Fix secret rotation defaults

fix: resolved project deletion not working for secret scanning on missing plan

backend/src/db/migrations/20250718133527_project-unify-revert.ts

@@ -0,0 +1,432 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+import { v4 as uuidV4 } from "uuid";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { ProjectType, TableName } from "../schemas";
+
+/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
+
+// Single query to get all projects that need any kind of kickout
+const getProjectsNeedingKickouts = async (
+  knex: Knex
+): Promise<
+  Array<{
+    id: string;
+    defaultProduct: string;
+    needsSecretManager: boolean;
+    needsCertManager: boolean;
+    needsSecretScanning: boolean;
+    needsKms: boolean;
+    needsSsh: boolean;
+  }>
+> => {
+  const result = await knex.raw(
+    `
+SELECT DISTINCT
+  p.id,
+  p."defaultProduct",
+  
+  -- Use CASE with direct joins instead of EXISTS subqueries
+  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
+  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
+  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
+  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
+  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
+
+FROM projects p
+LEFT JOIN (
+  SELECT DISTINCT e."projectId", 1 as secret_exists
+  FROM secrets_v2 s
+  JOIN secret_folders sf ON sf.id = s."folderId"
+  JOIN project_environments e ON e.id = sf."envId"
+) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ca_exists
+  FROM certificate_authorities
+) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ssds_exists
+  FROM secret_scanning_data_sources
+) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as kms_exists
+  FROM kms_keys
+  WHERE "isReserved" = false
+) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
+
+LEFT JOIN (
+  SELECT DISTINCT sca."projectId", 1 as ssh_exists
+  FROM ssh_certificates sc
+  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
+) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
+
+WHERE p."defaultProduct" IS NOT NULL
+  AND (
+    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
+  )
+    `
+  );
+
+  return result.rows;
+};
+
+const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
+  const newProjectId = uuidV4();
+  const project = await knex(TableName.Project).where("id", projectId).first();
+  await knex(TableName.Project).insert({
+    ...project,
+    type: projectType,
+    defaultProduct: null,
+    // @ts-ignore id is required
+    id: newProjectId,
+    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
+  });
+
+  const customRoleMapping: Record<string, string> = {};
+  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
+  if (projectCustomRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectRoles,
+      projectCustomRoles.map((el) => {
+        const id = uuidV4();
+        customRoleMapping[el.id] = id;
+        return {
+          ...el,
+          id,
+          projectId: newProjectId,
+          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
+        };
+      })
+    );
+  }
+  const groupMembershipMapping: Record<string, string> = {};
+  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
+  if (groupMemberships.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembership,
+      groupMemberships.map((el) => {
+        const id = uuidV4();
+        groupMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    groupMemberships.map((el) => el.id)
+  );
+  if (groupMembershipRoles.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembershipRole,
+      groupMembershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const identityProjectMembershipMapping: Record<string, string> = {};
+  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
+  if (identities.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembership,
+      identities.map((el) => {
+        const id = uuidV4();
+        identityProjectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    identities.map((el) => el.id)
+  );
+  if (identitiesRoles.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identitiesRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const projectMembershipMapping: Record<string, string> = {};
+  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
+  if (projectUserMembers.length) {
+    await knex.batchInsert(
+      TableName.ProjectMembership,
+      projectUserMembers.map((el) => {
+        const id = uuidV4();
+        projectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
+    "projectMembershipId",
+    projectUserMembers.map((el) => el.id)
+  );
+  if (membershipRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      membershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
+  if (kmsKeys.length) {
+    await knex.batchInsert(
+      TableName.KmsKey,
+      kmsKeys.map((el) => {
+        const id = uuidV4();
+        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
+        return { ...el, id, slug, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
+  if (projectBot) {
+    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
+    await knex(TableName.ProjectBot).insert(newProjectBot);
+  }
+
+  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
+  if (projectKeys.length) {
+    await knex.batchInsert(
+      TableName.ProjectKeys,
+      projectKeys.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
+  if (projectGateways.length) {
+    await knex.batchInsert(
+      TableName.ProjectGateway,
+      projectGateways.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
+  if (projectSlackConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectSlackConfigs,
+      projectSlackConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
+  if (projectMicrosoftTeamsConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectMicrosoftTeamsConfigs,
+      projectMicrosoftTeamsConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
+  if (trustedIps.length) {
+    await knex.batchInsert(
+      TableName.TrustedIps,
+      trustedIps.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  return newProjectId;
+};
+
+const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
+  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
+  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
+  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
+  await knex(TableName.KmsKey)
+    .where("projectId", oldProjectId)
+    .andWhere("isReserved", false)
+    .update("projectId", newProjectId);
+  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
+  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const BATCH_SIZE = 1000;
+const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
+
+export async function up(knex: Knex): Promise<void> {
+  const result = await knex.raw("SHOW statement_timeout");
+  const originalTimeout = result.rows[0].statement_timeout;
+
+  try {
+    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
+
+    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+    if (hasTemplateTypeColumn) {
+      await knex(TableName.ProjectTemplates).whereNull("type").update({
+        type: ProjectType.SecretManager
+      });
+      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
+      });
+    }
+
+    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+    if (hasTypeColumn && hasDefaultTypeColumn) {
+      await knex(TableName.Project).update({
+        // eslint-disable-next-line
+        // @ts-ignore this is because this field is created later
+        type: knex.raw(`"defaultProduct"`)
+      });
+
+      await knex.schema.alterTable(TableName.Project, (t) => {
+        t.string("type").notNullable().alter();
+        t.string("defaultProduct").nullable().alter();
+      });
+
+      // Get all projects that need kickouts in a single query
+      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
+
+      // Process projects in batches to avoid overwhelming the database
+      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
+        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
+        const processedIds: string[] = [];
+
+        for (const project of batch) {
+          const kickoutPromises: Promise<void>[] = [];
+
+          // Only add kickouts that are actually needed (flags are pre-computed)
+          if (project.needsSecretManager) {
+            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
+          }
+          if (project.needsCertManager) {
+            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
+          }
+          if (project.needsKms) {
+            kickoutPromises.push(kickOutKmsProject(knex, project.id));
+          }
+          if (project.needsSsh) {
+            kickoutPromises.push(kickOutSshProject(knex, project.id));
+          }
+          if (project.needsSecretScanning) {
+            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
+          }
+
+          // Execute all kickouts in parallel and handle any failures gracefully
+          if (kickoutPromises.length > 0) {
+            const results = await Promise.allSettled(kickoutPromises);
+
+            // Log any failures for debugging
+            results.forEach((res) => {
+              if (res.status === "rejected") {
+                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
+              }
+            });
+          }
+
+          processedIds.push(project.id);
+        }
+
+        // Clear defaultProduct for the processed batch
+        if (processedIds.length > 0) {
+          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
+        }
+      }
+    }
+  } finally {
+    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+  if (hasTypeColumn && hasDefaultTypeColumn) {
+    await knex(TableName.Project).update({
+      // eslint-disable-next-line
+      // @ts-ignore this is because this field is created later
+      defaultProduct: knex.raw(`
+    CASE 
+      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
+      ELSE "type" 
+    END
+  `)
+    });
+
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type").nullable().alter();
+      t.string("defaultProduct").notNullable().alter();
+    });
+  }
+
+  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+  if (hasTemplateTypeColumn) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      t.string("type").nullable().alter();
+    });
+  }
+}

backend/src/db/schemas/models.ts

@@ -267,6 +267,16 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  SecretScanning = ProjectType.SecretScanning,
+  // project operations that happen on all types
+  Any = "any"
+}
+
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().nullable().optional()
+  type: z.string().default("secret-manager")
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,12 +25,12 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string().nullable().optional(),
+  type: z.string(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().default("secret-manager")
+  defaultProduct: z.string().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
+      querystring: z.object({
+        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
+      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,10 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
+        req.permission,
+        req.query.type
+      );
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -191,6 +197,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
+        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -315,10 +315,12 @@ export const registerSecretRotationEndpoints = <
       querystring: z.object({
         deleteSecrets: z
           .enum(["true", "false"])
+          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).deleteSecrets),
         revokeGeneratedCredentials: z
           .enum(["true", "false"])
+          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
       }),

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -116,7 +117,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -272,7 +274,8 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
@@ -337,7 +340,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -533,7 +537,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -583,7 +588,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -622,7 +628,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -107,7 +107,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -216,7 +217,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -289,7 +290,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -335,7 +337,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (!membership) {
@@ -551,7 +554,7 @@ export const accessApprovalRequestServiceFactory = ({
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
                   environment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
+                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -582,7 +585,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -37,7 +38,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (targetActorType === ActorType.USER) {
@@ -58,7 +60,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     const appCfg = getConfig();

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -37,7 +38,8 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -77,7 +78,8 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -84,7 +85,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -200,7 +202,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -297,7 +300,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -385,7 +389,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -432,7 +437,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -78,7 +79,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -207,7 +209,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -358,7 +361,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -423,7 +427,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -487,7 +492,8 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       // verify user has access to each env in request
@@ -530,7 +536,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -578,7 +585,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -615,7 +623,8 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -659,7 +668,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/gateway/gateway-service.ts

@@ -566,6 +566,14 @@ export const gatewayServiceFactory = ({
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
     const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
+
+    const orgLicensePlan = await licenseService.getPlan(orgGatewayConfig.orgId);
+    if (!orgLicensePlan.gateway) {
+      throw new BadRequestError({
+        message: "Please upgrade your instance to Infisical's Enterprise plan to use gateways."
+      });
+    }
+
     const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: orgGatewayConfig.orgId

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -158,7 +160,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -169,7 +172,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -256,7 +260,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -267,7 +272,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -315,7 +321,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -349,7 +356,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -384,7 +392,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -85,7 +87,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -172,7 +175,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -185,7 +189,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -288,7 +293,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -300,7 +306,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -359,7 +366,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -401,7 +409,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
@@ -78,7 +79,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -131,7 +133,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -162,7 +165,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -195,7 +199,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -216,7 +221,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -252,7 +258,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,6 +1,7 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionSet } from "./org-permission";
@@ -20,6 +21,7 @@ export type TGetUserProjectPermissionArg = {
   userId: string;
   projectId: string;
   authMethod: ActorAuthMethod;
+  actionProjectType: ActionProjectType;
   userOrgId?: string;
 };
 
