improvement: make query timeout const

fix: update audit log endpoint and nginx timeout to handle lengthy queries
2025-07-28 02:53:22 +00:00 · 2025-03-05 16:26:56 -08:00 · 2025-03-05 16:19:07 -08:00
438 changed files with 4303 additions and 13009 deletions
--- a/.envrc
+++ b/.envrc
@@ -1,3 +0,0 @@
-# Learn more at https://direnv.net
-# We instruct direnv to use our Nix flake for a consistent development environment.
-use flake
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@@ -35,20 +35,7 @@ jobs:
          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-
-          echo "Examining built image:"
-          docker image inspect infisical-api | grep -A 5 "Entrypoint"
-          
-          docker run --name infisical-api -d -p 4000:4000 \
-            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
-            -e REDIS_URL=$REDIS_URL \
-            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
-            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
-            --env-file .env \
-            infisical-api
-          
-          echo "Container status right after creation:"
-          docker ps -a | grep infisical-api
+          docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api
        env:
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@@ -62,42 +49,29 @@ jobs:
          SECONDS=0
          HEALTHY=0
          while [ $SECONDS -lt 60 ]; do
-            # Check if container is running
-            if docker ps | grep infisical-api; then
-              # Try to access the API endpoint
-              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
-                echo "API endpoint is responding. Container seems healthy."
-                HEALTHY=1
-                break
-              fi
-            else
-              echo "Container is not running!"
-              docker ps -a | grep infisical-api
+            if docker ps | grep infisical-api | grep -q healthy; then
+              echo "Container is healthy."
+              HEALTHY=1
              break
            fi
-            
            echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-            sleep 5
-            SECONDS=$((SECONDS+5))
+
+            docker logs infisical-api
+
+            sleep 2
+            SECONDS=$((SECONDS+2))
          done
-          
+
          if [ $HEALTHY -ne 1 ]; then
            echo "Container did not become healthy in time"
-            echo "Container status:"
-            docker ps -a | grep infisical-api
-            echo "Container logs (if any):"
-            docker logs infisical-api || echo "No logs available"
-            echo "Container inspection:"
-            docker inspect infisical-api | grep -A 5 "State"
            exit 1
          fi
      - name: Install openapi-diff
-        run: go install github.com/oasdiff/oasdiff@latest
+        run: go install github.com/tufin/oasdiff@latest
      - name: Running OpenAPI Spec diff action
        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
      - name: cleanup
-        if: always()
        run: |
          docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api || true
-          docker rm infisical-api || true
+          docker stop infisical-api
+          docker remove infisical-api
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@@ -34,10 +34,7 @@ jobs:
        working-directory: backend
      - name: Start postgres and redis
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Run unit test
-        run: npm run test:unit
-        working-directory: backend
-      - name: Run integration test
+      - name: Start integration test
        run: npm run test:e2e
        working-directory: backend
        env:
@@ -47,5 +44,4 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - name: cleanup
        run: |
-          docker compose -f "docker-compose.dev.yml" down
-
+          docker compose -f "docker-compose.dev.yml" down
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,3 @@
-.direnv/
-
 # backend
 node_modules
 .env
@@ -28,6 +26,8 @@ node_modules
 /.pnp
 .pnp.js

+.env
+
 # testing
 coverage
 reports
@@ -63,12 +63,10 @@ yarn-error.log*

 # Editor specific
 .vscode/*
-**/.idea/*
+.idea/*

 frontend-build

-# cli
-.go/
 *.tgz
 cli/infisical-merge
 cli/test/infisical-merge
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@@ -120,3 +120,4 @@ export default {
    };
  }
 };
+
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -31,7 +31,7 @@
        "@fastify/swagger-ui": "^2.1.0",
        "@google-cloud/kms": "^4.5.0",
        "@infisical/quic": "^1.0.8",
-        "@node-saml/passport-saml": "^5.0.1",
+        "@node-saml/passport-saml": "^4.0.4",
        "@octokit/auth-app": "^7.1.1",
        "@octokit/plugin-retry": "^5.0.5",
        "@octokit/rest": "^20.0.2",
@@ -6747,35 +6747,32 @@
      }
    },
    "node_modules/@node-saml/node-saml": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.0.1.tgz",
-      "integrity": "sha512-YQzFPEC+CnsfO9AFYnwfYZKIzOLx3kITaC1HrjHVLTo6hxcQhc+LgHODOMvW4VCV95Gwrz1MshRUWCPzkDqmnA==",
-      "license": "MIT",
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-4.0.5.tgz",
+      "integrity": "sha512-J5DglElbY1tjOuaR1NPtjOXkXY5bpUhDoKVoeucYN98A3w4fwgjIOPqIGcb6cQsqFq2zZ6vTCeKn5C/hvefSaw==",
      "dependencies": {
-        "@types/debug": "^4.1.12",
-        "@types/qs": "^6.9.11",
-        "@types/xml-encryption": "^1.2.4",
-        "@types/xml2js": "^0.4.14",
-        "@xmldom/is-dom-node": "^1.0.1",
-        "@xmldom/xmldom": "^0.8.10",
+        "@types/debug": "^4.1.7",
+        "@types/passport": "^1.0.11",
+        "@types/xml-crypto": "^1.4.2",
+        "@types/xml-encryption": "^1.2.1",
+        "@types/xml2js": "^0.4.11",
+        "@xmldom/xmldom": "^0.8.6",
        "debug": "^4.3.4",
-        "xml-crypto": "^6.0.1",
+        "xml-crypto": "^3.0.1",
        "xml-encryption": "^3.0.2",
-        "xml2js": "^0.6.2",
-        "xmlbuilder": "^15.1.1",
-        "xpath": "^0.0.34"
+        "xml2js": "^0.5.0",
+        "xmlbuilder": "^15.1.1"
      },
      "engines": {
-        "node": ">= 18"
+        "node": ">= 14"
      }
    },
    "node_modules/@node-saml/node-saml/node_modules/debug": {
-      "version": "4.4.0",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-      "license": "MIT",
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
      "dependencies": {
-        "ms": "^2.1.3"
+        "ms": "2.1.2"
      },
      "engines": {
        "node": ">=6.0"
@@ -6786,43 +6783,25 @@
        }
      }
    },
-    "node_modules/@node-saml/node-saml/node_modules/xml2js": {
-      "version": "0.6.2",
-      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz",
-      "integrity": "sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==",
-      "license": "MIT",
-      "dependencies": {
-        "sax": ">=0.6.0",
-        "xmlbuilder": "~11.0.0"
-      },
-      "engines": {
-        "node": ">=4.0.0"
-      }
-    },
-    "node_modules/@node-saml/node-saml/node_modules/xml2js/node_modules/xmlbuilder": {
-      "version": "11.0.1",
-      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-11.0.1.tgz",
-      "integrity": "sha512-fDlsI/kFEx7gLvbecc0/ohLG50fugQp8ryHzMTuW9vSa1GJ0XYWKnhsUx7oie3G98+r56aTQIUB4kht42R3JvA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=4.0"
-      }
+    "node_modules/@node-saml/node-saml/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
    "node_modules/@node-saml/passport-saml": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.0.1.tgz",
-      "integrity": "sha512-fMztg3zfSnjLEgxvpl6HaDMNeh0xeQX4QHiF9e2Lsie2dc4qFE37XYbQZhVmn8XJ2awPpSWLQ736UskYgGU8lQ==",
-      "license": "MIT",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-4.0.4.tgz",
+      "integrity": "sha512-xFw3gw0yo+K1mzlkW15NeBF7cVpRHN/4vpjmBKzov5YFImCWh/G0LcTZ8krH3yk2/eRPc3Or8LRPudVJBjmYaw==",
      "dependencies": {
-        "@node-saml/node-saml": "^5.0.1",
-        "@types/express": "^4.17.21",
-        "@types/passport": "^1.0.16",
-        "@types/passport-strategy": "^0.2.38",
-        "passport": "^0.7.0",
+        "@node-saml/node-saml": "^4.0.4",
+        "@types/express": "^4.17.14",
+        "@types/passport": "^1.0.11",
+        "@types/passport-strategy": "^0.2.35",
+        "passport": "^0.6.0",
        "passport-strategy": "^1.0.0"
      },
      "engines": {
-        "node": ">= 18"
+        "node": ">= 14"
      }
    },
    "node_modules/@nodelib/fs.scandir": {
@@ -9627,7 +9606,6 @@
      "version": "4.1.12",
      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
      "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
-      "license": "MIT",
      "dependencies": {
        "@types/ms": "*"
      }
@@ -9747,10 +9725,9 @@
      "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w=="
    },
    "node_modules/@types/ms": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
-      "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
-      "license": "MIT"
+      "version": "0.7.34",
+      "resolved": "https://registry.npmjs.org/@types/ms/-/ms-0.7.34.tgz",
+      "integrity": "sha512-nG96G3Wp6acyAgJqGasjODb+acrI7KltPiRxzHPXnP3NgI28bpQDRv53olbqGXbfcgF5aiiHmO3xpwEpS5Ld9g=="
    },
    "node_modules/@types/node": {
      "version": "20.9.5",
@@ -9930,10 +9907,9 @@
      "dev": true
    },
    "node_modules/@types/qs": {
-      "version": "6.9.18",
-      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.18.tgz",
-      "integrity": "sha512-kK7dgTYDyGqS+e2Q4aK9X3D7q234CIZ1Bv0q/7Z5IwRDoADNU81xXJK/YVyLbLTZCoIwUoDoffFeF+p/eIklAA==",
-      "license": "MIT"
+      "version": "6.9.10",
+      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.10.tgz",
+      "integrity": "sha512-3Gnx08Ns1sEoCrWssEgTSJs/rsT2vhGP+Ja9cnnk9k4ALxinORlQneLXFeFKOTJMOeZUFD1s7w+w2AphTpvzZw=="
    },
    "node_modules/@types/range-parser": {
      "version": "1.2.7",
@@ -10082,11 +10058,19 @@
        "@types/webidl-conversions": "*"
      }
    },
+    "node_modules/@types/xml-crypto": {
+      "version": "1.4.6",
+      "resolved": "https://registry.npmjs.org/@types/xml-crypto/-/xml-crypto-1.4.6.tgz",
+      "integrity": "sha512-A6jEW2FxLZo1CXsRWnZHUX2wzR3uDju2Bozt6rDbSmU/W8gkilaVbwFEVN0/NhnUdMVzwYobWtM6bU1QJJFb7Q==",
+      "dependencies": {
+        "@types/node": "*",
+        "xpath": "0.0.27"
+      }
+    },
    "node_modules/@types/xml-encryption": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@types/xml-encryption/-/xml-encryption-1.2.4.tgz",
      "integrity": "sha512-I69K/WW1Dv7j6O3jh13z0X8sLWJRXbu5xnHDl9yHzUNDUBtUoBY058eb5s+x/WG6yZC1h8aKdI2EoyEPjyEh+Q==",
-      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
      }
@@ -10095,7 +10079,6 @@
      "version": "0.4.14",
      "resolved": "https://registry.npmjs.org/@types/xml2js/-/xml2js-0.4.14.tgz",
      "integrity": "sha512-4YnrRemBShWRO2QjvUin8ESA41rH+9nQGLUGZV/1IDhi3SL9OhdpNC/MrulTWuptXKwhx/aDxE7toV0f/ypIXQ==",
-      "license": "MIT",
      "dependencies": {
        "@types/node": "*"
      }
@@ -10539,20 +10522,10 @@
        "url": "https://opencollective.com/vitest"
      }
    },
-    "node_modules/@xmldom/is-dom-node": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@xmldom/is-dom-node/-/is-dom-node-1.0.1.tgz",
-      "integrity": "sha512-CJDxIgE5I0FH+ttq/Fxy6nRpxP70+e2O048EPe85J2use3XKdatVM7dDVvFNjQudd9B49NPoZ+8PG49zj4Er8Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 16"
-      }
-    },
    "node_modules/@xmldom/xmldom": {
      "version": "0.8.10",
      "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.10.tgz",
      "integrity": "sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==",
-      "license": "MIT",
      "engines": {
        "node": ">=10.0.0"
      }
@@ -18249,10 +18222,9 @@
      }
    },
    "node_modules/passport": {
-      "version": "0.7.0",
-      "resolved": "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz",
-      "integrity": "sha512-cPLl+qZpSc+ireUvt+IzqbED1cHHkDoVYMo30jbJIdOOjQ1MQYZBPiNvmi8UM6lJuOpTPXJGZQk0DtC4y61MYQ==",
-      "license": "MIT",
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/passport/-/passport-0.6.0.tgz",
+      "integrity": "sha512-0fe+p3ZnrWRW74fe8+SvCyf4a3Pb2/h7gFkQ8yTJpAO50gDzlfjZUZTO1k5Eg9kUct22OxHLqDZoKUWRHOh9ug==",
      "dependencies": {
        "passport-strategy": "1.x.x",
        "pause": "0.0.1",
@@ -23720,44 +23692,42 @@
      }
    },
    "node_modules/xml-crypto": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
-      "integrity": "sha512-v05aU7NS03z4jlZ0iZGRFeZsuKO1UfEbbYiaeRMiATBFs6Jq9+wqKquEMTn4UTrYZ9iGD8yz3KT4L9o2iF682w==",
-      "license": "MIT",
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-3.2.0.tgz",
+      "integrity": "sha512-qVurBUOQrmvlgmZqIVBqmb06TD2a/PpEUfFPgD7BuBfjmoH4zgkqaWSIJrnymlCvM2GGt9x+XtJFA+ttoAufqg==",
      "dependencies": {
-        "@xmldom/is-dom-node": "^1.0.1",
-        "@xmldom/xmldom": "^0.8.10",
-        "xpath": "^0.0.33"
+        "@xmldom/xmldom": "^0.8.8",
+        "xpath": "0.0.32"
      },
      "engines": {
-        "node": ">=16"
+        "node": ">=4.0.0"
      }
    },
    "node_modules/xml-crypto/node_modules/xpath": {
-      "version": "0.0.33",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.33.tgz",
-      "integrity": "sha512-NNXnzrkDrAzalLhIUc01jO2mOzXGXh1JwPgkihcLLzw98c0WgYDmmjSh1Kl3wzaxSVWMuA+fe0WTWOBDWCBmNA==",
-      "license": "MIT",
+      "version": "0.0.32",
+      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
+      "integrity": "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==",
      "engines": {
        "node": ">=0.6.0"
      }
    },
    "node_modules/xml-encryption": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/xml-encryption/-/xml-encryption-3.1.0.tgz",
-      "integrity": "sha512-PV7qnYpoAMXbf1kvQkqMScLeQpjCMixddAKq9PtqVrho8HnYbBOWNfG0kA4R7zxQDo7w9kiYAyzS/ullAyO55Q==",
-      "license": "MIT",
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/xml-encryption/-/xml-encryption-3.0.2.tgz",
+      "integrity": "sha512-VxYXPvsWB01/aqVLd6ZMPWZ+qaj0aIdF+cStrVJMcFj3iymwZeI0ABzB3VqMYv48DkSpRhnrXqTUkR34j+UDyg==",
      "dependencies": {
        "@xmldom/xmldom": "^0.8.5",
        "escape-html": "^1.0.3",
        "xpath": "0.0.32"
+      },
+      "engines": {
+        "node": ">=12"
      }
    },
    "node_modules/xml-encryption/node_modules/xpath": {
      "version": "0.0.32",
      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
      "integrity": "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw==",
-      "license": "MIT",
      "engines": {
        "node": ">=0.6.0"
      }
@@ -23794,7 +23764,6 @@
      "version": "15.1.1",
      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-15.1.1.tgz",
      "integrity": "sha512-yMqGBqtXyeN1e3TGYvgNgDVZ3j84W4cwkOXQswghol6APgZWaff9lnbvN7MHYJOiXsvGPXtjTYJEiC9J2wv9Eg==",
-      "license": "MIT",
      "engines": {
        "node": ">=8.0"
      }
@@ -23805,10 +23774,9 @@
      "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw=="
    },
    "node_modules/xpath": {
-      "version": "0.0.34",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.34.tgz",
-      "integrity": "sha512-FxF6+rkr1rNSQrhUNYrAFJpRXNzlDoMxeXN5qI84939ylEv3qqPFKa85Oxr6tDaJKqwW6KKyo2v26TSv3k6LeA==",
-      "license": "MIT",
+      "version": "0.0.27",
+      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.27.tgz",
+      "integrity": "sha512-fg03WRxtkCV6ohClePNAECYsmpKKTv5L8y/X3Dn1hQrec3POx2jHZ/0P2qQ6HvsrU1BmeqXcof3NGGueG6LxwQ==",
      "engines": {
        "node": ">=0.6.0"
      }
--- a/backend/package.json
+++ b/backend/package.json
@@ -40,7 +40,6 @@
    "type:check": "tsc --noEmit",
    "lint:fix": "eslint --fix --ext js,ts ./src",
    "lint": "eslint 'src/**/*.ts'",
-    "test:unit": "vitest run -c vitest.unit.config.ts",
    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
@@ -71,7 +70,6 @@
    "migrate:org": "tsx ./scripts/migrate-organization.ts",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
-    "seed-dev": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
  },
  "keywords": [],
@@ -148,7 +146,7 @@
    "@fastify/swagger-ui": "^2.1.0",
    "@google-cloud/kms": "^4.5.0",
    "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.0.1",
+    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
--- a/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
+++ b/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
@@ -1,45 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
-    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
-    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
-    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
-
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      if (!hasSecretVersionV2UserActorId) {
-        t.uuid("userActorId");
-        t.foreign("userActorId").references("id").inTable(TableName.Users);
-      }
-      if (!hasSecretVersionV2IdentityActorId) {
-        t.uuid("identityActorId");
-        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
-      }
-      if (!hasSecretVersionV2ActorType) {
-        t.string("actorType");
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
-    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
-    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
-    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
-
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      if (hasSecretVersionV2UserActorId) {
-        t.dropColumn("userActorId");
-      }
-      if (hasSecretVersionV2IdentityActorId) {
-        t.dropColumn("identityActorId");
-      }
-      if (hasSecretVersionV2ActorType) {
-        t.dropColumn("actorType");
-      }
-    });
-  }
-}
--- a/backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts
+++ b/backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts
@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Organization)) {
-    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
-      TableName.Organization,
-      "allowSecretSharingOutsideOrganization"
-    );
-
-    if (!hasSecretShareToAnyoneCol) {
-      await knex.schema.alterTable(TableName.Organization, (t) => {
-        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Organization)) {
-    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
-      TableName.Organization,
-      "allowSecretSharingOutsideOrganization"
-    );
-    if (hasSecretShareToAnyoneCol) {
-      await knex.schema.alterTable(TableName.Organization, (t) => {
-        t.dropColumn("allowSecretSharingOutsideOrganization");
-      });
-    }
-  }
-}
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -22,8 +22,7 @@ export const OrganizationsSchema = z.object({
  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
  defaultMembershipRole: z.string().default("member"),
  enforceMfa: z.boolean().default(false),
-  selectedMfaMethod: z.string().nullable().optional(),
-  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
+  selectedMfaMethod: z.string().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/secret-versions-v2.ts
+++ b/backend/src/db/schemas/secret-versions-v2.ts
@@ -25,10 +25,7 @@ export const SecretVersionsV2Schema = z.object({
  folderId: z.string().uuid(),
  userId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  userActorId: z.string().uuid().nullable().optional(),
-  identityActorId: z.string().uuid().nullable().optional(),
-  actorType: z.string().nullable().optional()
+  updatedAt: z.date()
 });

