib64/ossl-modules
+
 USER non-root-user
 
 CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -55,6 +55,8 @@ USER non-root-user
 ##
 FROM base AS backend-build
 
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
 WORKDIR /app
 
 # Install all required dependencies for build
@@ -84,6 +86,8 @@ RUN npm run build
 # Production stage
 FROM base AS backend-runner
 
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
+
 WORKDIR /app
 
 # Install all required dependencies for runtime
@@ -112,6 +116,11 @@ RUN mkdir frontend-build
 FROM base AS production
 
 RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    libtool \
+    libssl-dev \
     ca-certificates \
     bash \
     curl \
@@ -171,6 +180,7 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"
+ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 
 WORKDIR /backend
 

backend/Dockerfile.dev.fips

@@ -59,7 +59,11 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips
+    && make install_fips \
+    && cd / \
+    && rm -rf /openssl-build \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # ? App setup
 

backend/e2e-test/mocks/queue.ts

@@ -24,6 +24,7 @@ export const mockQueue = (): TQueueServiceFactory => {
       events[name] = event;
     },
     getRepeatableJobs: async () => [],
+    getDelayedJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
     stopJobByIdPg: async () => {},

backend/package-lock.json

@@ -33,11 +33,12 @@
         "@gitbeaker/rest": "^42.5.0",
         "@google-cloud/kms": "^4.5.0",
         "@infisical/quic": "^1.0.8",
-        "@node-saml/passport-saml": "^5.0.1",
+        "@node-saml/passport-saml": "^5.1.0",
         "@octokit/auth-app": "^7.1.1",
         "@octokit/core": "^5.2.1",
         "@octokit/plugin-paginate-graphql": "^4.0.1",
         "@octokit/plugin-retry": "^5.0.5",
+        "@octokit/request": "8.4.1",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
         "@octopusdeploy/api-client": "^3.4.1",
@@ -61,7 +62,7 @@
         "ajv": "^8.12.0",
         "argon2": "^0.31.2",
         "aws-sdk": "^2.1553.0",
-        "axios": "^1.6.7",
+        "axios": "^1.11.0",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
         "botbuilder": "^4.23.2",
@@ -9573,20 +9574,20 @@
       }
     },
     "node_modules/@node-saml/node-saml": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.0.1.tgz",
-      "integrity": "sha512-YQzFPEC+CnsfO9AFYnwfYZKIzOLx3kITaC1HrjHVLTo6hxcQhc+LgHODOMvW4VCV95Gwrz1MshRUWCPzkDqmnA==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.1.0.tgz",
+      "integrity": "sha512-t3cJnZ4aC7HhPZ6MGylGZULvUtBOZ6FzuUndaHGXjmIZHXnLfC/7L8a57O9Q9V7AxJGKAiRM5zu2wNm9EsvQpw==",
       "license": "MIT",
       "dependencies": {
         "@types/debug": "^4.1.12",
-        "@types/qs": "^6.9.11",
+        "@types/qs": "^6.9.18",
         "@types/xml-encryption": "^1.2.4",
         "@types/xml2js": "^0.4.14",
         "@xmldom/is-dom-node": "^1.0.1",
         "@xmldom/xmldom": "^0.8.10",
-        "debug": "^4.3.4",
-        "xml-crypto": "^6.0.1",
-        "xml-encryption": "^3.0.2",
+        "debug": "^4.4.0",
+        "xml-crypto": "^6.1.2",
+        "xml-encryption": "^3.1.0",
         "xml2js": "^0.6.2",
         "xmlbuilder": "^15.1.1",
         "xpath": "^0.0.34"
@@ -9596,9 +9597,9 @@
       }
     },
     "node_modules/@node-saml/node-saml/node_modules/debug": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
+      "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==",
       "license": "MIT",
       "dependencies": {
         "ms": "^2.1.3"
@@ -9635,14 +9636,14 @@
       }
     },
     "node_modules/@node-saml/passport-saml": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.0.1.tgz",
-      "integrity": "sha512-fMztg3zfSnjLEgxvpl6HaDMNeh0xeQX4QHiF9e2Lsie2dc4qFE37XYbQZhVmn8XJ2awPpSWLQ736UskYgGU8lQ==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.1.0.tgz",
+      "integrity": "sha512-pBm+iFjv9eihcgeJuSUs4c0AuX1QEFdHwP8w1iaWCfDzXdeWZxUBU5HT2bY2S4dvNutcy+A9hYsH7ZLBGtgwDg==",
       "license": "MIT",
       "dependencies": {
-        "@node-saml/node-saml": "^5.0.1",
-        "@types/express": "^4.17.21",
-        "@types/passport": "^1.0.16",
+        "@node-saml/node-saml": "^5.1.0",
+        "@types/express": "^4.17.23",
+        "@types/passport": "^1.0.17",
         "@types/passport-strategy": "^0.2.38",
         "passport": "^0.7.0",
         "passport-strategy": "^1.0.0"
@@ -9777,18 +9778,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/auth-app/node_modules/@octokit/endpoint": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
-      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
-      "dependencies": {
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
     "node_modules/@octokit/auth-app/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9835,11 +9824,6 @@
         "node": "14 || >=16.14"
       }
     },
-    "node_modules/@octokit/auth-app/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
-    },
     "node_modules/@octokit/auth-oauth-app": {
       "version": "8.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-8.1.1.tgz",
@@ -9855,18 +9839,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/endpoint": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
-      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
-      "dependencies": {
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
     "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9905,11 +9877,6 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
-    "node_modules/@octokit/auth-oauth-app/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
-    },
     "node_modules/@octokit/auth-oauth-device": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-7.1.1.tgz",
@@ -9924,18 +9891,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/endpoint": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
-      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
-      "dependencies": {
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
     "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9974,11 +9929,6 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
-    "node_modules/@octokit/auth-oauth-device/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
-    },
     "node_modules/@octokit/auth-oauth-user": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-5.1.1.tgz",
@@ -9994,18 +9944,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/endpoint": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
-      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
-      "dependencies": {
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
     "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -10044,11 +9982,6 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
-    "node_modules/@octokit/auth-oauth-user/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
-    },
     "node_modules/@octokit/auth-token": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
@@ -10102,32 +10035,38 @@
         "@octokit/openapi-types": "^24.2.0"
       }
     },
+    "node_modules/@octokit/core/node_modules/universal-user-agent": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
+      "license": "ISC"
+    },
     "node_modules/@octokit/endpoint": {
-      "version": "9.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
-      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
+      "version": "10.1.4",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.4.tgz",
+      "integrity": "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.1.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/types": "^14.0.0",
+        "universal-user-agent": "^7.0.2"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/endpoint/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "version": "25.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
+      "integrity": "sha512-idsIggNXUKkk0+BExUn1dQ92sfysJrje03Q0bv0e+KPLrvyqZF8MnBpFz8UNfYDwB3Ie7Z0TByjWfzxt7vseaA==",
       "license": "MIT"
     },
     "node_modules/@octokit/endpoint/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "version": "14.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.1.0.tgz",
+      "integrity": "sha512-1y6DgTy8Jomcpu33N+p5w58l6xyt55Ar2I91RPiIA0xCJBXyUAhXCcmZaDWSANiha7R9a6qJJ2CRomGPZ6f46g==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
+        "@octokit/openapi-types": "^25.1.0"
       }
     },
     "node_modules/@octokit/graphql": {
@@ -10159,6 +10098,12 @@
         "@octokit/openapi-types": "^24.2.0"
       }
     },
+    "node_modules/@octokit/graphql/node_modules/universal-user-agent": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
+      "license": "ISC"
+    },
     "node_modules/@octokit/oauth-authorization-url": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz",
@@ -10181,18 +10126,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/@octokit/oauth-methods/node_modules/@octokit/endpoint": {
-      "version": "10.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
-      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
-      "dependencies": {
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 18"
-      }
-    },
     "node_modules/@octokit/oauth-methods/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -10231,11 +10164,6 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
-    "node_modules/@octokit/oauth-methods/node_modules/universal-user-agent": {
-      "version": "7.0.2",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
-      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
-    },
     "node_modules/@octokit/openapi-types": {
       "version": "19.1.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.1.0.tgz",
@@ -10376,31 +10304,54 @@
       }
     },
     "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
-      "version": "22.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
-      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
     },
     "node_modules/@octokit/request-error/node_modules/@octokit/types": {
-      "version": "13.6.1",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
-      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^22.2.0"
+        "@octokit/openapi-types": "^24.2.0"
+      }
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/endpoint": {
+      "version": "9.0.6",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
       }
     },
     "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
-      "version": "22.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
-      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
     },
     "node_modules/@octokit/request/node_modules/@octokit/types": {
-      "version": "13.6.1",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
-      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^22.2.0"
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
+    "node_modules/@octokit/request/node_modules/universal-user-agent": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
+      "license": "ISC"
+    },
     "node_modules/@octokit/rest": {
       "version": "20.0.2",
       "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-20.0.2.tgz",
@@ -13350,9 +13301,10 @@
       "license": "MIT"
     },
     "node_modules/@types/express": {
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.21.tgz",
-      "integrity": "sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.23.tgz",
+      "integrity": "sha512-Crp6WY9aTYP3qPi2wGDo9iUe/rceX01UMhnF1jmwDcKCFM6cx7YhGP/Mpr3y9AASpfHixIG0E6azCcL5OcDHsQ==",
+      "license": "MIT",
       "dependencies": {
         "@types/body-parser": "*",
         "@types/express-serve-static-core": "^4.17.33",
@@ -13522,9 +13474,10 @@
       }
     },
     "node_modules/@types/passport": {
-      "version": "1.0.16",
-      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.16.tgz",
-      "integrity": "sha512-FD0qD5hbPWQzaM0wHUnJ/T0BBCJBxCeemtnCwc/ThhTg3x9jfrAcRUmj5Dopza+MfFS9acTe3wk7rcVnRIp/0A==",
+      "version": "1.0.17",
+      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.17.tgz",
+      "integrity": "sha512-aciLyx+wDwT2t2/kJGJR2AEeBz0nJU4WuRX04Wu9Dqc5lSUtwu0WERPHYsLhF9PtseiAMPBGNUOtFjxZ56prsg==",
+      "license": "MIT",
       "dependencies": {
         "@types/express": "*"
       }
@@ -13699,14 +13652,16 @@
       }
     },
     "node_modules/@types/request/node_modules/form-data": {
-      "version": "2.5.2",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.2.tgz",
-      "integrity": "sha512-GgwY0PS7DbXqajuGf4OYlsrIu3zgxD6Vvql43IBhm6MahqA5SK/7mwhtNj2AdH2z35YR34ujJ7BN+3fFC3jP5Q==",
+      "version": "2.5.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.5.tgz",
+      "integrity": "sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==",
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
-        "combined-stream": "^1.0.6",
-        "mime-types": "^2.1.12",
+        "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.35",
         "safe-buffer": "^5.2.1"
       },
       "engines": {
@@ -15230,13 +15185,13 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.7.9",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
-      "integrity": "sha512-LhLcE7Hbiryz8oMDdDptSrWowmB4Bl6RCt6sIJKpRB4XtVf0iEgewX3au/pJqm+Py1kCASkb/FFKjxQaLtxJvw==",
+      "version": "1.11.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.11.0.tgz",
+      "integrity": "sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==",
       "license": "MIT",
       "dependencies": {
         "follow-redirects": "^1.15.6",
-        "form-data": "^4.0.0",
+        "form-data": "^4.0.4",
         "proxy-from-env": "^1.1.0"
       }
     },
@@ -18284,7 +18239,8 @@
     "node_modules/fast-content-type-parse": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-1.1.0.tgz",
-      "integrity": "sha512-fBHHqSTFLVnR61C+gltJuE5GkVQMV0S2nqUO8TJ+5Z3qAKG8vAx4FKai1s5jq/inV1+sREynIWSuQ6HgoSXpDQ=="
+      "integrity": "sha512-fBHHqSTFLVnR61C+gltJuE5GkVQMV0S2nqUO8TJ+5Z3qAKG8vAx4FKai1s5jq/inV1+sREynIWSuQ6HgoSXpDQ==",
+      "license": "MIT"
     },
     "node_modules/fast-copy": {
       "version": "3.0.1",
@@ -18761,13 +18717,15 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz",
-      "integrity": "sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
+      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
+      "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
         "mime-types": "^2.1.12"
       },
       "engines": {
@@ -24770,6 +24728,12 @@
         "jsonwebtoken": "^9.0.2"
       }
     },
+    "node_modules/octokit-auth-probot/node_modules/universal-user-agent": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
+      "license": "ISC"
+    },
     "node_modules/odbc": {
       "version": "2.4.9",
       "resolved": "https://registry.npmjs.org/odbc/-/odbc-2.4.9.tgz",
@@ -30699,9 +30663,10 @@
       "integrity": "sha512-G5o6f95b5BggDGuUfKDApKaCgNYy2x7OdHY0zSMF081O0EJobw+1130VONhrA7ezGSV2FNOGyM+KQpQZAr9bIQ=="
     },
     "node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ=="
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
+      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
+      "license": "ISC"
     },
     "node_modules/universalify": {
       "version": "2.0.1",
@@ -31948,9 +31913,9 @@
       "license": "MIT"
     },
     "node_modules/xml-crypto": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
-      "integrity": "sha512-v05aU7NS03z4jlZ0iZGRFeZsuKO1UfEbbYiaeRMiATBFs6Jq9+wqKquEMTn4UTrYZ9iGD8yz3KT4L9o2iF682w==",
+      "version": "6.1.2",
+      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.1.2.tgz",
+      "integrity": "sha512-leBOVQdVi8FvPJrMYoum7Ici9qyxfE4kVi+AkpUoYCSXaQF4IlBm1cneTK9oAxR61LpYxTx7lNcsnBIeRpGW2w==",
       "license": "MIT",
       "dependencies": {
         "@xmldom/is-dom-node": "^1.0.1",

backend/package.json

@@ -153,11 +153,12 @@
     "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.0.1",
+    "@node-saml/passport-saml": "^5.1.0",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/core": "^5.2.1",
     "@octokit/plugin-paginate-graphql": "^4.0.1",
     "@octokit/plugin-retry": "^5.0.5",
+    "@octokit/request": "8.4.1",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
@@ -181,7 +182,7 @@
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",
-    "axios": "^1.6.7",
+    "axios": "^1.11.0",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
     "botbuilder": "^4.23.2",

backend/src/@types/fastify.d.ts

@@ -12,6 +12,8 @@ import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certifi
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-types";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-types";
+import { TEventBusService } from "@app/ee/services/event/event-bus-service";
+import { TServerSentEventsService } from "@app/ee/services/event/event-sse-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
@@ -93,6 +95,7 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -125,6 +128,15 @@ declare module "@fastify/request-context" {
         namespace: string;
         name: string;
       };
+      aws?: {
+        accountId: string;
+        arn: string;
+        userId: string;
+        partition: string;
+        service: string;
+        resourceType: string;
+        resourceName: string;
+      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -285,6 +297,9 @@ declare module "fastify" {
       secretScanningV2: TSecretScanningV2ServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
       pkiTemplate: TPkiTemplatesServiceFactory;
+      reminder: TReminderServiceFactory;
+      bus: TEventBusService;
+      sse: TServerSentEventsService;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -489,6 +489,11 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
+import {
+  TAccessApprovalPoliciesEnvironments,
+  TAccessApprovalPoliciesEnvironmentsInsert,
+  TAccessApprovalPoliciesEnvironmentsUpdate
+} from "@app/db/schemas/access-approval-policies-environments";
 import {
   TIdentityLdapAuths,
   TIdentityLdapAuthsInsert,
@@ -504,6 +509,17 @@ import {
   TProjectMicrosoftTeamsConfigsInsert,
   TProjectMicrosoftTeamsConfigsUpdate
 } from "@app/db/schemas/project-microsoft-teams-configs";
+import { TReminders, TRemindersInsert, TRemindersUpdate } from "@app/db/schemas/reminders";
+import {
+  TRemindersRecipients,
+  TRemindersRecipientsInsert,
+  TRemindersRecipientsUpdate
+} from "@app/db/schemas/reminders-recipients";
+import {
+  TSecretApprovalPoliciesEnvironments,
+  TSecretApprovalPoliciesEnvironmentsInsert,
+  TSecretApprovalPoliciesEnvironmentsUpdate
+} from "@app/db/schemas/secret-approval-policies-environments";
 import {
   TSecretReminderRecipients,
   TSecretReminderRecipientsInsert,
@@ -881,6 +897,12 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesBypassersUpdate
     >;
 
+    [TableName.AccessApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
+      TAccessApprovalPoliciesEnvironments,
+      TAccessApprovalPoliciesEnvironmentsInsert,
+      TAccessApprovalPoliciesEnvironmentsUpdate
+    >;
+
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -929,6 +951,11 @@ declare module "knex/types/tables" {
       TSecretApprovalRequestSecretTagsInsert,
       TSecretApprovalRequestSecretTagsUpdate
     >;
+    [TableName.SecretApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
+      TSecretApprovalPoliciesEnvironments,
+      TSecretApprovalPoliciesEnvironmentsInsert,
+      TSecretApprovalPoliciesEnvironmentsUpdate
+    >;
     [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
       TSecretRotations,
       TSecretRotationsInsert,
@@ -1211,5 +1238,11 @@ declare module "knex/types/tables" {
       TSecretScanningConfigsInsert,
       TSecretScanningConfigsUpdate
     >;
+    [TableName.Reminder]: KnexOriginal.CompositeTableType<TReminders, TRemindersInsert, TRemindersUpdate>;
+    [TableName.ReminderRecipient]: KnexOriginal.CompositeTableType<
+      TRemindersRecipients,
+      TRemindersRecipientsInsert,
+      TRemindersRecipientsUpdate
+    >;
   }
 }

backend/src/db/migrations/20250701202824_add-reminder-table.ts

@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.Reminder))) {
+    await knex.schema.createTable(TableName.Reminder, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("secretId").nullable();
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      t.string("message", 1024).nullable();
+      t.integer("repeatDays").checkPositive().nullable();
+      t.timestamp("nextReminderDate").notNullable();
+      t.timestamps(true, true, true);
+      t.unique("secretId");
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ReminderRecipient))) {
+    await knex.schema.createTable(TableName.ReminderRecipient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("reminderId").notNullable();
+      t.foreign("reminderId").references("id").inTable(TableName.Reminder).onDelete("CASCADE");
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.index("reminderId");
+      t.index("userId");
+      t.unique(["reminderId", "userId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.Reminder);
+  await createOnUpdateTrigger(knex, TableName.ReminderRecipient);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.Reminder);
+  await dropOnUpdateTrigger(knex, TableName.ReminderRecipient);
+  await knex.schema.dropTableIfExists(TableName.ReminderRecipient);
+  await knex.schema.dropTableIfExists(TableName.Reminder);
+}