@@ -27,12 +29,14 @@ export type TGetIdentityProjectPermissionArg = {
   identityId: string;
   projectId: string;
   identityOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetServiceTokenProjectPermissionArg = {
   serviceTokenId: string;
   projectId: string;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetProjectPermissionArg = {
@@ -41,6 +45,7 @@ export type TGetProjectPermissionArg = {
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TPermissionServiceFactory = {
@@ -138,7 +143,13 @@ export type TPermissionServiceFactory = {
         };
       }
   >;
-  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({
+    userId,
+    projectId,
+    authMethod,
+    userOrgId,
+    actionProjectType
+  }: TGetUserProjectPermissionArg) => Promise<{
     permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
     membership: {
       id: string;

backend/src/ee/services/permission/permission-service.ts

@@ -5,6 +5,7 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
+  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
   ServiceTokenScopes,
@@ -213,7 +214,8 @@ export const permissionServiceFactory = ({
     userId,
     projectId,
     authMethod,
-    userOrgId
+    userOrgId,
+    actionProjectType
   }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -240,6 +242,12 @@ export const permissionServiceFactory = ({
       userProjectPermission.orgRole
     );
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -287,7 +295,8 @@ export const permissionServiceFactory = ({
   const getIdentityProjectPermission = async ({
     identityId,
     projectId,
-    identityOrgId
+    identityOrgId,
+    actionProjectType
   }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
@@ -307,6 +316,12 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -361,7 +376,8 @@ export const permissionServiceFactory = ({
   const getServiceTokenProjectPermission = async ({
     serviceTokenId,
     projectId,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetServiceTokenProjectPermissionArg) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -386,6 +402,12 @@ export const permissionServiceFactory = ({
       });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
+      throw new BadRequestError({
+        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -537,7 +559,8 @@ export const permissionServiceFactory = ({
     actorId: inputActorId,
     projectId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
     let actor = inputActor;
     let actorId = inputActorId;
@@ -558,19 +581,22 @@ export const permissionServiceFactory = ({
           userId: actorId,
           projectId,
           authMethod: actorAuthMethod,
-          userOrgId: actorOrgId
+          userOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
         return getServiceTokenProjectPermission({
           serviceTokenId: actorId,
           projectId,
-          actorOrgId
+          actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
         return getIdentityProjectPermission({
           identityId: actorId,
           projectId,
-          identityOrgId: actorOrgId
+          identityOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({

backend/src/ee/services/pit/pit-service.ts

@@ -1,6 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -348,7 +349,8 @@ export const pitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(userPermission).throwUnlessCan(

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   InfisicalProjectTemplate,
   TUnpackedPermission
@@ -6,18 +7,21 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"
 
 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
 
-export const getDefaultProjectTemplate = (orgId: string) => ({
+export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
   id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
+  type,
   name: InfisicalProjectTemplate.Default,
   createdAt: new Date(),
   updatedAt: new Date(),
-  description: `Infisical's default project template`,
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
-    name: string;
-    slug: string;
-    permissions: TUnpackedPermission[];
-  }>,
+  description: `Infisical's ${type} default project template`,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
+    ({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })
+  ),
   orgId
 });
 

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -29,11 +29,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
   ...rest,
   environments: environments as TProjectTemplateEnvironment[],
   roles: [
-    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
+      ({ name, slug, permissions }) => ({
+        name,
+        slug,
+        permissions: permissions as TUnpackedPermission[]
+      })
+    ),
     ...(roles as TProjectTemplateRole[]).map((role) => ({
       ...role,
       permissions: unpackPermissions(role.permissions)
@@ -46,7 +48,10 @@ export const projectTemplateServiceFactory = ({
   permissionService,
   projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
+    actor,
+    type
+  ) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.projectTemplates)
@@ -65,11 +70,14 @@ export const projectTemplateServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
 
     const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
+      ...(type ? { type } : {})
     });
 
     return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
+        ? [getDefaultProjectTemplate(actor.orgId, type)]
+        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
       ...projectTemplates.map((template) => $unpackProjectTemplate(template))
     ];
   };
@@ -134,7 +142,7 @@ export const projectTemplateServiceFactory = ({
   };
 
   const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, ...params },
+    { roles, environments, type, ...params },
     actor
   ) => {
     const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +162,10 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
 
+    if (environments && type !== ProjectType.SecretManager) {
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+    }
+
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({
         // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -176,8 +188,10 @@ export const projectTemplateServiceFactory = ({
     const projectTemplate = await projectTemplateDAL.create({
       ...params,
       roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId
+      environments:
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId,
+      type
     });
 
     return $unpackProjectTemplate(projectTemplate);
@@ -208,6 +222,11 @@ export const projectTemplateServiceFactory = ({
     );
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
+    if (projectTemplate.type !== ProjectType.SecretManager && environments)
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+
+    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
+      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
 
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -15,6 +15,7 @@ export type TProjectTemplateRole = {
 
 export type TCreateProjectTemplateDTO = {
   name: string;
+  type: ProjectType;
   description?: string;
   roles: TProjectTemplateRole[];
   environments?: TProjectTemplateEnvironment[] | null;
@@ -29,11 +30,15 @@ export enum InfisicalProjectTemplate {
 }
 
 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
+  listProjectTemplatesByOrg: (
+    actor: OrgServiceActor,
+    type?: ProjectType
+  ) => Promise<
     (
       | {
           id: string;
           name: InfisicalProjectTemplate;
+          type: string;
           createdAt: Date;
           updatedAt: Date;
           description: string;
@@ -58,6 +63,7 @@ export type TProjectTemplateServiceFactory = {
         }
       | {
           environments: TProjectTemplateEnvironment[];
+          type: string;
           roles: {
             permissions: {
               action: string[];
@@ -94,6 +100,7 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
+    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -118,6 +125,7 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
+    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -140,6 +148,7 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
+    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -162,6 +171,7 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
+    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -184,6 +194,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@@ -69,7 +70,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -164,7 +166,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@@ -172,7 +175,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -272,7 +276,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -317,7 +322,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -343,7 +349,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -110,7 +111,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -304,7 +306,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -459,7 +462,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -498,7 +502,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
@@ -542,7 +547,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
@@ -568,7 +574,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -3,6 +3,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 
 import {
+  ActionProjectType,
   ProjectMembershipRole,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
@@ -184,7 +185,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
@@ -211,7 +213,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -263,7 +266,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -412,7 +416,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -481,7 +486,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -537,7 +543,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (
@@ -955,7 +962,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
+          approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
@@ -1089,7 +1096,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@@ -1380,7 +1388,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";
 
-import { SecretType, TableName } from "@app/db/schemas";
+import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -223,7 +223,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -274,7 +274,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -320,7 +320,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -385,7 +385,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -429,7 +429,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -631,7 +631,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -781,7 +781,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1113,7 +1113,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1160,7 +1160,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1212,7 +1212,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1328,7 +1328,8 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -66,7 +66,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -97,7 +98,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -213,7 +215,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -263,7 +266,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Edit,
@@ -283,7 +287,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: doc.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Delete,

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { join } from "path";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -94,7 +95,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -156,7 +157,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -201,7 +202,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -235,7 +236,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: payload.projectId
     });
 
@@ -348,7 +349,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -401,6 +402,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -474,7 +476,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -538,7 +540,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -583,7 +585,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -626,7 +628,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -669,7 +671,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -702,7 +704,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -736,7 +738,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -776,7 +778,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: finding.projectId
     });
 
@@ -807,7 +809,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -842,7 +844,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -2,7 +2,7 @@
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
 import { ForbiddenError } from "@casl/ability";
 
-import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -103,7 +103,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
@@ -139,7 +140,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
@@ -167,7 +169,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId: snapshot.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
@@ -391,7 +394,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId: snapshot.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -58,7 +59,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -130,7 +132,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -198,7 +201,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -224,7 +228,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
@@ -79,7 +80,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
@@ -171,7 +173,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -267,7 +270,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -290,7 +294,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
@@ -316,7 +321,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -354,7 +360,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -393,7 +400,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);

backend/src/ee/services/ssh-host/ssh-host-fns.ts

@@ -1,5 +1,6 @@
 import { Knex } from "knex";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -62,7 +63,8 @@ export const createSshLoginMappings = async ({
             userId: user.id,
             projectId,
             authMethod: actorAuthMethod,
-            userOrgId: actorOrgId
+            userOrgId: actorOrgId,
+            actionProjectType: ActionProjectType.SSH
           });
         }
 

backend/src/ee/services/ssh-host/ssh-host-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -111,7 +112,8 @@ export const sshHostServiceFactory = ({
           actorId,
           projectId: project.id,
           actorAuthMethod,
-          actorOrgId
+          actorOrgId,
+          actionProjectType: ActionProjectType.SSH
         });
 
         const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
@@ -144,7 +146,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -273,7 +276,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -334,7 +338,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -362,7 +367,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -401,7 +407,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     const internalPrincipals = await convertActorToPrincipals({
@@ -520,7 +527,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ssh/ssh-certificate-authority-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -72,7 +73,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -107,7 +109,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -175,7 +178,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -213,7 +217,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -254,7 +259,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -375,7 +381,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -472,7 +479,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/trusted-ip/trusted-ip-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -35,7 +36,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
     const trustedIps = await trustedIpDAL.find({
@@ -59,7 +61,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
@@ -104,7 +107,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
@@ -149,7 +153,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 

backend/src/lib/api-docs/constants.ts

@@ -2290,6 +2290,9 @@ export const AppConnections = {
       accessKey: "The Key used to access Supabase.",
       instanceUrl: "The URL used to access Supabase."
     },
+    DIGITAL_OCEAN_APP_PLATFORM: {
+      apiToken: "The API token used to authenticate with Digital Ocean App Platform."
+    },
     OKTA: {
       instanceUrl: "The URL used to access your Okta organization.",
       apiToken: "The API token used to authenticate with Okta."
@@ -2506,6 +2509,11 @@ export const SecretSyncs = {
     SUPABASE: {
       projectId: "The ID of the Supabase project to sync secrets to.",
       projectName: "The name of the Supabase project to sync secrets to."
+    },
+    BITBUCKET: {
+      workspaceSlug: "The Bitbucket Workspace slug to sync secrets to.",
+      repositorySlug: "The Bitbucket Repository slug to sync secrets to.",
+      environmentId: "The Bitbucket Deployment Environment uuid to sync secrets to."
     }
   }
 };

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -51,6 +51,10 @@ import {
   DatabricksConnectionListItemSchema,
   SanitizedDatabricksConnectionSchema
 } from "@app/services/app-connection/databricks";
+import {
+  DigitalOceanConnectionListItemSchema,
+  SanitizedDigitalOceanConnectionSchema
+} from "@app/services/app-connection/digital-ocean";
 import { FlyioConnectionListItemSchema, SanitizedFlyioConnectionSchema } from "@app/services/app-connection/flyio";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
@@ -140,6 +144,7 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedRailwayConnectionSchema.options,
   ...SanitizedChecklyConnectionSchema.options,
   ...SanitizedSupabaseConnectionSchema.options,
+  ...SanitizedDigitalOceanConnectionSchema.options,
   ...SanitizedOktaConnectionSchema.options
 ]);
 
@@ -178,6 +183,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   RailwayConnectionListItemSchema,
   ChecklyConnectionListItemSchema,
   SupabaseConnectionListItemSchema,
+  DigitalOceanConnectionListItemSchema,
   OktaConnectionListItemSchema
 ]);
 

backend/src/server/routes/v1/app-connection-routers/bitbucket-connection-router.ts

@@ -85,4 +85,40 @@ export const registerBitbucketConnectionRouter = async (server: FastifyZodProvid
       return { repositories };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/environments`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        workspaceSlug: z.string().min(1).max(255),
+        repositorySlug: z.string().min(1).max(255)
+      }),
+      response: {
+        200: z.object({
+          environments: z.object({ slug: z.string(), name: z.string(), uuid: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        params: { connectionId },
+        query: { workspaceSlug, repositorySlug }
+      } = req;
+
+      const environments = await server.services.appConnection.bitbucket.listEnvironments(
+        { connectionId, workspaceSlug, repositorySlug },
+        req.permission
+      );
+
+      return { environments };
+    }
+  });
 };

backend/src/server/routes/v1/app-connection-routers/digital-ocean-connection-router.ts