 export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -1,11 +1,16 @@
 import { z } from "zod";

-import { SecretApprovalRequestsReviewersSchema, SecretApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
+import {
+  SecretApprovalRequestsReviewersSchema,
+  SecretApprovalRequestsSchema,
+  SecretTagsSchema,
+  UsersSchema
+} from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApprovalStatus, RequestState } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";

@@ -245,6 +250,14 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
    }
  });

+  const tagSchema = SecretTagsSchema.pick({
+    id: true,
+    slug: true,
+    color: true
+  })
+    .array()
+    .optional();
+
  server.route({
    method: "GET",
    url: "/:id",
@@ -278,7 +291,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                .omit({ _id: true, environment: true, workspace: true, type: true, version: true })
                .extend({
                  op: z.string(),
-                  tags: SanitizedTagSchema.array().optional(),
+                  tags: tagSchema,
                  secretMetadata: ResourceMetadataSchema.nullish(),
                  secret: z
                    .object({
@@ -297,7 +310,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                      secretKey: z.string(),
                      secretValue: z.string().optional(),
                      secretComment: z.string().optional(),
-                      tags: SanitizedTagSchema.array().optional(),
+                      tags: tagSchema,
                      secretMetadata: ResourceMetadataSchema.nullish()
                    })
                    .optional()
--- a/backend/src/ee/routes/v1/secret-router.ts
+++ b/backend/src/ee/routes/v1/secret-router.ts
@@ -1,6 +1,6 @@
 import z from "zod";

-import { ProjectPermissionSecretActions } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
 import { RAW_SECRETS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -9,7 +9,7 @@ import { AuthMode } from "@app/services/auth/auth-type";

 const AccessListEntrySchema = z
  .object({
-    allowedActions: z.nativeEnum(ProjectPermissionSecretActions).array(),
+    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
    id: z.string(),
    membershipId: z.string(),
    name: z.string()
--- a/backend/src/ee/routes/v1/secret-version-router.ts
+++ b/backend/src/ee/routes/v1/secret-version-router.ts
@@ -22,11 +22,7 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
      }),
      response: {
        200: z.object({
-          secretVersions: secretRawSchema
-            .extend({
-              secretValueHidden: z.boolean()
-            })
-            .array()
+          secretVersions: secretRawSchema.array()
        })
      }
    },
@@ -41,7 +37,6 @@ export const registerSecretVersionRouter = async (server: FastifyZodProvider) =>
        offset: req.query.offset,
        secretId: req.params.secretId
      });
-
      return { secretVersions };
    }
  });
--- a/backend/src/ee/routes/v1/snapshot-router.ts
+++ b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -1,10 +1,10 @@
 import { z } from "zod";

-import { SecretSnapshotsSchema } from "@app/db/schemas";
+import { SecretSnapshotsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

 export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
@@ -31,9 +31,12 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
            secretVersions: secretRawSchema
              .omit({ _id: true, environment: true, workspace: true, type: true })
              .extend({
-                secretValueHidden: z.boolean(),
                secretId: z.string(),
-                tags: SanitizedTagSchema.array()
+                tags: SecretTagsSchema.pick({
+                  id: true,
+                  slug: true,
+                  color: true
+                }).array()
              })
              .array(),
            folderVersion: z.object({ id: z.string(), name: z.string() }).array(),
@@ -52,7 +55,6 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
        actorOrgId: req.permission.orgId,
        id: req.params.secretSnapshotId
      });
-
      return { secretSnapshot };
    }
  });
--- a/backend/src/ee/routes/v1/user-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/user-additional-privilege-router.ts
@@ -2,7 +2,6 @@ import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";

-import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-types";
 import { PROJECT_USER_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
@@ -24,9 +23,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
      body: z.object({
        projectMembershipId: z.string().min(1).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.projectMembershipId),
        slug: slugSchema({ min: 1, max: 60 }).optional().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions)
-          .refine(checkForInvalidPermissionCombination),
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.CREATE.permissions),
        type: z.discriminatedUnion("isTemporary", [
          z.object({
            isTemporary: z.literal(false)
@@ -84,8 +81,7 @@ export const registerUserAdditionalPrivilegeRouter = async (server: FastifyZodPr
          slug: slugSchema({ min: 1, max: 60 }).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.slug),
          permissions: ProjectPermissionV2Schema.array()
            .optional()
-            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions)
-            .refine(checkForInvalidPermissionCombination),
+            .describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
          type: z.discriminatedUnion("isTemporary", [
            z.object({ isTemporary: z.literal(false).describe(PROJECT_USER_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary) }),
            z.object({
--- a/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts
@@ -3,7 +3,6 @@ import ms from "ms";
 import { z } from "zod";

 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
-import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -31,9 +30,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.identityId),
        projectId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.projectId),
        slug: slugSchema({ min: 1, max: 60 }).optional().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.slug),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission)
-          .refine(checkForInvalidPermissionCombination),
+        permissions: ProjectPermissionV2Schema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.CREATE.permission),
        type: z.discriminatedUnion("isTemporary", [
          z.object({
            isTemporary: z.literal(false)
@@ -97,8 +94,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
        slug: slugSchema({ min: 1, max: 60 }).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.slug),
        permissions: ProjectPermissionV2Schema.array()
          .optional()
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission)
-          .refine(checkForInvalidPermissionCombination),
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.privilegePermission),
        type: z.discriminatedUnion("isTemporary", [
          z.object({ isTemporary: z.literal(false).describe(IDENTITY_ADDITIONAL_PRIVILEGE_V2.UPDATE.isTemporary) }),
          z.object({
--- a/backend/src/ee/routes/v2/project-role-router.ts
+++ b/backend/src/ee/routes/v2/project-role-router.ts
@@ -2,7 +2,6 @@ import { packRules } from "@casl/ability/extra";
 import { z } from "zod";

 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
-import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -38,9 +37,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(PROJECT_ROLE.CREATE.permissions)
-          .refine(checkForInvalidPermissionCombination)
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
        200: z.object({
@@ -95,10 +92,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .describe(PROJECT_ROLE.UPDATE.slug),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
-        permissions: ProjectPermissionV2Schema.array()
-          .describe(PROJECT_ROLE.UPDATE.permissions)
-          .optional()
-          .superRefine(checkForInvalidPermissionCombination)
+        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -1,16 +1,5 @@
 import { z } from "zod";

-export type PasswordRequirements = {
-  length: number;
-  required: {
-    lowercase: number;
-    uppercase: number;
-    digits: number;
-    symbols: number;
-  };
-  allowedSymbols?: string;
-};
-
 export enum SqlProviders {
  Postgres = "postgres",
  MySQL = "mysql2",
@@ -111,28 +100,6 @@ export const DynamicSecretSqlDBSchema = z.object({
  database: z.string().trim(),
  username: z.string().trim(),
  password: z.string().trim(),
-  passwordRequirements: z
-    .object({
-      length: z.number().min(1).max(250),
-      required: z
-        .object({
-          lowercase: z.number().min(0),
-          uppercase: z.number().min(0),
-          digits: z.number().min(0),
-          symbols: z.number().min(0)
-        })
-        .refine((data) => {
-          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
-          return total <= 250;
-        }, "Sum of required characters cannot exceed 250"),
-      allowedSymbols: z.string().optional()
-    })
-    .refine((data) => {
-      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
-      return total <= data.length;
-    }, "Sum of required characters cannot exceed the total length")
-    .optional()
-    .describe("Password generation requirements"),
  creationStatement: z.string().trim(),
  revocationStatement: z.string().trim(),
  renewStatement: z.string().trim().optional(),
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -1,6 +1,6 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
+import { customAlphabet } from "nanoid";
 import { z } from "zod";

 import { withGatewayProxy } from "@app/lib/gateway";
@@ -8,99 +8,16 @@ import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
-import { DynamicSecretSqlDBSchema, PasswordRequirements, SqlProviders, TDynamicProviderFns } from "./models";
+import { DynamicSecretSqlDBSchema, SqlProviders, TDynamicProviderFns } from "./models";

 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;

-const DEFAULT_PASSWORD_REQUIREMENTS = {
-  length: 48,
-  required: {
-    lowercase: 1,
-    uppercase: 1,
-    digits: 1,
-    symbols: 0
-  },
-  allowedSymbols: "-_.~!*"
-};
+const generatePassword = (provider: SqlProviders) => {
+  // oracle has limit of 48 password length
+  const size = provider === SqlProviders.Oracle ? 30 : 48;

-const ORACLE_PASSWORD_REQUIREMENTS = {
-  ...DEFAULT_PASSWORD_REQUIREMENTS,
-  length: 30
-};
-
-const generatePassword = (provider: SqlProviders, requirements?: PasswordRequirements) => {
-  const defaultReqs = provider === SqlProviders.Oracle ? ORACLE_PASSWORD_REQUIREMENTS : DEFAULT_PASSWORD_REQUIREMENTS;
-  const finalReqs = requirements || defaultReqs;
-
-  try {
-    const { length, required, allowedSymbols } = finalReqs;
-
-    const chars = {
-      lowercase: "abcdefghijklmnopqrstuvwxyz",
-      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-      digits: "0123456789",
-      symbols: allowedSymbols || "-_.~!*"
-    };
-
-    const parts: string[] = [];
-
-    if (required.lowercase > 0) {
-      parts.push(
-        ...Array(required.lowercase)
-          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
-      );
-    }
-
-    if (required.uppercase > 0) {
-      parts.push(
-        ...Array(required.uppercase)
-          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
-      );
-    }
-
-    if (required.digits > 0) {
-      parts.push(
-        ...Array(required.digits)
-          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
-      );
-    }
-
-    if (required.symbols > 0) {
-      parts.push(
-        ...Array(required.symbols)
-          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
-      );
-    }
-
-    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
-    const remainingLength = Math.max(length - requiredTotal, 0);
-
-    const allowedChars = Object.entries(chars)
-      .filter(([key]) => required[key as keyof typeof required] > 0)
-      .map(([, value]) => value)
-      .join("");
-
-    parts.push(
-      ...Array(remainingLength)
-        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
-    );
-
-    // shuffle the array to mix up the characters
-    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
-      [parts[i], parts[j]] = [parts[j], parts[i]];
-    }
-
-    return parts.join("");
-  } catch (error: unknown) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    throw new Error(`Failed to generate password: ${message}`);
-  }
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*";
+  return customAlphabet(charset, 48)(size);
 };

 const generateUsername = (provider: SqlProviders) => {
@@ -198,7 +115,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
  const create = async (inputs: unknown, expireAt: number) => {
    const providerInputs = await validateProviderInputs(inputs);
    const username = generateUsername(providerInputs.client);
-    const password = generatePassword(providerInputs.client, providerInputs.passwordRequirements);
+    const password = generatePassword(providerInputs.client);
    const gatewayCallback = async (host = providerInputs.host, port = providerInputs.port) => {
      const db = await $getClient({ ...providerInputs, port, host });
      try {
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";

 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
@@ -87,14 +87,9 @@ export const groupServiceFactory = ({
      actorOrgId
    );
    const isCustomRole = Boolean(customRole);
-
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to create a more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });

    const group = await groupDAL.transaction(async (tx) => {
      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
@@ -161,13 +156,9 @@ export const groupServiceFactory = ({
      );

      const isCustomRole = Boolean(customOrgRole);
-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to update a more privileged group",
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
+      if (!hasRequiredNewRolePermission)
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
      if (isCustomRole) customRole = customOrgRole;
    }

@@ -338,13 +329,9 @@ export const groupServiceFactory = ({
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);

    // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to add user to more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPrivileges)
+      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });

    const user = await userDAL.findOne({ username });
    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
@@ -409,13 +396,9 @@ export const groupServiceFactory = ({
    const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);

    // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to delete user from more privileged group",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, groupRolePermission);
+    if (!hasRequiredPrivileges)
+      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });

    const user = await userDAL.findOne({ username });
    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@@ -3,7 +3,7 @@ import { packRules } from "@casl/ability/extra";
 import ms from "ms";

 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -79,13 +79,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
      slug,
@@ -165,13 +161,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    if (data?.slug) {
      const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
@@ -247,13 +239,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
    return {
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@@ -3,7 +3,7 @@ import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";

 import { ActionProjectType } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -88,13 +88,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
      slug,
@@ -176,13 +172,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetIdentityPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
      slug,
@@ -276,13 +268,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to edit more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });

    const identityPrivilege = await identityProjectAdditionalPrivilegeDAL.findOne({
      slug,
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -32,10 +32,6 @@ export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }

-export enum OrgPermissionSecretShareAction {
-  ManageSettings = "manage-settings"
-}
-
 export enum OrgPermissionGatewayActions {
  // is there a better word for this. This mean can an identity be a gateway
  CreateGateways = "create-gateways",
@@ -63,8 +59,7 @@ export enum OrgPermissionSubjects {
  ProjectTemplates = "project-templates",
  AppConnections = "app-connections",
  Kmip = "kmip",
-  Gateway = "gateway",
-  SecretShare = "secret-share"
+  Gateway = "gateway"
 }

 export type AppConnectionSubjectFields = {
@@ -96,8 +91,7 @@ export type OrgPermissionSet =
      )
    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole]
-  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip]
-  | [OrgPermissionSecretShareAction, OrgPermissionSubjects.SecretShare];
+  | [OrgPermissionKmipActions, OrgPermissionSubjects.Kmip];

 const AppConnectionConditionSchema = z
  .object({
@@ -191,12 +185,6 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
      "Describe what action an entity can take."
    )
  }),
-  z.object({
-    subject: z.literal(OrgPermissionSubjects.SecretShare).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionSecretShareAction).describe(
-      "Describe what action an entity can take."
-    )
-  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Kmip).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionKmipActions).describe(
@@ -304,8 +292,6 @@ const buildAdminPermission = () => {
  // the proxy assignment is temporary in order to prevent "more privilege" error during role assignment to MI
  can(OrgPermissionKmipActions.Proxy, OrgPermissionSubjects.Kmip);

-  can(OrgPermissionSecretShareAction.ManageSettings, OrgPermissionSubjects.SecretShare);
-
  return rules;
 };

--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -1,109 +1,7 @@
-/* eslint-disable no-nested-ternary */
-import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/ability";
-import { z } from "zod";
-
 import { TOrganizations } from "@app/db/schemas";
-import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";

-import {
-  ProjectPermissionSecretActions,
-  ProjectPermissionSet,
-  ProjectPermissionSub,
-  ProjectPermissionV2Schema,
-  SecretSubjectFields
-} from "./project-permission";
-
-export function throwIfMissingSecretReadValueOrDescribePermission(
-  permission: MongoAbility<ProjectPermissionSet> | PureAbility,
-  action: Extract<
-    ProjectPermissionSecretActions,
-    ProjectPermissionSecretActions.ReadValue | ProjectPermissionSecretActions.DescribeSecret
-  >,
-  subjectFields?: SecretSubjectFields
-) {
-  try {
-    if (subjectFields) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionSecretActions.DescribeAndReadValue,
-        subject(ProjectPermissionSub.Secrets, subjectFields)
-      );
-    } else {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionSecretActions.DescribeAndReadValue,
-        ProjectPermissionSub.Secrets
-      );
-    }
-  } catch {
-    if (subjectFields) {
-      ForbiddenError.from(permission).throwUnlessCan(action, subject(ProjectPermissionSub.Secrets, subjectFields));
-    } else {
-      ForbiddenError.from(permission).throwUnlessCan(action, ProjectPermissionSub.Secrets);
-    }
-  }
-}
-
-export function hasSecretReadValueOrDescribePermission(
-  permission: MongoAbility<ProjectPermissionSet>,
-  action: Extract<
-    ProjectPermissionSecretActions,
-    ProjectPermissionSecretActions.DescribeSecret | ProjectPermissionSecretActions.ReadValue
-  >,
-  subjectFields?: SecretSubjectFields
-) {
-  let canNewPermission = false;
-  let canOldPermission = false;
-
-  if (subjectFields) {
-    canNewPermission = permission.can(action, subject(ProjectPermissionSub.Secrets, subjectFields));
-    canOldPermission = permission.can(
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      subject(ProjectPermissionSub.Secrets, subjectFields)
-    );
-  } else {
-    canNewPermission = permission.can(action, ProjectPermissionSub.Secrets);
-    canOldPermission = permission.can(
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSub.Secrets
-    );
-  }
-
-  return canNewPermission || canOldPermission;
-}
-
-const OptionalArrayPermissionSchema = ProjectPermissionV2Schema.array().optional();
-export function checkForInvalidPermissionCombination(permissions: z.infer<typeof OptionalArrayPermissionSchema>) {
-  if (!permissions) return;
-
-  for (const permission of permissions) {
-    if (permission.subject === ProjectPermissionSub.Secrets) {
-      if (permission.action.includes(ProjectPermissionSecretActions.DescribeAndReadValue)) {
-        const hasReadValue = permission.action.includes(ProjectPermissionSecretActions.ReadValue);
-        const hasDescribeSecret = permission.action.includes(ProjectPermissionSecretActions.DescribeSecret);
-
-        // eslint-disable-next-line no-continue
-        if (!hasReadValue && !hasDescribeSecret) continue;
-
-        const hasBothDescribeAndReadValue = hasReadValue && hasDescribeSecret;
-
-        throw new BadRequestError({
-          message: `You have selected Read, and ${
-            hasBothDescribeAndReadValue
-              ? "both Read Value and Describe Secret"
-              : hasReadValue
-                ? "Read Value"
-                : hasDescribeSecret
-                  ? "Describe Secret"
-                  : ""
-          }. You cannot select Read Value or Describe Secret if you have selected Read. The Read permission is a legacy action which has been replaced by Describe Secret and Read Value.`
-        });
-      }
-    }
-  }
-
-  return true;
-}
-
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
  if (!actorAuthMethod) return false;

--- a/backend/src/ee/services/permission/permission-types.ts
+++ b/backend/src/ee/services/permission/permission-types.ts
@@ -5,6 +5,22 @@ import { PermissionConditionOperators } from "@app/lib/casl";

 export const PermissionConditionSchema = {
  [PermissionConditionOperators.$IN]: z.string().trim().min(1).array(),
+  [PermissionConditionOperators.$ALL]: z.string().trim().min(1).array(),
+  [PermissionConditionOperators.$REGEX]: z
+    .string()
+    .min(1)
+    .refine(
+      (el) => {
+        try {
+          // eslint-disable-next-line no-new
+          new RegExp(el);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+      { message: "Invalid regex pattern" }
+    ),
  [PermissionConditionOperators.$EQ]: z.string().min(1),
  [PermissionConditionOperators.$NEQ]: z.string().min(1),
  [PermissionConditionOperators.$GLOB]: z
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -17,15 +17,6 @@ export enum ProjectPermissionActions {
  Delete = "delete"
 }

-export enum ProjectPermissionSecretActions {
-  DescribeAndReadValue = "read",
-  DescribeSecret = "describeSecret",
-  ReadValue = "readValue",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete"
-}
-
 export enum ProjectPermissionCmekActions {
  Read = "read",
  Create = "create",
@@ -124,7 +115,7 @@ export type IdentityManagementSubjectFields = {

 export type ProjectPermissionSet =
  | [
-      ProjectPermissionSecretActions,
+      ProjectPermissionActions,
      ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SecretSubjectFields)
    ]
  | [
@@ -438,7 +429,6 @@ const GeneralPermissionSchema = [
  })
 ];

-// Do not update this schema anymore, as it's kept purely for backwards compatability. Update V2 schema only.
 export const ProjectPermissionV1Schema = z.discriminatedUnion("subject", [
  z.object({
    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
@@ -470,7 +460,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
  z.object({
    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    ),
    conditions: SecretConditionV2Schema.describe(
@@ -527,6 +517,7 @@ const buildAdminPermissionRules = () => {

  // Admins get full access to everything
  [
+    ProjectPermissionSub.Secrets,
    ProjectPermissionSub.SecretFolders,
    ProjectPermissionSub.SecretImports,
    ProjectPermissionSub.SecretApproval,
@@ -559,22 +550,10 @@ const buildAdminPermissionRules = () => {
        ProjectPermissionActions.Create,
        ProjectPermissionActions.Delete
      ],
-      el
+      el as ProjectPermissionSub
    );
  });

-  can(
-    [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSecretActions.DescribeSecret,
-      ProjectPermissionSecretActions.ReadValue,
-      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete
-    ],
-    ProjectPermissionSub.Secrets
-  );
-
  can(
    [
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -634,12 +613,10 @@ const buildMemberPermissionRules = () => {

  can(
    [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
-      ProjectPermissionSecretActions.DescribeSecret,
-      ProjectPermissionSecretActions.ReadValue,
-      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
@@ -811,9 +788,7 @@ export const projectMemberPermissions = buildMemberPermissionRules();
 const buildViewerPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);

-  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
  can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
@@ -862,6 +837,7 @@ export const buildServiceTokenProjectPermission = (
      (subject) => {
        if (canWrite) {
          can(ProjectPermissionActions.Edit, subject, {
+            // TODO: @Akhi
            // @ts-expect-error type
            secretPath: { $glob: secretPath },
            environment
@@ -940,17 +916,7 @@ export const backfillPermissionV1SchemaToV2Schema = (
    subject: ProjectPermissionSub.SecretImports as const
  }));

-  const secretPolicies = secretSubjects.map(({ subject, ...el }) => ({
-    subject: ProjectPermissionSub.Secrets as const,
-    ...el,
-    action:
-      el.action.includes(ProjectPermissionActions.Read) && !el.action.includes(ProjectPermissionSecretActions.ReadValue)
-        ? el.action.concat(ProjectPermissionSecretActions.ReadValue)
-        : el.action
-  }));
-
  const secretFolderPolicies = secretSubjects
-
    .map(({ subject, ...el }) => ({
      ...el,
      // read permission is not needed anymore
@@ -992,7 +958,6 @@ export const backfillPermissionV1SchemaToV2Schema = (
    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
    // @ts-ignore-error this is valid ts
    secretImportPolicies,
-    secretPolicies,
    dynamicSecretPolicies,
    hasReadOnlyFolder.length ? [] : secretFolderPolicies
  );
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@@ -3,7 +3,7 @@ import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";

 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -76,13 +76,9 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetUserPermission.update(targetUserPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged user",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
      slug,
@@ -167,13 +163,9 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
    targetUserPermission.update(targetUserPermission.rules.concat(dto.permissions || []));
-    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, targetUserPermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });

    if (dto?.slug) {
      const existingSlug = await projectUserAdditionalPrivilegeDAL.findOne({
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -6,7 +6,6 @@ import {
  SecretEncryptionAlgo,
  SecretKeyEncoding,
  SecretType,
-  TableName,
  TSecretApprovalRequestsSecretsInsert,
  TSecretApprovalRequestsSecretsV2Insert
 } from "@app/db/schemas";
@@ -58,9 +57,8 @@ import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";

 import { TLicenseServiceFactory } from "../license/license-service";
-import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
@@ -90,12 +88,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
  secretDAL: TSecretDALFactory;
  secretTagDAL: Pick<
    TSecretTagDALFactory,
-    | "findManyTagsById"
-    | "saveTagsToSecret"
-    | "deleteTagsManySecret"
-    | "saveTagsToSecretV2"
-    | "deleteTagsToSecretV2"
-    | "find"
+    "findManyTagsById" | "saveTagsToSecret" | "deleteTagsManySecret" | "saveTagsToSecretV2" | "deleteTagsToSecretV2"
  >;
  secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
@@ -113,7 +106,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "encryptWithInputKey" | "decryptWithInputKey">;
  secretV2BridgeDAL: Pick<
    TSecretV2BridgeDALFactory,
-    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany" | "find"
+    "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "bulkUpdate" | "deleteMany"
  >;
  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
  secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
@@ -510,7 +503,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (!hasMinApproval && !isSoftEnforcement)
      throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });

-    const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);
+    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    let mergeStatus;
    if (shouldUseSecretV2Bridge) {
      // this cycle if for bridged secrets
@@ -868,6 +861,7 @@ export const secretApprovalRequestServiceFactory = ({

    if (isSoftEnforcement) {
      const cfg = getConfig();
+      const project = await projectDAL.findProjectById(projectId);
      const env = await projectEnvDAL.findOne({ id: policy.envId });
      const requestedByUser = await userDAL.findOne({ id: actorId });
      const approverUsers = await userDAL.find({
@@ -919,11 +913,10 @@ export const secretApprovalRequestServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
-
-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-      environment,
-      secretPath
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+    );

    await projectDAL.checkProjectUpgradeStatus(projectId);

@@ -1008,7 +1001,6 @@ export const secretApprovalRequestServiceFactory = ({
              : keyName2BlindIndex[secretName];
          // add tags
          if (tagIds?.length) commitTagIds[keyName2BlindIndex[secretName]] = tagIds;
-
          return {
            ...latestSecretVersions[secretId],
            ...el,
@@ -1164,8 +1156,7 @@ export const secretApprovalRequestServiceFactory = ({
          environment: env.name,
          secretPath,
          projectId,
-          requestId: secretApprovalRequest.id,
-          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretName) ?? []))]
+          requestId: secretApprovalRequest.id
        }
      }
    });
@@ -1336,48 +1327,17 @@ export const secretApprovalRequestServiceFactory = ({
    // deleted secrets
    const deletedSecrets = data[SecretOperations.Delete];
    if (deletedSecrets && deletedSecrets.length) {
-      const secretsToDeleteInDB = await secretV2BridgeDAL.find({
+      const secretsToDeleteInDB = await secretV2BridgeDAL.findBySecretKeys(
        folderId,
-        $complex: {
-          operator: "and",
-          value: [
-            {
-              operator: "or",
-              value: deletedSecrets.map((el) => ({
-                operator: "and",
-                value: [
-                  {
-                    operator: "eq",
-                    field: `${TableName.SecretV2}.key` as "key",
-                    value: el.secretKey
-                  },
-                  {
-                    operator: "eq",
-                    field: "type",
-                    value: SecretType.Shared
-                  }
-                ]
-              }))
-            }
-          ]
-        }
-      });
+        deletedSecrets.map((el) => ({
+          key: el.secretKey,
+          type: SecretType.Shared
+        }))
+      );
      if (secretsToDeleteInDB.length !== deletedSecrets.length)
        throw new NotFoundError({
          message: `Secret does not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
        });
-      secretsToDeleteInDB.forEach((el) => {
-        ForbiddenError.from(permission).throwUnlessCan(
-          ProjectPermissionSecretActions.Delete,
-          subject(ProjectPermissionSub.Secrets, {
-            environment,
-            secretPath,
-            secretName: el.key,
-            secretTags: el.tags?.map((i) => i.slug)
-          })
-        );
-      });
-
      const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
      const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
      const latestSecretVersions = await secretVersionV2BridgeDAL.findLatestVersionMany(folderId, deletedSecretIds);
@@ -1403,9 +1363,9 @@ export const secretApprovalRequestServiceFactory = ({
    const tagsGroupById = groupBy(tags, (i) => i.id);

    commits.forEach((commit) => {
-      let action = ProjectPermissionSecretActions.Create;
-      if (commit.op === SecretOperations.Update) action = ProjectPermissionSecretActions.Edit;
-      if (commit.op === SecretOperations.Delete) return; // we do the validation on top
+      let action = ProjectPermissionActions.Create;
+      if (commit.op === SecretOperations.Update) action = ProjectPermissionActions.Edit;
+      if (commit.op === SecretOperations.Delete) action = ProjectPermissionActions.Delete;

      ForbiddenError.from(permission).throwUnlessCan(
        action,
@@ -1496,8 +1456,7 @@ export const secretApprovalRequestServiceFactory = ({
          environment: env.name,
          secretPath,
          projectId,
-          requestId: secretApprovalRequest.id,
-          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretKey) ?? []))]
+          requestId: secretApprovalRequest.id
        }
      }
    });
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@@ -265,7 +265,6 @@ export const secretReplicationServiceFactory = ({
        folderDAL,
        secretImportDAL,
        decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : ""),
-        viewSecretValue: true,
        hasSecretAccess: () => true
      });
      // secrets that gets replicated across imports
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@@ -13,7 +13,6 @@ import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -333,7 +332,6 @@ export const secretRotationQueueFactory = ({
          await secretVersionV2BridgeDAL.insertMany(
            updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
              ...el,
-              actorType: ActorType.PLATFORM,
              secretId: id
            })),
            tx
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@@ -15,11 +15,7 @@ import { TSecretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret

 import { TLicenseServiceFactory } from "../license/license-service";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSecretActions,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretRotationDALFactory } from "./secret-rotation-dal";
 import { TSecretRotationQueueFactory } from "./secret-rotation-queue";
 import { TSecretRotationEncData } from "./secret-rotation-queue/secret-rotation-queue-types";
@@ -110,7 +106,7 @@ export const secretRotationServiceFactory = ({
      });
    }
    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionSecretActions.Edit,
+      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
    );