backend/src/db/migrations/20250718133527_project-unify-revert.ts

@@ -0,0 +1,432 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+import { v4 as uuidV4 } from "uuid";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { ProjectType, TableName } from "../schemas";
+
+/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
+
+// Single query to get all projects that need any kind of kickout
+const getProjectsNeedingKickouts = async (
+  knex: Knex
+): Promise<
+  Array<{
+    id: string;
+    defaultProduct: string;
+    needsSecretManager: boolean;
+    needsCertManager: boolean;
+    needsSecretScanning: boolean;
+    needsKms: boolean;
+    needsSsh: boolean;
+  }>
+> => {
+  const result = await knex.raw(
+    `
+SELECT DISTINCT
+  p.id,
+  p."defaultProduct",
+  
+  -- Use CASE with direct joins instead of EXISTS subqueries
+  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
+  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
+  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
+  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
+  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
+
+FROM projects p
+LEFT JOIN (
+  SELECT DISTINCT e."projectId", 1 as secret_exists
+  FROM secrets_v2 s
+  JOIN secret_folders sf ON sf.id = s."folderId"
+  JOIN project_environments e ON e.id = sf."envId"
+) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ca_exists
+  FROM certificate_authorities
+) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ssds_exists
+  FROM secret_scanning_data_sources
+) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as kms_exists
+  FROM kms_keys
+  WHERE "isReserved" = false
+) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
+
+LEFT JOIN (
+  SELECT DISTINCT sca."projectId", 1 as ssh_exists
+  FROM ssh_certificates sc
+  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
+) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
+
+WHERE p."defaultProduct" IS NOT NULL
+  AND (
+    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
+  )
+    `
+  );
+
+  return result.rows;
+};
+
+const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
+  const newProjectId = uuidV4();
+  const project = await knex(TableName.Project).where("id", projectId).first();
+  await knex(TableName.Project).insert({
+    ...project,
+    type: projectType,
+    defaultProduct: null,
+    // @ts-ignore id is required
+    id: newProjectId,
+    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
+  });
+
+  const customRoleMapping: Record<string, string> = {};
+  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
+  if (projectCustomRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectRoles,
+      projectCustomRoles.map((el) => {
+        const id = uuidV4();
+        customRoleMapping[el.id] = id;
+        return {
+          ...el,
+          id,
+          projectId: newProjectId,
+          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
+        };
+      })
+    );
+  }
+  const groupMembershipMapping: Record<string, string> = {};
+  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
+  if (groupMemberships.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembership,
+      groupMemberships.map((el) => {
+        const id = uuidV4();
+        groupMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    groupMemberships.map((el) => el.id)
+  );
+  if (groupMembershipRoles.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembershipRole,
+      groupMembershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const identityProjectMembershipMapping: Record<string, string> = {};
+  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
+  if (identities.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembership,
+      identities.map((el) => {
+        const id = uuidV4();
+        identityProjectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    identities.map((el) => el.id)
+  );
+  if (identitiesRoles.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identitiesRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const projectMembershipMapping: Record<string, string> = {};
+  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
+  if (projectUserMembers.length) {
+    await knex.batchInsert(
+      TableName.ProjectMembership,
+      projectUserMembers.map((el) => {
+        const id = uuidV4();
+        projectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
+    "projectMembershipId",
+    projectUserMembers.map((el) => el.id)
+  );
+  if (membershipRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      membershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
+  if (kmsKeys.length) {
+    await knex.batchInsert(
+      TableName.KmsKey,
+      kmsKeys.map((el) => {
+        const id = uuidV4();
+        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
+        return { ...el, id, slug, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
+  if (projectBot) {
+    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
+    await knex(TableName.ProjectBot).insert(newProjectBot);
+  }
+
+  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
+  if (projectKeys.length) {
+    await knex.batchInsert(
+      TableName.ProjectKeys,
+      projectKeys.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
+  if (projectGateways.length) {
+    await knex.batchInsert(
+      TableName.ProjectGateway,
+      projectGateways.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
+  if (projectSlackConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectSlackConfigs,
+      projectSlackConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
+  if (projectMicrosoftTeamsConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectMicrosoftTeamsConfigs,
+      projectMicrosoftTeamsConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
+  if (trustedIps.length) {
+    await knex.batchInsert(
+      TableName.TrustedIps,
+      trustedIps.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  return newProjectId;
+};
+
+const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
+  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
+  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
+  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
+  await knex(TableName.KmsKey)
+    .where("projectId", oldProjectId)
+    .andWhere("isReserved", false)
+    .update("projectId", newProjectId);
+  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
+  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const BATCH_SIZE = 1000;
+const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
+
+export async function up(knex: Knex): Promise<void> {
+  const result = await knex.raw("SHOW statement_timeout");
+  const originalTimeout = result.rows[0].statement_timeout;
+
+  try {
+    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
+
+    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+    if (hasTemplateTypeColumn) {
+      await knex(TableName.ProjectTemplates).whereNull("type").update({
+        type: ProjectType.SecretManager
+      });
+      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
+      });
+    }
+
+    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+    if (hasTypeColumn && hasDefaultTypeColumn) {
+      await knex(TableName.Project).update({
+        // eslint-disable-next-line
+        // @ts-ignore this is because this field is created later
+        type: knex.raw(`"defaultProduct"`)
+      });
+
+      await knex.schema.alterTable(TableName.Project, (t) => {
+        t.string("type").notNullable().alter();
+        t.string("defaultProduct").nullable().alter();
+      });
+
+      // Get all projects that need kickouts in a single query
+      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
+
+      // Process projects in batches to avoid overwhelming the database
+      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
+        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
+        const processedIds: string[] = [];
+
+        for (const project of batch) {
+          const kickoutPromises: Promise<void>[] = [];
+
+          // Only add kickouts that are actually needed (flags are pre-computed)
+          if (project.needsSecretManager) {
+            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
+          }
+          if (project.needsCertManager) {
+            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
+          }
+          if (project.needsKms) {
+            kickoutPromises.push(kickOutKmsProject(knex, project.id));
+          }
+          if (project.needsSsh) {
+            kickoutPromises.push(kickOutSshProject(knex, project.id));
+          }
+          if (project.needsSecretScanning) {
+            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
+          }
+
+          // Execute all kickouts in parallel and handle any failures gracefully
+          if (kickoutPromises.length > 0) {
+            const results = await Promise.allSettled(kickoutPromises);
+
+            // Log any failures for debugging
+            results.forEach((res) => {
+              if (res.status === "rejected") {
+                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
+              }
+            });
+          }
+
+          processedIds.push(project.id);
+        }
+
+        // Clear defaultProduct for the processed batch
+        if (processedIds.length > 0) {
+          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
+        }
+      }
+    }
+  } finally {
+    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+  if (hasTypeColumn && hasDefaultTypeColumn) {
+    await knex(TableName.Project).update({
+      // eslint-disable-next-line
+      // @ts-ignore this is because this field is created later
+      defaultProduct: knex.raw(`
+    CASE 
+      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
+      ELSE "type" 
+    END
+  `)
+    });
+
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type").nullable().alter();
+      t.string("defaultProduct").notNullable().alter();
+    });
+  }
+
+  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+  if (hasTemplateTypeColumn) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      t.string("type").nullable().alter();
+    });
+  }
+}

backend/src/db/migrations/20250722152841_add-policies-environments-table.ts

@@ -0,0 +1,96 @@
+import { Knex } from "knex";
+
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicyEnvironment, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment);
+      t.timestamps(true, true, true);
+      t.unique(["policyId", "envId"]);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
+
+    const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
+      .select(selectAllTableCols(TableName.AccessApprovalPolicy))
+      .whereNotNull(`${TableName.AccessApprovalPolicy}.envId`);
+
+    const accessApprovalPolicies = existingAccessApprovalPolicies.map(async (policy) => {
+      await knex(TableName.AccessApprovalPolicyEnvironment).insert({
+        policyId: policy.id,
+        envId: policy.envId
+      });
+    });
+
+    await Promise.all(accessApprovalPolicies);
+  }
+  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment))) {
+    await knex.schema.createTable(TableName.SecretApprovalPolicyEnvironment, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment);
+      t.timestamps(true, true, true);
+      t.unique(["policyId", "envId"]);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
+
+    const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
+      .select(selectAllTableCols(TableName.SecretApprovalPolicy))
+      .whereNotNull(`${TableName.SecretApprovalPolicy}.envId`);
+
+    const secretApprovalPolicies = existingSecretApprovalPolicies.map(async (policy) => {
+      await knex(TableName.SecretApprovalPolicyEnvironment).insert({
+        policyId: policy.id,
+        envId: policy.envId
+      });
+    });
+
+    await Promise.all(secretApprovalPolicies);
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+    t.dropForeign(["envId"]);
+
+    // Add the new foreign key constraint with ON DELETE SET NULL
+    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
+  });
+
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+    t.dropForeign(["envId"]);
+
+    // Add the new foreign key constraint with ON DELETE SET NULL
+    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment)) {
+    await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyEnvironment);
+    await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
+  }
+  if (await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment)) {
+    await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyEnvironment);
+    await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
+  }
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+    t.dropForeign(["envId"]);
+    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+  });
+
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+    t.dropForeign(["envId"]);
+    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+  });
+}

backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts

@@ -0,0 +1,111 @@
+/* eslint-disable no-await-in-loop */
+import { Knex } from "knex";
+
+import { chunkArray } from "@app/lib/fn";
+import { logger } from "@app/lib/logger";
+
+import { TableName } from "../schemas";
+import { TReminders, TRemindersInsert } from "../schemas/reminders";
+
+export async function up(knex: Knex): Promise<void> {
+  logger.info("Initializing secret reminders migration");
+  const hasReminderTable = await knex.schema.hasTable(TableName.Reminder);
+
+  if (hasReminderTable) {
+    const secretsWithLatestVersions = await knex(TableName.SecretV2)
+      .whereNotNull(`${TableName.SecretV2}.reminderRepeatDays`)
+      .whereRaw(`"${TableName.SecretV2}"."reminderRepeatDays" > 0`)
+      .innerJoin(TableName.SecretVersionV2, (qb) => {
+        void qb
+          .on(`${TableName.SecretVersionV2}.secretId`, "=", `${TableName.SecretV2}.id`)
+          .andOn(`${TableName.SecretVersionV2}.reminderRepeatDays`, "=", `${TableName.SecretV2}.reminderRepeatDays`);
+      })
+      .whereIn([`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretVersionV2}.version`], (qb) => {
+        void qb
+          .select(["v2.secretId", knex.raw("MIN(v2.version) as version")])
+          .from(`${TableName.SecretVersionV2} as v2`)
+          .innerJoin(`${TableName.SecretV2} as s2`, "v2.secretId", "s2.id")
+          .whereRaw(`v2."reminderRepeatDays" = s2."reminderRepeatDays"`)
+          .whereNotNull("v2.reminderRepeatDays")
+          .whereRaw(`v2."reminderRepeatDays" > 0`)
+          .groupBy("v2.secretId");
+      })
+      // Add LEFT JOIN with Reminder table to check for existing reminders
+      .leftJoin(TableName.Reminder, `${TableName.Reminder}.secretId`, `${TableName.SecretV2}.id`)
+      // Only include secrets that don't already have reminders
+      .whereNull(`${TableName.Reminder}.secretId`)
+      .select(
+        knex.ref("id").withSchema(TableName.SecretV2).as("secretId"),
+        knex.ref("reminderRepeatDays").withSchema(TableName.SecretV2).as("reminderRepeatDays"),
+        knex.ref("reminderNote").withSchema(TableName.SecretV2).as("reminderNote"),
+        knex.ref("createdAt").withSchema(TableName.SecretVersionV2).as("createdAt")
+      );
+
+    logger.info(`Found ${secretsWithLatestVersions.length} reminders to migrate`);
+
+    const reminderInserts: TRemindersInsert[] = [];
+    if (secretsWithLatestVersions.length > 0) {
+      secretsWithLatestVersions.forEach((secret) => {
+        if (!secret.reminderRepeatDays) return;
+
+        const now = new Date();
+        const createdAt = new Date(secret.createdAt);
+        let nextReminderDate = new Date(createdAt);
+        nextReminderDate.setDate(nextReminderDate.getDate() + secret.reminderRepeatDays);
+
+        // If the next reminder date is in the past, calculate the proper next occurrence
+        if (nextReminderDate < now) {
+          const daysSinceCreation = Math.floor((now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24));
+          const daysIntoCurrentCycle = daysSinceCreation % secret.reminderRepeatDays;
+          const daysUntilNextReminder = secret.reminderRepeatDays - daysIntoCurrentCycle;
+
+          nextReminderDate = new Date(now);
+          nextReminderDate.setDate(now.getDate() + daysUntilNextReminder);
+        }
+
+        reminderInserts.push({
+          secretId: secret.secretId,
+          message: secret.reminderNote,
+          repeatDays: secret.reminderRepeatDays,
+          nextReminderDate
+        });
+      });
+
+      const commitBatches = chunkArray(reminderInserts, 2000);
+      for (const commitBatch of commitBatches) {
+        const insertedReminders = (await knex
+          .batchInsert(TableName.Reminder, commitBatch)
+          .returning("*")) as TReminders[];
+
+        const insertedReminderSecretIds = insertedReminders.map((reminder) => reminder.secretId).filter(Boolean);
+
+        const recipients = await knex(TableName.SecretReminderRecipients)
+          .whereRaw(`??.?? IN (${insertedReminderSecretIds.map(() => "?").join(",")})`, [
+            TableName.SecretReminderRecipients,
+            "secretId",
+            ...insertedReminderSecretIds
+          ])
+          .select(
+            knex.ref("userId").withSchema(TableName.SecretReminderRecipients).as("userId"),
+            knex.ref("secretId").withSchema(TableName.SecretReminderRecipients).as("secretId")
+          );
+        const reminderRecipients = recipients.map((recipient) => ({
+          reminderId: insertedReminders.find((reminder) => reminder.secretId === recipient.secretId)?.id,
+          userId: recipient.userId
+        }));
+
+        const filteredRecipients = reminderRecipients.filter((recipient) => Boolean(recipient.reminderId));
+        await knex.batchInsert(TableName.ReminderRecipient, filteredRecipients);
+      }
+      logger.info(`Successfully migrated ${reminderInserts.length} secret reminders`);
+    }
+
+    logger.info("Secret reminders migration completed");
+  } else {
+    logger.warn("Reminder table does not exist, skipping migration");
+  }
+}
+
+export async function down(): Promise<void> {
+  logger.info("Rollback not implemented for secret reminders fix migration");
+}

backend/src/db/migrations/20250725171821_add-secret-detection-ignore-values.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues"))) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.specificType("secretDetectionIgnoreValues", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues")) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("secretDetectionIgnoreValues");
+    });
+  }
+}

backend/src/db/migrations/20250730162101_add-start-from-reminder.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Reminder, "fromDate"))) {
+    await knex.schema.alterTable(TableName.Reminder, (t) => {
+      t.timestamp("fromDate", { useTz: true }).nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Reminder, "fromDate")) {
+    await knex.schema.alterTable(TableName.Reminder, (t) => {
+      t.dropColumn("fromDate");
+    });
+  }
+}

backend/src/db/migrations/utils/env-config.ts

@@ -53,7 +53,7 @@ export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory
 
   let envCfg = Object.freeze(parsedEnv.data);
 
-  const fipsEnabled = await crypto.initialize(superAdminDAL);
+  const fipsEnabled = await crypto.initialize(superAdminDAL, envCfg);
 
   // Fix for 128-bit entropy encryption key expansion issue:
   // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.

backend/src/db/schemas/access-approval-policies-environments.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalPoliciesEnvironmentsSchema = z.object({
+  id: z.string().uuid(),
+  policyId: z.string().uuid(),
+  envId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalPoliciesEnvironments = z.infer<typeof AccessApprovalPoliciesEnvironmentsSchema>;
+export type TAccessApprovalPoliciesEnvironmentsInsert = Omit<
+  z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalPoliciesEnvironmentsUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -100,6 +100,7 @@ export enum TableName {
   AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
+  AccessApprovalPolicyEnvironment = "access_approval_policies_environments",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
@@ -107,6 +108,7 @@ export enum TableName {
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
   SecretApprovalRequestSecretTag = "secret_approval_request_secret_tags",
+  SecretApprovalPolicyEnvironment = "secret_approval_policies_environments",
   SecretRotation = "secret_rotations",
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
@@ -160,7 +162,7 @@ export enum TableName {
   SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
-  SecretReminderRecipients = "secret_reminder_recipients",
+  SecretReminderRecipients = "secret_reminder_recipients", // TODO(Carlos): Remove this in the future after migrating to the new reminder recipients table
   GithubOrgSyncConfig = "github_org_sync_configs",
   FolderCommit = "folder_commits",
   FolderCommitChanges = "folder_commit_changes",
@@ -172,7 +174,10 @@ export enum TableName {
   SecretScanningResource = "secret_scanning_resources",
   SecretScanningScan = "secret_scanning_scans",
   SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs"
+  SecretScanningConfig = "secret_scanning_configs",
+  // reminders
+  Reminder = "reminders",
+  ReminderRecipient = "reminders_recipients"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -267,6 +272,16 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  SecretScanning = ProjectType.SecretScanning,
+  // project operations that happen on all types
+  Any = "any"
+}
+
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().nullable().optional()
+  type: z.string().default("secret-manager")
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,12 +25,13 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string().nullable().optional(),
+  type: z.string(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().default("secret-manager")
+  defaultProduct: z.string().nullable().optional(),
+  secretDetectionIgnoreValues: z.string().array().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/reminders-recipients.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RemindersRecipientsSchema = z.object({
+  id: z.string().uuid(),
+  reminderId: z.string().uuid(),
+  userId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TRemindersRecipients = z.infer<typeof RemindersRecipientsSchema>;
+export type TRemindersRecipientsInsert = Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>;
+export type TRemindersRecipientsUpdate = Partial<Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/reminders.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RemindersSchema = z.object({
+  id: z.string().uuid(),
+  secretId: z.string().uuid().nullable().optional(),
+  message: z.string().nullable().optional(),
+  repeatDays: z.number().nullable().optional(),
+  nextReminderDate: z.date(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  fromDate: z.date().nullable().optional()
+});
+
+export type TReminders = z.infer<typeof RemindersSchema>;
+export type TRemindersInsert = Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>;
+export type TRemindersUpdate = Partial<Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-policies-environments.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretApprovalPoliciesEnvironmentsSchema = z.object({
+  id: z.string().uuid(),
+  policyId: z.string().uuid(),
+  envId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretApprovalPoliciesEnvironments = z.infer<typeof SecretApprovalPoliciesEnvironmentsSchema>;
+export type TSecretApprovalPoliciesEnvironmentsInsert = Omit<
+  z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>,
+  TImmutableDBKeys
+>;
+export type TSecretApprovalPoliciesEnvironmentsUpdate = Partial<
+  Omit<z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
+>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -17,52 +17,66 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z.object({
-        projectSlug: z.string().trim(),
-        name: z.string().optional(),
-        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
-        environment: z.string(),
-        approvers: z
-          .discriminatedUnion("type", [
-            z.object({
-              type: z.literal(ApproverType.Group),
-              id: z.string(),
-              sequence: z.number().int().default(1)
-            }),
-            z.object({
-              type: z.literal(ApproverType.User),
-              id: z.string().optional(),
-              username: z.string().optional(),
-              sequence: z.number().int().default(1)
+      body: z
+        .object({
+          projectSlug: z.string().trim(),
+          name: z.string().optional(),
+          secretPath: z
+            .string()
+            .trim()
+            .min(1, { message: "Secret path cannot be empty" })
+            .transform(removeTrailingSlash),
+          environment: z.string().optional(),
+          environments: z.string().array().optional(),
+          approvers: z
+            .discriminatedUnion("type", [
+              z.object({
+                type: z.literal(ApproverType.Group),
+                id: z.string(),
+                sequence: z.number().int().default(1)
+              }),
+              z.object({
+                type: z.literal(ApproverType.User),
+                id: z.string().optional(),
+                username: z.string().optional(),
+                sequence: z.number().int().default(1)
+              })
+            ])
+            .array()
+            .max(100, "Cannot have more than 100 approvers")
+            .min(1, { message: "At least one approver should be provided" })
+            .refine(
+              // @ts-expect-error this is ok
+              (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
+              "Must provide either username or id"
+            ),
+          bypassers: z
+            .discriminatedUnion("type", [
+              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+              z.object({
+                type: z.literal(BypasserType.User),
+                id: z.string().optional(),
+                username: z.string().optional()
+              })
+            ])
+            .array()
+            .max(100, "Cannot have more than 100 bypassers")
+            .optional(),
+          approvalsRequired: z
+            .object({
+              numberOfApprovals: z.number().int(),
+              stepNumber: z.number().int()
             })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 approvers")
-          .min(1, { message: "At least one approver should be provided" })
-          .refine(
-            // @ts-expect-error this is ok
-            (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
-            "Must provide either username or id"
-          ),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
-        approvalsRequired: z
-          .object({
-            numberOfApprovals: z.number().int(),
-            stepNumber: z.number().int()
-          })
-          .array()
-          .optional(),
-        approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-        allowedSelfApprovals: z.boolean().default(true)
-      }),
+            .array()
+            .optional(),
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+          allowedSelfApprovals: z.boolean().default(true)
+        })
+        .refine(
+          (val) => Boolean(val.environment) || Boolean(val.environments),
+          "Must provide either environment or environments"
+        ),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -78,7 +92,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
+        name:
+          req.body.name ?? `${req.body.environment || req.body.environments?.join("-").substring(0, 250)}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -211,6 +226,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true),
+        environments: z.array(z.string()).optional(),
         approvalsRequired: z
           .object({
             numberOfApprovals: z.number().int(),

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
+      querystring: z.object({
+        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
+      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,10 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
+        req.permission,
+        req.query.type
+      );
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -191,6 +197,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
+        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -17,34 +17,45 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z.object({
-        workspaceId: z.string(),
-        name: z.string().optional(),
-        environment: z.string(),
-        secretPath: z
-          .string()
-          .min(1, { message: "Secret path cannot be empty" })
-          .transform((val) => removeTrailingSlash(val)),
-        approvers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .min(1, { message: "At least one approver should be provided" })
-          .max(100, "Cannot have more than 100 approvers"),
-        bypassers: z
-          .discriminatedUnion("type", [
-            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
-          ])
-          .array()
-          .max(100, "Cannot have more than 100 bypassers")
-          .optional(),
-        approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-        allowedSelfApprovals: z.boolean().default(true)
-      }),
+      body: z
+        .object({
+          workspaceId: z.string(),
+          name: z.string().optional(),
+          environment: z.string().optional(),
+          environments: z.string().array().optional(),
+          secretPath: z
+            .string()
+            .min(1, { message: "Secret path cannot be empty" })
+            .transform((val) => removeTrailingSlash(val)),
+          approvers: z
+            .discriminatedUnion("type", [
+              z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+              z.object({
+                type: z.literal(ApproverType.User),
+                id: z.string().optional(),
+                username: z.string().optional()
+              })
+            ])
+            .array()
+            .min(1, { message: "At least one approver should be provided" })
+            .max(100, "Cannot have more than 100 approvers"),
+          bypassers: z
+            .discriminatedUnion("type", [
+              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+              z.object({
+                type: z.literal(BypasserType.User),
+                id: z.string().optional(),
+                username: z.string().optional()
+              })
+            ])
+            .array()
+            .max(100, "Cannot have more than 100 bypassers")
+            .optional(),
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+          allowedSelfApprovals: z.boolean().default(true)
+        })
+        .refine((data) => data.environment || data.environments, "At least one environment should be provided"),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -60,7 +71,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment || req.body.environments?.join(",")}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -103,7 +114,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .optional()
           .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
-        allowedSelfApprovals: z.boolean().default(true)
+        allowedSelfApprovals: z.boolean().default(true),
+        environments: z.array(z.string()).optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -315,10 +315,12 @@ export const registerSecretRotationEndpoints = <
       querystring: z.object({
         deleteSecrets: z
           .enum(["true", "false"])
+          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).deleteSecrets),
         revokeGeneratedCredentials: z
           .enum(["true", "false"])
+          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
       }),

backend/src/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router.ts

@@ -0,0 +1,16 @@
+import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
+import {
+  CreateGitLabDataSourceSchema,
+  GitLabDataSourceSchema,
+  UpdateGitLabDataSourceSchema
+} from "@app/ee/services/secret-scanning-v2/gitlab";
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+
+export const registerGitLabSecretScanningRouter = async (server: FastifyZodProvider) =>
+  registerSecretScanningEndpoints({
+    type: SecretScanningDataSource.GitLab,
+    server,
+    responseSchema: GitLabDataSourceSchema,
+    createSchema: CreateGitLabDataSourceSchema,
+    updateSchema: UpdateGitLabDataSourceSchema
+  });

backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts

@@ -1,3 +1,4 @@
+import { registerGitLabSecretScanningRouter } from "@app/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router";
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 
 import { registerBitbucketSecretScanningRouter } from "./bitbucket-secret-scanning-router";
@@ -10,5 +11,6 @@ export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
   (server: FastifyZodProvider) => Promise<void>
 > = {
   [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter,
-  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter
+  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter,
+  [SecretScanningDataSource.GitLab]: registerGitLabSecretScanningRouter
 };