@@ -0,0 +1,57 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateDigitalOceanConnectionSchema,
+  SanitizedDigitalOceanConnectionSchema,
+  UpdateDigitalOceanConnectionSchema
+} from "@app/services/app-connection/digital-ocean";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerDigitalOceanConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.DigitalOcean,
+    server,
+    createSchema: CreateDigitalOceanConnectionSchema,
+    updateSchema: UpdateDigitalOceanConnectionSchema,
+    sanitizedResponseSchema: SanitizedDigitalOceanConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          apps: z
+            .object({
+              id: z.string(),
+              spec: z.object({
+                name: z.string()
+              })
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const apps = await server.services.appConnection.digitalOcean.listApps(connectionId, req.permission);
+
+      return { apps };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -14,6 +14,7 @@ import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerChecklyConnectionRouter } from "./checkly-connection-router";
 import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
+import { registerDigitalOceanConnectionRouter } from "./digital-ocean-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
@@ -74,5 +75,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Railway]: registerRailwayConnectionRouter,
     [AppConnection.Checkly]: registerChecklyConnectionRouter,
     [AppConnection.Supabase]: registerSupabaseConnectionRouter,
+    [AppConnection.DigitalOcean]: registerDigitalOceanConnectionRouter,
     [AppConnection.Okta]: registerOktaConnectionRouter
   };

backend/src/server/routes/v1/dashboard-router.ts

@@ -270,6 +270,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
               }
             }
           });
+
+          remainingLimit -= imports.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
         }
       }
 
@@ -312,7 +317,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!includeDynamicSecrets && !includeSecrets && !includeSecretRotations)
+      if (!includeDynamicSecrets && !includeSecrets)
         return {
           folders,
           totalFolderCount,
@@ -542,6 +547,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           (totalFolderCount ?? 0) +
           (totalDynamicSecretCount ?? 0) +
           (totalSecretCount ?? 0) +
+          (totalImportCount ?? 0) +
           (totalSecretRotationCount ?? 0)
       };
     }

backend/src/server/routes/v1/project-router.ts

@@ -158,7 +158,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         includeRoles: z
           .enum(["true", "false"])
           .default("false")
-          .transform((value) => value === "true")
+          .transform((value) => value === "true"),
+        type: z.nativeEnum(ProjectType).optional()
       }),
       response: {
         200: z.object({
@@ -177,7 +178,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        type: req.query.type
       });
       return { workspaces };
     }
@@ -1050,6 +1052,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         limit: z.number().default(100),
         offset: z.number().default(0),
+        type: z.nativeEnum(ProjectType).optional(),
         orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
         orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
         name: z

backend/src/server/routes/v1/secret-sync-routers/bitbucket-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  BitbucketSyncSchema,
+  CreateBitbucketSyncSchema,
+  UpdateBitbucketSyncSchema
+} from "@app/services/secret-sync/bitbucket";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerBitbucketSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Bitbucket,
+    server,
+    responseSchema: BitbucketSyncSchema,
+    createSchema: CreateBitbucketSyncSchema,
+    updateSchema: UpdateBitbucketSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/digital-ocean-app-platform-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateDigitalOceanAppPlatformSyncSchema,
+  DigitalOceanAppPlatformSyncSchema,
+  UpdateDigitalOceanAppPlatformSyncSchema
+} from "@app/services/secret-sync/digital-ocean-app-platform";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerDigitalOceanAppPlatformSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.DigitalOceanAppPlatform,
+    server,
+    responseSchema: DigitalOceanAppPlatformSyncSchema,
+    createSchema: CreateDigitalOceanAppPlatformSyncSchema,
+    updateSchema: UpdateDigitalOceanAppPlatformSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -7,11 +7,13 @@ import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-
 import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
+import { registerBitbucketSyncRouter } from "./bitbucket-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerChecklySyncRouter } from "./checkly-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
+import { registerDigitalOceanAppPlatformSyncRouter } from "./digital-ocean-app-platform-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
@@ -57,5 +59,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Supabase]: registerSupabaseSyncRouter,
   [SecretSync.Zabbix]: registerZabbixSyncRouter,
   [SecretSync.Railway]: registerRailwaySyncRouter,
-  [SecretSync.Checkly]: registerChecklySyncRouter
+  [SecretSync.Checkly]: registerChecklySyncRouter,
+  [SecretSync.DigitalOceanAppPlatform]: registerDigitalOceanAppPlatformSyncRouter,
+  [SecretSync.Bitbucket]: registerBitbucketSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -21,6 +21,7 @@ import {
 } from "@app/services/secret-sync/azure-app-configuration";
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
+import { BitbucketSyncListItemSchema, BitbucketSyncSchema } from "@app/services/secret-sync/bitbucket";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import { ChecklySyncListItemSchema, ChecklySyncSchema } from "@app/services/secret-sync/checkly/checkly-sync-schemas";
 import {
@@ -32,6 +33,10 @@ import {
   CloudflareWorkersSyncSchema
 } from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
+import {
+  DigitalOceanAppPlatformSyncListItemSchema,
+  DigitalOceanAppPlatformSyncSchema
+} from "@app/services/secret-sync/digital-ocean-app-platform";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
@@ -75,7 +80,9 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   SupabaseSyncSchema,
   ZabbixSyncSchema,
   RailwaySyncSchema,
-  ChecklySyncSchema
+  ChecklySyncSchema,
+  DigitalOceanAppPlatformSyncSchema,
+  BitbucketSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -102,11 +109,12 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   GitLabSyncListItemSchema,
   CloudflarePagesSyncListItemSchema,
   CloudflareWorkersSyncListItemSchema,
-
+  DigitalOceanAppPlatformSyncListItemSchema,
   ZabbixSyncListItemSchema,
   RailwaySyncListItemSchema,
   ChecklySyncListItemSchema,
-  SupabaseSyncListItemSchema
+  SupabaseSyncListItemSchema,
+  BitbucketSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -33,6 +33,7 @@ export enum AppConnection {
   Bitbucket = "bitbucket",
   Checkly = "checkly",
   Supabase = "supabase",
+  DigitalOcean = "digital-ocean",
   Okta = "okta"
 }
 

backend/src/services/app-connection/app-connection-fns.ts

@@ -68,6 +68,11 @@ import {
   getDatabricksConnectionListItem,
   validateDatabricksConnectionCredentials
 } from "./databricks";
+import {
+  DigitalOceanConnectionMethod,
+  getDigitalOceanConnectionListItem,
+  validateDigitalOceanConnectionCredentials
+} from "./digital-ocean";
 import { FlyioConnectionMethod, getFlyioConnectionListItem, validateFlyioConnectionCredentials } from "./flyio";
 import { GcpConnectionMethod, getGcpConnectionListItem, validateGcpConnectionCredentials } from "./gcp";
 import { getGitHubConnectionListItem, GitHubConnectionMethod, validateGitHubConnectionCredentials } from "./github";
@@ -157,6 +162,7 @@ export const listAppConnectionOptions = () => {
     getBitbucketConnectionListItem(),
     getChecklyConnectionListItem(),
     getSupabaseConnectionListItem(),
+    getDigitalOceanConnectionListItem(),
     getOktaConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -244,6 +250,7 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Checkly]: validateChecklyConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.DigitalOcean]: validateDigitalOceanConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
@@ -283,6 +290,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case CloudflareConnectionMethod.APIToken:
     case BitbucketConnectionMethod.ApiToken:
     case ZabbixConnectionMethod.ApiToken:
+    case DigitalOceanConnectionMethod.ApiToken:
     case OktaConnectionMethod.ApiToken:
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
@@ -372,6 +380,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
   [AppConnection.Checkly]: platformManagedCredentialsNotSupported,
   [AppConnection.Supabase]: platformManagedCredentialsNotSupported,
+  [AppConnection.DigitalOcean]: platformManagedCredentialsNotSupported,
   [AppConnection.Okta]: platformManagedCredentialsNotSupported
 };
 

backend/src/services/app-connection/app-connection-maps.ts

@@ -35,6 +35,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Bitbucket]: "Bitbucket",
   [AppConnection.Checkly]: "Checkly",
   [AppConnection.Supabase]: "Supabase",
+  [AppConnection.DigitalOcean]: "DigitalOcean App Platform",
   [AppConnection.Okta]: "Okta"
 };
 
@@ -73,5 +74,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
   [AppConnection.Checkly]: AppConnectionPlanType.Regular,
   [AppConnection.Supabase]: AppConnectionPlanType.Regular,
+  [AppConnection.DigitalOcean]: AppConnectionPlanType.Regular,
   [AppConnection.Okta]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -61,6 +61,8 @@ import { ValidateCloudflareConnectionCredentialsSchema } from "./cloudflare/clou
 import { cloudflareConnectionService } from "./cloudflare/cloudflare-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
 import { databricksConnectionService } from "./databricks/databricks-connection-service";
+import { ValidateDigitalOceanConnectionCredentialsSchema } from "./digital-ocean";
+import { digitalOceanAppPlatformConnectionService } from "./digital-ocean/digital-ocean-connection-service";
 import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
 import { flyioConnectionService } from "./flyio/flyio-connection-service";
 import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
@@ -145,6 +147,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
   [AppConnection.Checkly]: ValidateChecklyConnectionCredentialsSchema,
   [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema,
+  [AppConnection.DigitalOcean]: ValidateDigitalOceanConnectionCredentialsSchema,
   [AppConnection.Okta]: ValidateOktaConnectionCredentialsSchema
 };
 
@@ -607,6 +610,7 @@ export const appConnectionServiceFactory = ({
     bitbucket: bitbucketConnectionService(connectAppConnectionById),
     checkly: checklyConnectionService(connectAppConnectionById),
     supabase: supabaseConnectionService(connectAppConnectionById),
+    digitalOcean: digitalOceanAppPlatformConnectionService(connectAppConnectionById),
     okta: oktaConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -87,6 +87,12 @@ import {
   TDatabricksConnectionInput,
   TValidateDatabricksConnectionCredentialsSchema
 } from "./databricks";
+import {
+  TDigitalOceanConnection,
+  TDigitalOceanConnectionConfig,
+  TDigitalOceanConnectionInput,
+  TValidateDigitalOceanCredentialsSchema
+} from "./digital-ocean";
 import {
   TFlyioConnection,
   TFlyioConnectionConfig,
@@ -238,6 +244,7 @@ export type TAppConnection = { id: string } & (
   | TRailwayConnection
   | TChecklyConnection
   | TSupabaseConnection
+  | TDigitalOceanConnection
   | TOktaConnection
 );
 
@@ -280,6 +287,7 @@ export type TAppConnectionInput = { id: string } & (
   | TRailwayConnectionInput
   | TChecklyConnectionInput
   | TSupabaseConnectionInput
+  | TDigitalOceanConnectionInput
   | TOktaConnectionInput
 );
 
@@ -330,6 +338,7 @@ export type TAppConnectionConfig =
   | TRailwayConnectionConfig
   | TChecklyConnectionConfig
   | TSupabaseConnectionConfig
+  | TDigitalOceanConnectionConfig
   | TOktaConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
@@ -367,6 +376,7 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateRailwayConnectionCredentialsSchema
   | TValidateChecklyConnectionCredentialsSchema
   | TValidateSupabaseConnectionCredentialsSchema
+  | TValidateDigitalOceanCredentialsSchema
   | TValidateOktaConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {

backend/src/services/app-connection/bitbucket/bitbucket-connection-fns.ts

@@ -9,6 +9,7 @@ import { BitbucketConnectionMethod } from "./bitbucket-connection-enums";
 import {
   TBitbucketConnection,
   TBitbucketConnectionConfig,
+  TBitbucketEnvironment,
   TBitbucketRepo,
   TBitbucketWorkspace
 } from "./bitbucket-connection-types";
@@ -21,11 +22,15 @@ export const getBitbucketConnectionListItem = () => {
   };
 };
 