--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -1,18 +1,16 @@
 /* eslint-disable @typescript-eslint/no-unsafe-assignment,@typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-argument */
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";

 import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
-import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
-import { INFISICAL_SECRET_VALUE_HIDDEN_MASK } from "@app/services/secret/secret-fns";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
 import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version-tag-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@@ -23,16 +21,8 @@ import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secre
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";

 import { TLicenseServiceFactory } from "../license/license-service";
-import {
-  hasSecretReadValueOrDescribePermission,
-  throwIfMissingSecretReadValueOrDescribePermission
-} from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSecretActions,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import {
  TGetSnapshotDataDTO,
  TProjectSnapshotCountDTO,
@@ -106,10 +96,10 @@ export const secretSnapshotServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret, {
-      environment,
-      secretPath: path
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
    if (!folder) {
@@ -143,10 +133,10 @@ export const secretSnapshotServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret, {
-      environment,
-      secretPath: path
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
+    );

    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
    if (!folder)
@@ -171,7 +161,6 @@ export const secretSnapshotServiceFactory = ({
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
-
    const shouldUseBridge = snapshot.projectVersion === 3;
    let snapshotDetails;
    if (shouldUseBridge) {
@@ -180,112 +169,68 @@ export const secretSnapshotServiceFactory = ({
        projectId: snapshot.projectId
      });
      const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotV2DataById(id);
-
-      const fullFolderPath = await getFullFolderPath({
-        folderDAL,
-        folderId: encryptedSnapshotDetails.folderId,
-        envId: encryptedSnapshotDetails.environment.id
-      });
-
      snapshotDetails = {
        ...encryptedSnapshotDetails,
-        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => {
-          const canReadValue = hasSecretReadValueOrDescribePermission(
-            permission,
-            ProjectPermissionSecretActions.ReadValue,
-            {
-              environment: encryptedSnapshotDetails.environment.slug,
-              secretPath: fullFolderPath,
-              secretName: el.key,
-              secretTags: el.tags.length ? el.tags.map((tag) => tag.slug) : undefined
-            }
-          );
-
-          let secretValue = "";
-          if (canReadValue) {
-            secretValue = el.encryptedValue
-              ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
-              : "";
-          } else {
-            secretValue = INFISICAL_SECRET_VALUE_HIDDEN_MASK;
-          }
-
-          return {
-            ...el,
-            secretKey: el.key,
-            secretValueHidden: !canReadValue,
-            secretValue,
-            secretComment: el.encryptedComment
-              ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
-              : ""
-          };
-        })
+        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
+          ...el,
+          secretKey: el.key,
+          secretValue: el.encryptedValue
+            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
+            : "",
+          secretComment: el.encryptedComment
+            ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
+            : ""
+        }))
      };
    } else {
      const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotDataById(id);
-
-      const fullFolderPath = await getFullFolderPath({
-        folderDAL,
-        folderId: encryptedSnapshotDetails.folderId,
-        envId: encryptedSnapshotDetails.environment.id
-      });
-
      const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
      if (!botKey)
        throw new NotFoundError({ message: `Project bot key not found for project with ID '${snapshot.projectId}'` });
      snapshotDetails = {
        ...encryptedSnapshotDetails,
-        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => {
-          const secretKey = decryptSymmetric128BitHexKeyUTF8({
+        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
+          ...el,
+          secretKey: decryptSymmetric128BitHexKeyUTF8({
            ciphertext: el.secretKeyCiphertext,
            iv: el.secretKeyIV,
            tag: el.secretKeyTag,
            key: botKey
-          });
-
-          const canReadValue = hasSecretReadValueOrDescribePermission(
-            permission,
-            ProjectPermissionSecretActions.ReadValue,
-            {
-              environment: encryptedSnapshotDetails.environment.slug,
-              secretPath: fullFolderPath,
-              secretName: secretKey,
-              secretTags: el.tags.length ? el.tags.map((tag) => tag.slug) : undefined
-            }
-          );
-
-          let secretValue = "";
-
-          if (canReadValue) {
-            secretValue = decryptSymmetric128BitHexKeyUTF8({
-              ciphertext: el.secretValueCiphertext,
-              iv: el.secretValueIV,
-              tag: el.secretValueTag,
-              key: botKey
-            });
-          } else {
-            secretValue = INFISICAL_SECRET_VALUE_HIDDEN_MASK;
-          }
-
-          return {
-            ...el,
-            secretKey,
-            secretValueHidden: !canReadValue,
-            secretValue,
-            secretComment:
-              el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
-                ? decryptSymmetric128BitHexKeyUTF8({
-                    ciphertext: el.secretCommentCiphertext,
-                    iv: el.secretCommentIV,
-                    tag: el.secretCommentTag,
-                    key: botKey
-                  })
-                : ""
-          };
-        })
+          }),
+          secretValue: decryptSymmetric128BitHexKeyUTF8({
+            ciphertext: el.secretValueCiphertext,
+            iv: el.secretValueIV,
+            tag: el.secretValueTag,
+            key: botKey
+          }),
+          secretComment:
+            el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
+              ? decryptSymmetric128BitHexKeyUTF8({
+                  ciphertext: el.secretCommentCiphertext,
+                  iv: el.secretCommentIV,
+                  tag: el.secretCommentTag,
+                  key: botKey
+                })
+              : ""
+        }))
      };
    }

+    const fullFolderPath = await getFullFolderPath({
+      folderDAL,
+      folderId: snapshotDetails.folderId,
+      envId: snapshotDetails.environment.id
+    });
+
+    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment: snapshotDetails.environment.slug,
+        secretPath: fullFolderPath
+      })
+    );
+
    return snapshotDetails;
  };