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -4,6 +4,7 @@ import { SecretScanningConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { BitbucketDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
+import { GitLabDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/gitlab";
 import {
   SecretScanningFindingStatus,
   SecretScanningScanStatus
@@ -24,7 +25,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [
   GitHubDataSourceListItemSchema,
-  BitbucketDataSourceListItemSchema
+  BitbucketDataSourceListItemSchema,
+  GitLabDataSourceListItemSchema
 ]);
 
 export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -26,6 +26,7 @@ export interface TAccessApprovalPolicyDALFactory
     >,
     customFilter?: {
       policyId?: string;
+      envId?: string;
     },
     tx?: Knex
   ) => Promise<
@@ -55,11 +56,6 @@ export interface TAccessApprovalPolicyDALFactory
       allowedSelfApprovals: boolean;
       secretPath: string;
       deletedAt?: Date | null | undefined;
-      environment: {
-        id: string;
-        name: string;
-        slug: string;
-      };
       projectId: string;
       bypassers: (
         | {
@@ -72,6 +68,11 @@ export interface TAccessApprovalPolicyDALFactory
             type: BypasserType.Group;
           }
       )[];
+      environments: {
+        id: string;
+        name: string;
+        slug: string;
+      }[];
     }[]
   >;
   findById: (
@@ -95,11 +96,11 @@ export interface TAccessApprovalPolicyDALFactory
         allowedSelfApprovals: boolean;
         secretPath: string;
         deletedAt?: Date | null | undefined;
-        environment: {
+        environments: {
           id: string;
           name: string;
           slug: string;
-        };
+        }[];
         projectId: string;
       }
     | undefined
@@ -143,6 +144,26 @@ export interface TAccessApprovalPolicyDALFactory
       }
     | undefined
   >;
+  findPolicyByEnvIdAndSecretPath: (
+    { envIds, secretPath }: { envIds: string[]; secretPath: string },
+    tx?: Knex
+  ) => Promise<{
+    name: string;
+    id: string;
+    createdAt: Date;
+    updatedAt: Date;
+    approvals: number;
+    enforcementLevel: string;
+    allowedSelfApprovals: boolean;
+    secretPath: string;
+    deletedAt?: Date | null | undefined;
+    environments: {
+      id: string;
+      name: string;
+      slug: string;
+    }[];
+    projectId: string;
+  }>;
 }
 
 export interface TAccessApprovalPolicyServiceFactory {
@@ -367,6 +388,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
     customFilter?: {
       policyId?: string;
+      envId?: string;
     }
   ) => {
     const result = await tx(TableName.AccessApprovalPolicy)
@@ -377,7 +399,17 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
         }
       })
-      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+      .join(
+        TableName.AccessApprovalPolicyEnvironment,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
+      )
+      .join(TableName.Environment, `${TableName.AccessApprovalPolicyEnvironment}.envId`, `${TableName.Environment}.id`)
+      .where((qb) => {
+        if (customFilter?.envId) {
+          void qb.where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", customFilter.envId);
+        }
+      })
       .leftJoin(
         TableName.AccessApprovalPolicyApprover,
         `${TableName.AccessApprovalPolicy}.id`,
@@ -404,7 +436,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
       .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
+      .select(tx.ref("id").withSchema(TableName.Environment).as("environmentId"))
       .select(tx.ref("projectId").withSchema(TableName.Environment))
       .select(selectAllTableCols(TableName.AccessApprovalPolicy));
 
@@ -448,6 +480,15 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               sequence: approverSequence,
               approvalsRequired
             })
+          },
+          {
+            key: "environmentId",
+            label: "environments" as const,
+            mapper: ({ environmentId: id, envName, envSlug }) => ({
+              id,
+              name: envName,
+              slug: envSlug
+            })
           }
         ]
       });
@@ -470,11 +511,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
         data: docs,
         key: "id",
         parentMapper: (data) => ({
-          environment: {
-            id: data.envId,
-            name: data.envName,
-            slug: data.envSlug
-          },
           projectId: data.projectId,
           ...AccessApprovalPoliciesSchema.parse(data)
           // secretPath: data.secretPath || undefined,
@@ -517,6 +553,15 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               id,
               type: BypasserType.Group as const
             })
+          },
+          {
+            key: "environmentId",
+            label: "environments" as const,
+            mapper: ({ environmentId: id, envName, envSlug }) => ({
+              id,
+              name: envName,
+              slug: envSlug
+            })
           }
         ]
       });
@@ -545,14 +590,20 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           // eslint-disable-next-line @typescript-eslint/no-misused-promises
           buildFindFilter(
             {
-              envId,
               secretPath
             },
             TableName.AccessApprovalPolicy
           )
         )
+        .join(
+          TableName.AccessApprovalPolicyEnvironment,
+          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
+          `${TableName.AccessApprovalPolicy}.id`
+        )
+        .where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", envId)
         .orderBy("deletedAt", "desc")
         .orderByRaw(`"deletedAt" IS NULL`)
+        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
         .first();
 
       return result;
@@ -561,5 +612,81 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     }
   };
 
-  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
+  const findPolicyByEnvIdAndSecretPath: TAccessApprovalPolicyDALFactory["findPolicyByEnvIdAndSecretPath"] = async (
+    { envIds, secretPath },
+    tx
+  ) => {
+    try {
+      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
+        .join(
+          TableName.AccessApprovalPolicyEnvironment,
+          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
+          `${TableName.AccessApprovalPolicy}.id`
+        )
+        .join(
+          TableName.Environment,
+          `${TableName.AccessApprovalPolicyEnvironment}.envId`,
+          `${TableName.Environment}.id`
+        )
+        .where(
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          buildFindFilter(
+            {
+              $in: {
+                envId: envIds
+              }
+            },
+            TableName.AccessApprovalPolicyEnvironment
+          )
+        )
+        .where(
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          buildFindFilter(
+            {
+              secretPath
+            },
+            TableName.AccessApprovalPolicy
+          )
+        )
+        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
+        .orderBy("deletedAt", "desc")
+        .orderByRaw(`"deletedAt" IS NULL`)
+        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
+        .select(db.ref("name").withSchema(TableName.Environment).as("envName"))
+        .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
+        .select(db.ref("id").withSchema(TableName.Environment).as("environmentId"))
+        .select(db.ref("projectId").withSchema(TableName.Environment));
+      const formattedDocs = sqlNestRelationships({
+        data: docs,
+        key: "id",
+        parentMapper: (data) => ({
+          projectId: data.projectId,
+          ...AccessApprovalPoliciesSchema.parse(data)
+        }),
+        childrenMapper: [
+          {
+            key: "environmentId",
+            label: "environments" as const,
+            mapper: ({ environmentId: id, envName, envSlug }) => ({
+              id,
+              name: envName,
+              slug: envSlug
+            })
+          }
+        ]
+      });
+      return formattedDocs?.[0];
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findPolicyByEnvIdAndSecretPath" });
+    }
+  };
+
+  return {
+    ...accessApprovalPolicyOrm,
+    find,
+    findById,
+    softDeleteById,
+    findLastValidPolicy,
+    findPolicyByEnvIdAndSecretPath
+  };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-environment-dal.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TAccessApprovalPolicyEnvironmentDALFactory = ReturnType<typeof accessApprovalPolicyEnvironmentDALFactory>;
+
+export const accessApprovalPolicyEnvironmentDALFactory = (db: TDbClient) => {
+  const accessApprovalPolicyEnvironmentOrm = ormify(db, TableName.AccessApprovalPolicyEnvironment);
+
+  const findAvailablePoliciesByEnvId = async (envId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicyEnvironment)
+        .join(
+          TableName.AccessApprovalPolicy,
+          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
+          `${TableName.AccessApprovalPolicy}.id`
+        )
+        // eslint-disable-next-line @typescript-eslint/no-misused-promises
+        .where(buildFindFilter({ envId }, TableName.AccessApprovalPolicyEnvironment))
+        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
+        .select(selectAllTableCols(TableName.AccessApprovalPolicyEnvironment));
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findAvailablePoliciesByEnvId" });
+    }
+  };
+
+  return { ...accessApprovalPolicyEnvironmentOrm, findAvailablePoliciesByEnvId };
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -20,6 +21,7 @@ import {
   TAccessApprovalPolicyBypasserDALFactory
 } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
+import { TAccessApprovalPolicyEnvironmentDALFactory } from "./access-approval-policy-environment-dal";
 import {
   ApproverType,
   BypasserType,
@@ -44,12 +46,14 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update" | "delete">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
+  accessApprovalPolicyEnvironmentDAL: TAccessApprovalPolicyEnvironmentDALFactory;
 };
 
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
   accessApprovalPolicyBypasserDAL,
+  accessApprovalPolicyEnvironmentDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -62,21 +66,22 @@ export const accessApprovalPolicyServiceFactory = ({
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
   const $policyExists = async ({
     envId,
+    envIds,
     secretPath,
     policyId
   }: {
-    envId: string;
+    envId?: string;
+    envIds?: string[];
     secretPath: string;
     policyId?: string;
   }) => {
-    const policy = await accessApprovalPolicyDAL
-      .findOne({
-        envId,
-        secretPath,
-        deletedAt: null
-      })
-      .catch(() => null);
-
+    if (!envId && !envIds) {
+      throw new BadRequestError({ message: "Must provide either envId or envIds" });
+    }
+    const policy = await accessApprovalPolicyDAL.findPolicyByEnvIdAndSecretPath({
+      secretPath,
+      envIds: envId ? [envId] : (envIds as string[])
+    });
     return policyId ? policy && policy.id !== policyId : Boolean(policy);
   };
 
@@ -92,6 +97,7 @@ export const accessApprovalPolicyServiceFactory = ({
     bypassers,
     projectSlug,
     environment,
+    environments,
     enforcementLevel,
     allowedSelfApprovals,
     approvalsRequired
@@ -116,20 +122,31 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
-    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
+    const mergedEnvs = (environment ? [environment] : environments) || [];
+    if (mergedEnvs.length === 0) {
+      throw new BadRequestError({ message: "Must provide either environment or environments" });
+    }
+    const envs = await projectEnvDAL.find({ $in: { slug: mergedEnvs }, projectId: project.id });
+    if (!envs.length || envs.length !== mergedEnvs.length) {
+      const notFoundEnvs = mergedEnvs.filter((env) => !envs.find((el) => el.slug === env));
+      throw new NotFoundError({ message: `One or more environments not found: ${notFoundEnvs.join(", ")}` });
+    }
 
-    if (await $policyExists({ envId: env.id, secretPath })) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
-      });
+    for (const env of envs) {
+      // eslint-disable-next-line no-await-in-loop
+      if (await $policyExists({ envId: env.id, secretPath })) {
+        throw new BadRequestError({
+          message: `A policy for secret path '${secretPath}' already exists in environment '${env.slug}'`
+        });
+      }
     }
 
     let approverUserIds = userApprovers;
@@ -197,7 +214,7 @@ export const accessApprovalPolicyServiceFactory = ({
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
-          envId: env.id,
+          envId: envs[0].id,
           approvals,
           secretPath,
           name,
@@ -206,6 +223,10 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
+      await accessApprovalPolicyEnvironmentDAL.insertMany(
+        envs.map((el) => ({ policyId: doc.id, envId: el.id })),
+        tx
+      );
 
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
@@ -258,7 +279,7 @@ export const accessApprovalPolicyServiceFactory = ({
       return doc;
     });
 
-    return { ...accessApproval, environment: env, projectId: project.id };
+    return { ...accessApproval, environments: envs, projectId: project.id, environment: envs[0] };
   };
 
   const getAccessApprovalPolicyByProjectSlug: TAccessApprovalPolicyServiceFactory["getAccessApprovalPolicyByProjectSlug"] =
@@ -272,11 +293,15 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
-      return accessApprovalPolicies;
+      return accessApprovalPolicies.map((policy) => ({
+        ...policy,
+        environment: policy.environments[0]
+      }));
     };
 
   const updateAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["updateAccessApprovalPolicy"] = async ({
@@ -292,7 +317,8 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    environments
   }: TUpdateAccessApprovalPolicy) => {
     const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);
 
@@ -320,16 +346,27 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
+    let envs = accessApprovalPolicy.environments;
     if (
-      await $policyExists({
-        envId: accessApprovalPolicy.envId,
-        secretPath: secretPath || accessApprovalPolicy.secretPath,
-        policyId: accessApprovalPolicy.id
-      })
+      environments &&
+      (environments.length !== envs.length || environments.some((env) => !envs.find((el) => el.slug === env)))
     ) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
-      });
+      envs = await projectEnvDAL.find({ $in: { slug: environments }, projectId: accessApprovalPolicy.projectId });
+    }
+
+    for (const env of envs) {
+      if (
+        // eslint-disable-next-line no-await-in-loop
+        await $policyExists({
+          envId: env.id,
+          secretPath: secretPath || accessApprovalPolicy.secretPath,
+          policyId: accessApprovalPolicy.id
+        })
+      ) {
+        throw new BadRequestError({
+          message: `A policy for secret path '${secretPath || accessApprovalPolicy.secretPath}' already exists in environment '${env.slug}'`
+        });
+      }
     }
 
     const { permission } = await permissionService.getProjectPermission({
@@ -337,7 +374,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -484,6 +522,14 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
+      if (environments) {
+        await accessApprovalPolicyEnvironmentDAL.delete({ policyId: doc.id }, tx);
+        await accessApprovalPolicyEnvironmentDAL.insertMany(
+          envs.map((env) => ({ policyId: doc.id, envId: env.id })),
+          tx
+        );
+      }
+
       await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
 
       if (bypasserUserIds.length) {
@@ -513,7 +559,8 @@ export const accessApprovalPolicyServiceFactory = ({
 
     return {
       ...updatedPolicy,
-      environment: accessApprovalPolicy.environment,
+      environments: accessApprovalPolicy.environments,
+      environment: accessApprovalPolicy.environments[0],
       projectId: accessApprovalPolicy.projectId
     };
   };
@@ -533,7 +580,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -563,7 +611,10 @@ export const accessApprovalPolicyServiceFactory = ({
       }
     });
 
-    return policy;
+    return {
+      ...policy,
+      environment: policy.environments[0]
+    };
   };
 
   const getAccessPolicyCountByEnvSlug: TAccessApprovalPolicyServiceFactory["getAccessPolicyCountByEnvSlug"] = async ({
@@ -583,7 +634,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -592,11 +644,13 @@ export const accessApprovalPolicyServiceFactory = ({
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policies = await accessApprovalPolicyDAL.find({
-      envId: environment.id,
-      projectId: project.id,
-      deletedAt: null
-    });
+    const policies = await accessApprovalPolicyDAL.find(
+      {
+        projectId: project.id,
+        deletedAt: null
+      },
+      { envId: environment.id }
+    );
     if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });
 
     return { count: policies.length };
@@ -622,12 +676,16 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
-    return policy;
+    return {
+      ...policy,
+      environment: policy.environments[0]
+    };
   };
 
   return {

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -26,7 +26,8 @@ export enum BypasserType {
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
-  environment: string;
+  environment?: string;
+  environments?: string[];
   approvers: (
     | { type: ApproverType.Group; id: string; sequence?: number }
     | { type: ApproverType.User; id?: string; username?: string; sequence?: number }
@@ -58,6 +59,7 @@ export type TUpdateAccessApprovalPolicy = {
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
+  environments?: string[];
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {
@@ -113,6 +115,15 @@ export interface TAccessApprovalPolicyServiceFactory {
       slug: string;
       position: number;
     };
+    environments: {
+      name: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      projectId: string;
+      slug: string;
+      position: number;
+    }[];
     projectId: string;
     name: string;
     id: string;
@@ -153,6 +164,11 @@ export interface TAccessApprovalPolicyServiceFactory {
       name: string;
       slug: string;
     };
+    environments: {
+      id: string;
+      name: string;
+      slug: string;
+    }[];
     projectId: string;
   }>;
   updateAccessApprovalPolicy: ({
@@ -168,13 +184,19 @@ export interface TAccessApprovalPolicyServiceFactory {
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    environments
   }: TUpdateAccessApprovalPolicy) => Promise<{
     environment: {
       id: string;
       name: string;
       slug: string;
     };
+    environments: {
+      id: string;
+      name: string;
+      slug: string;
+    }[];
     projectId: string;
     name: string;
     id: string;
@@ -225,6 +247,11 @@ export interface TAccessApprovalPolicyServiceFactory {
         name: string;
         slug: string;
       };
+      environments: {
+        id: string;
+        name: string;
+        slug: string;
+      }[];
       projectId: string;
       bypassers: (
         | {
@@ -276,6 +303,11 @@ export interface TAccessApprovalPolicyServiceFactory {
       name: string;
       slug: string;
     };
+    environments: {
+      id: string;
+      name: string;
+      slug: string;
+    }[];
     projectId: string;
     bypassers: (
       | {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -65,7 +65,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
           deletedAt: Date | null | undefined;
         };
         projectId: string;
-        environment: string;
+        environments: string[];
         requestedByUser: {
           userId: string;
           email: string | null | undefined;
@@ -515,7 +515,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         `accessApprovalReviewerUser.id`
       )
 
-      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+      .leftJoin(
+        TableName.AccessApprovalPolicyEnvironment,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
+      )
+
+      .leftJoin(
+        TableName.Environment,
+        `${TableName.AccessApprovalPolicyEnvironment}.envId`,
+        `${TableName.Environment}.id`
+      )
       .select(selectAllTableCols(TableName.AccessApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
@@ -683,6 +693,11 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
               lastName,
               username
             })
+          },
+          {
+            key: "environment",
+            label: "environments" as const,
+            mapper: ({ environment }) => environment
           }
         ]
       });

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -86,6 +86,25 @@ export const accessApprovalRequestServiceFactory = ({
   projectMicrosoftTeamsConfigDAL,
   projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep): TAccessApprovalRequestServiceFactory => {
+  const $getEnvironmentFromPermissions = (permissions: unknown): string | null => {
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      return null;
+    }
+
+    const firstPermission = permissions[0] as unknown[];
+    if (!Array.isArray(firstPermission) || firstPermission.length < 3) {
+      return null;
+    }
+
+    const metadata = firstPermission[2] as Record<string, unknown>;
+    if (typeof metadata === "object" && metadata !== null && "environment" in metadata) {
+      const env = metadata.environment;
+      return typeof env === "string" ? env : null;
+    }
+
+    return null;
+  };
+
   const createAccessApprovalRequest: TAccessApprovalRequestServiceFactory["createAccessApprovalRequest"] = async ({
     isTemporary,
     temporaryRange,
@@ -107,7 +126,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -216,7 +236,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -289,7 +309,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -306,6 +327,15 @@ export const accessApprovalRequestServiceFactory = ({
       requests = requests.filter((request) => request.environment === envSlug);
     }
 
+    requests = requests.map((request) => {
+      const permissionEnvironment = $getEnvironmentFromPermissions(request.permissions);
+
+      if (permissionEnvironment) {
+        request.environmentName = permissionEnvironment;
+      }
+      return request;
+    });
+
     return { requests };
   };
 
@@ -323,19 +353,34 @@ export const accessApprovalRequestServiceFactory = ({
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy, environment } = accessApprovalRequest;
+    const { policy, environments, permissions } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
 
+    const permissionEnvironment = $getEnvironmentFromPermissions(permissions);
+    if (
+      !permissionEnvironment ||
+      (!environments.includes(permissionEnvironment) && status === ApprovalStatus.APPROVED)
+    ) {
+      throw new BadRequestError({
+        message: `The original policy ${policy.name} is not attached to environment '${permissionEnvironment}'.`
+      });
+    }
+    const environment = await projectEnvDAL.findOne({
+      projectId: accessApprovalRequest.projectId,
+      slug: permissionEnvironment
+    });
+
     const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (!membership) {
@@ -550,8 +595,8 @@ export const accessApprovalRequestServiceFactory = ({
                   requesterEmail: actingUser.email,
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
-                  environment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
+                  environment: environment?.name || permissionEnvironment,
+                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -582,7 +627,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -37,7 +38,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (targetActorType === ActorType.USER) {
@@ -58,7 +60,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     const appCfg = getConfig();

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -1,8 +1,10 @@
 // weird commonjs-related error in the CI requires us to do the import like this
 import knex from "knex";
+import { v4 as uuidv4 } from "uuid";
 
 import { TDbClient } from "@app/db";
 import { TableName, TAuditLogs } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, TOrmify } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
@@ -150,43 +152,70 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
   // delete all audit log that have expired
   const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async (tx) => {
-    const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
-    const MAX_RETRY_ON_FAILURE = 3;
+    const runPrune = async (dbClient: knex.Knex) => {
+      const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
+      const MAX_RETRY_ON_FAILURE = 3;
 
-    const today = new Date();
-    let deletedAuditLogIds: { id: string }[] = [];
-    let numberOfRetryOnFailure = 0;
-    let isRetrying = false;
+      const today = new Date();
+      let deletedAuditLogIds: { id: string }[] = [];
+      let numberOfRetryOnFailure = 0;
+      let isRetrying = false;
 
-    logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
-    do {
-      try {
-        const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
-          .where("expiresAt", "<", today)
-          .where("createdAt", "<", today) // to use audit log partition
-          .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
-          .select("id")
-          .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
+      logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
+      do {
+        try {
+          const findExpiredLogSubQuery = dbClient(TableName.AuditLog)
+            .where("expiresAt", "<", today)
+            .where("createdAt", "<", today) // to use audit log partition
+            .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
+            .select("id")
+            .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
 