+export const createAuthHeader = (email: string, apiToken: string): string => {
+  return `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`;
+};
+
 export const getBitbucketUser = async ({ email, apiToken }: { email: string; apiToken: string }) => {
   try {
     const { data } = await request.get<{ username: string }>(`${IntegrationUrls.BITBUCKET_API_URL}/2.0/user`, {
       headers: {
-        Authorization: `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`,
+        Authorization: createAuthHeader(email, apiToken),
         Accept: "application/json"
       }
     });
@@ -57,7 +62,7 @@ export const listBitbucketWorkspaces = async (appConnection: TBitbucketConnectio
   const { email, apiToken } = appConnection.credentials;
 
   const headers = {
-    Authorization: `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`,
+    Authorization: createAuthHeader(email, apiToken),
     Accept: "application/json"
   };
 
@@ -89,7 +94,7 @@ export const listBitbucketRepositories = async (appConnection: TBitbucketConnect
   const { email, apiToken } = appConnection.credentials;
 
   const headers = {
-    Authorization: `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`,
+    Authorization: createAuthHeader(email, apiToken),
     Accept: "application/json"
   };
 
@@ -115,3 +120,43 @@ export const listBitbucketRepositories = async (appConnection: TBitbucketConnect
 
   return allRepos;
 };
+
+export const listBitbucketEnvironments = async (
+  appConnection: TBitbucketConnection,
+  workspaceSlug: string,
+  repositorySlug: string
+) => {
+  const { email, apiToken } = appConnection.credentials;
+
+  const headers = {
+    Authorization: createAuthHeader(email, apiToken),
+    Accept: "application/json"
+  };
+
+  const environments: TBitbucketEnvironment[] = [];
+  let hasNextPage = true;
+
+  let environmentsUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${encodeURIComponent(workspaceSlug)}/${encodeURIComponent(repositorySlug)}/environments?pagelen=100`;
+
+  let iterationCount = 0;
+  // Limit to 10 iterations, fetching at most 10 * 100 = 1000 environments
+  while (hasNextPage && iterationCount < 10) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data }: { data: { values: TBitbucketEnvironment[]; next: string } } = await request.get(environmentsUrl, {
+      headers
+    });
+
+    if (data?.values.length > 0) {
+      environments.push(...data.values);
+    }
+
+    if (data.next) {
+      environmentsUrl = data.next;
+    } else {
+      hasNextPage = false;
+    }
+    iterationCount += 1;
+  }
+
+  return environments;
+};

backend/src/services/app-connection/bitbucket/bitbucket-connection-service.ts

@@ -1,8 +1,16 @@
 import { OrgServiceActor } from "@app/lib/types";
 
 import { AppConnection } from "../app-connection-enums";
-import { listBitbucketRepositories, listBitbucketWorkspaces } from "./bitbucket-connection-fns";
-import { TBitbucketConnection, TGetBitbucketRepositoriesDTO } from "./bitbucket-connection-types";
+import {
+  listBitbucketEnvironments,
+  listBitbucketRepositories,
+  listBitbucketWorkspaces
+} from "./bitbucket-connection-fns";
+import {
+  TBitbucketConnection,
+  TGetBitbucketEnvironmentsDTO,
+  TGetBitbucketRepositoriesDTO
+} from "./bitbucket-connection-types";
 
 type TGetAppConnectionFunc = (
   app: AppConnection,
@@ -26,8 +34,18 @@ export const bitbucketConnectionService = (getAppConnection: TGetAppConnectionFu
     return repositories;
   };
 
+  const listEnvironments = async (
+    { connectionId, workspaceSlug, repositorySlug }: TGetBitbucketEnvironmentsDTO,
+    actor: OrgServiceActor
+  ) => {
+    const appConnection = await getAppConnection(AppConnection.Bitbucket, connectionId, actor);
+    const environments = await listBitbucketEnvironments(appConnection, workspaceSlug, repositorySlug);
+    return environments;
+  };
+
   return {
     listWorkspaces,
-    listRepositories
+    listRepositories,
+    listEnvironments
   };
 };

backend/src/services/app-connection/bitbucket/bitbucket-connection-types.ts

@@ -38,3 +38,20 @@ export type TBitbucketRepo = {
   full_name: string; // workspace-slug/repo-slug
   slug: string;
 };
+
+export type TGetBitbucketEnvironmentsDTO = {
+  connectionId: string;
+  workspaceSlug: string;
+  repositorySlug: string;
+};
+
+export type TBitbucketEnvironment = {
+  uuid: string;
+  slug: string;
+  name: string;
+};
+
+export type TBitbucketEnvironmentsResponse = {
+  values: TBitbucketEnvironment[];
+  next?: string;
+};

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-constants.ts

@@ -0,0 +1,3 @@
+export enum DigitalOceanConnectionMethod {
+  ApiToken = "api-token"
+}

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-fns.ts

@@ -0,0 +1,37 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
+import { DigitalOceanAppPlatformPublicAPI } from "./digital-ocean-connection-public-client";
+import { DigitalOceanConnectionListItemSchema } from "./digital-ocean-connection-schemas";
+import { TDigitalOceanConnectionConfig } from "./digital-ocean-connection-types";
+
+export const getDigitalOceanConnectionListItem = () => {
+  return {
+    name: "Digital Ocean" as z.infer<typeof DigitalOceanConnectionListItemSchema>["name"],
+    app: AppConnection.DigitalOcean as const,
+    methods: Object.values(DigitalOceanConnectionMethod)
+  };
+};
+
+export const validateDigitalOceanConnectionCredentials = async (config: TDigitalOceanConnectionConfig) => {
+  try {
+    await DigitalOceanAppPlatformPublicAPI.healthcheck(config);
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+
+    throw new BadRequestError({
+      message: "Unable to validate connection - verify credentials"
+    });
+  }
+
+  return config.credentials;
+};

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-public-client.ts

@@ -0,0 +1,105 @@
+/* eslint-disable no-await-in-loop */
+/* eslint-disable class-methods-use-this */
+import { AxiosInstance } from "axios";
+
+import { createRequestClient } from "@app/lib/config/request";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
+import {
+  TDigitalOceanApp,
+  TDigitalOceanConnectionConfig,
+  TDigitalOceanVariable
+} from "./digital-ocean-connection-types";
+
+class DigitalOceanAppPlatformPublicClient {
+  private readonly client: AxiosInstance;
+
+  constructor() {
+    this.client = createRequestClient({
+      baseURL: `${IntegrationUrls.DIGITAL_OCEAN_API_URL}/v2`,
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      }
+    });
+  }
+
+  async healthcheck(connection: TDigitalOceanConnectionConfig) {
+    switch (connection.method) {
+      case DigitalOceanConnectionMethod.ApiToken:
+        await this.getApps(connection);
+        break;
+      default:
+        throw new Error(`Unsupported connection method`);
+    }
+  }
+
+  async getApps(connection: TDigitalOceanConnectionConfig) {
+    const response = await this.client.get<{ apps: TDigitalOceanApp[] }>(`/apps`, {
+      headers: {
+        Authorization: `Bearer ${connection.credentials.apiToken}`
+      }
+    });
+
+    return response.data.apps;
+  }
+
+  async getApp(connection: TDigitalOceanConnectionConfig, appId: string) {
+    const response = await this.client.get<{ app: TDigitalOceanApp }>(`/apps/${appId}`, {
+      headers: {
+        Authorization: `Bearer ${connection.credentials.apiToken}`
+      }
+    });
+
+    return response.data.app;
+  }
+
+  async getVariables(connection: TDigitalOceanConnectionConfig, appId: string): Promise<TDigitalOceanVariable[]> {
+    const app = await this.getApp(connection, appId);
+    return app.spec.envs || [];
+  }
+
+  async putVariables(connection: TDigitalOceanConnectionConfig, appId: string, ...input: TDigitalOceanVariable[]) {
+    const response = await this.getApp(connection, appId);
+
+    return this.client.put(
+      `/apps/${appId}`,
+      {
+        spec: {
+          ...response.spec,
+          envs: input
+        }
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${connection.credentials.apiToken}`
+        }
+      }
+    );
+  }
+
+  async deleteVariables(connection: TDigitalOceanConnectionConfig, appId: string, ...input: TDigitalOceanVariable[]) {
+    const response = await this.getApp(connection, appId);
+    const existing = response.spec.envs || [];
+
+    const variables = existing.filter((v) => input.find((i) => i.key === v.key));
+
+    return this.client.put(
+      `/apps/${appId}`,
+      {
+        spec: {
+          ...response.spec,
+          envs: variables
+        }
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${connection.credentials.apiToken}`
+        }
+      }
+    );
+  }
+}
+
+export const DigitalOceanAppPlatformPublicAPI = new DigitalOceanAppPlatformPublicClient();

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-schemas.ts

@@ -0,0 +1,67 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { DigitalOceanConnectionMethod } from "./digital-ocean-connection-constants";
+
+export const DigitalOceanConnectionMethodSchema = z
+  .nativeEnum(DigitalOceanConnectionMethod)
+  .describe(AppConnections.CREATE(AppConnection.DigitalOcean).method);
+
+export const DigitalOceanConnectionAccessTokenCredentialsSchema = z.object({
+  apiToken: z
+    .string()
+    .trim()
+    .min(1, "API Token required")
+    .max(255)
+    .describe(AppConnections.CREDENTIALS.DIGITAL_OCEAN_APP_PLATFORM.apiToken)
+});
+
+const BaseDigitalOceanConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.DigitalOcean)
+});
+
+export const DigitalOceanConnectionSchema = BaseDigitalOceanConnectionSchema.extend({
+  method: DigitalOceanConnectionMethodSchema,
+  credentials: DigitalOceanConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedDigitalOceanConnectionSchema = z.discriminatedUnion("method", [
+  BaseDigitalOceanConnectionSchema.extend({
+    method: DigitalOceanConnectionMethodSchema,
+    credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateDigitalOceanConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: DigitalOceanConnectionMethodSchema,
+    credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.DigitalOcean).credentials
+    )
+  })
+]);
+
+export const CreateDigitalOceanConnectionSchema = ValidateDigitalOceanConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.DigitalOcean)
+);
+
+export const UpdateDigitalOceanConnectionSchema = z
+  .object({
+    credentials: DigitalOceanConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.DigitalOcean).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.DigitalOcean));
+
+export const DigitalOceanConnectionListItemSchema = z.object({
+  name: z.literal("Digital Ocean"),
+  app: z.literal(AppConnection.DigitalOcean),
+  methods: z.nativeEnum(DigitalOceanConnectionMethod).array()
+});