@@ -425,21 +370,7 @@ export const secretSnapshotServiceFactory = ({
        const secrets = await secretV2BridgeDAL.insertMany(
          rollbackSnaps.flatMap(({ secretVersions, folderId }) =>
            secretVersions.map(
-              ({
-                latestSecretVersion,
-                version,
-                updatedAt,
-                createdAt,
-                secretId,
-                envId,
-                id,
-                tags,
-                // exclude the bottom fields from the secret - they are for versioning only.
-                userActorId,
-                identityActorId,
-                actorType,
-                ...el
-              }) => ({
+              ({ latestSecretVersion, version, updatedAt, createdAt, secretId, envId, id, tags, ...el }) => ({
                ...el,
                id: secretId,
                version: deletedTopLevelSecsGroupById[secretId] ? latestSecretVersion + 1 : latestSecretVersion,
@@ -470,18 +401,8 @@ export const secretSnapshotServiceFactory = ({
          })),
          tx
        );
-        const userActorId = actor === ActorType.USER ? actorId : undefined;
-        const identityActorId = actor !== ActorType.USER ? actorId : undefined;
-        const actorType = actor || ActorType.PLATFORM;
-
        const secretVersions = await secretVersionV2BridgeDAL.insertMany(
-          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({
-            ...el,
-            secretId: id,
-            userActorId,
-            identityActorId,
-            actorType
-          })),
+          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({ ...el, secretId: id })),
          tx
        );
        await secretVersionV2TagBridgeDAL.insertMany(
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -459,8 +459,7 @@ export const PROJECTS = {
    workspaceId: "The ID of the project to update.",
    name: "The new name of the project.",
    projectDescription: "An optional description label for the project.",
-    autoCapitalization: "Disable or enable auto-capitalization for the project.",
-    slug: "An optional slug for the project. (must be unique within the organization)"
+    autoCapitalization: "Disable or enable auto-capitalization for the project."
  },
  GET_KEY: {
    workspaceId: "The ID of the project to get the key from."
@@ -667,7 +666,6 @@ export const SECRETS = {
    secretPath: "The path of the secret to attach tags to.",
    type: "The type of the secret to attach tags to. (shared/personal)",
    environment: "The slug of the environment where the secret is located",
-    viewSecretValue: "Whether or not to retrieve the secret value.",
    projectSlug: "The slug of the project where the secret is located.",
    tagSlugs: "An array of existing tag slugs to attach to the secret."
  },
@@ -691,7 +689,6 @@ export const RAW_SECRETS = {
      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
    environment: "The slug of the environment to list secrets from.",
    secretPath: "The secret path to list secrets from.",
-    viewSecretValue: "Whether or not to retrieve the secret value.",
    includeImports: "Weather to include imported secrets or not.",
    tagSlugs: "The comma separated tag slugs to filter secrets.",
    metadataFilter:
@@ -720,7 +717,6 @@ export const RAW_SECRETS = {
    secretPath: "The path of the secret to get.",
    version: "The version of the secret to get.",
    type: "The type of the secret to get.",
-    viewSecretValue: "Whether or not to retrieve the secret value.",
    includeImports: "Weather to include imported secrets or not."
  },
  UPDATE: {
@@ -1725,8 +1721,7 @@ export const SecretSyncs = {
  SYNC_OPTIONS: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
-      initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
-      disableSecretDeletion: `Enable this flag to prevent removal of secrets from the ${destinationName} destination when syncing.`
+      initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`
    };
  },
  ADDITIONAL_SYNC_OPTIONS: {
@@ -1772,12 +1767,6 @@ export const SecretSyncs = {
    },
    DATABRICKS: {
      scope: "The Databricks secret scope that secrets should be synced to."
-    },
-    HUMANITEC: {
-      app: "The ID of the Humanitec app to sync secrets to.",
-      org: "The ID of the Humanitec org to sync secrets to.",
-      env: "The ID of the Humanitec environment to sync secrets to.",
-      scope: "The Humanitec scope that secrets should be synced to."
    }
  }
 };
--- a/backend/src/lib/casl/boundary.test.ts
+++ b/backend/src/lib/casl/boundary.test.ts
@@ -1,669 +0,0 @@
-import { createMongoAbility } from "@casl/ability";
-
-import { PermissionConditionOperators } from ".";
-import { validatePermissionBoundary } from "./boundary";
-
-describe("Validate Permission Boundary Function", () => {
-  test.each([
-    {
-      title: "child with equal privilege",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets"
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets"
-        }
-      ]),
-      expectValid: true,
-      missingPermissions: []
-    },
-    {
-      title: "child with less privilege",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets"
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: ["create", "edit"],
-          subject: "secrets"
-        }
-      ]),
-      expectValid: true,
-      missingPermissions: []
-    },
-    {
-      title: "child with more privilege",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets"
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: ["create", "edit"],
-          subject: "secrets"
-        }
-      ]),
-      expectValid: false,
-      missingPermissions: [{ action: "edit", subject: "secrets" }]
-    },
-    {
-      title: "parent with multiple and child with multiple",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets"
-        },
-        {
-          action: ["create", "edit"],
-          subject: "members"
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "members"
-        },
-        {
-          action: ["create"],
-          subject: "secrets"
-        }
-      ]),
-      expectValid: true,
-      missingPermissions: []
-    },
-    {
-      title: "Child with no access",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets"
-        },
-        {
-          action: ["create", "edit"],
-          subject: "members"
-        }
-      ]),
-      childPermission: createMongoAbility([]),
-      expectValid: true,
-      missingPermissions: []
-    },
-    {
-      title: "Parent and child disjoint set",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" }
-          }
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$EQ]: "dev" }
-          }
-        }
-      ]),
-      expectValid: false,
-      missingPermissions: ["create", "edit", "delete", "read"].map((el) => ({
-        action: el,
-        subject: "secrets",
-        conditions: {
-          secretPath: { [PermissionConditionOperators.$EQ]: "dev" }
-        }
-      }))
-    },
-    {
-      title: "Parent with inverted rules",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" }
-          }
-        },
-        {
-          action: "read",
-          subject: "secrets",
-          inverted: true,
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" },
-            secretPath: { [PermissionConditionOperators.$GLOB]: "/hello/**" }
-          }
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: "read",
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" },
-            secretPath: { [PermissionConditionOperators.$EQ]: "/" }
-          }
-        }
-      ]),
-      expectValid: true,
-      missingPermissions: []
-    },
-    {
-      title: "Parent with inverted rules - child accessing invalid one",
-      parentPermission: createMongoAbility([
-        {
-          action: ["create", "edit", "delete", "read"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" }
-          }
-        },
-        {
-          action: "read",
-          subject: "secrets",
-          inverted: true,
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" },
-            secretPath: { [PermissionConditionOperators.$GLOB]: "/hello/**" }
-          }
-        }
-      ]),
-      childPermission: createMongoAbility([
-        {
-          action: "read",
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" },
-            secretPath: { [PermissionConditionOperators.$EQ]: "/hello/world" }
-          }
-        }
-      ]),
-      expectValid: false,
-      missingPermissions: [
-        {
-          action: "read",
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" },
-            secretPath: { [PermissionConditionOperators.$EQ]: "/hello/world" }
-          }
-        }
-      ]
-    }
-  ])("Check permission: $title", ({ parentPermission, childPermission, expectValid, missingPermissions }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    if (expectValid) {
-      expect(permissionBoundary.isValid).toBeTruthy();
-    } else {
-      expect(permissionBoundary.isValid).toBeFalsy();
-      expect(permissionBoundary.missingPermissions).toEqual(expect.arrayContaining(missingPermissions));
-    }
-  });
-});
-
-describe("Validate Permission Boundary: Checking Parent $eq operator", () => {
-  const parentPermission = createMongoAbility([
-    {
-      action: ["create", "read"],
-      subject: "secrets",
-      conditions: {
-        environment: { [PermissionConditionOperators.$EQ]: "dev" }
-      }
-    }
-  ]);
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$IN]: ["dev"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$GLOB]: "dev" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator truthy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeTruthy();
-  });
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "prod" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$IN]: ["dev", "prod"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$GLOB]: "dev**" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$NEQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$GLOB]: "staging" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator falsy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeFalsy();
-  });
-});
-
-describe("Validate Permission Boundary: Checking Parent $neq operator", () => {
-  const parentPermission = createMongoAbility([
-    {
-      action: ["create", "read"],
-      subject: "secrets",
-      conditions: {
-        secretPath: { [PermissionConditionOperators.$NEQ]: "/hello" }
-      }
-    }
-  ]);
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$EQ]: "/" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$NEQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$NEQ]: "/hello" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$IN]: ["/", "/staging"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$GLOB]: "/dev**" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator truthy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeTruthy();
-  });
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$EQ]: "/hello" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$NEQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$NEQ]: "/" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$IN]: ["/", "/hello"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$GLOB]: "/hello**" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator falsy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeFalsy();
-  });
-});
-
-describe("Validate Permission Boundary: Checking Parent $IN operator", () => {
-  const parentPermission = createMongoAbility([
-    {
-      action: ["edit"],
-      subject: "secrets",
-      conditions: {
-        environment: { [PermissionConditionOperators.$IN]: ["dev", "staging"] }
-      }
-    }
-  ]);
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "dev" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$IN]: ["dev"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: `${PermissionConditionOperators.$IN} - 2`,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$IN]: ["dev", "staging"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$GLOB]: "dev" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator truthy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeTruthy();
-  });
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$EQ]: "prod" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$NEQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$NEQ]: "dev" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$IN]: ["dev", "prod"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["edit"],
-          subject: "secrets",
-          conditions: {
-            environment: { [PermissionConditionOperators.$GLOB]: "dev**" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator falsy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeFalsy();
-  });
-});
-
-describe("Validate Permission Boundary: Checking Parent $GLOB operator", () => {
-  const parentPermission = createMongoAbility([
-    {
-      action: ["create", "read"],
-      subject: "secrets",
-      conditions: {
-        secretPath: { [PermissionConditionOperators.$GLOB]: "/hello/**" }
-      }
-    }
-  ]);
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$EQ]: "/hello/world" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$IN]: ["/hello/world", "/hello/world2"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$GLOB]: "/hello/**/world" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator truthy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeTruthy();
-  });
-
-  test.each([
-    {
-      operator: PermissionConditionOperators.$EQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$EQ]: "/print" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$NEQ,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$NEQ]: "/hello/world" }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$IN,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$IN]: ["/", "/hello"] }
-          }
-        }
-      ])
-    },
-    {
-      operator: PermissionConditionOperators.$GLOB,
-      childPermission: createMongoAbility([
-        {
-          action: ["create"],
-          subject: "secrets",
-          conditions: {
-            secretPath: { [PermissionConditionOperators.$GLOB]: "/hello**" }
-          }
-        }
-      ])
-    }
-  ])("Child $operator falsy cases", ({ childPermission }) => {
-    const permissionBoundary = validatePermissionBoundary(parentPermission, childPermission);
-    expect(permissionBoundary.isValid).toBeFalsy();
-  });
-});
--- a/backend/src/lib/casl/boundary.ts
+++ b/backend/src/lib/casl/boundary.ts
@@ -1,249 +0,0 @@
-import { MongoAbility } from "@casl/ability";
-import { MongoQuery } from "@ucast/mongo2js";
-import picomatch from "picomatch";
-
-import { PermissionConditionOperators } from "./index";
-
-type TMissingPermission = {
-  action: string;
-  subject: string;
-  conditions?: MongoQuery;
-};
-
-type TPermissionConditionShape = {
-  [PermissionConditionOperators.$EQ]: string;
-  [PermissionConditionOperators.$NEQ]: string;
-  [PermissionConditionOperators.$GLOB]: string;
-  [PermissionConditionOperators.$IN]: string[];
-};
-
-const getPermissionSetID = (action: string, subject: string) => `${action}:${subject}`;
-const invertTheOperation = (shouldInvert: boolean, operation: boolean) => (shouldInvert ? !operation : operation);
-const formatConditionOperator = (condition: TPermissionConditionShape | string) => {
-  return (
-    typeof condition === "string" ? { [PermissionConditionOperators.$EQ]: condition } : condition
-  ) as TPermissionConditionShape;
-};
-
-const isOperatorsASubset = (parentSet: TPermissionConditionShape, subset: TPermissionConditionShape) => {
-  // we compute each operator against each other in left hand side and right hand side
-  if (subset[PermissionConditionOperators.$EQ] || subset[PermissionConditionOperators.$NEQ]) {
-    const subsetOperatorValue = subset[PermissionConditionOperators.$EQ] || subset[PermissionConditionOperators.$NEQ];
-    const isInverted = !subset[PermissionConditionOperators.$EQ];
-    if (
-      parentSet[PermissionConditionOperators.$EQ] &&
-      invertTheOperation(isInverted, parentSet[PermissionConditionOperators.$EQ] !== subsetOperatorValue)
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$NEQ] &&
-      invertTheOperation(isInverted, parentSet[PermissionConditionOperators.$NEQ] === subsetOperatorValue)
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$IN] &&
-      invertTheOperation(isInverted, !parentSet[PermissionConditionOperators.$IN].includes(subsetOperatorValue))
-    ) {
-      return false;
-    }
-    // ne and glob cannot match each other
-    if (parentSet[PermissionConditionOperators.$GLOB] && isInverted) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$GLOB] &&
-      !picomatch.isMatch(subsetOperatorValue, parentSet[PermissionConditionOperators.$GLOB], { strictSlashes: false })
-    ) {
-      return false;
-    }
-  }
-  if (subset[PermissionConditionOperators.$IN]) {
-    const subsetOperatorValue = subset[PermissionConditionOperators.$IN];
-    if (
-      parentSet[PermissionConditionOperators.$EQ] &&
-      (subsetOperatorValue.length !== 1 || subsetOperatorValue[0] !== parentSet[PermissionConditionOperators.$EQ])
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$NEQ] &&
-      subsetOperatorValue.includes(parentSet[PermissionConditionOperators.$NEQ])
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$IN] &&
-      !subsetOperatorValue.every((el) => parentSet[PermissionConditionOperators.$IN].includes(el))
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$GLOB] &&
-      !subsetOperatorValue.every((el) =>
-        picomatch.isMatch(el, parentSet[PermissionConditionOperators.$GLOB], {
-          strictSlashes: false
-        })
-      )
-    ) {
-      return false;
-    }
-  }
-  if (subset[PermissionConditionOperators.$GLOB]) {
-    const subsetOperatorValue = subset[PermissionConditionOperators.$GLOB];
-    const { isGlob } = picomatch.scan(subsetOperatorValue);
-    // if it's glob, all other fixed operators would make this superset because glob is powerful. like eq
-    // example: $in [dev, prod] => glob: dev** could mean anything starting with dev: thus is bigger
-    if (
-      isGlob &&
-      Object.keys(parentSet).some(
-        (el) => el !== PermissionConditionOperators.$GLOB && el !== PermissionConditionOperators.$NEQ
-      )
-    ) {
-      return false;
-    }
-
-    if (
-      parentSet[PermissionConditionOperators.$EQ] &&
-      parentSet[PermissionConditionOperators.$EQ] !== subsetOperatorValue
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$NEQ] &&
-      picomatch.isMatch(parentSet[PermissionConditionOperators.$NEQ], subsetOperatorValue, {
-        strictSlashes: false
-      })
-    ) {
-      return false;
-    }
-    // if parent set is IN, glob cannot be used for children - It's a bigger scope
-    if (
-      parentSet[PermissionConditionOperators.$IN] &&
-      !parentSet[PermissionConditionOperators.$IN].includes(subsetOperatorValue)
-    ) {
-      return false;
-    }
-    if (
-      parentSet[PermissionConditionOperators.$GLOB] &&
-      !picomatch.isMatch(subsetOperatorValue, parentSet[PermissionConditionOperators.$GLOB], {
-        strictSlashes: false
-      })
-    ) {
-      return false;
-    }
-  }
-  return true;
-};
-
-const isSubsetForSamePermissionSubjectAction = (
-  parentSetRules: ReturnType<MongoAbility["possibleRulesFor"]>,
-  subsetRules: ReturnType<MongoAbility["possibleRulesFor"]>,
-  appendToMissingPermission: (condition?: MongoQuery) => void
-) => {
-  const isMissingConditionInParent = parentSetRules.every((el) => !el.conditions);
-  if (isMissingConditionInParent) return true;
-
-  // all subset rules must pass in comparison to parent rul
-  return subsetRules.every((subsetRule) => {
-    const subsetRuleConditions = subsetRule.conditions as Record<string, TPermissionConditionShape | string>;
-    // compare subset rule with all parent rules
-    const isSubsetOfNonInvertedParentSet = parentSetRules
-      .filter((el) => !el.inverted)
-      .some((parentSetRule) => {
-        // get conditions and iterate
-        const parentSetRuleConditions = parentSetRule?.conditions as Record<string, TPermissionConditionShape | string>;
-        if (!parentSetRuleConditions) return true;
-        return Object.keys(parentSetRuleConditions).every((parentConditionField) => {
-          // if parent condition is missing then it's never a subset
-          if (!subsetRuleConditions?.[parentConditionField]) return false;
-
-          // standardize the conditions plain string operator => $eq function
-          const parentRuleConditionOperators = formatConditionOperator(parentSetRuleConditions[parentConditionField]);
-          const selectedSubsetRuleCondition = subsetRuleConditions?.[parentConditionField];
-          const subsetRuleConditionOperators = formatConditionOperator(selectedSubsetRuleCondition);
-          return isOperatorsASubset(parentRuleConditionOperators, subsetRuleConditionOperators);
-        });
-      });
-
-    const invertedParentSetRules = parentSetRules.filter((el) => el.inverted);
-    const isNotSubsetOfInvertedParentSet = invertedParentSetRules.length
-      ? !invertedParentSetRules.some((parentSetRule) => {
-          // get conditions and iterate
-          const parentSetRuleConditions = parentSetRule?.conditions as Record<
-            string,
-            TPermissionConditionShape | string
-          >;
-          if (!parentSetRuleConditions) return true;
-          return Object.keys(parentSetRuleConditions).every((parentConditionField) => {
-            // if parent condition is missing then it's never a subset
-            if (!subsetRuleConditions?.[parentConditionField]) return false;
-
-            // standardize the conditions plain string operator => $eq function
-            const parentRuleConditionOperators = formatConditionOperator(parentSetRuleConditions[parentConditionField]);
-            const selectedSubsetRuleCondition = subsetRuleConditions?.[parentConditionField];
-            const subsetRuleConditionOperators = formatConditionOperator(selectedSubsetRuleCondition);
-            return isOperatorsASubset(parentRuleConditionOperators, subsetRuleConditionOperators);
-          });
-        })
-      : true;
-    const isSubset = isSubsetOfNonInvertedParentSet && isNotSubsetOfInvertedParentSet;
-    if (!isSubset) {
-      appendToMissingPermission(subsetRule.conditions);
-    }
-    return isSubset;
-  });
-};
-
-export const validatePermissionBoundary = (parentSetPermissions: MongoAbility, subsetPermissions: MongoAbility) => {
-  const checkedPermissionRules = new Set<string>();
-  const missingPermissions: TMissingPermission[] = [];
-
-  subsetPermissions.rules.forEach((subsetPermissionRules) => {
-    const subsetPermissionSubject = subsetPermissionRules.subject.toString();
-    let subsetPermissionActions: string[] = [];
-
-    // actions can be string or string[]
-    if (typeof subsetPermissionRules.action === "string") {
-      subsetPermissionActions.push(subsetPermissionRules.action);
-    } else {
-      subsetPermissionRules.action.forEach((subsetPermissionAction) => {
-        subsetPermissionActions.push(subsetPermissionAction);
-      });
-    }
-
-    // if action is already processed ignore
-    subsetPermissionActions = subsetPermissionActions.filter(
-      (el) => !checkedPermissionRules.has(getPermissionSetID(el, subsetPermissionSubject))
-    );
-
-    if (!subsetPermissionActions.length) return;
-    subsetPermissionActions.forEach((subsetPermissionAction) => {
-      const parentSetRulesOfSubset = parentSetPermissions.possibleRulesFor(
-        subsetPermissionAction,
-        subsetPermissionSubject
-      );
-      const nonInveretedOnes = parentSetRulesOfSubset.filter((el) => !el.inverted);
-      if (!nonInveretedOnes.length) {
-        missingPermissions.push({ action: subsetPermissionAction, subject: subsetPermissionSubject });
-        return;
-      }
-
-      const subsetRules = subsetPermissions.possibleRulesFor(subsetPermissionAction, subsetPermissionSubject);
-      isSubsetForSamePermissionSubjectAction(parentSetRulesOfSubset, subsetRules, (conditions) => {
-        missingPermissions.push({ action: subsetPermissionAction, subject: subsetPermissionSubject, conditions });
-      });
-    });
-
-    subsetPermissionActions.forEach((el) =>
-      checkedPermissionRules.add(getPermissionSetID(el, subsetPermissionSubject))
-    );
-  });
-
-  if (missingPermissions.length) {
-    return { isValid: false as const, missingPermissions };
-  }
-
-  return { isValid: true };
-};
--- a/backend/src/lib/casl/index.ts
+++ b/backend/src/lib/casl/index.ts
@@ -1,5 +1,5 @@
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
-import { buildMongoQueryMatcher } from "@casl/ability";
+import { buildMongoQueryMatcher, MongoAbility } from "@casl/ability";
 import { FieldCondition, FieldInstruction, JsInterpreter } from "@ucast/mongo2js";
 import picomatch from "picomatch";

@@ -20,8 +20,45 @@ const glob: JsInterpreter<FieldCondition<string>> = (node, object, context) => {

 export const conditionsMatcher = buildMongoQueryMatcher({ $glob }, { glob });

+/**
+ * Extracts and formats permissions from a CASL Ability object or a raw permission set.
+ */
+const extractPermissions = (ability: MongoAbility) => {
+  const permissions: string[] = [];
+  ability.rules.forEach((permission) => {
+    if (typeof permission.action === "string") {
+      permissions.push(`${permission.action}_${permission.subject as string}`);
+    } else {
+      permission.action.forEach((permissionAction) => {
+        permissions.push(`${permissionAction}_${permission.subject as string}`);
+      });
+    }
+  });
+  return permissions;
+};
+
+/**
+ * Compares two sets of permissions to determine if the first set is at least as privileged as the second set.
+ * The function checks if all permissions in the second set are contained within the first set and if the first set has equal or more permissions.
+ *
+ */
+export const isAtLeastAsPrivileged = (permissions1: MongoAbility, permissions2: MongoAbility) => {
+  const set1 = new Set(extractPermissions(permissions1));
+  const set2 = new Set(extractPermissions(permissions2));
+
+  for (const perm of set2) {
+    if (!set1.has(perm)) {
+      return false;
+    }
+  }
+
+  return set1.size >= set2.size;
+};
+
 export enum PermissionConditionOperators {
  $IN = "$in",
+  $ALL = "$all",
+  $REGEX = "$regex",
  $EQ = "$eq",
  $NEQ = "$ne",
  $GLOB = "$glob"
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@@ -1,5 +1,4 @@
 /* eslint-disable max-classes-per-file */
-
 export class DatabaseError extends Error {
  name: string;

@@ -53,18 +52,10 @@ export class ForbiddenRequestError extends Error {

  error: unknown;

-  details?: unknown;
-
-  constructor({
-    name,
-    error,
-    message,
-    details
-  }: { message?: string; name?: string; error?: unknown; details?: unknown } = {}) {
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown } = {}) {
    super(message ?? "You are not allowed to access this resource");
    this.name = name || "ForbiddenError";
    this.error = error;
-    this.details = details;
  }
 }

--- a/backend/src/lib/gateway/index.ts
+++ b/backend/src/lib/gateway/index.ts
@@ -2,7 +2,7 @@
 import crypto from "node:crypto";
 import net from "node:net";

-import quicDefault, * as quicModule from "@infisical/quic";
+import * as quic from "@infisical/quic";

 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -10,8 +10,6 @@ import { logger } from "../logger";
 const DEFAULT_MAX_RETRIES = 3;
 const DEFAULT_RETRY_DELAY = 1000; // 1 second

-const quic = quicDefault || quicModule;
-
 const parseSubjectDetails = (data: string) => {
  const values: Record<string, string> = {};
  data.split("\n").forEach((el) => {
@@ -96,7 +94,6 @@ export const pingGatewayAndVerify = async ({
      error: err as Error
    });
  });
-
  for (let attempt = 1; attempt <= maxRetries; attempt += 1) {
    try {
      const stream = quicClient.connection.newStream("bidi");
@@ -109,13 +106,17 @@ export const pingGatewayAndVerify = async ({
      const { value, done } = await reader.read();

      if (done) {
-        throw new Error("Gateway closed before receiving PONG");
+        throw new BadRequestError({
+          message: "Gateway closed before receiving PONG"
+        });
      }

      const response = Buffer.from(value).toString();

      if (response !== "PONG\n" && response !== "PONG") {
-        throw new Error(`Failed to Ping. Unexpected response: ${response}`);
+        throw new BadRequestError({
+          message: `Failed to Ping. Unexpected response: ${response}`
+        });
      }

      reader.releaseLock();
@@ -143,7 +144,6 @@ interface TProxyServer {
  server: net.Server;
  port: number;
  cleanup: () => Promise<void>;
-  getProxyError: () => string;
 }

 const setupProxyServer = async ({
@@ -168,7 +168,6 @@ const setupProxyServer = async ({
      error: err as Error
    });
  });
-  const proxyErrorMsg = [""];

  return new Promise((resolve, reject) => {
    const server = net.createServer();
@@ -184,33 +183,31 @@ const setupProxyServer = async ({
        const forwardWriter = stream.writable.getWriter();
        await forwardWriter.write(Buffer.from(`FORWARD-TCP ${targetHost}:${targetPort}\n`));
        forwardWriter.releaseLock();
-
+        /* eslint-disable @typescript-eslint/no-misused-promises */
        // Set up bidirectional copy
-        const setupCopy = () => {
+        const setupCopy = async () => {
          // Client to QUIC
          // eslint-disable-next-line
          (async () => {
-            const writer = stream.writable.getWriter();
+            try {
+              const writer = stream.writable.getWriter();