-        // eslint-disable-next-line no-await-in-loop
-        deletedAuditLogIds = await (tx || db)(TableName.AuditLog)
-          .whereIn("id", findExpiredLogSubQuery)
-          .del()
-          .returning("id");
-        numberOfRetryOnFailure = 0; // reset
-      } catch (error) {
-        numberOfRetryOnFailure += 1;
-        logger.error(error, "Failed to delete audit log on pruning");
-      } finally {
-        // eslint-disable-next-line no-await-in-loop
-        await new Promise((resolve) => {
-          setTimeout(resolve, 10); // time to breathe for db
-        });
-      }
-      isRetrying = numberOfRetryOnFailure > 0;
-    } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
-    logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
+          // eslint-disable-next-line no-await-in-loop
+          deletedAuditLogIds = await dbClient(TableName.AuditLog)
+            .whereIn("id", findExpiredLogSubQuery)
+            .del()
+            .returning("id");
+          numberOfRetryOnFailure = 0; // reset
+        } catch (error) {
+          numberOfRetryOnFailure += 1;
+          logger.error(error, "Failed to delete audit log on pruning");
+        } finally {
+          // eslint-disable-next-line no-await-in-loop
+          await new Promise((resolve) => {
+            setTimeout(resolve, 10); // time to breathe for db
+          });
+        }
+        isRetrying = numberOfRetryOnFailure > 0;
+      } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
+      logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
+    };
+
+    if (tx) {
+      await runPrune(tx);
+    } else {
+      const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
+      await db.transaction(async (trx) => {
+        await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);
+        await runPrune(trx);
+      });
+    }
   };
 
-  return { ...auditLogOrm, pruneAuditLog, find };
+  const create: TAuditLogDALFactory["create"] = async (tx) => {
+    const config = getConfig();
+
+    if (config.DISABLE_AUDIT_LOG_STORAGE) {
+      return {
+        ...tx,
+        id: uuidv4(),
+        createdAt: new Date(),
+        updatedAt: new Date()
+      };
+    }
+
+    return auditLogOrm.create(tx);
+  };
+
+  return { ...auditLogOrm, create, pruneAuditLog, find };
 };

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,7 +1,8 @@
 import { AxiosError, RawAxiosRequestHeaders } from "axios";
 
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { TEventBusService } from "@app/ee/services/event/event-bus-service";
+import { TopicName, toPublishableEvent } from "@app/ee/services/event/types";
 import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
@@ -21,6 +22,7 @@ type TAuditLogQueueServiceFactoryDep = {
   queueService: TQueueServiceFactory;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  eventBusService: TEventBusService;
 };
 
 export type TAuditLogQueueServiceFactory = {
@@ -36,133 +38,17 @@ export const auditLogQueueServiceFactory = async ({
   queueService,
   projectDAL,
   licenseService,
-  auditLogStreamDAL
+  auditLogStreamDAL,
+  eventBusService
 }: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
-  const appCfg = getConfig();
-
   const pushToLog = async (data: TCreateAuditLogDTO) => {
-    if (appCfg.USE_PG_QUEUE && appCfg.SHOULD_INIT_PG_QUEUE) {
-      await queueService.queuePg<QueueName.AuditLog>(QueueJobs.AuditLog, data, {
-        retryLimit: 10,
-        retryBackoff: true
-      });
-    } else {
-      await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
-      });
-    }
-  };
-
-  if (appCfg.SHOULD_INIT_PG_QUEUE) {
-    await queueService.startPg<QueueName.AuditLog>(
-      QueueJobs.AuditLog,
-      async ([job]) => {
-        const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
-        let { orgId } = job.data;
-        const MS_IN_DAY = 24 * 60 * 60 * 1000;
-        let project;
-
-        if (!orgId) {
-          // it will never be undefined for both org and project id
-          // TODO(akhilmhdh): use caching here in dal to avoid db calls
-          project = await projectDAL.findById(projectId as string);
-          orgId = project.orgId;
-        }
-
-        const plan = await licenseService.getPlan(orgId);
-        if (plan.auditLogsRetentionDays === 0) {
-          // skip inserting if audit log retention is 0 meaning its not supported
-          return;
-        }
-
-        // For project actions, set TTL to project-level audit log retention config
-        // This condition ensures that the plan's audit log retention days cannot be bypassed
-        const ttlInDays =
-          project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
-            ? project.auditLogsRetentionDays
-            : plan.auditLogsRetentionDays;
-
-        const ttl = ttlInDays * MS_IN_DAY;
-
-        const auditLog = await auditLogDAL.create({
-          actor: actor.type,
-          actorMetadata: actor.metadata,
-          userAgent,
-          projectId,
-          projectName: project?.name,
-          ipAddress,
-          orgId,
-          eventType: event.type,
-          expiresAt: new Date(Date.now() + ttl),
-          eventMetadata: event.metadata,
-          userAgentType
-        });
-
-        const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
-        await Promise.allSettled(
-          logStreams.map(
-            async ({
-              url,
-              encryptedHeadersTag,
-              encryptedHeadersIV,
-              encryptedHeadersKeyEncoding,
-              encryptedHeadersCiphertext
-            }) => {
-              const streamHeaders =
-                encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
-                  ? (JSON.parse(
-                      crypto
-                        .encryption()
-                        .symmetric()
-                        .decryptWithRootEncryptionKey({
-                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                          iv: encryptedHeadersIV,
-                          tag: encryptedHeadersTag,
-                          ciphertext: encryptedHeadersCiphertext
-                        })
-                    ) as LogStreamHeaders[])
-                  : [];
-
-              const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-
-              if (streamHeaders.length)
-                streamHeaders.forEach(({ key, value }) => {
-                  headers[key] = value;
-                });
-
-              try {
-                const response = await request.post(
-                  url,
-                  { ...providerSpecificPayload(url), ...auditLog },
-                  {
-                    headers,
-                    // request timeout
-                    timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                    // connection timeout
-                    signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-                  }
-                );
-                return response;
-              } catch (error) {
-                logger.error(
-                  `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
-                );
-                return error;
-              }
-            }
-          )
-        );
+    await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
+      removeOnFail: {
+        count: 3
       },
-      {
-        batchSize: 1,
-        workerCount: 30,
-        pollingIntervalSeconds: 0.5
-      }
-    );
-  }
+      removeOnComplete: true
+    });
+  };
 
   queueService.start(QueueName.AuditLog, async (job) => {
     const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
@@ -178,88 +64,97 @@ export const auditLogQueueServiceFactory = async ({
     }
 
     const plan = await licenseService.getPlan(orgId);
-    if (plan.auditLogsRetentionDays === 0) {
-      // skip inserting if audit log retention is 0 meaning its not supported
-      return;
+
+    // skip inserting if audit log retention is 0 meaning its not supported
+    if (plan.auditLogsRetentionDays !== 0) {
+      // For project actions, set TTL to project-level audit log retention config
+      // This condition ensures that the plan's audit log retention days cannot be bypassed
+      const ttlInDays =
+        project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+          ? project.auditLogsRetentionDays
+          : plan.auditLogsRetentionDays;
+
+      const ttl = ttlInDays * MS_IN_DAY;
+
+      const auditLog = await auditLogDAL.create({
+        actor: actor.type,
+        actorMetadata: actor.metadata,
+        userAgent,
+        projectId,
+        projectName: project?.name,
+        ipAddress,
+        orgId,
+        eventType: event.type,
+        expiresAt: new Date(Date.now() + ttl),
+        eventMetadata: event.metadata,
+        userAgentType
+      });
+
+      const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
+      await Promise.allSettled(
+        logStreams.map(
+          async ({
+            url,
+            encryptedHeadersTag,
+            encryptedHeadersIV,
+            encryptedHeadersKeyEncoding,
+            encryptedHeadersCiphertext
+          }) => {
+            const streamHeaders =
+              encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
+                ? (JSON.parse(
+                    crypto
+                      .encryption()
+                      .symmetric()
+                      .decryptWithRootEncryptionKey({
+                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                        iv: encryptedHeadersIV,
+                        tag: encryptedHeadersTag,
+                        ciphertext: encryptedHeadersCiphertext
+                      })
+                  ) as LogStreamHeaders[])
+                : [];
+
+            const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
+
+            if (streamHeaders.length)
+              streamHeaders.forEach(({ key, value }) => {
+                headers[key] = value;
+              });
+
+            try {
+              const response = await request.post(
+                url,
+                { ...providerSpecificPayload(url), ...auditLog },
+                {
+                  headers,
+                  // request timeout
+                  timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                  // connection timeout
+                  signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+                }
+              );
+              return response;
+            } catch (error) {
+              logger.error(
+                `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+              );
+              return error;
+            }
+          }
+        )
+      );
     }
 
-    // For project actions, set TTL to project-level audit log retention config
-    // This condition ensures that the plan's audit log retention days cannot be bypassed
-    const ttlInDays =
-      project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
-        ? project.auditLogsRetentionDays
-        : plan.auditLogsRetentionDays;
+    const publishable = toPublishableEvent(event);
 
-    const ttl = ttlInDays * MS_IN_DAY;
-
-    const auditLog = await auditLogDAL.create({
-      actor: actor.type,
-      actorMetadata: actor.metadata,
-      userAgent,
-      projectId,
-      projectName: project?.name,
-      ipAddress,
-      orgId,
-      eventType: event.type,
-      expiresAt: new Date(Date.now() + ttl),
-      eventMetadata: event.metadata,
-      userAgentType
-    });
-
-    const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
-    await Promise.allSettled(
-      logStreams.map(
-        async ({
-          url,
-          encryptedHeadersTag,
-          encryptedHeadersIV,
-          encryptedHeadersKeyEncoding,
-          encryptedHeadersCiphertext
-        }) => {
-          const streamHeaders =
-            encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
-              ? (JSON.parse(
-                  crypto
-                    .encryption()
-                    .symmetric()
-                    .decryptWithRootEncryptionKey({
-                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                      iv: encryptedHeadersIV,
-                      tag: encryptedHeadersTag,
-                      ciphertext: encryptedHeadersCiphertext
-                    })
-                ) as LogStreamHeaders[])
-              : [];
-
-          const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-
-          if (streamHeaders.length)
-            streamHeaders.forEach(({ key, value }) => {
-              headers[key] = value;
-            });
-
-          try {
-            const response = await request.post(
-              url,
-              { ...providerSpecificPayload(url), ...auditLog },
-              {
-                headers,
-                // request timeout
-                timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                // connection timeout
-                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-              }
-            );
-            return response;
-          } catch (error) {
-            logger.error(
-              `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
-            );
-            return error;
-          }
-        }
-      )
-    );
+    if (publishable) {
+      await eventBusService.publish(TopicName.CoreServers, {
+        type: ProjectType.SecretManager,
+        source: "infiscal",
+        data: publishable.data
+      });
+    }
   });
 
   return {

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -37,7 +38,8 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -468,7 +468,11 @@ export enum EventType {
 
   CREATE_PROJECT = "create-project",
   UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project"
+  DELETE_PROJECT = "delete-project",
+
+  CREATE_SECRET_REMINDER = "create-secret-reminder",
+  GET_SECRET_REMINDER = "get-secret-reminder",
+  DELETE_SECRET_REMINDER = "delete-secret-reminder"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -3326,6 +3330,31 @@ interface SecretScanningConfigUpdateEvent {
   };
 }
 
+interface SecretReminderCreateEvent {
+  type: EventType.CREATE_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+    message?: string | null;
+    repeatDays?: number | null;
+    nextReminderDate?: string | null;
+    recipients?: string[] | null;
+  };
+}
+
+interface SecretReminderGetEvent {
+  type: EventType.GET_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+  };
+}
+
+interface SecretReminderDeleteEvent {
+  type: EventType.DELETE_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+  };
+}
+
 interface SecretScanningConfigReadEvent {
   type: EventType.SECRET_SCANNING_CONFIG_GET;
   metadata?: Record<string, never>; // not needed, based off projectId
@@ -3689,4 +3718,7 @@ export type Event =
   | OrgUpdateEvent
   | ProjectCreateEvent
   | ProjectUpdateEvent
-  | ProjectDeleteEvent;
+  | ProjectDeleteEvent
+  | SecretReminderCreateEvent
+  | SecretReminderGetEvent
+  | SecretReminderDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -77,7 +78,8 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -84,7 +85,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -200,7 +202,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -297,7 +300,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -385,7 +389,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -432,7 +437,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -78,7 +79,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -207,7 +209,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -358,7 +361,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -423,7 +427,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -487,7 +492,8 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       // verify user has access to each env in request
@@ -530,7 +536,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -578,7 +585,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -615,7 +623,8 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -659,7 +668,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/event/event-bus-service.ts

@@ -0,0 +1,83 @@
+import Redis from "ioredis";
+import { z } from "zod";
+
+import { logger } from "@app/lib/logger";
+
+import { EventSchema, TopicName } from "./types";
+
+export const eventBusFactory = (redis: Redis) => {
+  const publisher = redis.duplicate();
+  // Duplicate the publisher to create a subscriber.
+  // This is necessary because Redis does not allow a single connection to both publish and subscribe.
+  const subscriber = publisher.duplicate();
+
+  const init = async (topics: TopicName[] = Object.values(TopicName)) => {
+    subscriber.on("error", (e) => {
+      logger.error(e, "Event Bus subscriber error");
+    });
+
+    publisher.on("error", (e) => {
+      logger.error(e, "Event Bus publisher error");
+    });
+
+    await subscriber.subscribe(...topics);
+  };
+
+  /**
+   * Publishes an event to the specified topic.
+   * @param topic - The topic to publish the event to.
+   * @param event - The event data to publish.
+   */
+  const publish = async <T extends z.input<typeof EventSchema>>(topic: TopicName, event: T) => {
+    const json = JSON.stringify(event);
+
+    return publisher.publish(topic, json, (err) => {
+      if (err) {
+        return logger.error(err, `Error publishing to channel ${topic}`);
+      }
+    });
+  };
+
+  /**
+   * @param fn - The function to call when a message is received.
+   * It should accept the parsed event data as an argument.
+   * @template T - The type of the event data, which should match the schema defined in EventSchema.
+   * @returns A function that can be called to unsubscribe from the event bus.
+   */
+  const subscribe = <T extends z.infer<typeof EventSchema>>(fn: (data: T) => Promise<void> | void) => {
+    // Not using async await cause redis client's `on` method does not expect async listeners.
+    const listener = (channel: string, message: string) => {
+      try {
+        const parsed = JSON.parse(message) as T;
+        const thenable = fn(parsed);
+
+        // If the function returns a Promise, catch any errors that occur during processing.
+        if (thenable instanceof Promise) {
+          thenable.catch((error) => {
+            logger.error(error, `Error processing message from channel ${channel}`);
+          });
+        }
+      } catch (error) {
+        logger.error(error, `Error parsing message data from channel ${channel}`);
+      }
+    };
+    subscriber.on("message", listener);
+
+    return () => {
+      subscriber.off("message", listener);
+    };
+  };
+
+  const close = async () => {
+    try {
+      await publisher.quit();
+      await subscriber.quit();
+    } catch (error) {
+      logger.error(error, "Error closing event bus connections");
+    }
+  };
+
+  return { init, publish, subscribe, close };
+};
+
+export type TEventBusService = ReturnType<typeof eventBusFactory>;

backend/src/ee/services/event/event-sse-service.ts

@@ -0,0 +1,164 @@
+/* eslint-disable no-continue */
+import { subject } from "@casl/ability";
+import Redis from "ioredis";
+
+import { KeyStorePrefixes } from "@app/keystore/keystore";
+import { logger } from "@app/lib/logger";
+
+import { TEventBusService } from "./event-bus-service";
+import { createEventStreamClient, EventStreamClient, IEventStreamClientOpts } from "./event-sse-stream";
+import { EventData, RegisteredEvent, toBusEventName } from "./types";
+
+const AUTH_REFRESH_INTERVAL = 60 * 1000;
+const HEART_BEAT_INTERVAL = 15 * 1000;
+
+export const sseServiceFactory = (bus: TEventBusService, redis: Redis) => {
+  let heartbeatInterval: NodeJS.Timeout | null = null;
+
+  const clients = new Set<EventStreamClient>();
+
+  heartbeatInterval = setInterval(() => {
+    for (const client of clients) {
+      if (client.stream.closed) continue;
+      void client.ping();
+    }
+  }, HEART_BEAT_INTERVAL);
+
+  const refreshInterval = setInterval(() => {
+    for (const client of clients) {
+      if (client.stream.closed) continue;
+      void client.refresh();
+    }
+  }, AUTH_REFRESH_INTERVAL);
+
+  const removeActiveConnection = async (projectId: string, identityId: string, connectionId: string) => {
+    const set = KeyStorePrefixes.ActiveSSEConnectionsSet(projectId, identityId);
+    const key = KeyStorePrefixes.ActiveSSEConnections(projectId, identityId, connectionId);
+
+    await Promise.all([redis.lrem(set, 0, connectionId), redis.del(key)]);
+  };
+
+  const getActiveConnectionsCount = async (projectId: string, identityId: string) => {
+    const set = KeyStorePrefixes.ActiveSSEConnectionsSet(projectId, identityId);
+    const connections = await redis.lrange(set, 0, -1);
+
+    if (connections.length === 0) {
+      return 0; // No active connections
+    }
+
+    const keys = connections.map((c) => KeyStorePrefixes.ActiveSSEConnections(projectId, identityId, c));
+
+    const values = await redis.mget(...keys);
+
+    // eslint-disable-next-line no-plusplus
+    for (let i = 0; i < values.length; i++) {
+      if (values[i] === null) {
+        // eslint-disable-next-line no-await-in-loop
+        await removeActiveConnection(projectId, identityId, connections[i]);
+      }
+    }
+
+    return redis.llen(set);
+  };
+
+  const onDisconnect = async (client: EventStreamClient) => {
+    try {
+      client.close();
+      clients.delete(client);
+      await removeActiveConnection(client.auth.projectId, client.auth.actorId, client.id);
+    } catch (error) {
+      logger.error(error, "Error during SSE stream disconnection");
+    }
+  };
+
+  function filterEventsForClient(client: EventStreamClient, event: EventData, registered: RegisteredEvent[]) {
+    const eventType = toBusEventName(event.data.eventType);
+    const match = registered.find((r) => r.event === eventType);
+    if (!match) return;
+
+    const item = event.data.payload;
+
+    if (Array.isArray(item)) {
+      if (item.length === 0) return;
+
+      const baseSubject = {
+        eventType,
+        environment: undefined as string | undefined,
+        secretPath: undefined as string | undefined
+      };
+
+      const filtered = item.filter((ev) => {
+        baseSubject.secretPath = ev.secretPath ?? "/";
+        baseSubject.environment = ev.environment;
+
+        return client.matcher.can("subscribe", subject(event.type, baseSubject));
+      });
+
+      if (filtered.length === 0) return;
+
+      return client.send({
+        ...event,
+        data: {
+          ...event.data,
+          payload: filtered
+        }
+      });
+    }
+
+    // For single item
+    const baseSubject = {
+      eventType,
+      secretPath: item.secretPath ?? "/",
+      environment: item.environment
+    };
+
+    if (client.matcher.can("subscribe", subject(event.type, baseSubject))) {
+      client.send(event);
+    }
+  }
+
+  const subscribe = async (
+    opts: IEventStreamClientOpts & {
+      onClose?: () => void;
+    }
+  ) => {
+    const client = createEventStreamClient(redis, opts);
+
+    // Set up event listener on event bus
+    const unsubscribe = bus.subscribe((event) => {
+      if (event.type !== opts.type) return;
+      filterEventsForClient(client, event, opts.registered);
+    });
+
+    client.stream.on("close", () => {
+      unsubscribe();
+      void onDisconnect(client); // This will never throw
+    });
+
+    await client.open();
+
+    clients.add(client);
+
+    return client;
+  };
+
+  const close = () => {
+    if (heartbeatInterval) {
+      clearInterval(heartbeatInterval);
+    }
+
+    if (refreshInterval) {
+      clearInterval(refreshInterval);
+    }
+
+    for (const client of clients) {
+      client.close();
+    }
+
+    clients.clear();
+  };
+
+  return { subscribe, close, getActiveConnectionsCount };
+};
+
+export type TServerSentEventsService = ReturnType<typeof sseServiceFactory>;

backend/src/ee/services/event/event-sse-stream.ts

@@ -0,0 +1,178 @@
+/* eslint-disable no-underscore-dangle */
+import { Readable } from "node:stream";
+
+import { MongoAbility, PureAbility } from "@casl/ability";
+import { MongoQuery } from "@ucast/mongo2js";
+import Redis from "ioredis";
+import { nanoid } from "nanoid";
+
+import { ProjectType } from "@app/db/schemas";
+import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
+import { KeyStorePrefixes } from "@app/keystore/keystore";
+import { conditionsMatcher } from "@app/lib/casl";
+import { logger } from "@app/lib/logger";
+
+import { EventData, RegisteredEvent } from "./types";
+
+export const getServerSentEventsHeaders = () =>
+  ({
+    "Cache-Control": "no-cache",
+    "Content-Type": "text/event-stream",
+    Connection: "keep-alive",
+    "X-Accel-Buffering": "no"
+  }) as const;
+
+type TAuthInfo = {
+  actorId: string;
+  projectId: string;
+  permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
+};
+
+export interface IEventStreamClientOpts {
+  type: ProjectType;
+  registered: RegisteredEvent[];
+  onAuthRefresh: (info: TAuthInfo) => Promise<void> | void;
+  getAuthInfo: () => Promise<TAuthInfo> | TAuthInfo;
+}
+
+interface EventMessage {
+  time?: string | number;
+  type: string;
+  data?: unknown;
+}
+
+function serializeSseEvent(chunk: EventMessage): string {
+  let payload = "";
+
+  if (chunk.time) payload += `id: ${chunk.time}\n`;
+  if (chunk.type) payload += `event: ${chunk.type}\n`;
+  if (chunk.data) payload += `data: ${JSON.stringify(chunk)}\n`;
+
+  return `${payload}\n`;
+}
+
+export type EventStreamClient = {
+  id: string;
+  stream: Readable;
+  open: () => Promise<void>;
+  send: (data: EventMessage | EventData) => void;
+  ping: () => Promise<void>;
+  refresh: () => Promise<void>;
+  close: () => void;
+  get auth(): TAuthInfo;
+  signal: AbortSignal;
+  abort: () => void;
+  matcher: PureAbility;
+};
+
+export function createEventStreamClient(redis: Redis, options: IEventStreamClientOpts): EventStreamClient {
+  const rules = options.registered.map((r) => ({
+    subject: options.type,
+    action: "subscribe",
+    conditions: {
+      eventType: r.event,
+      secretPath: r.conditions?.secretPath ?? "/",
+      environment: r.conditions?.environmentSlug
+    }
+  }));
+
+  const id = `sse-${nanoid()}`;
+  const control = new AbortController();
+  const matcher = new PureAbility(rules, { conditionsMatcher });
+
+  let auth: TAuthInfo | undefined;
+
+  const stream = new Readable({
+    objectMode: true
+  });
+
+  // We will manually push data to the stream
+  stream._read = () => {};
+
+  const send = (data: EventMessage | EventData) => {
+    const chunk = serializeSseEvent(data);
+    if (!stream.push(chunk)) {
+      logger.debug("Backpressure detected: dropped manual event");
+    }
+  };
+
+  stream.on("error", (error: Error) => stream.destroy(error));
+
+  const open = async () => {
+    auth = await options.getAuthInfo();
+    await options.onAuthRefresh(auth);
+
+    const { actorId, projectId } = auth;
+    const set = KeyStorePrefixes.ActiveSSEConnectionsSet(projectId, actorId);
+    const key = KeyStorePrefixes.ActiveSSEConnections(projectId, actorId, id);
+
+    await Promise.all([redis.rpush(set, id), redis.set(key, "1", "EX", 60)]);
+  };
+
+  const ping = async () => {
+    if (!auth) return; // Avoid race condition if ping is called before open
+
+    const { actorId, projectId } = auth;
+    const key = KeyStorePrefixes.ActiveSSEConnections(projectId, actorId, id);
+
+    await redis.set(key, "1", "EX", 60);
+
+    stream.push("1");
+  };
+
+  const close = () => {
+    if (stream.closed) return;
+    stream.push(null);
+    stream.destroy();
+  };
+
+  /**
+   * Refreshes the connection's auth permissions
+   * Must be called atleast once when connection is opened
+   */
+  const refresh = async () => {
+    try {
+      auth = await options.getAuthInfo();
+      await options.onAuthRefresh(auth);
+    } catch (error) {
+      if (error instanceof Error) {
+        send({
+          type: "error",
+          data: {
+            ...error
+          }
+        });
+        return close();
+      }
+      stream.emit("error", error);
+    }
+  };
+
+  const abort = () => {
+    try {
+      control.abort();
+    } catch (error) {
+      logger.debug(error, "Error aborting SSE stream");
+    }
+  };
+
+  return {
+    id,
+    stream,
+    open,
+    send,
+    ping,
+    refresh,
+    close,
+    signal: control.signal,
+    abort,
+    matcher,
+    get auth() {
+      if (!auth) {
+        throw new Error("Auth info not set");
+      }
+
+      return auth;
+    }
+  };
+}