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-service.ts

@@ -0,0 +1,29 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { DigitalOceanAppPlatformPublicAPI } from "./digital-ocean-connection-public-client";
+import { TDigitalOceanConnection } from "./digital-ocean-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TDigitalOceanConnection>;
+
+export const digitalOceanAppPlatformConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listApps = async (connectionId: string, actor: OrgServiceActor) => {
+    const connection = await getAppConnection(AppConnection.DigitalOcean, connectionId, actor);
+    try {
+      const apps = await DigitalOceanAppPlatformPublicAPI.getApps(connection);
+      return apps;
+    } catch (error) {
+      logger.error(error, "Failed to list apps on Digital Ocean");
+      return [];
+    }
+  };
+
+  return {
+    listApps
+  };
+};

backend/src/services/app-connection/digital-ocean/digital-ocean-connection-types.ts

@@ -0,0 +1,42 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateDigitalOceanConnectionSchema,
+  DigitalOceanConnectionSchema,
+  ValidateDigitalOceanConnectionCredentialsSchema
+} from "./digital-ocean-connection-schemas";
+
+export type TDigitalOceanConnection = z.infer<typeof DigitalOceanConnectionSchema>;
+
+export type TDigitalOceanConnectionInput = z.infer<typeof CreateDigitalOceanConnectionSchema> & {
+  app: AppConnection.DigitalOcean;
+};
+
+export type TValidateDigitalOceanCredentialsSchema = typeof ValidateDigitalOceanConnectionCredentialsSchema;
+
+export type TDigitalOceanConnectionConfig = DiscriminativePick<
+  TDigitalOceanConnection,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TDigitalOceanVariable = {
+  key: string;
+  value: string;
+  type: "SECRET" | "GENERAL";
+};
+
+export type TDigitalOceanApp = {
+  id: string;
+  spec: {
+    name: string;
+    services: Array<{
+      name: string;
+    }>;
+    envs?: TDigitalOceanVariable[];
+  };
+};

backend/src/services/app-connection/digital-ocean/index.ts

@@ -0,0 +1,4 @@
+export * from "./digital-ocean-connection-constants";
+export * from "./digital-ocean-connection-fns";
+export * from "./digital-ocean-connection-schemas";
+export * from "./digital-ocean-connection-types";

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -100,7 +100,8 @@ export const certificateAuthorityServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -167,7 +168,8 @@ export const certificateAuthorityServiceFactory = ({
       actorId: actor.id,
       projectId: certificateAuthority.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -215,7 +217,8 @@ export const certificateAuthorityServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -268,7 +271,8 @@ export const certificateAuthorityServiceFactory = ({
       actorId: actor.id,
       projectId: certificateAuthority.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -341,7 +345,8 @@ export const certificateAuthorityServiceFactory = ({
       actorId: actor.id,
       projectId: certificateAuthority.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts

@@ -4,7 +4,7 @@ import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
-import { TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
+import { ActionProjectType, TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
   ProjectPermissionActions,
@@ -150,7 +150,8 @@ export const internalCertificateAuthorityServiceFactory = ({
         actorId: dto.actorId,
         projectId,
         actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
       });
 
       ForbiddenError.from(permission).throwUnlessCan(
@@ -333,7 +334,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -357,7 +359,8 @@ export const internalCertificateAuthorityServiceFactory = ({
         actorId: dto.actorId,
         projectId: ca.projectId,
         actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
       });
 
       ForbiddenError.from(permission).throwUnlessCan(
@@ -389,7 +392,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -414,7 +418,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -477,7 +482,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -763,7 +769,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -799,7 +806,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -879,7 +887,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -1026,7 +1035,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -1197,7 +1207,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -1553,7 +1564,8 @@ export const internalCertificateAuthorityServiceFactory = ({
         actorId: dto.actorId,
         projectId: ca.projectId,
         actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
       });
 
       ForbiddenError.from(permission).throwUnlessCan(
@@ -1920,7 +1932,8 @@ export const internalCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     const certificateTemplates = await certificateTemplateDAL.find({ caId });

backend/src/services/certificate-template/certificate-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
+import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -76,7 +76,8 @@ export const certificateTemplateServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -137,7 +138,8 @@ export const certificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -201,7 +203,8 @@ export const certificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -227,7 +230,8 @@ export const certificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -268,7 +272,8 @@ export const certificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -350,7 +355,8 @@ export const certificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -429,7 +435,8 @@ export const certificateTemplateServiceFactory = ({
         actorId: dto.actorId,
         projectId: certTemplate.projectId,
         actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId
+        actorOrgId: dto.actorOrgId,
+        actionProjectType: ActionProjectType.CertificateManager
       });
 
       ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/certificate/certificate-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -79,7 +80,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId: cert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -109,7 +111,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId: cert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -142,7 +145,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId: cert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -191,7 +195,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -239,7 +244,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId: cert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -319,7 +325,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -523,7 +530,8 @@ export const certificateServiceFactory = ({
       actorId,
       projectId: cert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/cmek/cmek-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { SigningAlgorithm } from "@app/lib/crypto/sign";
@@ -38,7 +39,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
 
@@ -77,7 +79,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
@@ -113,7 +116,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
@@ -129,7 +133,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -151,7 +156,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -172,7 +178,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -194,7 +201,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
@@ -221,7 +229,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -268,7 +277,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
@@ -291,7 +301,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Sign, ProjectPermissionSub.Cmek);
@@ -325,7 +336,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Verify, ProjectPermissionSub.Cmek);
@@ -360,7 +372,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
       actorId: actor.id,
       projectId: key.projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);

backend/src/services/folder-commit/folder-commit-service.ts

@@ -2,7 +2,13 @@
 import { ForbiddenError } from "@casl/ability";
 import { Knex } from "knex";
 
-import { TSecretFolders, TSecretFolderVersions, TSecretV2TagJunctionInsert, TSecretVersionsV2 } from "@app/db/schemas";
+import {
+  ActionProjectType,
+  TSecretFolders,
+  TSecretFolderVersions,
+  TSecretV2TagJunctionInsert,
+  TSecretVersionsV2
+} from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
@@ -219,7 +225,8 @@ export const folderCommitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCommitsActions.Read, ProjectPermissionSub.Commits);
@@ -2062,7 +2069,8 @@ export const folderCommitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/group-project/group-project-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
 import { TListProjectGroupUsersDTO } from "@app/ee/services/group/group-types";
 import {
   constructPermissionErrorMessage,
@@ -78,7 +78,8 @@ export const groupProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Create, ProjectPermissionSub.Groups);
 
@@ -271,7 +272,8 @@ export const groupProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Edit, ProjectPermissionSub.Groups);
 
@@ -384,7 +386,8 @@ export const groupProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Delete, ProjectPermissionSub.Groups);
 
@@ -428,7 +431,8 @@ export const groupProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
 
@@ -455,7 +459,8 @@ export const groupProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
 
@@ -496,7 +501,8 @@ export const groupProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
 

backend/src/services/identity-project/identity-project-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import {
   constructPermissionErrorMessage,
   validatePrivilegeChangeOperation
@@ -62,7 +62,8 @@ export const identityProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Create,
@@ -181,7 +182,8 @@ export const identityProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -291,7 +293,8 @@ export const identityProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Delete,
@@ -319,7 +322,8 @@ export const identityProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -352,7 +356,8 @@ export const identityProjectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -388,7 +393,8 @@ export const identityProjectServiceFactory = ({
       actorId,
       projectId: membership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/integration-auth/integration-auth-service.ts

@@ -4,7 +4,13 @@ import { Octokit } from "@octokit/rest";
 import { Client as OctopusClient, SpaceRepository as OctopusSpaceRepository } from "@octopusdeploy/api-client";
 import AWS from "aws-sdk";
 
-import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
+import {
+  ActionProjectType,
+  SecretEncryptionAlgo,
+  SecretKeyEncoding,
+  TIntegrationAuths,
+  TIntegrationAuthsInsert
+} from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
@@ -97,7 +103,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const authorizations = await integrationAuthDAL.find({ projectId });
@@ -115,7 +122,8 @@ export const integrationAuthServiceFactory = ({
             actorId,
             projectId: auth.projectId,
             actorAuthMethod,
-            actorOrgId
+            actorOrgId,
+            actionProjectType: ActionProjectType.SecretManager
           });
 
           return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations) ? auth : null;
@@ -138,7 +146,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     return integrationAuth;
@@ -163,7 +172,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
 
@@ -281,7 +291,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
 
@@ -435,7 +446,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
 
@@ -732,7 +744,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -766,7 +779,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -796,7 +810,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -837,7 +852,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -865,7 +881,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -939,7 +956,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -986,7 +1004,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1020,7 +1039,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1078,7 +1098,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1114,7 +1135,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1155,7 +1177,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1195,7 +1218,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1235,7 +1259,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1274,7 +1299,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1314,7 +1340,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1382,7 +1409,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1456,7 +1484,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1506,7 +1535,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1554,7 +1584,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1622,7 +1653,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1663,7 +1695,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1775,7 +1808,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
@@ -1798,7 +1832,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
@@ -1831,7 +1866,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(sourcePermission).throwUnlessCan(
@@ -1844,7 +1880,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(targetPermission).throwUnlessCan(
@@ -1877,7 +1914,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -1911,7 +1949,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -1951,7 +1990,8 @@ export const integrationAuthServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);

backend/src/services/integration/integration-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -90,7 +91,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId: integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
 
@@ -165,7 +167,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId: integration.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
 
@@ -228,7 +231,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId: integration.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -255,7 +259,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId: integration.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -297,7 +302,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId: integration.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
@@ -333,7 +339,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -352,7 +359,8 @@ export const integrationServiceFactory = ({
       actorId,
       projectId: integration.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 

backend/src/services/org/org-service.ts

@@ -3,6 +3,7 @@ import slugify from "@sindresorhus/slugify";
 import { Knex } from "knex";
 
 import {
+  ActionProjectType,
   OrgMembershipRole,
   OrgMembershipStatus,
   ProjectMembershipRole,
@@ -980,7 +981,8 @@ export const orgServiceFactory = ({
           actorId,
           projectId,
           actorAuthMethod,
-          actorOrgId
+          actorOrgId,
+          actionProjectType: ActionProjectType.Any
         });
         ForbiddenError.from(projectPermission).throwUnlessCan(
           ProjectPermissionMemberActions.Create,

backend/src/services/pki-alert/pki-alert-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -78,7 +79,8 @@ export const pkiAlertServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.PkiAlerts);
@@ -107,7 +109,8 @@ export const pkiAlertServiceFactory = ({
       actorId,
       projectId: alert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
@@ -133,7 +136,8 @@ export const pkiAlertServiceFactory = ({
       actorId,
       projectId: alert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiAlerts);
@@ -165,7 +169,8 @@ export const pkiAlertServiceFactory = ({
       actorId,
       projectId: alert.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.PkiAlerts);

backend/src/services/pki-collection/pki-collection-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { TPkiCollectionItems } from "@app/db/schemas";
+import { ActionProjectType, TPkiCollectionItems } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -55,7 +55,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -87,7 +88,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId: pkiCollection.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
@@ -111,7 +113,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId: pkiCollection.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiCollections);
@@ -138,7 +141,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId: pkiCollection.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -167,7 +171,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId: pkiCollection.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
@@ -210,7 +215,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId: pkiCollection.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -297,7 +303,8 @@ export const pkiCollectionServiceFactory = ({
       actorId,
       projectId: pkiCollection.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/pki-subscriber/pki-subscriber-service.ts