-            // Create a handler for client data
-            clientConn.on("data", (chunk) => {
-              writer.write(chunk).catch((err) => {
-                proxyErrorMsg.push((err as Error)?.message);
+              // Create a handler for client data
+              clientConn.on("data", async (chunk) => {
+                await writer.write(chunk);
              });
-            });

-            // Handle client connection close
-            clientConn.on("end", () => {
-              writer.close().catch((err) => {
-                logger.error(err);
+              // Handle client connection close
+              clientConn.on("end", async () => {
+                await writer.close();
              });
-            });

-            clientConn.on("error", (clientConnErr) => {
-              writer.abort(clientConnErr?.message).catch((err) => {
-                proxyErrorMsg.push((err as Error)?.message);
+              clientConn.on("error", async (err) => {
+                await writer.abort(err);
              });
-            });
+            } catch (err) {
+              clientConn.destroy();
+            }
          })();

          // QUIC to Client
@@ -239,18 +236,15 @@ const setupProxyServer = async ({
                }
              }
            } catch (err) {
-              proxyErrorMsg.push((err as Error)?.message);
              clientConn.destroy();
            }
          })();
        };
-
-        setupCopy();
+        await setupCopy();
+        //
        // Handle connection closure
-        clientConn.on("close", () => {
-          stream.destroy().catch((err) => {
-            proxyErrorMsg.push((err as Error)?.message);
-          });
+        clientConn.on("close", async () => {
+          await stream.destroy();
        });

        const cleanup = async () => {
@@ -258,18 +252,13 @@ const setupProxyServer = async ({
          await stream.destroy();
        };

-        clientConn.on("error", (clientConnErr) => {
-          logger.error(clientConnErr, "Client socket error");
-          cleanup().catch((err) => {
-            logger.error(err, "Client conn cleanup");
-          });
+        clientConn.on("error", (err) => {
+          logger.error(err, "Client socket error");
+          void cleanup();
+          reject(err);
        });

-        clientConn.on("end", () => {
-          cleanup().catch((err) => {
-            logger.error(err, "Client conn end");
-          });
-        });
+        clientConn.on("end", cleanup);
      } catch (err) {
        logger.error(err, "Failed to establish target connection:");
        clientConn.end();
@@ -281,12 +270,12 @@ const setupProxyServer = async ({
      reject(err);
    });

-    server.on("close", () => {
-      quicClient?.destroy().catch((err) => {
-        logger.error(err, "Failed to destroy quic client");
-      });
+    server.on("close", async () => {
+      await quicClient?.destroy();
    });

+    /* eslint-enable */
+
    server.listen(0, () => {
      const address = server.address();
      if (!address || typeof address === "string") {
@@ -302,8 +291,7 @@ const setupProxyServer = async ({
        cleanup: async () => {
          server.close();
          await quicClient?.destroy();
-        },
-        getProxyError: () => proxyErrorMsg.join(",")
+        }
      });
    });
  });
@@ -326,7 +314,7 @@ export const withGatewayProxy = async (
  const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;

  // Setup the proxy server
-  const { port, cleanup, getProxyError } = await setupProxyServer({
+  const { port, cleanup } = await setupProxyServer({
    targetHost,
    targetPort,
    relayPort,
@@ -340,12 +328,8 @@ export const withGatewayProxy = async (
    // Execute the callback with the allocated port
    await callback(port);
  } catch (err) {
-    const proxyErrorMessage = getProxyError();
-    if (proxyErrorMessage) {
-      logger.error(new Error(proxyErrorMessage), "Failed to proxy");
-    }
-    logger.error(err, "Failed to do gateway");
-    throw new BadRequestError({ message: proxyErrorMessage || (err as Error)?.message });
+    logger.error(err, "Failed to proxy");
+    throw new BadRequestError({ message: (err as Error)?.message });
  } finally {
    // Ensure cleanup happens regardless of success or failure
    await cleanup();
--- a/backend/src/lib/turn/credentials.ts
+++ b/backend/src/lib/turn/credentials.ts
@@ -1,6 +1,6 @@
 import crypto from "node:crypto";

-const TURN_TOKEN_TTL = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
+const TURN_TOKEN_TTL = 60 * 60 * 1000; // 24 hours in milliseconds
 export const getTurnCredentials = (id: string, authSecret: string, ttl = TURN_TOKEN_TTL) => {
  const timestamp = Math.floor((Date.now() + ttl) / 1000);
  const username = `${timestamp}:${id}`;
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -83,14 +83,6 @@ const run = async () => {
    process.exit(0);
  });

-  process.on("uncaughtException", (error) => {
-    logger.error(error, "CRITICAL ERROR: Uncaught Exception");
-  });
-
-  process.on("unhandledRejection", (error) => {
-    logger.error(error, "CRITICAL ERROR: Unhandled Promise Rejection");
-  });
-
  await server.listen({
    port: envConfig.PORT,
    host: envConfig.HOST,
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -21,7 +21,6 @@ import {
  TQueueSecretSyncSyncSecretsByIdDTO,
  TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
-import { TWebhookPayloads } from "@app/services/webhook/webhook-types";

 export enum QueueName {
  SecretRotation = "secret-rotation",
@@ -108,7 +107,7 @@ export type TQueueJobTypes = {
  };
  [QueueName.SecretWebhook]: {
    name: QueueJobs.SecWebhook;
-    payload: TWebhookPayloads;
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
  };

  [QueueName.AccessTokenStatusUpdate]:
--- a/backend/src/server/lib/schemas.ts
+++ b/backend/src/server/lib/schemas.ts
@@ -21,10 +21,3 @@ export const slugSchema = ({ min = 1, max = 32, field = "Slug" }: SlugSchemaInpu
      message: `${field} field can only contain lowercase letters, numbers, and hyphens`
    });
 };
-
-export const GenericResourceNameSchema = z
-  .string()
-  .trim()
-  .min(1, { message: "Name must be at least 1 character" })
-  .max(64, { message: "Name must be 64 or fewer characters" })
-  .regex(/^[a-zA-Z0-9\-_\s]+$/, "Name can only contain alphanumeric characters, dashes, underscores, and spaces");
--- a/backend/src/server/lib/utils.ts
+++ b/backend/src/server/lib/utils.ts
@@ -0,0 +1,8 @@
+export const QUERY_TIMEOUT = 121000; // 2 mins (query timeout) with padding
+
+export const extendTimeout =
+  (timeoutMs: number) =>
+  (request: { raw: { socket: { setTimeout: (ms: number) => void } } }, reply: unknown, done: () => void) => {
+    request.raw.socket.setTimeout(timeoutMs);
+    done();
+  };
--- a/backend/src/server/plugins/error-handler.ts
+++ b/backend/src/server/plugins/error-handler.ts
@@ -122,8 +122,7 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
        reqId: req.id,
        statusCode: HttpStatusCodes.Forbidden,
        message: error.message,
-        error: error.name,
-        details: error?.details
+        error: error.name
      });
    } else if (error instanceof RateLimitError) {
      void res.status(HttpStatusCodes.TooManyRequests).send({
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -635,7 +635,6 @@ export const registerRoutes = async (
  });
  const superAdminService = superAdminServiceFactory({
    userDAL,
-    identityDAL,
    userAliasDAL,
    authService: loginService,
    serverCfgDAL: superAdminDAL,
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@@ -7,7 +7,6 @@ import {
  ProjectRolesSchema,
  ProjectsSchema,
  SecretApprovalPoliciesSchema,
-  SecretTagsSchema,
  UsersSchema
 } from "@app/db/schemas";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -112,16 +111,7 @@ export const secretRawSchema = z.object({
  secretReminderRepeatDays: z.number().nullable().optional(),
  skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date(),
-  actor: z
-    .object({
-      actorId: z.string().nullable().optional(),
-      actorType: z.string().nullable().optional(),
-      name: z.string().nullable().optional(),
-      membershipId: z.string().nullable().optional()
-    })
-    .optional()
-    .nullable()
+  updatedAt: z.date()
 });

 export const ProjectPermissionSchema = z.object({
@@ -242,11 +232,3 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
  kmsCertificateKeyId: true,
  auditLogsRetentionDays: true
 });
-
-export const SanitizedTagSchema = SecretTagsSchema.pick({
-  id: true,
-  slug: true,
-  color: true
-}).extend({
-  name: z.string()
-});
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@@ -1,7 +1,7 @@
 import DOMPurify from "isomorphic-dompurify";
 import { z } from "zod";

-import { IdentitiesSchema, OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
+import { OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -118,12 +118,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      querystring: z.object({
        searchTerm: z.string().default(""),
        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().max(100).default(20),
-        // TODO: remove this once z.coerce.boolean() is supported
-        adminsOnly: z
-          .string()
-          .transform((val) => val === "true")
-          .default("false")
+        limit: z.coerce.number().max(100).default(20)
      }),
      response: {
        200: z.object({
@@ -154,43 +149,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
    }
  });

-  server.route({
-    method: "GET",
-    url: "/identity-management/identities",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      querystring: z.object({
-        searchTerm: z.string().default(""),
-        offset: z.coerce.number().default(0),
-        limit: z.coerce.number().max(100).default(20)
-      }),
-      response: {
-        200: z.object({
-          identities: IdentitiesSchema.pick({
-            name: true,
-            id: true
-          }).array()
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      const identities = await server.services.superAdmin.getIdentities({
-        ...req.query
-      });
-
-      return {
-        identities
-      };
-    }
-  });
-
  server.route({
    method: "GET",
    url: "/integrations/slack/config",
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -18,10 +18,6 @@ import {
 } from "@app/services/app-connection/databricks";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
-import {
-  HumanitecConnectionListItemSchema,
-  SanitizedHumanitecConnectionSchema
-} from "@app/services/app-connection/humanitec";
 import { AuthMode } from "@app/services/auth/auth-type";

 // can't use discriminated due to multiple schemas for certain apps
@@ -31,8 +27,7 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedGcpConnectionSchema.options,
  ...SanitizedAzureKeyVaultConnectionSchema.options,
  ...SanitizedAzureAppConfigurationConnectionSchema.options,
-  ...SanitizedDatabricksConnectionSchema.options,
-  ...SanitizedHumanitecConnectionSchema.options
+  ...SanitizedDatabricksConnectionSchema.options
 ]);

 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -41,8 +36,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  GcpConnectionListItemSchema,
  AzureKeyVaultConnectionListItemSchema,
  AzureAppConfigurationConnectionListItemSchema,
-  DatabricksConnectionListItemSchema,
-  HumanitecConnectionListItemSchema
+  DatabricksConnectionListItemSchema
 ]);

 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v1/app-connection-routers/humanitec-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/humanitec-connection-router.ts
@@ -1,69 +0,0 @@
-import z from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateHumanitecConnectionSchema,
-  HumanitecOrgWithApps,
-  SanitizedHumanitecConnectionSchema,
-  UpdateHumanitecConnectionSchema
-} from "@app/services/app-connection/humanitec";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerHumanitecConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.Humanitec,
-    server,
-    sanitizedResponseSchema: SanitizedHumanitecConnectionSchema,
-    createSchema: CreateHumanitecConnectionSchema,
-    updateSchema: UpdateHumanitecConnectionSchema
-  });
-
-  // The below endpoints are not exposed and for Infisical App use
-  server.route({
-    method: "GET",
-    url: `/:connectionId/organizations`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z
-          .object({
-            id: z.string(),
-            name: z.string(),
-            apps: z
-              .object({
-                id: z.string(),
-                name: z.string(),
-                envs: z
-                  .object({
-                    id: z.string(),
-                    name: z.string()
-                  })
-                  .array()
-              })
-              .array()
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const organizations: HumanitecOrgWithApps[] = await server.services.appConnection.humanitec.listOrganizations(
-        connectionId,
-        req.permission
-      );
-
-      return organizations;
-    }
-  });
-};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -6,7 +6,6 @@ import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connect
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
-import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";

 export * from "./app-connection-router";

@@ -17,6 +16,5 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.GCP]: registerGcpConnectionRouter,
    [AppConnection.AzureKeyVault]: registerAzureKeyVaultConnectionRouter,
    [AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter,
-    [AppConnection.Databricks]: registerDatabricksConnectionRouter,
-    [AppConnection.Humanitec]: registerHumanitecConnectionRouter
+    [AppConnection.Databricks]: registerDatabricksConnectionRouter
  };
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -1,11 +1,10 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { z } from "zod";

-import { ActionProjectType, SecretFoldersSchema, SecretImportsSchema } from "@app/db/schemas";
+import { ActionProjectType, SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import {
  ProjectPermissionDynamicSecretActions,
-  ProjectPermissionSecretActions,
  ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { DASHBOARD } from "@app/lib/api-docs";
@@ -16,7 +15,7 @@ import { secretsLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedDynamicSecretSchema, SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
@@ -117,10 +116,16 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          dynamicSecrets: SanitizedDynamicSecretSchema.extend({ environment: z.string() }).array().optional(),
          secrets: secretRawSchema
            .extend({
-              secretValueHidden: z.boolean(),
              secretPath: z.string().optional(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
            })
            .array()
            .optional(),
@@ -289,7 +294,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {

        if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
          secrets = await server.services.secret.getSecretsRawMultiEnv({
-            viewSecretValue: true,
            actorId: req.permission.id,
            actor: req.permission.type,
            actorOrgId: req.permission.orgId,
@@ -389,7 +393,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          .optional(),
        search: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.search).optional(),
        tags: z.string().trim().transform(decodeURIComponent).describe(DASHBOARD.SECRET_DETAILS_LIST.tags).optional(),
-        viewSecretValue: booleanSchema.default(true),
        includeSecrets: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeSecrets),
        includeFolders: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeFolders),
        includeDynamicSecrets: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeDynamicSecrets),
@@ -407,10 +410,16 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          dynamicSecrets: SanitizedDynamicSecretSchema.array().optional(),
          secrets: secretRawSchema
            .extend({
-              secretValueHidden: z.boolean(),
              secretPath: z.string().optional(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
            })
            .array()
            .optional(),
@@ -592,25 +601,23 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          });

          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
-            secrets = (
-              await server.services.secret.getSecretsRaw({
-                actorId: req.permission.id,
-                actor: req.permission.type,
-                viewSecretValue: req.query.viewSecretValue,
-                throwOnMissingReadValuePermission: false,
-                actorOrgId: req.permission.orgId,
-                environment,
-                actorAuthMethod: req.permission.authMethod,
-                projectId,
-                path: secretPath,
-                orderBy,
-                orderDirection,
-                search,
-                limit: remainingLimit,
-                offset: adjustedOffset,
-                tagSlugs: tags
-              })
-            ).secrets;
+            const secretsRaw = await server.services.secret.getSecretsRaw({
+              actorId: req.permission.id,
+              actor: req.permission.type,
+              actorOrgId: req.permission.orgId,
+              environment,
+              actorAuthMethod: req.permission.authMethod,
+              projectId,
+              path: secretPath,
+              orderBy,
+              orderDirection,
+              search,
+              limit: remainingLimit,
+              offset: adjustedOffset,
+              tagSlugs: tags
+            });
+
+            secrets = secretsRaw.secrets;

            await server.services.auditLog.createAuditLog({
              projectId,
@@ -689,10 +696,16 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
            .optional(),
          secrets: secretRawSchema
            .extend({
-              secretValueHidden: z.boolean(),
              secretPath: z.string().optional(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
            })
            .array()
            .optional()
@@ -736,7 +749,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {

      const secrets = await server.services.secret.getSecretsRawByFolderMappings(
        {
-          filterByAction: ProjectPermissionSecretActions.DescribeSecret,
          projectId,
          folderMappings,
          filters: {
@@ -834,52 +846,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
    }
  });