backend/src/ee/services/event/types.ts

@@ -0,0 +1,125 @@
+import { z } from "zod";
+
+import { ProjectType } from "@app/db/schemas";
+import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
+
+export enum TopicName {
+  CoreServers = "infisical::core-servers"
+}
+
+export enum BusEventName {
+  CreateSecret = "secret:create",
+  UpdateSecret = "secret:update",
+  DeleteSecret = "secret:delete"
+}
+
+type PublisableEventTypes =
+  | EventType.CREATE_SECRET
+  | EventType.CREATE_SECRETS
+  | EventType.DELETE_SECRET
+  | EventType.DELETE_SECRETS
+  | EventType.UPDATE_SECRETS
+  | EventType.UPDATE_SECRET;
+
+export function toBusEventName(input: EventType) {
+  switch (input) {
+    case EventType.CREATE_SECRET:
+    case EventType.CREATE_SECRETS:
+      return BusEventName.CreateSecret;
+    case EventType.UPDATE_SECRET:
+    case EventType.UPDATE_SECRETS:
+      return BusEventName.UpdateSecret;
+    case EventType.DELETE_SECRET:
+    case EventType.DELETE_SECRETS:
+      return BusEventName.DeleteSecret;
+    default:
+      return null;
+  }
+}
+
+const isBulkEvent = (event: Event): event is Extract<Event, { metadata: { secrets: Array<unknown> } }> => {
+  return event.type.endsWith("-secrets"); // Feels so wrong
+};
+
+export const toPublishableEvent = (event: Event) => {
+  const name = toBusEventName(event.type);
+
+  if (!name) return null;
+
+  const e = event as Extract<Event, { type: PublisableEventTypes }>;
+
+  if (isBulkEvent(e)) {
+    return {
+      name,
+      isBulk: true,
+      data: {
+        eventType: e.type,
+        payload: e.metadata.secrets.map((s) => ({
+          environment: e.metadata.environment,
+          secretPath: e.metadata.secretPath,
+          ...s
+        }))
+      }
+    } as const;
+  }
+
+  return {
+    name,
+    isBulk: false,
+    data: {
+      eventType: e.type,
+      payload: {
+        ...e.metadata,
+        environment: e.metadata.environment
+      }
+    }
+  } as const;
+};
+
+export const EventName = z.nativeEnum(BusEventName);
+
+const EventSecretPayload = z.object({
+  secretPath: z.string().optional(),
+  secretId: z.string(),
+  secretKey: z.string(),
+  environment: z.string()
+});
+
+export type EventSecret = z.infer<typeof EventSecretPayload>;
+
+export const EventSchema = z.object({
+  datacontenttype: z.literal("application/json").optional().default("application/json"),
+  type: z.nativeEnum(ProjectType),
+  source: z.string(),
+  time: z
+    .string()
+    .optional()
+    .default(() => new Date().toISOString()),
+  data: z.discriminatedUnion("eventType", [
+    z.object({
+      specversion: z.number().optional().default(1),
+      eventType: z.enum([EventType.CREATE_SECRET, EventType.UPDATE_SECRET, EventType.DELETE_SECRET]),
+      payload: EventSecretPayload
+    }),
+    z.object({
+      specversion: z.number().optional().default(1),
+      eventType: z.enum([EventType.CREATE_SECRETS, EventType.UPDATE_SECRETS, EventType.DELETE_SECRETS]),
+      payload: EventSecretPayload.array()
+    })
+    // Add more event types as needed
+  ])
+});
+
+export type EventData = z.infer<typeof EventSchema>;
+
+export const EventRegisterSchema = z.object({
+  event: EventName,
+  conditions: z
+    .object({
+      secretPath: z.string().optional().default("/"),
+      environmentSlug: z.string()
+    })
+    .optional()
+});
+
+export type RegisteredEvent = z.infer<typeof EventRegisterSchema>;

backend/src/ee/services/gateway/gateway-service.ts

@@ -566,6 +566,14 @@ export const gatewayServiceFactory = ({
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
     const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
+
+    const orgLicensePlan = await licenseService.getPlan(orgGatewayConfig.orgId);
+    if (!orgLicensePlan.gateway) {
+      throw new BadRequestError({
+        message: "Please upgrade your instance to Infisical's Enterprise plan to use gateways."
+      });
+    }
+
     const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: orgGatewayConfig.orgId

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -158,7 +160,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -169,7 +172,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -256,7 +260,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -267,7 +272,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -315,7 +321,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -349,7 +356,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -384,7 +392,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -85,7 +87,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -172,7 +175,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -185,7 +189,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -288,7 +293,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -300,7 +306,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -359,7 +366,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -401,7 +409,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
@@ -78,7 +79,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -131,7 +133,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -162,7 +165,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -195,7 +199,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -216,7 +221,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -252,7 +258,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/license/license-fns.ts

@@ -59,7 +59,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   secretScanning: false,
   enterpriseSecretSyncs: false,
   enterpriseAppConnections: false,
-  fips: false
+  fips: false,
+  eventSubscriptions: false
 });
 
 export const setupLicenseRequestWithStore = (

backend/src/ee/services/license/license-service.ts

@@ -5,13 +5,14 @@
 // TODO(akhilmhdh): With tony find out the api structure and fill it here
 
 import { ForbiddenError } from "@casl/ability";
+import { AxiosError } from "axios";
 import { CronJob } from "cron";
 import { Knex } from "knex";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -603,10 +604,22 @@ export const licenseServiceFactory = ({
       });
     }
 
-    const { data } = await licenseServerCloudApi.request.delete(
-      `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
-    );
-    return data;
+    try {
+      const { data } = await licenseServerCloudApi.request.delete(
+        `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
+      );
+      return data;
+    } catch (error) {
+      if (error instanceof AxiosError) {
+        throw new BadRequestError({
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+          message: `Failed to remove payment method: ${error.response?.data?.message}`
+        });
+      }
+      throw new BadRequestError({
+        message: "Unable to remove payment method"
+      });
+    }
   };
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {

backend/src/ee/services/license/license-types.ts

@@ -76,6 +76,7 @@ export type TFeatureSet = {
   enterpriseSecretSyncs: false;
   enterpriseAppConnections: false;
   fips: false;
+  eventSubscriptions: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/default-roles.ts

@@ -161,7 +161,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
       ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete
+      ProjectPermissionSecretActions.Delete,
+      ProjectPermissionSecretActions.Subscribe
     ],
     ProjectPermissionSub.Secrets
   );
@@ -265,7 +266,8 @@ const buildMemberPermissionRules = () => {
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
       ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete
+      ProjectPermissionSecretActions.Delete,
+      ProjectPermissionSecretActions.Subscribe
     ],
     ProjectPermissionSub.Secrets
   );

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,6 +1,7 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionSet } from "./org-permission";
@@ -20,6 +21,7 @@ export type TGetUserProjectPermissionArg = {
   userId: string;
   projectId: string;
   authMethod: ActorAuthMethod;
+  actionProjectType: ActionProjectType;
   userOrgId?: string;
 };
 
@@ -27,12 +29,14 @@ export type TGetIdentityProjectPermissionArg = {
   identityId: string;
   projectId: string;
   identityOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetServiceTokenProjectPermissionArg = {
   serviceTokenId: string;
   projectId: string;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetProjectPermissionArg = {
@@ -41,6 +45,7 @@ export type TGetProjectPermissionArg = {
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TPermissionServiceFactory = {
@@ -138,7 +143,13 @@ export type TPermissionServiceFactory = {
         };
       }
   >;
-  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({
+    userId,
+    projectId,
+    authMethod,
+    userOrgId,
+    actionProjectType
+  }: TGetUserProjectPermissionArg) => Promise<{
     permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
     membership: {
       id: string;

backend/src/ee/services/permission/permission-service.ts

@@ -5,6 +5,7 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
+  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
   ServiceTokenScopes,
@@ -213,7 +214,8 @@ export const permissionServiceFactory = ({
     userId,
     projectId,
     authMethod,
-    userOrgId
+    userOrgId,
+    actionProjectType
   }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -240,6 +242,12 @@ export const permissionServiceFactory = ({
       userProjectPermission.orgRole
     );
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -287,7 +295,8 @@ export const permissionServiceFactory = ({
   const getIdentityProjectPermission = async ({
     identityId,
     projectId,
-    identityOrgId
+    identityOrgId,
+    actionProjectType
   }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
@@ -307,6 +316,12 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -361,7 +376,8 @@ export const permissionServiceFactory = ({
   const getServiceTokenProjectPermission = async ({
     serviceTokenId,
     projectId,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetServiceTokenProjectPermissionArg) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -386,6 +402,12 @@ export const permissionServiceFactory = ({
       });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
+      throw new BadRequestError({
+        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -537,7 +559,8 @@ export const permissionServiceFactory = ({
     actorId: inputActorId,
     projectId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
     let actor = inputActor;
     let actorId = inputActorId;
@@ -558,19 +581,22 @@ export const permissionServiceFactory = ({
           userId: actorId,
           projectId,
           authMethod: actorAuthMethod,
-          userOrgId: actorOrgId
+          userOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
         return getServiceTokenProjectPermission({
           serviceTokenId: actorId,
           projectId,
-          actorOrgId
+          actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
         return getIdentityProjectPermission({
           identityId: actorId,
           projectId,
-          identityOrgId: actorOrgId
+          identityOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({

backend/src/ee/services/permission/project-permission.ts

@@ -36,7 +36,8 @@ export enum ProjectPermissionSecretActions {
   ReadValue = "readValue",
   Create = "create",
   Edit = "edit",
-  Delete = "delete"
+  Delete = "delete",
+  Subscribe = "subscribe"
 }
 
 export enum ProjectPermissionCmekActions {
@@ -204,6 +205,7 @@ export type SecretSubjectFields = {
   secretPath: string;
   secretName?: string;
   secretTags?: string[];
+  eventType?: string;
 };
 
 export type SecretFolderSubjectFields = {
@@ -483,7 +485,17 @@ const SecretConditionV2Schema = z
       .object({
         [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
       })
-      .partial()
+      .partial(),
+    eventType: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ])
   })
   .partial();
 

backend/src/ee/services/pit/pit-service.ts

@@ -1,6 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -348,7 +349,8 @@ export const pitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(userPermission).throwUnlessCan(

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   InfisicalProjectTemplate,
   TUnpackedPermission
@@ -6,18 +7,21 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"
 
 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
 
-export const getDefaultProjectTemplate = (orgId: string) => ({
+export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
   id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
+  type,
   name: InfisicalProjectTemplate.Default,
   createdAt: new Date(),
   updatedAt: new Date(),
-  description: `Infisical's default project template`,
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
-    name: string;
-    slug: string;
-    permissions: TUnpackedPermission[];
-  }>,
+  description: `Infisical's ${type} default project template`,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
+    ({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })
+  ),
   orgId
 });
 

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -29,11 +29,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
   ...rest,
   environments: environments as TProjectTemplateEnvironment[],
   roles: [
-    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
+      ({ name, slug, permissions }) => ({
+        name,
+        slug,
+        permissions: permissions as TUnpackedPermission[]
+      })
+    ),
     ...(roles as TProjectTemplateRole[]).map((role) => ({
       ...role,
       permissions: unpackPermissions(role.permissions)
@@ -46,7 +48,10 @@ export const projectTemplateServiceFactory = ({
   permissionService,
   projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
+    actor,
+    type
+  ) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.projectTemplates)
@@ -65,11 +70,14 @@ export const projectTemplateServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
 
     const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
+      ...(type ? { type } : {})
     });
 
     return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
+        ? [getDefaultProjectTemplate(actor.orgId, type)]
+        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
       ...projectTemplates.map((template) => $unpackProjectTemplate(template))
     ];
   };
@@ -134,7 +142,7 @@ export const projectTemplateServiceFactory = ({
   };
 
   const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, ...params },
+    { roles, environments, type, ...params },
     actor
   ) => {
     const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +162,10 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
 
+    if (environments && type !== ProjectType.SecretManager) {
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+    }
+
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({
         // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -176,8 +188,10 @@ export const projectTemplateServiceFactory = ({
     const projectTemplate = await projectTemplateDAL.create({
       ...params,
       roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId
+      environments:
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId,
+      type
     });
 
     return $unpackProjectTemplate(projectTemplate);
@@ -208,6 +222,11 @@ export const projectTemplateServiceFactory = ({
     );
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
+    if (projectTemplate.type !== ProjectType.SecretManager && environments)
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+
+    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
+      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
 
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -15,6 +15,7 @@ export type TProjectTemplateRole = {
 
 export type TCreateProjectTemplateDTO = {
   name: string;
+  type: ProjectType;
   description?: string;
   roles: TProjectTemplateRole[];
   environments?: TProjectTemplateEnvironment[] | null;
@@ -29,11 +30,15 @@ export enum InfisicalProjectTemplate {
 }
 
 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
+  listProjectTemplatesByOrg: (
+    actor: OrgServiceActor,
+    type?: ProjectType
+  ) => Promise<
     (
       | {
           id: string;
           name: InfisicalProjectTemplate;
+          type: string;
           createdAt: Date;
           updatedAt: Date;
           description: string;
@@ -58,6 +63,7 @@ export type TProjectTemplateServiceFactory = {
         }
       | {
           environments: TProjectTemplateEnvironment[];
+          type: string;
           roles: {
             permissions: {
               action: string[];
@@ -94,6 +100,7 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
+    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -118,6 +125,7 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
+    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -140,6 +148,7 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
+    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -162,6 +171,7 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
+    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -184,6 +194,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@@ -69,7 +70,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -164,7 +166,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@@ -172,7 +175,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -272,7 +276,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -317,7 +322,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -343,7 +349,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 

backend/src/ee/services/scim/scim-service.ts

@@ -579,6 +579,9 @@ export const scimServiceFactory = ({
       });
 
     const serverCfg = await getServerCfg();
+    const hasEmailChanged = email?.toLowerCase() !== membership.email;
+    const defaultEmailVerified =
+      org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails;
     await userDAL.transaction(async (tx) => {
       await userAliasDAL.update(
         {
@@ -605,8 +608,7 @@ export const scimServiceFactory = ({
           firstName,
           email: email?.toLowerCase(),
           lastName,
-          isEmailVerified:
-            org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails
+          isEmailVerified: hasEmailChanged ? defaultEmailVerified : undefined
         },
         tx
       );

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -23,6 +23,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
     customFilter?: {
       sapId?: string;
+      envId?: string;
     }
   ) =>
     tx(TableName.SecretApprovalPolicy)
@@ -33,7 +34,17 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
           void qb.where(`${TableName.SecretApprovalPolicy}.id`, "=", customFilter.sapId);
         }
       })
-      .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
+      .join(
+        TableName.SecretApprovalPolicyEnvironment,
+        `${TableName.SecretApprovalPolicyEnvironment}.policyId`,
+        `${TableName.SecretApprovalPolicy}.id`
+      )
+      .join(TableName.Environment, `${TableName.SecretApprovalPolicyEnvironment}.envId`, `${TableName.Environment}.id`)
+      .where((qb) => {
+        if (customFilter?.envId) {
+          void qb.where(`${TableName.SecretApprovalPolicyEnvironment}.envId`, "=", customFilter.envId);
+        }
+      })
       .leftJoin(
         TableName.SecretApprovalPolicyApprover,
         `${TableName.SecretApprovalPolicy}.id`,
@@ -97,7 +108,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
       .select(
         tx.ref("name").withSchema(TableName.Environment).as("envName"),
         tx.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-        tx.ref("id").withSchema(TableName.Environment).as("envId"),
+        tx.ref("id").withSchema(TableName.Environment).as("environmentId"),
         tx.ref("projectId").withSchema(TableName.Environment)
       )
       .select(selectAllTableCols(TableName.SecretApprovalPolicy))
@@ -146,6 +157,15 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
               firstName,
               lastName
             })
+          },
+          {
+            key: "environmentId",
+            label: "environments" as const,
+            mapper: ({ environmentId, envName, envSlug }) => ({
+              id: environmentId,
+              name: envName,
+              slug: envSlug
+            })
           }
         ]
       });
@@ -160,6 +180,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
     customFilter?: {
       sapId?: string;
+      envId?: string;
     },
     tx?: Knex
   ) => {
@@ -221,6 +242,15 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
             mapper: ({ approverGroupUserId: userId }) => ({
               userId
             })
+          },
+          {
+            key: "environmentId",
+            label: "environments" as const,
+            mapper: ({ environmentId, envName, envSlug }) => ({
+              id: environmentId,
+              name: envName,
+              slug: envSlug
+            })
           }
         ]
       });
@@ -235,5 +265,74 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     return softDeletedPolicy;
   };
 
-  return { ...secretApprovalPolicyOrm, findById, find, softDeleteById };
+  const findPolicyByEnvIdAndSecretPath = async (
+    { envIds, secretPath }: { envIds: string[]; secretPath: string },
+    tx?: Knex
+  ) => {
+    try {
+      const docs = await (tx || db.replicaNode())(TableName.SecretApprovalPolicy)
+        .join(
+          TableName.SecretApprovalPolicyEnvironment,
+          `${TableName.SecretApprovalPolicyEnvironment}.policyId`,
+          `${TableName.SecretApprovalPolicy}.id`
+        )
+        .join(
+          TableName.Environment,
+          `${TableName.SecretApprovalPolicyEnvironment}.envId`,
+          `${TableName.Environment}.id`
+        )
+        .where(
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          buildFindFilter(
+            {
+              $in: {
+                envId: envIds
+              }
+            },
+            TableName.SecretApprovalPolicyEnvironment
+          )
+        )
+        .where(
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          buildFindFilter(
+            {
+              secretPath
+            },
+            TableName.SecretApprovalPolicy
+          )
+        )
+        .whereNull(`${TableName.SecretApprovalPolicy}.deletedAt`)
+        .orderBy("deletedAt", "desc")
+        .orderByRaw(`"deletedAt" IS NULL`)
+        .select(selectAllTableCols(TableName.SecretApprovalPolicy))
+        .select(db.ref("name").withSchema(TableName.Environment).as("envName"))
+        .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
+        .select(db.ref("id").withSchema(TableName.Environment).as("environmentId"))
+        .select(db.ref("projectId").withSchema(TableName.Environment));
+      const formattedDocs = sqlNestRelationships({
+        data: docs,
+        key: "id",
+        parentMapper: (data) => ({
+          projectId: data.projectId,
+          ...SecretApprovalPoliciesSchema.parse(data)
+        }),
+        childrenMapper: [
+          {
+            key: "environmentId",
+            label: "environments" as const,
+            mapper: ({ environmentId: id, envName, envSlug }) => ({
+              id,
+              name: envName,
+              slug: envSlug
+            })
+          }
+        ]
+      });
+      return formattedDocs?.[0];
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findPolicyByEnvIdAndSecretPath" });
+    }
+  };
+
+  return { ...secretApprovalPolicyOrm, findById, find, softDeleteById, findPolicyByEnvIdAndSecretPath };
 };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-environment-dal.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TSecretApprovalPolicyEnvironmentDALFactory = ReturnType<typeof secretApprovalPolicyEnvironmentDALFactory>;
+
+export const secretApprovalPolicyEnvironmentDALFactory = (db: TDbClient) => {
+  const secretApprovalPolicyEnvironmentOrm = ormify(db, TableName.SecretApprovalPolicyEnvironment);
+
+  const findAvailablePoliciesByEnvId = async (envId: string, tx?: Knex) => {
+    try {
+      const docs = await (tx || db.replicaNode())(TableName.SecretApprovalPolicyEnvironment)
+        .join(
+          TableName.SecretApprovalPolicy,
+          `${TableName.SecretApprovalPolicyEnvironment}.policyId`,
+          `${TableName.SecretApprovalPolicy}.id`
+        )
+        // eslint-disable-next-line @typescript-eslint/no-misused-promises
+        .where(buildFindFilter({ envId }, TableName.SecretApprovalPolicyEnvironment))
+        .whereNull(`${TableName.SecretApprovalPolicy}.deletedAt`)
+        .select(selectAllTableCols(TableName.SecretApprovalPolicyEnvironment));
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findAvailablePoliciesByEnvId" });
+    }
+  };
+
+  return { ...secretApprovalPolicyEnvironmentOrm, findAvailablePoliciesByEnvId };
+};