@@ -2,6 +2,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -119,7 +120,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -181,7 +183,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -234,7 +237,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -296,7 +300,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -332,7 +337,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -387,7 +393,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -433,7 +440,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -691,7 +699,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -738,7 +747,8 @@ export const pkiSubscriberServiceFactory = ({
       actorId,
       projectId: subscriber.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/pki-templates/pki-templates-service.ts

@@ -3,6 +3,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import RE2 from "re2";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -118,7 +119,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -170,7 +172,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -233,7 +236,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -265,7 +269,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -290,7 +295,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     const certTemplate = await pkiTemplatesDAL.find({ projectId }, { limit, offset, count: true });
@@ -332,7 +338,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -378,7 +385,8 @@ export const pkiTemplatesServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/services/project-bot/project-bot-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ProjectVersion } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { crypto } from "@app/lib/crypto/cryptography";
@@ -45,7 +45,8 @@ export const projectBotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
@@ -115,7 +116,8 @@ export const projectBotServiceFactory = ({
       actorId,
       projectId: bot.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
 

backend/src/services/project-env/project-env-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -46,7 +47,8 @@ export const projectEnvServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);
 
@@ -134,7 +136,8 @@ export const projectEnvServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);
 
@@ -197,7 +200,8 @@ export const projectEnvServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);
 
@@ -252,7 +256,8 @@ export const projectEnvServiceFactory = ({
       actorId,
       projectId: environment.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);

backend/src/services/project-key/project-key-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionMemberActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";
@@ -36,7 +37,8 @@ export const projectKeyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -65,7 +67,8 @@ export const projectKeyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
     return latestKey;
@@ -83,7 +86,8 @@ export const projectKeyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
     return projectKeyDAL.findAllProjectUserPubKeys(projectId);

backend/src/services/project-membership/project-membership-service.ts

@@ -1,7 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
-import { ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import {
   constructPermissionErrorMessage,
@@ -90,7 +90,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -133,7 +134,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -155,7 +157,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -181,7 +184,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Create, ProjectPermissionSub.Member);
     const orgMembers = await orgDAL.findMembership({
@@ -261,7 +265,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -370,7 +375,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
 
@@ -412,7 +418,8 @@ export const projectMembershipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
 

backend/src/services/project-role/project-role-fns.ts

@@ -11,7 +11,7 @@ import {
 } from "@app/ee/services/permission/default-roles";
 import { TGetPredefinedRolesDTO } from "@app/services/project-role/project-role-types";
 
-export const getPredefinedRoles = ({ projectId, roleFilter }: TGetPredefinedRolesDTO) => {
+export const getPredefinedRoles = ({ projectId, projectType, roleFilter }: TGetPredefinedRolesDTO) => {
   return [
     {
       id: uuidv4(),
@@ -75,5 +75,5 @@ export const getPredefinedRoles = ({ projectId, roleFilter }: TGetPredefinedRole
       createdAt: new Date(),
       updatedAt: new Date()
     }
-  ].filter(({ slug }) => !roleFilter || roleFilter === slug);
+  ].filter(({ slug, type }) => (type ? type === projectType : true) && (!roleFilter || roleFilter === slug));
 };

backend/src/services/project-role/project-role-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import { requestContext } from "@fastify/request-context";
 
-import { ProjectMembershipRole, TableName, TProjects } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole, ProjectType, TableName, TProjects } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
   ProjectPermissionActions,
@@ -71,7 +71,8 @@ export const projectRoleServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Role);
     const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
@@ -111,12 +112,14 @@ export const projectRoleServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
     if (roleSlug !== "custom" && Object.values(ProjectMembershipRole).includes(roleSlug as ProjectMembershipRole)) {
       const [predefinedRole] = getPredefinedRoles({
         projectId: project.id,
+        projectType: project.type as ProjectType,
         roleFilter: roleSlug as ProjectMembershipRole
       });
 
@@ -139,7 +142,8 @@ export const projectRoleServiceFactory = ({
       actorId,
       projectId: projectRole.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
 
@@ -169,7 +173,8 @@ export const projectRoleServiceFactory = ({
       actorId,
       projectId: projectRole.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
 
@@ -210,14 +215,18 @@ export const projectRoleServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
     const customRoles = await projectRoleDAL.find(
       { projectId: project.id },
       { sort: [[`${TableName.ProjectRoles}.slug` as "slug", "asc"]] }
     );
-    const roles = [...getPredefinedRoles({ projectId: project.id }), ...(customRoles || [])];
+    const roles = [
+      ...getPredefinedRoles({ projectId: project.id, projectType: project.type as ProjectType }),
+      ...(customRoles || [])
+    ];
 
     return roles;
   };
@@ -233,7 +242,8 @@ export const projectRoleServiceFactory = ({
       actorId: userId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     // just to satisfy ts
     if (!("roles" in membership)) throw new BadRequestError({ message: "Service token not allowed" });

backend/src/services/project-role/project-role-types.ts

@@ -1,4 +1,4 @@
-import { ProjectMembershipRole, TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 
 export enum ProjectRoleServiceIdentifierType {
@@ -37,5 +37,6 @@ export type TListRolesDTO = {
 
 export type TGetPredefinedRolesDTO = {
   projectId: string;
+  projectType: ProjectType;
   roleFilter?: ProjectMembershipRole;
 };

backend/src/services/project/project-dal.ts

@@ -3,6 +3,7 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import {
   ProjectsSchema,
+  ProjectType,
   ProjectUpgradeStatus,
   ProjectVersion,
   SortDirection,
@@ -21,12 +22,17 @@ export type TProjectDALFactory = ReturnType<typeof projectDALFactory>;
 export const projectDALFactory = (db: TDbClient) => {
   const projectOrm = ormify(db, TableName.Project);
 
-  const findIdentityProjects = async (identityId: string, orgId: string) => {
+  const findIdentityProjects = async (identityId: string, orgId: string, projectType?: ProjectType) => {
     try {
       const workspaces = await db(TableName.IdentityProjectMembership)
         .where({ identityId })
         .join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
         .where(`${TableName.Project}.orgId`, orgId)
+        .andWhere((qb) => {
+          if (projectType) {
+            void qb.where(`${TableName.Project}.type`, projectType);
+          }
+        })
         .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
         .select(
           selectAllTableCols(TableName.Project),
@@ -66,13 +72,18 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findUserProjects = async (userId: string, orgId: string) => {
+  const findUserProjects = async (userId: string, orgId: string, projectType?: ProjectType) => {
     try {
       const workspaces = await db
         .replicaNode()(TableName.ProjectMembership)
         .where({ userId })
         .join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
         .where(`${TableName.Project}.orgId`, orgId)
+        .andWhere((qb) => {
+          if (projectType) {
+            void qb.where(`${TableName.Project}.type`, projectType);
+          }
+        })
         .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
         .select(
           selectAllTableCols(TableName.Project),
@@ -92,6 +103,11 @@ export const projectDALFactory = (db: TDbClient) => {
         .whereIn("groupId", groups)
         .join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
         .where(`${TableName.Project}.orgId`, orgId)
+        .andWhere((qb) => {
+          if (projectType) {
+            void qb.where(`${TableName.Project}.type`, projectType);
+          }
+        })
         .whereNotIn(
           `${TableName.Project}.id`,
           workspaces.map(({ id }) => id)
@@ -161,12 +177,17 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findAllProjectsByIdentity = async (identityId: string) => {
+  const findAllProjectsByIdentity = async (identityId: string, projectType?: ProjectType) => {
     try {
       const workspaces = await db
         .replicaNode()(TableName.IdentityProjectMembership)
         .where({ identityId })
         .join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
+        .andWhere((qb) => {
+          if (projectType) {
+            void qb.where(`${TableName.Project}.type`, projectType);
+          }
+        })
         .leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
         .select(
           selectAllTableCols(TableName.Project),
@@ -372,6 +393,7 @@ export const projectDALFactory = (db: TDbClient) => {
     orgId: string;
     actor: ActorType;
     actorId: string;
+    type?: ProjectType;
     limit?: number;
     offset?: number;
     name?: string;
@@ -426,6 +448,9 @@ export const projectDALFactory = (db: TDbClient) => {
       void query.orderBy([{ column: `${TableName.Project}.name`, order: sortDir }]);
     }
 
+    if (dto.type) {
+      void query.where(`${TableName.Project}.type`, dto.type);
+    }
     if (dto.name) {
       void query.whereILike(`${TableName.Project}.name`, `%${dto.name}%`);
     }

backend/src/services/project/project-service.ts

@@ -1,7 +1,14 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { ProjectMembershipRole, ProjectVersion, TableName, TProjectEnvironments } from "@app/db/schemas";
+import {
+  ActionProjectType,
+  ProjectMembershipRole,
+  ProjectType,
+  ProjectVersion,
+  TableName,
+  TProjectEnvironments
+} from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
@@ -242,7 +249,8 @@ export const projectServiceFactory = ({
     kmsKeyId,
     tx: trx,
     createDefaultEnvs = true,
-    template = InfisicalProjectTemplate.Default
+    template = InfisicalProjectTemplate.Default,
+    type = ProjectType.SecretManager
   }: TCreateProjectDTO) => {
     const organization = await orgDAL.findOne({ id: actorOrgId });
     const { permission, membership: orgMembership } = await permissionService.getOrgPermission(
@@ -258,7 +266,11 @@ export const projectServiceFactory = ({
       await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateProject(organization.id)]);
 
       const plan = await licenseService.getPlan(organization.id);
-      if (plan.workspaceLimit !== null && plan.workspacesUsed >= plan.workspaceLimit) {
+      if (
+        plan.workspaceLimit !== null &&
+        plan.workspacesUsed >= plan.workspaceLimit &&
+        type === ProjectType.SecretManager
+      ) {
         // case: limit imposed on number of workspaces allowed
         // case: number of workspaces used exceeds the number of workspaces allowed
         throw new BadRequestError({
@@ -295,6 +307,7 @@ export const projectServiceFactory = ({
       const project = await projectDAL.create(
         {
           name: workspaceName,
+          type,
           description: workspaceDescription,
           orgId: organization.id,
           slug: projectSlug || slugify(`${workspaceName}-${alphaNumericNanoId(4)}`),
@@ -305,14 +318,16 @@ export const projectServiceFactory = ({
         tx
       );
 
-      await bootstrapSshProject({
-        projectId: project.id,
-        sshCertificateAuthorityDAL,
-        sshCertificateAuthoritySecretDAL,
-        kmsService,
-        projectSshConfigDAL,
-        tx
-      });
+      if (type === ProjectType.SSH) {
+        await bootstrapSshProject({
+          projectId: project.id,
+          sshCertificateAuthorityDAL,
+          sshCertificateAuthoritySecretDAL,
+          kmsService,
+          projectSshConfigDAL,
+          tx
+        });
+      }
 
       // set ghost user as admin of project
       const projectMembership = await projectMembershipDAL.create(
@@ -512,7 +527,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
 
@@ -570,11 +586,11 @@ export const projectServiceFactory = ({
     return deletedProject;
   };
 