-  server.route({
-    method: "GET",
-    url: "/accessible-secrets",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      querystring: z.object({
-        projectId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        filterByAction: z
-          .enum([ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSecretActions.ReadValue])
-          .default(ProjectPermissionSecretActions.ReadValue)
-      }),
-      response: {
-        200: z.object({
-          secrets: secretRawSchema
-            .extend({
-              secretPath: z.string().optional(),
-              secretValueHidden: z.boolean()
-            })
-            .array()
-            .optional()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { projectId, environment, secretPath, filterByAction } = req.query;
-
-      const { secrets } = await server.services.secret.getAccessibleSecrets({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        environment,
-        secretPath,
-        projectId,
-        filterByAction
-      });
-
-      return { secrets };
-    }
-  });
-
  server.route({
    method: "GET",
    url: "/secrets-by-keys",
@@ -896,17 +862,22 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
        projectId: z.string().trim(),
        environment: z.string().trim(),
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        keys: z.string().trim().transform(decodeURIComponent),
-        viewSecretValue: booleanSchema.default(false)
+        keys: z.string().trim().transform(decodeURIComponent)
      }),
      response: {
        200: z.object({
          secrets: secretRawSchema
            .extend({
-              secretValueHidden: z.boolean(),
              secretPath: z.string().optional(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
            })
            .array()
            .optional()
@@ -915,7 +886,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { secretPath, projectId, environment, viewSecretValue } = req.query;
+      const { secretPath, projectId, environment } = req.query;

      const keys = req.query.keys?.split(",").filter((key) => Boolean(key.trim())) ?? [];
      if (!keys.length) throw new BadRequestError({ message: "One or more keys required" });
@@ -924,7 +895,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
-        viewSecretValue,
        environment,
        actorAuthMethod: req.permission.authMethod,
        projectId,
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@@ -91,6 +91,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
      await projectRouter.register(registerProjectMembershipRouter);
      await projectRouter.register(registerSecretTagRouter);
    },
+
    { prefix: "/workspace" }
  );

--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -13,7 +13,8 @@ import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-t
 import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { GenericResourceNameSchema, slugSchema } from "@app/server/lib/schemas";
+import { slugSchema } from "@app/server/lib/schemas";
+import { extendTimeout, QUERY_TIMEOUT } from "@app/server/lib/utils";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
 import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
@@ -108,6 +109,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: readLimit
    },
+    preHandler: extendTimeout(QUERY_TIMEOUT),
    schema: {
      description: "Get all audit logs for an organization",
      querystring: z.object({
@@ -251,14 +253,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      body: z.object({
-        name: GenericResourceNameSchema.optional(),
+        name: z.string().trim().max(64, { message: "Name must be 64 or fewer characters" }).optional(),
        slug: slugSchema({ max: 64 }).optional(),
        authEnforced: z.boolean().optional(),
        scimEnabled: z.boolean().optional(),
        defaultMembershipRoleSlug: slugSchema({ max: 64, field: "Default Membership Role" }).optional(),
        enforceMfa: z.boolean().optional(),
-        selectedMfaMethod: z.nativeEnum(MfaMethod).optional(),
-        allowSecretSharingOutsideOrganization: z.boolean().optional()
+        selectedMfaMethod: z.nativeEnum(MfaMethod).optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/password-router.ts
+++ b/backend/src/server/routes/v1/password-router.ts
@@ -6,7 +6,6 @@ import { authRateLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { validateSignUpAuthorization } from "@app/services/auth/auth-fns";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { UserEncryption } from "@app/services/user/user-types";

 export const registerPasswordRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -114,16 +113,20 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
+          message: z.string(),
          user: UsersSchema,
-          token: z.string(),
-          userEncryptionVersion: z.nativeEnum(UserEncryption)
+          token: z.string()
        })
      }
    },
    handler: async (req) => {
-      const passwordReset = await server.services.password.verifyPasswordResetEmail(req.body.email, req.body.code);
+      const { token, user } = await server.services.password.verifyPasswordResetEmail(req.body.email, req.body.code);

-      return passwordReset;
+      return {
+        message: "Successfully verified email",
+        user,
+        token
+      };
    }
  });

--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -2,12 +2,10 @@ import { z } from "zod";

 import {
  IntegrationsSchema,
-  ProjectEnvironmentsSchema,
  ProjectMembershipsSchema,
  ProjectRolesSchema,
  ProjectSlackConfigsSchema,
  ProjectType,
-  SecretFoldersSchema,
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
@@ -309,17 +307,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          .max(256, { message: "Description must be 256 or fewer characters" })
          .optional()
          .describe(PROJECTS.UPDATE.projectDescription),
-        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization),
-        slug: z
-          .string()
-          .trim()
-          .regex(
-            /^[a-z0-9]+(?:[_-][a-z0-9]+)*$/,
-            "Project slug can only contain lowercase letters and numbers, with optional single hyphens (-) or underscores (_) between words. Cannot start or end with a hyphen or underscore."
-          )
-          .max(64, { message: "Slug must be 64 characters or fewer" })
-          .optional()
-          .describe(PROJECTS.UPDATE.slug)
+        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
      }),
      response: {
        200: z.object({
@@ -337,8 +325,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        update: {
          name: req.body.name,
          description: req.body.description,
-          autoCapitalization: req.body.autoCapitalization,
-          slug: req.body.slug
+          autoCapitalization: req.body.autoCapitalization
        },
        actorAuthMethod: req.permission.authMethod,
        actorId: req.permission.id,
@@ -677,31 +664,4 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      return slackConfig;
    }
  });
-
-  server.route({
-    method: "GET",
-    url: "/:workspaceId/environment-folder-tree",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        workspaceId: z.string().trim()
-      }),
-      response: {
-        200: z.record(
-          ProjectEnvironmentsSchema.extend({ folders: SecretFoldersSchema.extend({ path: z.string() }).array() })
-        )
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const environmentsFolders = await server.services.folder.getProjectEnvironmentsFolders(
-        req.params.workspaceId,
-        req.permission
-      );
-
-      return environmentsFolders;
-    }
-  });
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/humanitec-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/humanitec-sync-router.ts
@@ -1,17 +0,0 @@
-import {
-  CreateHumanitecSyncSchema,
-  HumanitecSyncSchema,
-  UpdateHumanitecSyncSchema
-} from "@app/services/secret-sync/humanitec";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
-export const registerHumanitecSyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.Humanitec,
-    server,
-    responseSchema: HumanitecSyncSchema,
-    createSchema: CreateHumanitecSyncSchema,
-    updateSchema: UpdateHumanitecSyncSchema
-  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -7,7 +7,6 @@ import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
-import { registerHumanitecSyncRouter } from "./humanitec-sync-router";

 export * from "./secret-sync-router";

@@ -18,6 +17,5 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.GCPSecretManager]: registerGcpSyncRouter,
  [SecretSync.AzureKeyVault]: registerAzureKeyVaultSyncRouter,
  [SecretSync.AzureAppConfiguration]: registerAzureAppConfigurationSyncRouter,
-  [SecretSync.Databricks]: registerDatabricksSyncRouter,
-  [SecretSync.Humanitec]: registerHumanitecSyncRouter
+  [SecretSync.Databricks]: registerDatabricksSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -21,7 +21,6 @@ import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/s
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
-import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";

 const SecretSyncSchema = z.discriminatedUnion("destination", [
  AwsParameterStoreSyncSchema,
@@ -30,8 +29,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  GcpSyncSchema,
  AzureKeyVaultSyncSchema,
  AzureAppConfigurationSyncSchema,
-  DatabricksSyncSchema,
-  HumanitecSyncSchema
+  DatabricksSyncSchema
 ]);

 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -41,8 +39,7 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  GcpSyncListItemSchema,
  AzureKeyVaultSyncListItemSchema,
  AzureAppConfigurationSyncListItemSchema,
-  DatabricksSyncListItemSchema,
-  HumanitecSyncListItemSchema
+  DatabricksSyncListItemSchema
 ]);

 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v2/index.ts
+++ b/backend/src/server/routes/v2/index.ts
@@ -3,7 +3,6 @@ import { registerIdentityOrgRouter } from "./identity-org-router";
 import { registerIdentityProjectRouter } from "./identity-project-router";
 import { registerMfaRouter } from "./mfa-router";
 import { registerOrgRouter } from "./organization-router";
-import { registerPasswordRouter } from "./password-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
 import { registerServiceTokenRouter } from "./service-token-router";
@@ -13,7 +12,6 @@ export const registerV2Routes = async (server: FastifyZodProvider) => {
  await server.register(registerMfaRouter, { prefix: "/auth" });
  await server.register(registerUserRouter, { prefix: "/users" });
  await server.register(registerServiceTokenRouter, { prefix: "/service-token" });
-  await server.register(registerPasswordRouter, { prefix: "/password" });
  await server.register(
    async (orgRouter) => {
      await orgRouter.register(registerOrgRouter);
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@@ -12,7 +12,6 @@ import {
 import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";

@@ -331,7 +330,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        name: GenericResourceNameSchema
+        name: z.string().trim()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v2/password-router.ts
+++ b/backend/src/server/routes/v2/password-router.ts
@@ -1,53 +0,0 @@
-import { z } from "zod";
-
-import { authRateLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { validatePasswordResetAuthorization } from "@app/services/auth/auth-fns";
-import { ResetPasswordV2Type } from "@app/services/auth/auth-password-type";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerPasswordRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/password-reset",
-    config: {
-      rateLimit: authRateLimit
-    },
-    schema: {
-      body: z.object({
-        newPassword: z.string().trim()
-      })
-    },
-    handler: async (req) => {
-      const token = validatePasswordResetAuthorization(req.headers.authorization);
-      await server.services.password.resetPasswordV2({
-        type: ResetPasswordV2Type.Recovery,
-        newPassword: req.body.newPassword,
-        userId: token.userId
-      });
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/user/password-reset",
-    schema: {
-      body: z.object({
-        oldPassword: z.string().trim(),
-        newPassword: z.string().trim()
-      })
-    },
-    config: {
-      rateLimit: authRateLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
-    handler: async (req) => {
-      await server.services.password.resetPasswordV2({
-        type: ResetPasswordV2Type.LoggedInReset,
-        userId: req.permission.id,
-        newPassword: req.body.newPassword,
-        oldPassword: req.body.oldPassword
-      });
-    }
-  });
-};
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -1,7 +1,13 @@
 import picomatch from "picomatch";
 import { z } from "zod";

-import { SecretApprovalRequestsSchema, SecretsSchema, SecretType, ServiceTokenScopes } from "@app/db/schemas";
+import {
+  SecretApprovalRequestsSchema,
+  SecretsSchema,
+  SecretTagsSchema,
+  SecretType,
+  ServiceTokenScopes
+} from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -17,7 +23,7 @@ import { SecretOperations, SecretProtectionType } from "@app/services/secret/sec
 import { SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

-import { SanitizedTagSchema, secretRawSchema } from "../sanitizedSchemas";
+import { secretRawSchema } from "../sanitizedSchemas";

 const SecretReferenceNode = z.object({
  key: z.string(),
@@ -25,14 +31,6 @@ const SecretReferenceNode = z.object({
  environment: z.string(),
  secretPath: z.string()
 });
-
-const convertStringBoolean = (defaultValue: boolean = false) => {
-  return z
-    .enum(["true", "false"])
-    .default(defaultValue ? "true" : "false")
-    .transform((value) => value === "true");
-};
-
 type TSecretReferenceNode = z.infer<typeof SecretReferenceNode> & { children: TSecretReferenceNode[] };

 const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReferenceNode.extend({
@@ -77,9 +75,17 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          secret: SecretsSchema.omit({ secretBlindIndex: true }).extend({
-            tags: SanitizedTagSchema.array()
-          })
+          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
+            z.object({
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+            })
+          )
        })
      }
    },
@@ -133,7 +139,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          secret: SecretsSchema.omit({ secretBlindIndex: true }).extend({
-            tags: SanitizedTagSchema.array()
+            tags: SecretTagsSchema.pick({
+              id: true,
+              slug: true,
+              color: true
+            })
+              .extend({ name: z.string() })
+              .array()
          })
        })
      }
@@ -235,10 +247,21 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceSlug),
        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
-        viewSecretValue: convertStringBoolean(true).describe(RAW_SECRETS.LIST.viewSecretValue),
-        expandSecretReferences: convertStringBoolean().describe(RAW_SECRETS.LIST.expand),
-        recursive: convertStringBoolean().describe(RAW_SECRETS.LIST.recursive),
-        include_imports: convertStringBoolean().describe(RAW_SECRETS.LIST.includeImports),
+        expandSecretReferences: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.LIST.expand),
+        recursive: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.LIST.recursive),
+        include_imports: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.LIST.includeImports),
        tagSlugs: z
          .string()
          .describe(RAW_SECRETS.LIST.tagSlugs)
@@ -251,9 +274,15 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          secrets: secretRawSchema
            .extend({
              secretPath: z.string().optional(),
-              secretValueHidden: z.boolean(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
            })
            .array(),
          imports: z
@@ -264,7 +293,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
              secrets: secretRawSchema
                .omit({ createdAt: true, updatedAt: true })
                .extend({
-                  secretValueHidden: z.boolean(),
                  secretMetadata: ResourceMetadataSchema.optional()
                })
                .array()
@@ -314,7 +342,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        expandSecretReferences: req.query.expandSecretReferences,
        actorAuthMethod: req.permission.authMethod,
        projectId: workspaceId,
-        viewSecretValue: req.query.viewSecretValue,
        path: secretPath,
        metadataFilter: req.query.metadataFilter,
        includeImports: req.query.include_imports,
@@ -349,46 +376,10 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          }
        });
      }
-
      return { secrets, imports };
    }
  });

-  server.route({
-    method: "GET",
-    url: "/raw/id/:secretId",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      params: z.object({
-        secretId: z.string()
-      }),
-      response: {
-        200: z.object({
-          secret: secretRawSchema.extend({
-            secretPath: z.string(),
-            tags: SanitizedTagSchema.array().optional(),
-            secretMetadata: ResourceMetadataSchema.optional()
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { secretId } = req.params;
-      const secret = await server.services.secret.getSecretByIdRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretId
-      });
-
-      return { secret };
-    }
-  });
-
  server.route({
    method: "GET",
    url: "/raw/:secretName",
@@ -412,15 +403,28 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
-        viewSecretValue: convertStringBoolean(true).describe(RAW_SECRETS.GET.viewSecretValue),
-        expandSecretReferences: convertStringBoolean().describe(RAW_SECRETS.GET.expand),
-        include_imports: convertStringBoolean().describe(RAW_SECRETS.GET.includeImports)
+        expandSecretReferences: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.expand),
+        include_imports: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.includeImports)
      }),
      response: {
        200: z.object({
          secret: secretRawSchema.extend({
-            secretValueHidden: z.boolean(),
-            tags: SanitizedTagSchema.array().optional(),
+            tags: SecretTagsSchema.pick({
+              id: true,
+              slug: true,
+              color: true
+            })
+              .extend({ name: z.string() })
+              .array()
+              .optional(),
            secretMetadata: ResourceMetadataSchema.optional()
          })
        })
@@ -452,7 +456,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        expandSecretReferences: req.query.expandSecretReferences,
        environment,
        projectId: workspaceId,
-        viewSecretValue: req.query.viewSecretValue,
        projectSlug: workspaceSlug,
        path: secretPath,
        secretName: req.params.secretName,
@@ -659,9 +662,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secret: secretRawSchema.extend({
-              secretValueHidden: z.boolean()
-            })
+            secret: secretRawSchema
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
@@ -757,9 +758,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secret: secretRawSchema.extend({
-              secretValueHidden: z.boolean()
-            })
+            secret: secretRawSchema
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
@@ -781,7 +780,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      if (secretOperation.type === SecretProtectionType.Approval) {
        return { approval: secretOperation.approval };
      }
-
      const { secret } = secretOperation;

      await server.services.auditLog.createAuditLog({
@@ -844,7 +842,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
              workspace: z.string(),
              environment: z.string(),
              secretPath: z.string().optional(),
-              tags: SanitizedTagSchema.array()
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
            })
            .array(),
          imports: z
@@ -940,7 +944,10 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
        type: z.nativeEnum(SecretType).default(SecretType.Shared),
        version: z.coerce.number().optional(),
-        include_imports: convertStringBoolean()
+        include_imports: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
      }),
      response: {
        200: z.object({
@@ -1211,7 +1218,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          z.object({
            secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
              z.object({
-                secretValueHidden: z.boolean(),
                _id: z.string(),
                workspace: z.string(),
                environment: z.string()
@@ -1381,12 +1387,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secret: SecretsSchema.omit({ secretBlindIndex: true }).extend({
-              _id: z.string(),
-              secretValueHidden: z.boolean(),
-              workspace: z.string(),
-              environment: z.string()
-            })
+            secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
+              z.object({
+                _id: z.string(),
+                workspace: z.string(),
+                environment: z.string()
+              })
+            )
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
@@ -1698,7 +1705,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secrets: SecretsSchema.omit({ secretBlindIndex: true }).extend({ secretValueHidden: z.boolean() }).array()
+            secrets: SecretsSchema.omit({ secretBlindIndex: true }).array()
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
@@ -1813,11 +1820,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secrets: SecretsSchema.omit({ secretBlindIndex: true })
-              .extend({
-                secretValueHidden: z.boolean()
-              })
-              .array()
+            secrets: SecretsSchema.omit({ secretBlindIndex: true }).array()
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
@@ -2079,7 +2082,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secrets: secretRawSchema.extend({ secretValueHidden: z.boolean() }).array()
+            secrets: secretRawSchema.array()
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
@@ -2201,11 +2204,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.union([
          z.object({
-            secrets: secretRawSchema
-              .extend({
-                secretValueHidden: z.boolean()
-              })
-              .array()
+            secrets: secretRawSchema.array()
          }),
          z.object({ approval: SecretApprovalRequestsSchema }).describe("When secret protection policy is enabled")
        ])
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@@ -4,7 +4,6 @@ import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError } from "@app/lib/errors";
 import { authRateLimit } from "@app/server/config/rateLimiter";
-import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