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -18,6 +19,7 @@ import {
   TSecretApprovalPolicyBypasserDALFactory
 } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
+import { TSecretApprovalPolicyEnvironmentDALFactory } from "./secret-approval-policy-environment-dal";
 import {
   TCreateSapDTO,
   TDeleteSapDTO,
@@ -35,12 +37,13 @@ const getPolicyScore = (policy: { secretPath?: string | null }) =>
 type TSecretApprovalPolicyServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   secretApprovalPolicyDAL: TSecretApprovalPolicyDALFactory;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne" | "find">;
   userDAL: Pick<TUserDALFactory, "find">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
   secretApprovalPolicyBypasserDAL: TSecretApprovalPolicyBypasserDALFactory;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "update">;
+  secretApprovalPolicyEnvironmentDAL: TSecretApprovalPolicyEnvironmentDALFactory;
 };
 
 export type TSecretApprovalPolicyServiceFactory = ReturnType<typeof secretApprovalPolicyServiceFactory>;
@@ -50,27 +53,30 @@ export const secretApprovalPolicyServiceFactory = ({
   permissionService,
   secretApprovalPolicyApproverDAL,
   secretApprovalPolicyBypasserDAL,
+  secretApprovalPolicyEnvironmentDAL,
   projectEnvDAL,
   userDAL,
   licenseService,
   secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
   const $policyExists = async ({
+    envIds,
     envId,
     secretPath,
     policyId
   }: {
-    envId: string;
+    envIds?: string[];
+    envId?: string;
     secretPath: string;
     policyId?: string;
   }) => {
-    const policy = await secretApprovalPolicyDAL
-      .findOne({
-        envId,
-        secretPath,
-        deletedAt: null
-      })
-      .catch(() => null);
+    if (!envIds && !envId) {
+      throw new BadRequestError({ message: "At least one environment should be provided" });
+    }
+    const policy = await secretApprovalPolicyDAL.findPolicyByEnvIdAndSecretPath({
+      envIds: envId ? [envId] : envIds || [],
+      secretPath
+    });
 
     return policyId ? policy && policy.id !== policyId : Boolean(policy);
   };
@@ -87,6 +93,7 @@ export const secretApprovalPolicyServiceFactory = ({
     projectId,
     secretPath,
     environment,
+    environments,
     enforcementLevel,
     allowedSelfApprovals
   }: TCreateSapDTO) => {
@@ -110,7 +117,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -125,17 +133,23 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) {
-      throw new NotFoundError({
-        message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
-      });
+    const mergedEnvs = (environment ? [environment] : environments) || [];
+    if (mergedEnvs.length === 0) {
+      throw new BadRequestError({ message: "Must provide either environment or environments" });
+    }
+    const envs = await projectEnvDAL.find({ $in: { slug: mergedEnvs }, projectId });
+    if (!envs.length || envs.length !== mergedEnvs.length) {
+      const notFoundEnvs = mergedEnvs.filter((env) => !envs.find((el) => el.slug === env));
+      throw new NotFoundError({ message: `One or more environments not found: ${notFoundEnvs.join(", ")}` });
     }
 
-    if (await $policyExists({ envId: env.id, secretPath })) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
-      });
+    for (const env of envs) {
+      // eslint-disable-next-line no-await-in-loop
+      if (await $policyExists({ envId: env.id, secretPath })) {
+        throw new BadRequestError({
+          message: `A policy for secret path '${secretPath}' already exists in environment '${env.slug}'`
+        });
+      }
     }
 
     let groupBypassers: string[] = [];
@@ -179,7 +193,7 @@ export const secretApprovalPolicyServiceFactory = ({
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.create(
         {
-          envId: env.id,
+          envId: envs[0].id,
           approvals,
           secretPath,
           name,
@@ -188,6 +202,13 @@ export const secretApprovalPolicyServiceFactory = ({
         },
         tx
       );
+      await secretApprovalPolicyEnvironmentDAL.insertMany(
+        envs.map((env) => ({
+          envId: env.id,
+          policyId: doc.id
+        })),
+        tx
+      );
 
       let userApproverIds = userApprovers;
       if (userApproverNames.length) {
@@ -251,12 +272,13 @@ export const secretApprovalPolicyServiceFactory = ({
       return doc;
     });
 
-    return { ...secretApproval, environment: env, projectId };
+    return { ...secretApproval, environments: envs, projectId, environment: envs[0] };
   };
 
   const updateSecretApprovalPolicy = async ({
     approvers,
     bypassers,
+    environments,
     secretPath,
     name,
     actorId,
@@ -286,17 +308,26 @@ export const secretApprovalPolicyServiceFactory = ({
         message: `Secret approval policy with ID '${secretPolicyId}' not found`
       });
     }
-
+    let envs = secretApprovalPolicy.environments;
     if (
-      await $policyExists({
-        envId: secretApprovalPolicy.envId,
-        secretPath: secretPath || secretApprovalPolicy.secretPath,
-        policyId: secretApprovalPolicy.id
-      })
+      environments &&
+      (environments.length !== envs.length || environments.some((env) => !envs.find((el) => el.slug === env)))
     ) {
-      throw new BadRequestError({
-        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
-      });
+      envs = await projectEnvDAL.find({ $in: { slug: environments }, projectId: secretApprovalPolicy.projectId });
+    }
+    for (const env of envs) {
+      if (
+        // eslint-disable-next-line no-await-in-loop
+        await $policyExists({
+          envId: env.id,
+          secretPath: secretPath || secretApprovalPolicy.secretPath,
+          policyId: secretApprovalPolicy.id
+        })
+      ) {
+        throw new BadRequestError({
+          message: `A policy for secret path '${secretPath || secretApprovalPolicy.secretPath}' already exists in environment '${env.slug}'`
+        });
+      }
     }
 
     const { permission } = await permissionService.getProjectPermission({
@@ -304,7 +335,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -412,6 +444,17 @@ export const secretApprovalPolicyServiceFactory = ({
         );
       }
 
+      if (environments) {
+        await secretApprovalPolicyEnvironmentDAL.delete({ policyId: doc.id }, tx);
+        await secretApprovalPolicyEnvironmentDAL.insertMany(
+          envs.map((env) => ({
+            envId: env.id,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       await secretApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
 
       if (bypasserUserIds.length) {
@@ -438,7 +481,8 @@ export const secretApprovalPolicyServiceFactory = ({
     });
     return {
       ...updatedSap,
-      environment: secretApprovalPolicy.environment,
+      environments: secretApprovalPolicy.environments,
+      environment: secretApprovalPolicy.environments[0],
       projectId: secretApprovalPolicy.projectId
     };
   };
@@ -459,7 +503,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -483,7 +528,12 @@ export const secretApprovalPolicyServiceFactory = ({
       const updatedPolicy = await secretApprovalPolicyDAL.softDeleteById(secretPolicyId, tx);
       return updatedPolicy;
     });
-    return { ...deletedPolicy, projectId: sapPolicy.projectId, environment: sapPolicy.environment };
+    return {
+      ...deletedPolicy,
+      projectId: sapPolicy.projectId,
+      environments: sapPolicy.environments,
+      environment: sapPolicy.environments[0]
+    };
   };
 
   const getSecretApprovalPolicyByProjectId = async ({
@@ -498,7 +548,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
@@ -515,7 +566,7 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const policies = await secretApprovalPolicyDAL.find({ envId: env.id, deletedAt: null });
+    const policies = await secretApprovalPolicyDAL.find({ deletedAt: null }, { envId: env.id });
     if (!policies.length) return;
     // this will filter policies either without scoped to secret path or the one that matches with secret path
     const policiesFilteredByPath = policies.filter(
@@ -542,7 +593,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
@@ -568,7 +620,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -5,7 +5,8 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app
 export type TCreateSapDTO = {
   approvals: number;
   secretPath: string;
-  environment: string;
+  environment?: string;
+  environments?: string[];
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
     | { type: BypasserType.Group; id: string }
@@ -29,6 +30,7 @@ export type TUpdateSapDTO = {
   name?: string;
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals?: boolean;
+  environments?: string[];
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteSapDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -40,6 +40,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.policyId`,
         `${TableName.SecretApprovalPolicy}.id`
       )
+      .leftJoin(TableName.SecretApprovalPolicyEnvironment, (bd) => {
+        bd.on(
+          `${TableName.SecretApprovalPolicy}.id`,
+          "=",
+          `${TableName.SecretApprovalPolicyEnvironment}.policyId`
+        ).andOn(`${TableName.SecretApprovalPolicyEnvironment}.envId`, "=", `${TableName.SecretFolder}.envId`);
+      })
       .leftJoin<TUsers>(
         db(TableName.Users).as("statusChangedByUser"),
         `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
@@ -146,7 +153,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
-        tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
+        tx.ref("envId").withSchema(TableName.SecretApprovalPolicyEnvironment).as("policyEnvId"),
         tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -3,6 +3,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 
 import {
+  ActionProjectType,
   ProjectMembershipRole,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
@@ -64,10 +65,14 @@ import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
-import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
+import {
+  hasSecretReadValueOrDescribePermission,
+  throwIfMissingSecretReadValueOrDescribePermission
+} from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
+import { scanSecretPolicyViolations } from "../secret-scanning-v2/secret-scanning-v2-fns";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
 import { sendApprovalEmailsFn } from "./secret-approval-request-fns";
@@ -184,7 +189,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
@@ -211,7 +217,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -263,7 +270,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -272,13 +280,19 @@ export const secretApprovalRequestServiceFactory = ({
     ) {
       throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
     }
-
-    const hasSecretReadAccess = permission.can(
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSub.Secrets
-    );
+    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
+      const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
+        environment,
+        secretPath: secretPath || "/",
+        secretTags: tags.map((i) => i.slug)
+      });
+      return canRead;
+    };
 
     let secrets;
+    const secretPath = await folderDAL.findSecretPathByFolderIds(secretApprovalRequest.projectId, [
+      secretApprovalRequest.folderId
+    ]);
     if (shouldUseSecretV2Bridge) {
       const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
         type: KmsDataKey.SecretManager,
@@ -294,8 +308,8 @@ export const secretApprovalRequestServiceFactory = ({
         version: el.version,
         secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !hasSecretReadAccess,
-        secretValue: !hasSecretReadAccess
+        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
           ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
           : el.secret && el.secret.isRotatedSecret
             ? undefined
@@ -310,8 +324,12 @@ export const secretApprovalRequestServiceFactory = ({
               secretKey: el.secret.key,
               id: el.secret.id,
               version: el.secret.version,
-              secretValueHidden: !hasSecretReadAccess,
-              secretValue: !hasSecretReadAccess
+              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              ),
+              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
                 ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                 : el.secret.encryptedValue
                   ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -326,8 +344,12 @@ export const secretApprovalRequestServiceFactory = ({
               secretKey: el.secretVersion.key,
               id: el.secretVersion.id,
               version: el.secretVersion.version,
-              secretValueHidden: !hasSecretReadAccess,
-              secretValue: !hasSecretReadAccess
+              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              ),
+              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
                 ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                 : el.secretVersion.encryptedValue
                   ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -345,7 +367,7 @@ export const secretApprovalRequestServiceFactory = ({
       const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
       secrets = encryptedSecrets.map((el) => ({
         ...el,
-        secretValueHidden: !hasSecretReadAccess,
+        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
         ...decryptSecretWithBot(el, botKey),
         secret: el.secret
           ? {
@@ -365,9 +387,6 @@ export const secretApprovalRequestServiceFactory = ({
           : undefined
       }));
     }
-    const secretPath = await folderDAL.findSecretPathByFolderIds(secretApprovalRequest.projectId, [
-      secretApprovalRequest.folderId
-    ]);
 
     return { ...secretApprovalRequest, secretPath: secretPath?.[0]?.path || "/", commits: secrets };
   };
@@ -412,7 +431,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -481,7 +501,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -531,13 +552,19 @@ export const secretApprovalRequestServiceFactory = ({
         message: "The policy associated with this secret approval request has been deleted."
       });
     }
+    if (!policy.envId) {
+      throw new BadRequestError({
+        message: "The policy associated with this secret approval request is not linked to the environment."
+      });
+    }
 
     const { hasRole } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (
@@ -955,7 +982,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
+          approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
@@ -1089,7 +1116,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@@ -1380,7 +1408,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -1398,6 +1427,20 @@ export const secretApprovalRequestServiceFactory = ({
       projectId
     });
 
+    const project = await projectDAL.findById(projectId);
+    await scanSecretPolicyViolations(
+      projectId,
+      secretPath,
+      [
+        ...(data[SecretOperations.Create] || []),
+        ...(data[SecretOperations.Update] || []).filter((el) => el.secretValue)
+      ].map((el) => ({
+        secretKey: el.secretKey,
+        secretValue: el.secretValue as string
+      })),
+      project.secretDetectionIgnoreValues || []
+    );
+
     // for created secret approval change
     const createdSecrets = data[SecretOperations.Create];
     if (createdSecrets && createdSecrets?.length) {

backend/src/ee/services/secret-rotation-v2/azure-client-secret/azure-client-secret-rotation-fns.ts

@@ -21,6 +21,8 @@ const GRAPH_API_BASE = "https://graph.microsoft.com/v1.0";
 
 type AzureErrorResponse = { error: { message: string } };
 
+const EXPIRY_PADDING_IN_DAYS = 3;
+
 const sleep = async () =>
   new Promise((resolve) => {
     setTimeout(resolve, 1000);
@@ -33,7 +35,8 @@ export const azureClientSecretRotationFactory: TRotationFactory<
   const {
     connection,
     parameters: { objectId, clientId: clientIdParam },
-    secretsMapping
+    secretsMapping,
+    rotationInterval
   } = secretRotation;
 
   /**
@@ -50,7 +53,7 @@ export const azureClientSecretRotationFactory: TRotationFactory<
     )}-${now.getFullYear()}`;
 
     const endDateTime = new Date();
-    endDateTime.setFullYear(now.getFullYear() + 5);
+    endDateTime.setDate(now.getDate() + rotationInterval * 2 + EXPIRY_PADDING_IN_DAYS); // give 72 hour buffer
 
     try {
       const { data } = await request.post<AzureAddPasswordResponse>(
@@ -195,6 +198,12 @@ export const azureClientSecretRotationFactory: TRotationFactory<
     callback
   ) => {
     const credentials = await $rotateClientSecret();
+
+    // 2.5 years as expiry is set to x2 interval for the inactive period of credential
+    if (rotationInterval > Math.floor(365 * 2.5) - EXPIRY_PADDING_IN_DAYS) {
+      throw new BadRequestError({ message: "Azure does not support token duration over 5 years" });
+    }
+
     return callback(credentials);
   };
 

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-dal.ts

@@ -51,6 +51,7 @@ const baseSecretRotationV2Query = ({
       db.ref("encryptedCredentials").withSchema(TableName.AppConnection).as("connectionEncryptedCredentials"),
       db.ref("description").withSchema(TableName.AppConnection).as("connectionDescription"),
       db.ref("version").withSchema(TableName.AppConnection).as("connectionVersion"),
+      db.ref("gatewayId").withSchema(TableName.AppConnection).as("connectionGatewayId"),
       db.ref("createdAt").withSchema(TableName.AppConnection).as("connectionCreatedAt"),
       db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt"),
       db
@@ -104,6 +105,7 @@ const expandSecretRotation = <T extends Awaited<ReturnType<typeof baseSecretRota
     connectionCreatedAt,
     connectionUpdatedAt,
     connectionVersion,
+    connectionGatewayId,
     connectionIsPlatformManagedCredentials,
     ...el
   } = secretRotation;
@@ -123,6 +125,7 @@ const expandSecretRotation = <T extends Awaited<ReturnType<typeof baseSecretRota
       createdAt: connectionCreatedAt,
       updatedAt: connectionUpdatedAt,
       version: connectionVersion,
+      gatewayId: connectionGatewayId,
       isPlatformManagedCredentials: connectionIsPlatformManagedCredentials
     },
     folder: {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts

@@ -167,7 +167,7 @@ export const secretRotationV2QueueServiceFactory = async ({
             environment: environment.name,
             projectName: project.name,
             rotationUrl: encodeURI(
-              `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
+              `${appCfg.SITE_URL}/projects/secret-management/${projectId}/secrets/${environment.slug}`
             )
           }
         });

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";
 
-import { SecretType, TableName } from "@app/db/schemas";
+import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -223,7 +223,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -274,7 +274,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -320,7 +320,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -385,7 +385,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -429,7 +429,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -631,7 +631,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -781,7 +781,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1113,7 +1113,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1160,7 +1160,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1212,7 +1212,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1328,7 +1328,8 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -7,12 +7,13 @@ import {
   TRotationFactoryRevokeCredentials,
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   executeWithPotentialGateway,
   SQL_CONNECTION_ALTER_LOGIN_STATEMENT
 } from "@app/services/app-connection/shared/sql";
 
-import { generatePassword } from "../utils";
+import { DEFAULT_PASSWORD_REQUIREMENTS, generatePassword } from "../utils";
 import {
   TSqlCredentialsRotationGeneratedCredentials,
   TSqlCredentialsRotationWithConnection
@@ -32,6 +33,11 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
   return redactedMessage;
 };
 
+const ORACLE_PASSWORD_REQUIREMENTS = {
+  ...DEFAULT_PASSWORD_REQUIREMENTS,
+  length: 30
+};
+
 export const sqlCredentialsRotationFactory: TRotationFactory<
   TSqlCredentialsRotationWithConnection,
   TSqlCredentialsRotationGeneratedCredentials
@@ -43,6 +49,9 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     secretsMapping
   } = secretRotation;
 
+  const passwordRequirement =
+    connection.app === AppConnection.OracleDB ? ORACLE_PASSWORD_REQUIREMENTS : DEFAULT_PASSWORD_REQUIREMENTS;
+
   const executeOperation = <T>(
     operation: (client: Knex) => Promise<T>,
     credentialsOverride?: TSqlCredentialsRotationGeneratedCredentials[number]
@@ -65,7 +74,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
   const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     try {
       await executeOperation(async (client) => {
-        await client.raw("SELECT 1");
+        await client.raw(connection.app === AppConnection.OracleDB ? `SELECT 1 FROM DUAL` : `Select 1`);
       }, credentials);
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
@@ -75,11 +84,13 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
   const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
     callback
   ) => {
+    // For SQL, since we get existing users, we change both their passwords
+    // on issue to invalidate their existing passwords
     // For SQL, since we get existing users, we change both their passwords
     // on issue to invalidate their existing passwords
     const credentialsSet = [
-      { username: username1, password: generatePassword() },
-      { username: username2, password: generatePassword() }
+      { username: username1, password: generatePassword(passwordRequirement) },
+      { username: username2, password: generatePassword(passwordRequirement) }
     ];
 
     try {
@@ -105,7 +116,10 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     credentialsToRevoke,
     callback
   ) => {
-    const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
+    const revokedCredentials = credentialsToRevoke.map(({ username }) => ({
+      username,
+      password: generatePassword(passwordRequirement)
+    }));
 
     try {
       await executeOperation(async (client) => {
@@ -128,7 +142,10 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     callback
   ) => {
     // generate new password for the next active user
-    const credentials = { username: activeIndex === 0 ? username2 : username1, password: generatePassword() };
+    const credentials = {
+      username: activeIndex === 0 ? username2 : username1,
+      password: generatePassword(passwordRequirement)
+    };
 
     try {
       await executeOperation(async (client) => {

backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts

@@ -11,7 +11,7 @@ type TPasswordRequirements = {
   allowedSymbols?: string;
 };
 
-const DEFAULT_PASSWORD_REQUIREMENTS: TPasswordRequirements = {
+export const DEFAULT_PASSWORD_REQUIREMENTS: TPasswordRequirements = {
   length: 48,
   required: {
     lowercase: 1,

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -66,7 +66,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -97,7 +98,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -213,7 +215,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -263,7 +266,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Edit,
@@ -283,7 +287,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: doc.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Delete,

backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-factory.ts

@@ -18,7 +18,8 @@ import {
   TSecretScanningFactoryInitialize,
   TSecretScanningFactoryListRawResources,
   TSecretScanningFactoryPostInitialization,
-  TSecretScanningFactoryTeardown
+  TSecretScanningFactoryTeardown,
+  TSecretScanningFactoryValidateConfigUpdate
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
@@ -302,6 +303,13 @@ export const BitbucketSecretScanningFactory = () => {
     );
   };
 
+  const validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<
+    TBitbucketDataSourceInput["config"],
+    TBitbucketDataSourceWithConnection
+  > = async () => {
+    // no validation required
+  };
+
   return {
     initialize,
     postInitialization,
@@ -309,6 +317,7 @@ export const BitbucketSecretScanningFactory = () => {
     getFullScanPath,
     getDiffScanResourcePayload,
     getDiffScanFindingsPayload,
-    teardown
+    teardown,
+    validateConfigUpdate
   };
 };

backend/src/ee/services/secret-scanning-v2/github/github-secret-scanning-factory.ts

@@ -20,7 +20,8 @@ import {
   TSecretScanningFactoryInitialize,
   TSecretScanningFactoryListRawResources,
   TSecretScanningFactoryPostInitialization,
-  TSecretScanningFactoryTeardown
+  TSecretScanningFactoryTeardown,
+  TSecretScanningFactoryValidateConfigUpdate
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
@@ -64,7 +65,14 @@ export const GitHubSecretScanningFactory = () => {
   };
 
   const teardown: TSecretScanningFactoryTeardown<TGitHubDataSourceWithConnection> = async () => {
-    // no termination required
+    // no teardown required
+  };
+
+  const validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<
+    TGitHubDataSourceInput["config"],
+    TGitHubDataSourceWithConnection
+  > = async () => {
+    // no validation required
   };
 
   const listRawResources: TSecretScanningFactoryListRawResources<TGitHubDataSourceWithConnection> = async (
@@ -238,6 +246,7 @@ export const GitHubSecretScanningFactory = () => {
     getFullScanPath,
     getDiffScanResourcePayload,
     getDiffScanFindingsPayload,
-    teardown
+    teardown,
+    validateConfigUpdate
   };
 };