-  const getProjects = async ({ actorId, actor, includeRoles, actorAuthMethod, actorOrgId }: TListProjectsDTO) => {
+  const getProjects = async ({ actorId, actor, includeRoles, actorAuthMethod, actorOrgId, type }: TListProjectsDTO) => {
     const workspaces =
       actor === ActorType.IDENTITY
-        ? await projectDAL.findIdentityProjects(actorId, actorOrgId)
-        : await projectDAL.findUserProjects(actorId, actorOrgId);
+        ? await projectDAL.findIdentityProjects(actorId, actorOrgId, type)
+        : await projectDAL.findUserProjects(actorId, actorOrgId, type);
 
     if (includeRoles) {
       const { permission } = await permissionService.getUserOrgPermission(
@@ -598,7 +614,10 @@ export const projectServiceFactory = ({
         workspaces.map(async (workspace) => {
           return {
             ...workspace,
-            roles: [...(workspaceMappedToRoles[workspace.id] || []), ...getPredefinedRoles({ projectId: workspace.id })]
+            roles: [
+              ...(workspaceMappedToRoles[workspace.id] || []),
+              ...getPredefinedRoles({ projectId: workspace.id, projectType: workspace.type as ProjectType })
+            ]
           };
         })
       );
@@ -617,7 +636,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     return project;
   };
@@ -630,7 +650,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
 
@@ -674,7 +695,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
 
@@ -699,7 +721,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
 
@@ -728,7 +751,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (!hasRole(ProjectMembershipRole.Admin))
@@ -759,7 +783,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (!hasRole(ProjectMembershipRole.Admin)) {
@@ -791,7 +816,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
 
@@ -812,7 +838,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
@@ -882,7 +909,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret);
 
@@ -920,7 +948,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -966,7 +995,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -1010,7 +1040,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
@@ -1037,7 +1068,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
@@ -1064,7 +1096,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     const allowedSubscribers = [];
@@ -1102,7 +1135,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     const certificateTemplates = await certificateTemplateDAL.getCertTemplatesByProjectId(projectId);
@@ -1132,7 +1166,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -1165,7 +1200,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     const allowedHosts = [];
@@ -1204,7 +1240,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -1231,7 +1268,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
@@ -1269,7 +1307,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -1303,7 +1342,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
@@ -1330,7 +1370,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
@@ -1359,7 +1400,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
@@ -1381,7 +1423,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (!membership) {
@@ -1413,7 +1456,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
@@ -1452,7 +1496,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
@@ -1535,7 +1580,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
@@ -1607,7 +1653,8 @@ export const projectServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
       });
 
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
@@ -1684,7 +1731,8 @@ export const projectServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
       });
 
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
@@ -1807,7 +1855,8 @@ export const projectServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Settings);
@@ -1835,7 +1884,15 @@ export const projectServiceFactory = ({
     });
   };
 
-  const searchProjects = async ({ name, offset, permission, limit, orderBy, orderDirection }: TSearchProjectsDTO) => {
+  const searchProjects = async ({
+    name,
+    offset,
+    permission,
+    limit,
+    type,
+    orderBy,
+    orderDirection
+  }: TSearchProjectsDTO) => {
     // check user belong to org
     await permissionService.getOrgPermission(
       permission.type,
@@ -1849,6 +1906,7 @@ export const projectServiceFactory = ({
       limit,
       offset,
       name,
+      type,
       orgId: permission.orgId,
       actor: permission.type,
       actorId: permission.id,
@@ -1872,7 +1930,7 @@ export const projectServiceFactory = ({
         actor: permission.type,
         actorId: permission.id,
         projectId,
-
+        actionProjectType: ActionProjectType.Any,
         actorAuthMethod: permission.authMethod,
         actorOrgId: permission.orgId
       })

backend/src/services/project/project-types.ts

@@ -108,7 +108,7 @@ export type TDeleteProjectDTO = {
 
 export type TListProjectsDTO = {
   includeRoles: boolean;
-  type?: ProjectType | "all";
+  type?: ProjectType;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpgradeProjectDTO = {

backend/src/services/secret-blind-index/secret-blind-index-service.ts

@@ -1,4 +1,4 @@
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 
@@ -36,7 +36,8 @@ export const secretBlindIndexServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const secretCount = await secretBlindIndexDAL.countOfSecretsWithNullSecretBlindIndex(projectId);
@@ -55,7 +56,8 @@ export const secretBlindIndexServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!hasRole(ProjectMembershipRole.Admin)) {
       throw new ForbiddenRequestError({ message: "Insufficient privileges, user must be admin" });
@@ -78,7 +80,8 @@ export const secretBlindIndexServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!hasRole(ProjectMembershipRole.Admin)) {
       throw new ForbiddenRequestError({ message: "Insufficient privileges, user must be admin" });

backend/src/services/secret-folder/secret-folder-service.ts

@@ -4,7 +4,7 @@ import { Knex } from "knex";
 import path from "path";
 import { v4 as uuidv4, validate as uuidValidate } from "uuid";
 
-import { TProjectEnvironments, TSecretFolders, TSecretFoldersInsert } from "@app/db/schemas";
+import { ActionProjectType, TProjectEnvironments, TSecretFolders, TSecretFoldersInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -78,7 +78,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -269,7 +270,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     folders.forEach(({ environment, path: secretPath }) => {
@@ -411,7 +413,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -612,7 +615,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -718,7 +722,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const env = await projectEnvDAL.findOne({ projectId, slug: environment });
@@ -786,7 +791,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const envs = await projectEnvDAL.findBySlugs(projectId, environments);
@@ -827,7 +833,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const envs = await projectEnvDAL.findBySlugs(projectId, environments);
@@ -862,7 +869,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId: folder.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(folder.projectId, [folder.id]);
@@ -890,7 +898,8 @@ export const secretFolderServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const envs = await projectEnvDAL.findBySlugs(projectId, environments);
@@ -917,7 +926,8 @@ export const secretFolderServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const environments = await projectEnvDAL.find({ projectId });
@@ -1019,7 +1029,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     folders.forEach(({ environment, path: secretPath }) => {
@@ -1230,7 +1241,8 @@ export const secretFolderServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     folders.forEach(({ environment, path: secretPath }) => {

backend/src/services/secret-import/secret-import-service.ts

@@ -2,7 +2,7 @@ import path from "node:path";
 
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import {
   hasSecretReadValueOrDescribePermission,
@@ -87,7 +87,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     // check if user has permission to import into destination  path
@@ -204,7 +205,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -301,7 +303,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -375,7 +378,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     // check if user has permission to import into destination  path
@@ -451,7 +455,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -484,7 +489,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     const filteredEnvironments = [];
     for (const environment of environments) {
@@ -537,7 +543,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -586,7 +593,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId: folder.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -634,7 +642,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -669,7 +678,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -752,7 +762,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     const filteredEnvironments = [];
     for (const environment of environments) {
@@ -804,7 +815,8 @@ export const secretImportServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       permission.cannot(

backend/src/services/secret-sync/bitbucket/bitbucket-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const BITBUCKET_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Bitbucket",
+  destination: SecretSync.Bitbucket,
+  connection: AppConnection.Bitbucket,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/bitbucket/bitbucket-sync-fns.ts

@@ -0,0 +1,222 @@
+import { request } from "@app/lib/config/request";
+import { createAuthHeader } from "@app/services/app-connection/bitbucket";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import {
+  TBitbucketListVariables,
+  TBitbucketSyncWithCredentials,
+  TBitbucketVariable,
+  TDeleteBitbucketVariable,
+  TPutBitbucketVariable
+} from "@app/services/secret-sync/bitbucket/bitbucket-sync-types";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+
+const buildVariablesUrl = (workspace: string, repository: string, environment?: string, uuid?: string): string => {
+  const baseUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${encodeURIComponent(workspace)}/${encodeURIComponent(repository)}`;
+
+  if (environment) {
+    return `${baseUrl}/deployments_config/environments/${environment}/variables/${uuid || ""}`;
+  }
+
+  return `${baseUrl}/pipelines_config/variables/${uuid || ""}`;
+};
+
+const listVariables = async ({
+  workspaceSlug,
+  repositorySlug,
+  environmentId,
+  authHeader
+}: TBitbucketListVariables): Promise<TBitbucketVariable[]> => {
+  const url = buildVariablesUrl(workspaceSlug, repositorySlug, environmentId);
+
+  const { data } = await request.get<{ values: TBitbucketVariable[] }>(url, {
+    headers: {
+      Authorization: authHeader,
+      Accept: "application/json"
+    }
+  });
+
+  return data.values;
+};
+
+const upsertVariable = async ({
+  workspaceSlug,
+  repositorySlug,
+  environmentId,
+  key,
+  value,
+  existingVariables,
+  authHeader
+}: {
+  workspaceSlug: string;
+  repositorySlug: string;
+  environmentId?: string;
+  key: string;
+  value: string;
+  existingVariables: TBitbucketVariable[];
+  authHeader: string;
+}) => {
+  const existingVariable = existingVariables.find((variable) => variable.key === key);
+  const requestData = { key, value, secured: true };
+  const headers = {
+    Authorization: authHeader,
+    "Content-Type": "application/json"
+  };
+
+  if (existingVariable) {
+    const url = buildVariablesUrl(workspaceSlug, repositorySlug, environmentId, existingVariable.uuid);
+    return request.put(url, requestData, { headers });
+  }
+
+  const url = buildVariablesUrl(workspaceSlug, repositorySlug, environmentId);
+  return request.post(url, requestData, { headers });
+};
+
+const putVariables = async ({
+  workspaceSlug,
+  repositorySlug,
+  environmentId,
+  secretMap,
+  authHeader
+}: TPutBitbucketVariable & { secretMap: TSecretMap; authHeader: string }) => {
+  const existingVariables = await listVariables({
+    workspaceSlug,
+    repositorySlug,
+    environmentId,
+    authHeader
+  });
+
+  const promises = Object.entries(secretMap).map(([key, { value }]) =>
+    upsertVariable({
+      workspaceSlug,
+      repositorySlug,
+      environmentId,
+      key,
+      value,
+      existingVariables,
+      authHeader
+    })
+  );
+
+  return Promise.all(promises);
+};
+
+const deleteVariables = async ({
+  workspaceSlug,
+  repositorySlug,
+  environmentId,
+  keys,
+  authHeader
+}: TDeleteBitbucketVariable) => {
+  const existingVariables = await listVariables({
+    workspaceSlug,
+    repositorySlug,
+    environmentId,
+    authHeader
+  });
+
+  const variablesToDelete = existingVariables.filter((variable) => keys.includes(variable.key));
+  const promises = variablesToDelete.map((variable) => {
+    const url = buildVariablesUrl(workspaceSlug, repositorySlug, environmentId, variable.uuid);
+    return request.delete(url, {
+      headers: { Authorization: authHeader }
+    });
+  });
+
+  return Promise.all(promises);
+};
+
+export const BitbucketSyncFns = {
+  syncSecrets: async (secretSync: TBitbucketSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      environment,
+      destinationConfig: { workspaceSlug, repositorySlug, environmentId }
+    } = secretSync;
+
+    const { email, apiToken } = connection.credentials;
+    const authHeader = createAuthHeader(email, apiToken);
+
+    try {
+      await putVariables({
+        workspaceSlug,
+        repositorySlug,
+        environmentId,
+        secretMap,
+        authHeader
+      });
+    } catch (error) {
+      throw new SecretSyncError({ error });
+    }
+
+    if (secretSync.syncOptions.disableSecretDeletion) return;
+
+    try {
+      const existingVariables = await listVariables({
+        workspaceSlug,
+        repositorySlug,
+        environmentId,
+        authHeader
+      });
+
+      const keysToDelete = existingVariables
+        .map((variable) => variable.key)
+        .filter(
+          (secret) =>
+            matchesSchema(secret, environment?.slug || "", secretSync.syncOptions.keySchema) && !(secret in secretMap)
+        );
+
+      if (keysToDelete.length > 0) {
+        await deleteVariables({
+          workspaceSlug,
+          repositorySlug,
+          environmentId,
+          keys: keysToDelete,
+          authHeader
+        });
+      }
+    } catch (error) {
+      throw new SecretSyncError({ error });
+    }
+  },
+
+  removeSecrets: async (secretSync: TBitbucketSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      destinationConfig: { workspaceSlug, repositorySlug, environmentId }
+    } = secretSync;
+
+    const { email, apiToken } = connection.credentials;
+    const authHeader = createAuthHeader(email, apiToken);
+
+    try {
+      const existingVariables = await listVariables({
+        workspaceSlug,
+        repositorySlug,
+        environmentId,
+        authHeader
+      });
+
+      const keysToRemove = existingVariables.map((variable) => variable.key).filter((secret) => secret in secretMap);
+
+      if (keysToRemove.length > 0) {
+        await deleteVariables({
+          workspaceSlug,
+          repositorySlug,
+          environmentId,
+          keys: keysToRemove,
+          authHeader
+        });
+      }
+    } catch (error) {
+      throw new SecretSyncError({ error });
+    }
+  },
+
+  getSecrets: async (secretSync: TBitbucketSyncWithCredentials): Promise<TSecretMap> => {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  }
+};