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-constants.ts

@@ -0,0 +1,9 @@
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { TSecretScanningDataSourceListItem } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const GITLAB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION: TSecretScanningDataSourceListItem = {
+  name: "GitLab",
+  type: SecretScanningDataSource.GitLab,
+  connection: AppConnection.GitLab
+};

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums.ts

@@ -0,0 +1,8 @@
+export enum GitLabDataSourceScope {
+  Project = "project",
+  Group = "group"
+}
+
+export enum GitLabWebHookEvent {
+  Push = "Push Hook"
+}

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-factory.ts

@@ -0,0 +1,409 @@
+import { Camelize, GitbeakerRequestError, GroupHookSchema, ProjectHookSchema } from "@gitbeaker/rest";
+import { join } from "path";
+
+import { scanContentAndGetFindings } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
+import { SecretMatch } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
+import {
+  SecretScanningFindingSeverity,
+  SecretScanningResource
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import {
+  cloneRepository,
+  convertPatchLineToFileLineNumber,
+  replaceNonChangesWithNewlines
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-fns";
+import {
+  TSecretScanningFactoryGetDiffScanFindingsPayload,
+  TSecretScanningFactoryGetDiffScanResourcePayload,
+  TSecretScanningFactoryGetFullScanPath,
+  TSecretScanningFactoryInitialize,
+  TSecretScanningFactoryListRawResources,
+  TSecretScanningFactoryParams,
+  TSecretScanningFactoryPostInitialization,
+  TSecretScanningFactoryTeardown,
+  TSecretScanningFactoryValidateConfigUpdate
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { titleCaseToCamelCase } from "@app/lib/fn";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { GitLabProjectRegex } from "@app/lib/regex";
+import {
+  getGitLabConnectionClient,
+  getGitLabInstanceUrl,
+  TGitLabConnection
+} from "@app/services/app-connection/gitlab";
+
+import { GitLabDataSourceScope } from "./gitlab-secret-scanning-enums";
+import {
+  TGitLabDataSourceCredentials,
+  TGitLabDataSourceInput,
+  TGitLabDataSourceWithConnection,
+  TQueueGitLabResourceDiffScan
+} from "./gitlab-secret-scanning-types";
+
+const getMainDomain = (instanceUrl: string) => {
+  const url = new URL(instanceUrl);
+  const { hostname } = url;
+  const parts = hostname.split(".");
+
+  if (parts.length >= 2) {
+    return parts.slice(-2).join(".");
+  }
+
+  return hostname;
+};
+
+export const GitLabSecretScanningFactory = ({ appConnectionDAL, kmsService }: TSecretScanningFactoryParams) => {
+  const initialize: TSecretScanningFactoryInitialize<
+    TGitLabDataSourceInput,
+    TGitLabConnection,
+    TGitLabDataSourceCredentials
+  > = async ({ payload: { config, name }, connection }, callback) => {
+    const token = alphaNumericNanoId(64);
+
+    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
+    const appCfg = getConfig();
+
+    if (config.scope === GitLabDataSourceScope.Project) {
+      const { projectId } = config;
+      const project = await client.Projects.show(projectId);
+
+      if (!project) {
+        throw new BadRequestError({ message: `Could not find project with ID ${projectId}.` });
+      }
+
+      let hook: Camelize<ProjectHookSchema>;
+      try {
+        hook = await client.ProjectHooks.add(projectId, `${appCfg.SITE_URL}/secret-scanning/webhooks/gitlab`, {
+          token,
+          pushEvents: true,
+          enableSslVerification: true,
+          // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
+          name: `Infisical Secret Scanning - ${name}`
+        });
+      } catch (error) {
+        if (error instanceof GitbeakerRequestError) {
+          throw new BadRequestError({ message: `${error.message}: ${error.cause?.description ?? "Unknown Error"}` });
+        }
+
+        throw error;
+      }
+
+      try {
+        return await callback({
+          credentials: {
+            token,
+            hookId: hook.id
+          }
+        });
+      } catch (error) {
+        try {
+          await client.ProjectHooks.remove(projectId, hook.id);
+        } catch {
+          // do nothing, just try to clean up webhook
+        }
+
+        throw error;
+      }
+    }
+
+    // group scope
+    const { groupId } = config;
+
+    const group = await client.Groups.show(groupId);
+
+    if (!group) {
+      throw new BadRequestError({ message: `Could not find group with ID ${groupId}.` });
+    }
+
+    let hook: Camelize<GroupHookSchema>;
+    try {
+      hook = await client.GroupHooks.add(groupId, `${appCfg.SITE_URL}/secret-scanning/webhooks/gitlab`, {
+        token,
+        pushEvents: true,
+        enableSslVerification: true,
+        // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
+        name: `Infisical Secret Scanning - ${name}`
+      });
+    } catch (error) {
+      if (error instanceof GitbeakerRequestError) {
+        throw new BadRequestError({ message: `${error.message}: ${error.cause?.description ?? "Unknown Error"}` });
+      }
+
+      throw error;
+    }
+
+    try {
+      return await callback({
+        credentials: {
+          token,
+          hookId: hook.id
+        }
+      });
+    } catch (error) {
+      try {
+        await client.GroupHooks.remove(groupId, hook.id);
+      } catch {
+        // do nothing, just try to clean up webhook
+      }
+
+      throw error;
+    }
+  };
+
+  const postInitialization: TSecretScanningFactoryPostInitialization<
+    TGitLabDataSourceInput,
+    TGitLabConnection,
+    TGitLabDataSourceCredentials
+  > = async ({ connection, dataSourceId, credentials, payload: { config } }) => {
+    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
+    const appCfg = getConfig();
+
+    const hookUrl = `${appCfg.SITE_URL}/secret-scanning/webhooks/gitlab`;
+    const { hookId } = credentials;
+
+    if (config.scope === GitLabDataSourceScope.Project) {
+      const { projectId } = config;
+
+      try {
+        await client.ProjectHooks.edit(projectId, hookId, hookUrl, {
+          // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
+          name: `Infisical Secret Scanning - ${dataSourceId}`,
+          custom_headers: [{ key: "x-data-source-id", value: dataSourceId }]
+        });
+      } catch (error) {
+        try {
+          await client.ProjectHooks.remove(projectId, hookId);
+        } catch {
+          // do nothing, just try to clean up webhook
+        }
+
+        throw error;
+      }
+
+      return;
+    }
+
+    // group-scope
+    const { groupId } = config;
+
+    try {
+      await client.GroupHooks.edit(groupId, hookId, hookUrl, {
+        // @ts-expect-error gitbeaker is outdated, and the types don't support this field yet
+        name: `Infisical Secret Scanning - ${dataSourceId}`,
+        custom_headers: [{ key: "x-data-source-id", value: dataSourceId }]
+      });
+    } catch (error) {
+      try {
+        await client.GroupHooks.remove(groupId, hookId);
+      } catch {
+        // do nothing, just try to clean up webhook
+      }
+
+      throw error;
+    }
+  };
+
+  const listRawResources: TSecretScanningFactoryListRawResources<TGitLabDataSourceWithConnection> = async (
+    dataSource
+  ) => {
+    const { connection, config } = dataSource;
+
+    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
+
+    if (config.scope === GitLabDataSourceScope.Project) {
+      const { projectId } = config;
+
+      const project = await client.Projects.show(projectId);
+
+      if (!project) {
+        throw new BadRequestError({ message: `Could not find project with ID ${projectId}.` });
+      }
+
+      // scott: even though we have this data we want to get potentially updated name
+      return [
+        {
+          name: project.pathWithNamespace,
+          externalId: project.id.toString(),
+          type: SecretScanningResource.Project
+        }
+      ];
+    }
+
+    // group-scope
+
+    const { groupId, includeProjects } = config;
+
+    const projects = await client.Groups.allProjects(groupId, {
+      archived: false
+    });
+
+    const filteredProjects: typeof projects = [];
+    if (!includeProjects || includeProjects.includes("*")) {
+      filteredProjects.push(...projects);
+    } else {
+      filteredProjects.push(...projects.filter((project) => includeProjects.includes(project.pathWithNamespace)));
+    }
+
+    return filteredProjects.map(({ id, pathWithNamespace }) => ({
+      name: pathWithNamespace,
+      externalId: id.toString(),
+      type: SecretScanningResource.Project
+    }));
+  };
+
+  const getFullScanPath: TSecretScanningFactoryGetFullScanPath<TGitLabDataSourceWithConnection> = async ({
+    dataSource,
+    resourceName,
+    tempFolder
+  }) => {
+    const { connection } = dataSource;
+
+    const instanceUrl = await getGitLabInstanceUrl(connection.credentials.instanceUrl);
+
+    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
+
+    const user = await client.Users.showCurrentUser();
+
+    const repoPath = join(tempFolder, "repo.git");
+
+    if (!GitLabProjectRegex.test(resourceName)) {
+      throw new Error("Invalid GitLab project name");
+    }
+
+    await cloneRepository({
+      cloneUrl: `https://${user.username}:${connection.credentials.accessToken}@${getMainDomain(instanceUrl)}/${resourceName}.git`,
+      repoPath
+    });
+
+    return repoPath;
+  };
+
+  const teardown: TSecretScanningFactoryTeardown<
+    TGitLabDataSourceWithConnection,
+    TGitLabDataSourceCredentials
+  > = async ({ dataSource: { connection, config }, credentials: { hookId } }) => {
+    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
+
+    if (config.scope === GitLabDataSourceScope.Project) {
+      const { projectId } = config;
+      try {
+        await client.ProjectHooks.remove(projectId, hookId);
+      } catch (error) {
+        // do nothing, just try to clean up webhook
+      }
+      return;
+    }
+
+    const { groupId } = config;
+    try {
+      await client.GroupHooks.remove(groupId, hookId);
+    } catch (error) {
+      // do nothing, just try to clean up webhook
+    }
+  };
+
+  const getDiffScanResourcePayload: TSecretScanningFactoryGetDiffScanResourcePayload<
+    TQueueGitLabResourceDiffScan["payload"]
+  > = ({ project }) => {
+    return {
+      name: project.path_with_namespace,
+      externalId: project.id.toString(),
+      type: SecretScanningResource.Project
+    };
+  };
+
+  const getDiffScanFindingsPayload: TSecretScanningFactoryGetDiffScanFindingsPayload<
+    TGitLabDataSourceWithConnection,
+    TQueueGitLabResourceDiffScan["payload"]
+  > = async ({ dataSource, payload, resourceName, configPath }) => {
+    const { connection } = dataSource;
+
+    const client = await getGitLabConnectionClient(connection, appConnectionDAL, kmsService);
+
+    const { commits, project } = payload;
+
+    const allFindings: SecretMatch[] = [];
+
+    for (const commit of commits) {
+      // eslint-disable-next-line no-await-in-loop
+      const commitDiffs = await client.Commits.showDiff(project.id, commit.id);
+
+      for (const commitDiff of commitDiffs) {
+        // eslint-disable-next-line no-continue
+        if (commitDiff.deletedFile) continue;
+
+        // eslint-disable-next-line no-await-in-loop
+        const findings = await scanContentAndGetFindings(
+          replaceNonChangesWithNewlines(`\n${commitDiff.diff}`),
+          configPath
+        );
+
+        const adjustedFindings = findings.map((finding) => {
+          const startLine = convertPatchLineToFileLineNumber(commitDiff.diff, finding.StartLine);
+          const endLine =
+            finding.StartLine === finding.EndLine
+              ? startLine
+              : convertPatchLineToFileLineNumber(commitDiff.diff, finding.EndLine);
+          const startColumn = finding.StartColumn - 1; // subtract 1 for +
+          const endColumn = finding.EndColumn - 1; // subtract 1 for +
+          const authorName = commit.author.name;
+          const authorEmail = commit.author.email;
+
+          return {
+            ...finding,
+            StartLine: startLine,
+            EndLine: endLine,
+            StartColumn: startColumn,
+            EndColumn: endColumn,
+            File: commitDiff.newPath,
+            Commit: commit.id,
+            Author: authorName,
+            Email: authorEmail,
+            Message: commit.message,
+            Fingerprint: `${commit.id}:${commitDiff.newPath}:${finding.RuleID}:${startLine}:${startColumn}`,
+            Date: commit.timestamp,
+            Link: `https://gitlab.com/${resourceName}/blob/${commit.id}/${commitDiff.newPath}#L${startLine}`
+          };
+        });
+
+        allFindings.push(...adjustedFindings);
+      }
+    }
+
+    return allFindings.map(
+      ({
+        // discard match and secret as we don't want to store
+        Match,
+        Secret,
+        ...finding
+      }) => ({
+        details: titleCaseToCamelCase(finding),
+        fingerprint: finding.Fingerprint,
+        severity: SecretScanningFindingSeverity.High,
+        rule: finding.RuleID
+      })
+    );
+  };
+
+  const validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<
+    TGitLabDataSourceInput["config"],
+    TGitLabDataSourceWithConnection
+  > = async ({ config, dataSource }) => {
+    if (dataSource.config.scope !== config.scope) {
+      throw new BadRequestError({ message: "Cannot change Data Source scope after creation." });
+    }
+  };
+
+  return {
+    listRawResources,
+    getFullScanPath,
+    initialize,
+    postInitialization,
+    teardown,
+    getDiffScanResourcePayload,
+    getDiffScanFindingsPayload,
+    validateConfigUpdate
+  };
+};

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-schemas.ts

@@ -0,0 +1,101 @@
+import { z } from "zod";
+
+import { GitLabDataSourceScope } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums";
+import {
+  SecretScanningDataSource,
+  SecretScanningResource
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import {
+  BaseCreateSecretScanningDataSourceSchema,
+  BaseSecretScanningDataSourceSchema,
+  BaseSecretScanningFindingSchema,
+  BaseUpdateSecretScanningDataSourceSchema,
+  GitRepositoryScanFindingDetailsSchema
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-schemas";
+import { SecretScanningDataSources } from "@app/lib/api-docs";
+import { GitLabProjectRegex } from "@app/lib/regex";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const GitLabDataSourceConfigSchema = z.discriminatedUnion("scope", [
+  z.object({
+    scope: z.literal(GitLabDataSourceScope.Group).describe(SecretScanningDataSources.CONFIG.GITLAB.scope),
+    groupId: z.number().describe(SecretScanningDataSources.CONFIG.GITLAB.groupId),
+    groupName: z.string().trim().max(256).optional().describe(SecretScanningDataSources.CONFIG.GITLAB.groupName),
+    includeProjects: z
+      .array(
+        z
+          .string()
+          .min(1)
+          .max(256)
+          .refine((value) => value === "*" || GitLabProjectRegex.test(value), "Invalid project name format")
+      )
+      .nonempty("One or more projects required")
+      .max(100, "Cannot configure more than 100 projects")
+      .default(["*"])
+      .describe(SecretScanningDataSources.CONFIG.GITLAB.includeProjects)
+  }),
+  z.object({
+    scope: z.literal(GitLabDataSourceScope.Project).describe(SecretScanningDataSources.CONFIG.GITLAB.scope),
+    projectName: z.string().trim().max(256).optional().describe(SecretScanningDataSources.CONFIG.GITLAB.projectName),
+    projectId: z.number().describe(SecretScanningDataSources.CONFIG.GITLAB.projectId)
+  })
+]);
+
+export const GitLabDataSourceSchema = BaseSecretScanningDataSourceSchema({
+  type: SecretScanningDataSource.GitLab,
+  isConnectionRequired: true
+})
+  .extend({
+    config: GitLabDataSourceConfigSchema
+  })
+  .describe(
+    JSON.stringify({
+      title: "GitLab"
+    })
+  );
+
+export const CreateGitLabDataSourceSchema = BaseCreateSecretScanningDataSourceSchema({
+  type: SecretScanningDataSource.GitLab,
+  isConnectionRequired: true
+})
+  .extend({
+    config: GitLabDataSourceConfigSchema
+  })
+  .describe(
+    JSON.stringify({
+      title: "GitLab"
+    })
+  );
+
+export const UpdateGitLabDataSourceSchema = BaseUpdateSecretScanningDataSourceSchema(SecretScanningDataSource.GitLab)
+  .extend({
+    config: GitLabDataSourceConfigSchema.optional()
+  })
+  .describe(
+    JSON.stringify({
+      title: "GitLab"
+    })
+  );
+
+export const GitLabDataSourceListItemSchema = z
+  .object({
+    name: z.literal("GitLab"),
+    connection: z.literal(AppConnection.GitLab),
+    type: z.literal(SecretScanningDataSource.GitLab)
+  })
+  .describe(
+    JSON.stringify({
+      title: "GitLab"
+    })
+  );
+
+export const GitLabFindingSchema = BaseSecretScanningFindingSchema.extend({
+  resourceType: z.literal(SecretScanningResource.Project),
+  dataSourceType: z.literal(SecretScanningDataSource.GitLab),
+  details: GitRepositoryScanFindingDetailsSchema
+});
+
+export const GitLabDataSourceCredentialsSchema = z.object({
+  token: z.string(),
+  hookId: z.number()
+});

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-service.ts

@@ -0,0 +1,94 @@
+import { GitLabDataSourceScope } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-enums";
+import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { TSecretScanningV2QueueServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-queue";
+import { logger } from "@app/lib/logger";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import {
+  TGitLabDataSource,
+  TGitLabDataSourceCredentials,
+  THandleGitLabPushEvent
+} from "./gitlab-secret-scanning-types";
+
+export const gitlabSecretScanningService = (
+  secretScanningV2DAL: TSecretScanningV2DALFactory,
+  secretScanningV2Queue: Pick<TSecretScanningV2QueueServiceFactory, "queueResourceDiffScan">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const handlePushEvent = async ({ payload, token, dataSourceId }: THandleGitLabPushEvent) => {
+    if (!payload.total_commits_count || !payload.project) {
+      logger.warn(
+        `secretScanningV2PushEvent: GitLab - Insufficient data [changes=${
+          payload.total_commits_count ?? 0
+        }] [projectName=${payload.project?.path_with_namespace ?? "unknown"}] [projectId=${payload.project?.id ?? "unknown"}]`
+      );
+      return;
+    }
+
+    const dataSource = (await secretScanningV2DAL.dataSources.findOne({
+      id: dataSourceId,
+      type: SecretScanningDataSource.GitLab
+    })) as TGitLabDataSource | undefined;
+
+    if (!dataSource) {
+      logger.error(
+        `secretScanningV2PushEvent: GitLab - Could not find data source [dataSourceId=${dataSourceId}] [projectId=${payload.project.id}]`
+      );
+      return;
+    }
+
+    const { isAutoScanEnabled, config, encryptedCredentials, projectId } = dataSource;
+
+    if (!encryptedCredentials) {
+      logger.info(
+        `secretScanningV2PushEvent: GitLab - Could not find encrypted credentials [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
+      );
+      return;
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId
+    });
+
+    const decryptedCredentials = decryptor({ cipherTextBlob: encryptedCredentials });
+
+    const credentials = JSON.parse(decryptedCredentials.toString()) as TGitLabDataSourceCredentials;
+
+    if (token !== credentials.token) {
+      logger.error(
+        `secretScanningV2PushEvent: GitLab - Invalid webhook token [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
+      );
+      return;
+    }
+
+    if (!isAutoScanEnabled) {
+      logger.info(
+        `secretScanningV2PushEvent: GitLab - ignoring due to auto scan disabled [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
+      );
+      return;
+    }
+
+    if (
+      config.scope === GitLabDataSourceScope.Project
+        ? config.projectId.toString() === payload.project_id.toString()
+        : config.includeProjects.includes("*") || config.includeProjects.includes(payload.project.path_with_namespace)
+    ) {
+      await secretScanningV2Queue.queueResourceDiffScan({
+        dataSourceType: SecretScanningDataSource.GitLab,
+        payload,
+        dataSourceId: dataSource.id
+      });
+    } else {
+      logger.info(
+        `secretScanningV2PushEvent: GitLab - ignoring due to repository not being present in config [dataSourceId=${dataSource.id}] [projectId=${payload.project.id}]`
+      );
+    }
+  };
+
+  return {
+    handlePushEvent
+  };
+};

backend/src/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-types.ts

@@ -0,0 +1,97 @@
+import { z } from "zod";
+
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { TGitLabConnection } from "@app/services/app-connection/gitlab";
+
+import {
+  CreateGitLabDataSourceSchema,
+  GitLabDataSourceCredentialsSchema,
+  GitLabDataSourceListItemSchema,
+  GitLabDataSourceSchema,
+  GitLabFindingSchema
+} from "./gitlab-secret-scanning-schemas";
+
+export type TGitLabDataSource = z.infer<typeof GitLabDataSourceSchema>;
+
+export type TGitLabDataSourceInput = z.infer<typeof CreateGitLabDataSourceSchema>;
+
+export type TGitLabDataSourceListItem = z.infer<typeof GitLabDataSourceListItemSchema>;
+
+export type TGitLabFinding = z.infer<typeof GitLabFindingSchema>;
+
+export type TGitLabDataSourceWithConnection = TGitLabDataSource & {
+  connection: TGitLabConnection;
+};
+
+export type TGitLabDataSourceCredentials = z.infer<typeof GitLabDataSourceCredentialsSchema>;
+
+export type TGitLabDataSourcePushEventPayload = {
+  object_kind: "push";
+  event_name: "push";
+  before: string;
+  after: string;
+  ref: string;
+  ref_protected: boolean;
+  checkout_sha: string;
+  user_id: number;
+  user_name: string;
+  user_username: string;
+  user_email: string;
+  user_avatar: string;
+  project_id: number;
+  project: {
+    id: number;
+    name: string;
+    description: string;
+    web_url: string;
+    avatar_url: string | null;
+    git_ssh_url: string;
+    git_http_url: string;
+    namespace: string;
+    visibility_level: number;
+    path_with_namespace: string;
+    default_branch: string;
+    homepage: string;
+    url: string;
+    ssh_url: string;
+    http_url: string;
+  };
+  repository: {
+    name: string;
+    url: string;
+    description: string;
+    homepage: string;
+    git_http_url: string;
+    git_ssh_url: string;
+    visibility_level: number;
+  };
+  commits: {
+    id: string;
+    message: string;
+    title: string;
+    timestamp: string;
+    url: string;
+    author: {
+      name: string;
+      email: string;
+    };
+    added: string[];
+    modified: string[];
+    removed: string[];
+  }[];
+  total_commits_count: number;
+};
+
+export type THandleGitLabPushEvent = {
+  payload: TGitLabDataSourcePushEventPayload;
+  dataSourceId: string;
+  token: string;
+};
+
+export type TQueueGitLabResourceDiffScan = {
+  dataSourceType: SecretScanningDataSource.GitLab;
+  payload: TGitLabDataSourcePushEventPayload;
+  dataSourceId: string;
+  resourceId: string;
+  scanId: string;
+};

backend/src/ee/services/secret-scanning-v2/gitlab/index.ts

@@ -0,0 +1,3 @@
+export * from "./gitlab-secret-scanning-constants";
+export * from "./gitlab-secret-scanning-schemas";
+export * from "./gitlab-secret-scanning-types";