backend/src/services/secret-sync/bitbucket/bitbucket-sync-schemas.ts

@@ -0,0 +1,45 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const BitbucketSyncDestinationConfigSchema = z.object({
+  repositorySlug: z.string().describe(SecretSyncs.DESTINATION_CONFIG.BITBUCKET.repositorySlug),
+  environmentId: z.string().optional().describe(SecretSyncs.DESTINATION_CONFIG.BITBUCKET.environmentId),
+  workspaceSlug: z.string().describe(SecretSyncs.DESTINATION_CONFIG.BITBUCKET.workspaceSlug)
+});
+
+const BitbucketSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const BitbucketSyncSchema = BaseSecretSyncSchema(SecretSync.Bitbucket, BitbucketSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Bitbucket),
+  destinationConfig: BitbucketSyncDestinationConfigSchema
+});
+
+export const CreateBitbucketSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Bitbucket,
+  BitbucketSyncOptionsConfig
+).extend({
+  destinationConfig: BitbucketSyncDestinationConfigSchema
+});
+
+export const UpdateBitbucketSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Bitbucket,
+  BitbucketSyncOptionsConfig
+).extend({
+  destinationConfig: BitbucketSyncDestinationConfigSchema.optional()
+});
+
+export const BitbucketSyncListItemSchema = z.object({
+  name: z.literal("Bitbucket"),
+  connection: z.literal(AppConnection.Bitbucket),
+  destination: z.literal(SecretSync.Bitbucket),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/bitbucket/bitbucket-sync-types.ts

@@ -0,0 +1,50 @@
+import { z } from "zod";
+
+import { TBitbucketConnection } from "@app/services/app-connection/bitbucket";
+
+import { BitbucketSyncListItemSchema, BitbucketSyncSchema, CreateBitbucketSyncSchema } from "./bitbucket-sync-schemas";
+
+export type TBitbucketSync = z.infer<typeof BitbucketSyncSchema>;
+
+export type TBitbucketSyncInput = z.infer<typeof CreateBitbucketSyncSchema>;
+
+export type TBitbucketSyncListItem = z.infer<typeof BitbucketSyncListItemSchema>;
+
+export type TBitbucketSyncWithCredentials = TBitbucketSync & {
+  connection: TBitbucketConnection;
+};
+
+export type TBitbucketVariable = {
+  key: string;
+  value?: string;
+  // Secure variables values are not returned by the API neither are they shown in Bitbucket UI
+  secured: boolean;
+  uuid: string;
+  type: string;
+};
+
+export type TBitbucketListVariables = {
+  workspaceSlug: string;
+  repositorySlug: string;
+  environmentId?: string;
+  authHeader: string;
+};
+
+export type TPutBitbucketVariable = {
+  authHeader: string;
+  workspaceSlug: string;
+  repositorySlug: string;
+  environmentId?: string;
+};
+
+export type TDeleteBitbucketVariable = {
+  authHeader: string;
+  workspaceSlug: string;
+  repositorySlug: string;
+  environmentId?: string;
+  keys: string[];
+};
+
+export type TBitbucketConnectionCredentials = {
+  authHeader: string;
+};

backend/src/services/secret-sync/bitbucket/index.ts

@@ -0,0 +1,4 @@
+export * from "./bitbucket-sync-constants";
+export * from "./bitbucket-sync-fns";
+export * from "./bitbucket-sync-schemas";
+export * from "./bitbucket-sync-types";

backend/src/services/secret-sync/digital-ocean-app-platform/digital-ocean-app-platform-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const DIGITAL_OCEAN_APP_PLATFORM_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Digital Ocean App Platform" as const,
+  destination: SecretSync.DigitalOceanAppPlatform,
+  connection: AppConnection.DigitalOcean,
+  canImportSecrets: false
+};

backend/src/services/secret-sync/digital-ocean-app-platform/digital-ocean-app-platform-sync-fns.ts

@@ -0,0 +1,83 @@
+/* eslint-disable no-continue */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+
+import { TDigitalOceanVariable } from "@app/services/app-connection/digital-ocean";
+import { DigitalOceanAppPlatformPublicAPI } from "@app/services/app-connection/digital-ocean/digital-ocean-connection-public-client";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+
+import { SecretSyncError } from "../secret-sync-errors";
+import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
+import { TSecretMap } from "../secret-sync-types";
+import { TDigitalOceanAppPlatformSyncWithCredentials } from "./digital-ocean-app-platform-sync-types";
+
+export const DigitalOceanAppPlatformSyncFns = {
+  async getSecrets(secretSync: TDigitalOceanAppPlatformSyncWithCredentials) {
+    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
+  },
+
+  async syncSecrets(secretSync: TDigitalOceanAppPlatformSyncWithCredentials, secretMap: TSecretMap) {
+    const {
+      environment,
+      syncOptions: { disableSecretDeletion, keySchema }
+    } = secretSync;
+
+    const config = secretSync.destinationConfig;
+
+    const existing = await DigitalOceanAppPlatformPublicAPI.getVariables(secretSync.connection, config.appId);
+
+    const variables: Record<string, TDigitalOceanVariable> = Object.fromEntries(existing.map((v) => [v.key, v]));
+
+    for (const [key, value] of Object.entries(secretMap)) {
+      variables[key] = {
+        key,
+        value: value.value,
+        type: "SECRET"
+      } as TDigitalOceanVariable;
+    }
+
+    if (!disableSecretDeletion) {
+      for (const v of existing) {
+        if (!matchesSchema(v.key, environment?.slug || "", keySchema)) continue;
+        if (!(v.key in secretMap)) {
+          delete variables[v.key];
+        }
+      }
+    }
+
+    try {
+      const vars = Object.values(variables);
+      await DigitalOceanAppPlatformPublicAPI.putVariables(secretSync.connection, config.appId, ...vars);
+    } catch (error) {
+      throw new SecretSyncError({
+        error
+      });
+    }
+  },
+
+  async removeSecrets(secretSync: TDigitalOceanAppPlatformSyncWithCredentials, secretMap: TSecretMap) {
+    const config = secretSync.destinationConfig;
+
+    try {
+      const existingSecrets = await DigitalOceanAppPlatformPublicAPI.getVariables(secretSync.connection, config.appId);
+
+      const vars = Object.entries(existingSecrets)
+        .map(([key, v]) => {
+          if (!(key in secretMap)) return;
+
+          return {
+            key,
+            value: v.value,
+            type: "SECRET"
+          } as TDigitalOceanVariable;
+        })
+        .filter(Boolean) as TDigitalOceanVariable[];
+
+      await DigitalOceanAppPlatformPublicAPI.deleteVariables(secretSync.connection, config.appId, ...vars);
+    } catch (error) {
+      throw new SecretSyncError({
+        error
+      });
+    }
+  }
+};

backend/src/services/secret-sync/digital-ocean-app-platform/digital-ocean-app-platform-sync-schemas.ts

@@ -0,0 +1,46 @@
+import { z } from "zod";
+
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const DigitalOceanAppPlatformSyncDestinationConfigSchema = z.object({
+  appId: z.string().min(1, "Account ID is required").max(255, "Account ID must be less than 255 characters"),
+  appName: z.string().min(1, "Account Name is required").max(255, "Account Name must be less than 255 characters")
+});
+
+const DigitalOceanAppPlatformSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
+
+export const DigitalOceanAppPlatformSyncSchema = BaseSecretSyncSchema(
+  SecretSync.DigitalOceanAppPlatform,
+  DigitalOceanAppPlatformSyncOptionsConfig
+).extend({
+  destination: z.literal(SecretSync.DigitalOceanAppPlatform),
+  destinationConfig: DigitalOceanAppPlatformSyncDestinationConfigSchema
+});
+
+export const CreateDigitalOceanAppPlatformSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.DigitalOceanAppPlatform,
+  DigitalOceanAppPlatformSyncOptionsConfig
+).extend({
+  destinationConfig: DigitalOceanAppPlatformSyncDestinationConfigSchema
+});
+
+export const UpdateDigitalOceanAppPlatformSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.DigitalOceanAppPlatform,
+  DigitalOceanAppPlatformSyncOptionsConfig
+).extend({
+  destinationConfig: DigitalOceanAppPlatformSyncDestinationConfigSchema.optional()
+});
+
+export const DigitalOceanAppPlatformSyncListItemSchema = z.object({
+  name: z.literal("Digital Ocean App Platform"),
+  connection: z.literal(AppConnection.DigitalOcean),
+  destination: z.literal(SecretSync.DigitalOceanAppPlatform),
+  canImportSecrets: z.literal(false)
+});

backend/src/services/secret-sync/digital-ocean-app-platform/digital-ocean-app-platform-sync-types.ts

@@ -0,0 +1,23 @@
+import z from "zod";
+
+import { TDigitalOceanConnection, TDigitalOceanVariable } from "@app/services/app-connection/digital-ocean";
+
+import {
+  CreateDigitalOceanAppPlatformSyncSchema,
+  DigitalOceanAppPlatformSyncListItemSchema,
+  DigitalOceanAppPlatformSyncSchema
+} from "./digital-ocean-app-platform-sync-schemas";
+
+export type TDigitalOceanAppPlatformSyncListItem = z.infer<typeof DigitalOceanAppPlatformSyncListItemSchema>;
+
+export type TDigitalOceanAppPlatformSync = z.infer<typeof DigitalOceanAppPlatformSyncSchema>;
+
+export type TDigitalOceanAppPlatformSyncInput = z.infer<typeof CreateDigitalOceanAppPlatformSyncSchema>;
+
+export type TDigitalOceanAppPlatformSyncWithCredentials = TDigitalOceanAppPlatformSync & {
+  connection: TDigitalOceanConnection;
+};
+
+export type TDigitalOceanAppPlatformSecret = TDigitalOceanVariable & {
+  type: "SECRET";
+};