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-dal.ts

@@ -49,6 +49,7 @@ const baseSecretScanningDataSourceQuery = ({
       db.ref("encryptedCredentials").withSchema(TableName.AppConnection).as("connectionEncryptedCredentials"),
       db.ref("description").withSchema(TableName.AppConnection).as("connectionDescription"),
       db.ref("version").withSchema(TableName.AppConnection).as("connectionVersion"),
+      db.ref("gatewayId").withSchema(TableName.AppConnection).as("connectionGatewayId"),
       db.ref("createdAt").withSchema(TableName.AppConnection).as("connectionCreatedAt"),
       db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt"),
       db
@@ -82,6 +83,7 @@ const expandSecretScanningDataSource = <
     connectionUpdatedAt,
     connectionVersion,
     connectionIsPlatformManagedCredentials,
+    connectionGatewayId,
     ...el
   } = dataSource;
 
@@ -100,7 +102,8 @@ const expandSecretScanningDataSource = <
           createdAt: connectionCreatedAt,
           updatedAt: connectionUpdatedAt,
           version: connectionVersion,
-          isPlatformManagedCredentials: connectionIsPlatformManagedCredentials
+          isPlatformManagedCredentials: connectionIsPlatformManagedCredentials,
+          gatewayId: connectionGatewayId
         }
       : undefined
   };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-enums.ts

@@ -1,6 +1,7 @@
 export enum SecretScanningDataSource {
   GitHub = "github",
-  Bitbucket = "bitbucket"
+  Bitbucket = "bitbucket",
+  GitLab = "gitlab"
 }
 
 export enum SecretScanningScanStatus {

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-factory.ts

@@ -1,5 +1,6 @@
 import { BitbucketSecretScanningFactory } from "@app/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-factory";
 import { GitHubSecretScanningFactory } from "@app/ee/services/secret-scanning-v2/github/github-secret-scanning-factory";
+import { GitLabSecretScanningFactory } from "@app/ee/services/secret-scanning-v2/gitlab/gitlab-secret-scanning-factory";
 
 import { SecretScanningDataSource } from "./secret-scanning-v2-enums";
 import {
@@ -19,5 +20,6 @@ type TSecretScanningFactoryImplementation = TSecretScanningFactory<
 
 export const SECRET_SCANNING_FACTORY_MAP: Record<SecretScanningDataSource, TSecretScanningFactoryImplementation> = {
   [SecretScanningDataSource.GitHub]: GitHubSecretScanningFactory as TSecretScanningFactoryImplementation,
-  [SecretScanningDataSource.Bitbucket]: BitbucketSecretScanningFactory as TSecretScanningFactoryImplementation
+  [SecretScanningDataSource.Bitbucket]: BitbucketSecretScanningFactory as TSecretScanningFactoryImplementation,
+  [SecretScanningDataSource.GitLab]: GitLabSecretScanningFactory as TSecretScanningFactoryImplementation
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts

@@ -1,11 +1,22 @@
 import { AxiosError } from "axios";
 import { exec } from "child_process";
+import { join } from "path";
+import picomatch from "picomatch";
 import RE2 from "re2";
 
-import { readFindingsFile } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
+import {
+  createTempFolder,
+  deleteTempFolder,
+  readFindingsFile,
+  writeTextToFile
+} from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
 import { SecretMatch } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
 import { BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GITHUB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/github";
+import { GITLAB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/gitlab";
+import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
+import { BadRequestError } from "@app/lib/errors";
 import { titleCaseToCamelCase } from "@app/lib/fn";
 
 import { SecretScanningDataSource, SecretScanningFindingSeverity } from "./secret-scanning-v2-enums";
@@ -13,7 +24,8 @@ import { TCloneRepository, TGetFindingsPayload, TSecretScanningDataSourceListIte
 
 const SECRET_SCANNING_SOURCE_LIST_OPTIONS: Record<SecretScanningDataSource, TSecretScanningDataSourceListItem> = {
   [SecretScanningDataSource.GitHub]: GITHUB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION,
-  [SecretScanningDataSource.Bitbucket]: BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION
+  [SecretScanningDataSource.Bitbucket]: BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION,
+  [SecretScanningDataSource.GitLab]: GITLAB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION
 };
 
 export const listSecretScanningDataSourceOptions = () => {
@@ -46,6 +58,19 @@ export function scanDirectory(inputPath: string, outputPath: string, configPath?
   });
 }
 
+export function scanFile(inputPath: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git`;
+    exec(command, (error) => {
+      if (error && error.code === 77) {
+        reject(error);
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
 export const scanGitRepositoryAndGetFindings = async (
   scanPath: string,
   findingsPath: string,
@@ -140,3 +165,47 @@ export const parseScanErrorMessage = (err: unknown): string => {
     ? errorMessage
     : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };
+
+export const scanSecretPolicyViolations = async (
+  projectId: string,
+  secretPath: string,
+  secrets: { secretKey: string; secretValue: string }[],
+  ignoreValues: string[]
+) => {
+  const appCfg = getConfig();
+
+  if (!appCfg.PARAMS_FOLDER_SECRET_DETECTION_ENABLED) {
+    return;
+  }
+
+  const match = appCfg.PARAMS_FOLDER_SECRET_DETECTION_PATHS?.find(
+    (el) => el.projectId === projectId && picomatch.isMatch(secretPath, el.secretPath, { strictSlashes: false })
+  );
+
+  if (!match) {
+    return;
+  }
+
+  const tempFolder = await createTempFolder();
+  try {
+    const scanPromises = secrets
+      .filter((secret) => !ignoreValues.includes(secret.secretValue))
+      .map(async (secret) => {
+        const secretFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        await writeTextToFile(secretFilePath, `${secret.secretKey}=${secret.secretValue}`);
+
+        try {
+          await scanFile(secretFilePath);
+        } catch (error) {
+          throw new BadRequestError({
+            message: `Secret value detected in ${secret.secretKey}. Please add this instead to the designated secrets path in the project.`,
+            name: "SecretPolicyViolation"
+          });
+        }
+      });
+
+    await Promise.all(scanPromises);
+  } finally {
+    await deleteTempFolder(tempFolder);
+  }
+};

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-maps.ts

@@ -3,15 +3,18 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 
 export const SECRET_SCANNING_DATA_SOURCE_NAME_MAP: Record<SecretScanningDataSource, string> = {
   [SecretScanningDataSource.GitHub]: "GitHub",
-  [SecretScanningDataSource.Bitbucket]: "Bitbucket"
+  [SecretScanningDataSource.Bitbucket]: "Bitbucket",
+  [SecretScanningDataSource.GitLab]: "GitLab"
 };
 
 export const SECRET_SCANNING_DATA_SOURCE_CONNECTION_MAP: Record<SecretScanningDataSource, AppConnection> = {
   [SecretScanningDataSource.GitHub]: AppConnection.GitHubRadar,
-  [SecretScanningDataSource.Bitbucket]: AppConnection.Bitbucket
+  [SecretScanningDataSource.Bitbucket]: AppConnection.Bitbucket,
+  [SecretScanningDataSource.GitLab]: AppConnection.GitLab
 };
 
 export const AUTO_SYNC_DESCRIPTION_HELPER: Record<SecretScanningDataSource, { verb: string; noun: string }> = {
   [SecretScanningDataSource.GitHub]: { verb: "push", noun: "repositories" },
-  [SecretScanningDataSource.Bitbucket]: { verb: "push", noun: "repositories" }
+  [SecretScanningDataSource.Bitbucket]: { verb: "push", noun: "repositories" },
+  [SecretScanningDataSource.GitLab]: { verb: "push", noun: "projects" }
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -16,6 +16,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnection } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -48,6 +49,7 @@ type TSecretRotationV2QueueServiceFactoryDep = {
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findAllProjectMembers">;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
   auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "getItem">;
 };
@@ -62,7 +64,8 @@ export const secretScanningV2QueueServiceFactory = async ({
   smtpService,
   kmsService,
   auditLogService,
-  keyStore
+  keyStore,
+  appConnectionDAL
 }: TSecretRotationV2QueueServiceFactoryDep) => {
   const queueDataSourceFullScan = async (
     dataSource: TSecretScanningDataSourceWithConnection,
@@ -71,7 +74,10 @@ export const secretScanningV2QueueServiceFactory = async ({
     try {
       const { type } = dataSource;
 
-      const factory = SECRET_SCANNING_FACTORY_MAP[type]();
+      const factory = SECRET_SCANNING_FACTORY_MAP[type]({
+        kmsService,
+        appConnectionDAL
+      });
 
       const rawResources = await factory.listRawResources(dataSource);
 
@@ -171,7 +177,10 @@ export const secretScanningV2QueueServiceFactory = async ({
         let connection: TAppConnection | null = null;
         if (dataSource.connection) connection = await decryptAppConnection(dataSource.connection, kmsService);
 
-        const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]();
+        const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]({
+          kmsService,
+          appConnectionDAL
+        });
 
         const findingsPath = join(tempFolder, "findings.json");
 
@@ -329,7 +338,10 @@ export const secretScanningV2QueueServiceFactory = async ({
     dataSourceId,
     dataSourceType
   }: Pick<TQueueSecretScanningResourceDiffScan, "payload" | "dataSourceId" | "dataSourceType">) => {
-    const factory = SECRET_SCANNING_FACTORY_MAP[dataSourceType as SecretScanningDataSource]();
+    const factory = SECRET_SCANNING_FACTORY_MAP[dataSourceType as SecretScanningDataSource]({
+      kmsService,
+      appConnectionDAL
+    });
 
     const resourcePayload = factory.getDiffScanResourcePayload(payload);
 
@@ -391,7 +403,10 @@ export const secretScanningV2QueueServiceFactory = async ({
 
       if (!resource) throw new Error(`Resource with ID "${resourceId}" not found`);
 
-      const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]();
+      const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type as SecretScanningDataSource]({
+        kmsService,
+        appConnectionDAL
+      });
 
       const tempFolder = await createTempFolder();
 
@@ -596,7 +611,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                   numberOfSecrets: payload.numberOfSecrets,
                   isDiffScan: payload.isDiffScan,
                   url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/findings?search=scanId:${payload.scanId}`
+                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/findings?search=scanId:${payload.scanId}`
                   ),
                   timestamp
                 }
@@ -607,7 +622,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                   timestamp,
                   errorMessage: payload.errorMessage,
                   url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/data-sources/${dataSource.type}/${dataSource.id}`
+                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/data-sources/${dataSource.type}/${dataSource.id}`
                   )
                 }
         });

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { join } from "path";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -45,6 +46,7 @@ import {
 import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAppConnection } from "@app/services/app-connection/app-connection-types";
@@ -52,12 +54,14 @@ import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { bitbucketSecretScanningService } from "./bitbucket/bitbucket-secret-scanning-service";
+import { gitlabSecretScanningService } from "./gitlab/gitlab-secret-scanning-service";
 import { TSecretScanningV2DALFactory } from "./secret-scanning-v2-dal";
 import { TSecretScanningV2QueueServiceFactory } from "./secret-scanning-v2-queue";
 
 export type TSecretScanningV2ServiceFactoryDep = {
   secretScanningV2DAL: TSecretScanningV2DALFactory;
   appConnectionService: Pick<TAppConnectionServiceFactory, "connectAppConnectionById">;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretScanningV2Queue: Pick<
@@ -75,6 +79,7 @@ export const secretScanningV2ServiceFactory = ({
   appConnectionService,
   licenseService,
   secretScanningV2Queue,
+  appConnectionDAL,
   kmsService
 }: TSecretScanningV2ServiceFactoryDep) => {
   const $checkListSecretScanningDataSourcesByProjectIdPermissions = async (
@@ -94,7 +99,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -156,7 +161,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -201,7 +206,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -235,7 +240,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: payload.projectId
     });
 
@@ -254,7 +259,10 @@ export const secretScanningV2ServiceFactory = ({
       );
     }
 
-    const factory = SECRET_SCANNING_FACTORY_MAP[payload.type]();
+    const factory = SECRET_SCANNING_FACTORY_MAP[payload.type]({
+      appConnectionDAL,
+      kmsService
+    });
 
     try {
       const createdDataSource = await factory.initialize(
@@ -348,7 +356,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -362,6 +370,31 @@ export const secretScanningV2ServiceFactory = ({
         message: `Secret Scanning Data Source with ID "${dataSourceId}" is not configured for ${SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type]}`
       });
 
+    let connection: TAppConnection | null = null;
+    if (dataSource.connectionId) {
+      // validates permission to connect and app is valid for data source
+      connection = await appConnectionService.connectAppConnectionById(
+        SECRET_SCANNING_DATA_SOURCE_CONNECTION_MAP[dataSource.type],
+        dataSource.connectionId,
+        actor
+      );
+    }
+
+    const factory = SECRET_SCANNING_FACTORY_MAP[dataSource.type]({
+      appConnectionDAL,
+      kmsService
+    });
+
+    if (payload.config) {
+      await factory.validateConfigUpdate({
+        dataSource: {
+          ...dataSource,
+          connection
+        } as TSecretScanningDataSourceWithConnection,
+        config: payload.config as TSecretScanningDataSourceWithConnection["config"]
+      });
+    }
+
     try {
       const updatedDataSource = await secretScanningV2DAL.dataSources.updateById(dataSourceId, payload);
 
@@ -401,6 +434,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -414,7 +448,10 @@ export const secretScanningV2ServiceFactory = ({
         message: `Secret Scanning Data Source with ID "${dataSourceId}" is not configured for ${SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type]}`
       });
 
-    const factory = SECRET_SCANNING_FACTORY_MAP[type]();
+    const factory = SECRET_SCANNING_FACTORY_MAP[type]({
+      appConnectionDAL,
+      kmsService
+    });
 
     let connection: TAppConnection | null = null;
     if (dataSource.connection) {
@@ -474,7 +511,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -538,7 +575,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -583,7 +620,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -626,7 +663,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -669,7 +706,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -702,7 +739,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -736,7 +773,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -776,7 +813,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: finding.projectId
     });
 
@@ -807,7 +844,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -842,7 +879,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -901,6 +938,7 @@ export const secretScanningV2ServiceFactory = ({
     findSecretScanningConfigByProjectId,
     upsertSecretScanningConfig,
     github: githubSecretScanningService(secretScanningV2DAL, secretScanningV2Queue),
-    bitbucket: bitbucketSecretScanningService(secretScanningV2DAL, secretScanningV2Queue, kmsService)
+    bitbucket: bitbucketSecretScanningService(secretScanningV2DAL, secretScanningV2Queue, kmsService),
+    gitlab: gitlabSecretScanningService(secretScanningV2DAL, secretScanningV2Queue, kmsService)
   };
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-types.ts

@@ -21,14 +21,25 @@ import {
   TGitHubFinding,
   TQueueGitHubResourceDiffScan
 } from "@app/ee/services/secret-scanning-v2/github";
+import {
+  TGitLabDataSource,
+  TGitLabDataSourceCredentials,
+  TGitLabDataSourceInput,
+  TGitLabDataSourceListItem,
+  TGitLabDataSourceWithConnection,
+  TGitLabFinding,
+  TQueueGitLabResourceDiffScan
+} from "@app/ee/services/secret-scanning-v2/gitlab";
 import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
 import {
   SecretScanningDataSource,
   SecretScanningFindingStatus,
   SecretScanningScanStatus
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
-export type TSecretScanningDataSource = TGitHubDataSource | TBitbucketDataSource;
+export type TSecretScanningDataSource = TGitHubDataSource | TBitbucketDataSource | TGitLabDataSource;
 
 export type TSecretScanningDataSourceWithDetails = TSecretScanningDataSource & {
   lastScannedAt?: Date | null;
@@ -52,15 +63,25 @@ export type TSecretScanningScanWithDetails = TSecretScanningScans & {
 
 export type TSecretScanningDataSourceWithConnection =
   | TGitHubDataSourceWithConnection
-  | TBitbucketDataSourceWithConnection;
+  | TBitbucketDataSourceWithConnection
+  | TGitLabDataSourceWithConnection;
 
-export type TSecretScanningDataSourceInput = TGitHubDataSourceInput | TBitbucketDataSourceInput;
+export type TSecretScanningDataSourceInput =
+  | TGitHubDataSourceInput
+  | TBitbucketDataSourceInput
+  | TGitLabDataSourceInput;
 
-export type TSecretScanningDataSourceListItem = TGitHubDataSourceListItem | TBitbucketDataSourceListItem;
+export type TSecretScanningDataSourceListItem =
+  | TGitHubDataSourceListItem
+  | TBitbucketDataSourceListItem
+  | TGitLabDataSourceListItem;
 
-export type TSecretScanningDataSourceCredentials = TBitbucketDataSourceCredentials | undefined;
+export type TSecretScanningDataSourceCredentials =
+  | TBitbucketDataSourceCredentials
+  | TGitLabDataSourceCredentials
+  | undefined;
 
-export type TSecretScanningFinding = TGitHubFinding | TBitbucketFinding;
+export type TSecretScanningFinding = TGitHubFinding | TBitbucketFinding | TGitLabFinding;
 
 export type TListSecretScanningDataSourcesByProjectId = {
   projectId: string;
@@ -112,7 +133,10 @@ export type TQueueSecretScanningDataSourceFullScan = {
   scanId: string;
 };
 
-export type TQueueSecretScanningResourceDiffScan = TQueueGitHubResourceDiffScan | TQueueBitbucketResourceDiffScan;
+export type TQueueSecretScanningResourceDiffScan =
+  | TQueueGitHubResourceDiffScan
+  | TQueueBitbucketResourceDiffScan
+  | TQueueGitLabResourceDiffScan;
 
 export type TQueueSecretScanningSendNotification = {
   dataSource: TSecretScanningDataSources;
@@ -170,6 +194,11 @@ export type TSecretScanningFactoryInitialize<
   callback: (parameters: { credentials?: C; externalId?: string }) => Promise<TSecretScanningDataSourceRaw>
 ) => Promise<TSecretScanningDataSourceRaw>;
 
+export type TSecretScanningFactoryValidateConfigUpdate<
+  C extends TSecretScanningDataSourceInput["config"],
+  T extends TSecretScanningDataSourceWithConnection
+> = (params: { config: C; dataSource: T }) => Promise<void>;
+
 export type TSecretScanningFactoryPostInitialization<
   P extends TSecretScanningDataSourceInput,
   T extends TSecretScanningDataSourceWithConnection["connection"] | undefined = undefined,
@@ -181,17 +210,23 @@ export type TSecretScanningFactoryTeardown<
   C extends TSecretScanningDataSourceCredentials = undefined
 > = (params: { dataSource: T; credentials: C }) => Promise<void>;
 
+export type TSecretScanningFactoryParams = {
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+};
+
 export type TSecretScanningFactory<
   T extends TSecretScanningDataSourceWithConnection,
   P extends TQueueSecretScanningResourceDiffScan["payload"],
   I extends TSecretScanningDataSourceInput,
   C extends TSecretScanningDataSourceCredentials | undefined = undefined
-> = () => {
+> = (params: TSecretScanningFactoryParams) => {
   listRawResources: TSecretScanningFactoryListRawResources<T>;
   getFullScanPath: TSecretScanningFactoryGetFullScanPath<T>;
   initialize: TSecretScanningFactoryInitialize<I, T["connection"] | undefined, C>;
   postInitialization: TSecretScanningFactoryPostInitialization<I, T["connection"] | undefined, C>;
   teardown: TSecretScanningFactoryTeardown<T, C>;
+  validateConfigUpdate: TSecretScanningFactoryValidateConfigUpdate<I["config"], T>;
   getDiffScanResourcePayload: TSecretScanningFactoryGetDiffScanResourcePayload<P>;
   getDiffScanFindingsPayload: TSecretScanningFactoryGetDiffScanFindingsPayload<T, P>;
 };

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-union-schemas.ts

@@ -2,10 +2,12 @@ import { z } from "zod";
 
 import { BitbucketDataSourceSchema, BitbucketFindingSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceSchema, GitHubFindingSchema } from "@app/ee/services/secret-scanning-v2/github";
+import { GitLabDataSourceSchema, GitLabFindingSchema } from "@app/ee/services/secret-scanning-v2/gitlab";
 
 export const SecretScanningDataSourceSchema = z.discriminatedUnion("type", [
   GitHubDataSourceSchema,
-  BitbucketDataSourceSchema
+  BitbucketDataSourceSchema,
+  GitLabDataSourceSchema
 ]);
 
 export const SecretScanningFindingSchema = z.discriminatedUnion("dataSourceType", [
@@ -18,5 +20,10 @@ export const SecretScanningFindingSchema = z.discriminatedUnion("dataSourceType"
     JSON.stringify({
       title: "Bitbucket"
     })
+  ),
+  GitLabFindingSchema.describe(
+    JSON.stringify({
+      title: "GitLab"
+    })
   )
 ]);