@@ -101,7 +100,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
        encryptedPrivateKeyTag: z.string().trim(),
        salt: z.string().trim(),
        verifier: z.string().trim(),
-        organizationName: GenericResourceNameSchema,
+        organizationName: z.string().trim().min(1),
        providerAuthToken: z.string().trim().optional().nullish(),
        attributionSource: z.string().trim().optional(),
        password: z.string()
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -4,8 +4,7 @@ export enum AppConnection {
  Databricks = "databricks",
  GCP = "gcp",
  AzureKeyVault = "azure-key-vault",
-  AzureAppConfiguration = "azure-app-configuration",
-  Humanitec = "humanitec"
+  AzureAppConfiguration = "azure-app-configuration"
 }

 export enum AWSRegion {
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -35,11 +35,6 @@ import {
  getAzureKeyVaultConnectionListItem,
  validateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
-import {
-  getHumanitecConnectionListItem,
-  HumanitecConnectionMethod,
-  validateHumanitecConnectionCredentials
-} from "./humanitec";

 export const listAppConnectionOptions = () => {
  return [
@@ -48,8 +43,7 @@ export const listAppConnectionOptions = () => {
    getGcpConnectionListItem(),
    getAzureKeyVaultConnectionListItem(),
    getAzureAppConfigurationConnectionListItem(),
-    getDatabricksConnectionListItem(),
-    getHumanitecConnectionListItem()
+    getDatabricksConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
 };

@@ -112,8 +106,6 @@ export const validateAppConnectionCredentials = async (
      return validateAzureKeyVaultConnectionCredentials(appConnection);
    case AppConnection.AzureAppConfiguration:
      return validateAzureAppConfigurationConnectionCredentials(appConnection);
-    case AppConnection.Humanitec:
-      return validateHumanitecConnectionCredentials(appConnection);
    default:
      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
      throw new Error(`Unhandled App Connection ${app}`);
@@ -136,8 +128,6 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
      return "Service Account Impersonation";
    case DatabricksConnectionMethod.ServicePrincipal:
      return "Service Principal";
-    case HumanitecConnectionMethod.API_TOKEN:
-      return "API Token";
    default:
      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
      throw new Error(`Unhandled App Connection Method: ${method}`);
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -6,6 +6,5 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.GCP]: "GCP",
  [AppConnection.AzureKeyVault]: "Azure Key Vault",
  [AppConnection.AzureAppConfiguration]: "Azure App Configuration",
-  [AppConnection.Databricks]: "Databricks",
-  [AppConnection.Humanitec]: "Humanitec"
+  [AppConnection.Databricks]: "Databricks"
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -35,8 +35,6 @@ import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
 import { gcpConnectionService } from "./gcp/gcp-connection-service";
 import { ValidateGitHubConnectionCredentialsSchema } from "./github";
 import { githubConnectionService } from "./github/github-connection-service";
-import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
-import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";

 export type TAppConnectionServiceFactoryDep = {
  appConnectionDAL: TAppConnectionDALFactory;
@@ -52,8 +50,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.GCP]: ValidateGcpConnectionCredentialsSchema,
  [AppConnection.AzureKeyVault]: ValidateAzureKeyVaultConnectionCredentialsSchema,
  [AppConnection.AzureAppConfiguration]: ValidateAzureAppConfigurationConnectionCredentialsSchema,
-  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema,
-  [AppConnection.Humanitec]: ValidateHumanitecConnectionCredentialsSchema
+  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema
 };

 export const appConnectionServiceFactory = ({
@@ -374,7 +371,6 @@ export const appConnectionServiceFactory = ({
    github: githubConnectionService(connectAppConnectionById),
    gcp: gcpConnectionService(connectAppConnectionById),
    databricks: databricksConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    aws: awsConnectionService(connectAppConnectionById),
-    humanitec: humanitecConnectionService(connectAppConnectionById)
+    aws: awsConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -32,12 +32,6 @@ import {
  TValidateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
 import { TGcpConnection, TGcpConnectionConfig, TGcpConnectionInput, TValidateGcpConnectionCredentials } from "./gcp";
-import {
-  THumanitecConnection,
-  THumanitecConnectionConfig,
-  THumanitecConnectionInput,
-  TValidateHumanitecConnectionCredentials
-} from "./humanitec";

 export type TAppConnection = { id: string } & (
  | TAwsConnection
@@ -46,7 +40,6 @@ export type TAppConnection = { id: string } & (
  | TAzureKeyVaultConnection
  | TAzureAppConfigurationConnection
  | TDatabricksConnection
-  | THumanitecConnection
 );

 export type TAppConnectionInput = { id: string } & (
@@ -56,7 +49,6 @@ export type TAppConnectionInput = { id: string } & (
  | TAzureKeyVaultConnectionInput
  | TAzureAppConfigurationConnectionInput
  | TDatabricksConnectionInput
-  | THumanitecConnectionInput
 );

 export type TCreateAppConnectionDTO = Pick<
@@ -74,8 +66,7 @@ export type TAppConnectionConfig =
  | TGcpConnectionConfig
  | TAzureKeyVaultConnectionConfig
  | TAzureAppConfigurationConnectionConfig
-  | TDatabricksConnectionConfig
-  | THumanitecConnectionConfig;
+  | TDatabricksConnectionConfig;

 export type TValidateAppConnectionCredentials =
  | TValidateAwsConnectionCredentials
@@ -83,8 +74,7 @@ export type TValidateAppConnectionCredentials =
  | TValidateGcpConnectionCredentials
  | TValidateAzureKeyVaultConnectionCredentials
  | TValidateAzureAppConfigurationConnectionCredentials
-  | TValidateDatabricksConnectionCredentials
-  | TValidateHumanitecConnectionCredentials;
+  | TValidateDatabricksConnectionCredentials;

 export type TListAwsConnectionKmsKeys = {
  connectionId: string;
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-enums.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-enums.ts
@@ -1,3 +0,0 @@
-export enum HumanitecConnectionMethod {
-  API_TOKEN = "api-token"
-}
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-fns.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-fns.ts
@@ -1,95 +0,0 @@
-import { AxiosError, AxiosResponse } from "axios";
-
-import { request } from "@app/lib/config/request";
-import { BadRequestError, InternalServerError } from "@app/lib/errors";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
-
-import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
-import {
-  HumanitecApp,
-  HumanitecOrg,
-  HumanitecOrgWithApps,
-  THumanitecConnection,
-  THumanitecConnectionConfig
-} from "./humanitec-connection-types";
-
-export const getHumanitecConnectionListItem = () => {
-  return {
-    name: "Humanitec" as const,
-    app: AppConnection.Humanitec as const,
-    methods: Object.values(HumanitecConnectionMethod) as [HumanitecConnectionMethod.API_TOKEN]
-  };
-};
-
-export const validateHumanitecConnectionCredentials = async (config: THumanitecConnectionConfig) => {
-  const { credentials: inputCredentials } = config;
-
-  let response: AxiosResponse<HumanitecOrg[]> | null = null;
-
-  try {
-    response = await request.get<HumanitecOrg[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs`, {
-      headers: {
-        Authorization: `Bearer ${inputCredentials.apiToken}`
-      }
-    });
-  } catch (error: unknown) {
-    if (error instanceof AxiosError) {
-      throw new BadRequestError({
-        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
-      });
-    }
-    throw new BadRequestError({
-      message: "Unable to validate connection - verify credentials"
-    });
-  }
-
-  if (!response?.data) {
-    throw new InternalServerError({
-      message: "Failed to get organizations: Response was empty"
-    });
-  }
-
-  return inputCredentials;
-};
-
-export const listOrganizations = async (appConnection: THumanitecConnection): Promise<HumanitecOrgWithApps[]> => {
-  const {
-    credentials: { apiToken }
-  } = appConnection;
-  const response = await request.get<HumanitecOrg[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs`, {
-    headers: {
-      Authorization: `Bearer ${apiToken}`
-    }
-  });
-
-  if (!response.data) {
-    throw new InternalServerError({
-      message: "Failed to get organizations: Response was empty"
-    });
-  }
-  const orgs = response.data;
-  const orgsWithApps: HumanitecOrgWithApps[] = [];
-
-  for (const org of orgs) {
-    // eslint-disable-next-line no-await-in-loop
-    const appsResponse = await request.get<HumanitecApp[]>(`${IntegrationUrls.HUMANITEC_API_URL}/orgs/${org.id}/apps`, {
-      headers: {
-        Authorization: `Bearer ${apiToken}`
-      }
-    });
-
-    if (appsResponse.data) {
-      const apps = appsResponse.data;
-      orgsWithApps.push({
-        ...org,
-        apps: apps.map((app) => ({
-          name: app.name,
-          id: app.id,
-          envs: app.envs
-        }))
-      });
-    }
-  }
-  return orgsWithApps;
-};
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-schemas.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-schemas.ts
@@ -1,58 +0,0 @@
-import z from "zod";
-
-import { AppConnections } from "@app/lib/api-docs";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  BaseAppConnectionSchema,
-  GenericCreateAppConnectionFieldsSchema,
-  GenericUpdateAppConnectionFieldsSchema
-} from "@app/services/app-connection/app-connection-schemas";
-
-import { HumanitecConnectionMethod } from "./humanitec-connection-enums";
-
-export const HumanitecConnectionAccessTokenCredentialsSchema = z.object({
-  apiToken: z.string().trim().min(1, "API Token required")
-});
-
-const BaseHumanitecConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Humanitec) });
-
-export const HumanitecConnectionSchema = BaseHumanitecConnectionSchema.extend({
-  method: z.literal(HumanitecConnectionMethod.API_TOKEN),
-  credentials: HumanitecConnectionAccessTokenCredentialsSchema
-});
-
-export const SanitizedHumanitecConnectionSchema = z.discriminatedUnion("method", [
-  BaseHumanitecConnectionSchema.extend({
-    method: z.literal(HumanitecConnectionMethod.API_TOKEN),
-    credentials: HumanitecConnectionAccessTokenCredentialsSchema.pick({})
-  })
-]);
-
-export const ValidateHumanitecConnectionCredentialsSchema = z.discriminatedUnion("method", [
-  z.object({
-    method: z
-      .literal(HumanitecConnectionMethod.API_TOKEN)
-      .describe(AppConnections?.CREATE(AppConnection.Humanitec).method),
-    credentials: HumanitecConnectionAccessTokenCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.Humanitec).credentials
-    )
-  })
-]);
-
-export const CreateHumanitecConnectionSchema = ValidateHumanitecConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.Humanitec)
-);
-
-export const UpdateHumanitecConnectionSchema = z
-  .object({
-    credentials: HumanitecConnectionAccessTokenCredentialsSchema.optional().describe(
-      AppConnections.UPDATE(AppConnection.Humanitec).credentials
-    )
-  })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Humanitec));
-
-export const HumanitecConnectionListItemSchema = z.object({
-  name: z.literal("Humanitec"),
-  app: z.literal(AppConnection.Humanitec),
-  methods: z.nativeEnum(HumanitecConnectionMethod).array()
-});
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-service.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-service.ts
@@ -1,29 +0,0 @@
-import { logger } from "@app/lib/logger";
-import { OrgServiceActor } from "@app/lib/types";
-
-import { AppConnection } from "../app-connection-enums";
-import { listOrganizations as getHumanitecOrganizations } from "./humanitec-connection-fns";
-import { THumanitecConnection } from "./humanitec-connection-types";
-
-type TGetAppConnectionFunc = (
-  app: AppConnection,
-  connectionId: string,
-  actor: OrgServiceActor
-) => Promise<THumanitecConnection>;
-
-export const humanitecConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
-  const listOrganizations = async (connectionId: string, actor: OrgServiceActor) => {
-    const appConnection = await getAppConnection(AppConnection.Humanitec, connectionId, actor);
-    try {
-      const organizations = await getHumanitecOrganizations(appConnection);
-      return organizations;
-    } catch (error) {
-      logger.error(error, "Failed to establish connection with Humanitec");
-      return [];
-    }
-  };
-
-  return {
-    listOrganizations
-  };
-};
--- a/backend/src/services/app-connection/humanitec/humanitec-connection-types.ts
+++ b/backend/src/services/app-connection/humanitec/humanitec-connection-types.ts
@@ -1,40 +0,0 @@
-import z from "zod";
-
-import { DiscriminativePick } from "@app/lib/types";
-
-import { AppConnection } from "../app-connection-enums";
-import {
-  CreateHumanitecConnectionSchema,
-  HumanitecConnectionSchema,
-  ValidateHumanitecConnectionCredentialsSchema
-} from "./humanitec-connection-schemas";
-
-export type THumanitecConnection = z.infer<typeof HumanitecConnectionSchema>;
-
-export type THumanitecConnectionInput = z.infer<typeof CreateHumanitecConnectionSchema> & {
-  app: AppConnection.Humanitec;
-};
-
-export type TValidateHumanitecConnectionCredentials = typeof ValidateHumanitecConnectionCredentialsSchema;
-
-export type THumanitecConnectionConfig = DiscriminativePick<
-  THumanitecConnectionInput,
-  "method" | "app" | "credentials"
-> & {
-  orgId: string;
-};
-
-export type HumanitecOrg = {
-  id: string;
-  name: string;
-};
-
-export type HumanitecApp = {
-  name: string;
-  id: string;
-  envs: { name: string; id: string }[];
-};
-
-export type HumanitecOrgWithApps = HumanitecOrg & {
-  apps: HumanitecApp[];
-};
--- a/backend/src/services/app-connection/humanitec/index.ts
+++ b/backend/src/services/app-connection/humanitec/index.ts
@@ -1,4 +0,0 @@
-export * from "./humanitec-connection-enums";
-export * from "./humanitec-connection-fns";
-export * from "./humanitec-connection-schemas";
-export * from "./humanitec-connection-types";
--- a/backend/src/services/auth/auth-fns.ts
+++ b/backend/src/services/auth/auth-fns.ts
@@ -45,36 +45,6 @@ export const validateSignUpAuthorization = (token: string, userId: string, valid
  if (decodedToken.userId !== userId) throw new UnauthorizedError();
 };

-export const validatePasswordResetAuthorization = (token?: string) => {
-  if (!token) throw new UnauthorizedError();
-
-  const appCfg = getConfig();
-  const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>token?.split(" ", 2) ?? [null, null];
-  if (AUTH_TOKEN_TYPE === null) {
-    throw new UnauthorizedError({ message: "Missing Authorization Header in the request header." });
-  }
-  if (AUTH_TOKEN_TYPE.toLowerCase() !== "bearer") {
-    throw new UnauthorizedError({
-      message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`
-    });
-  }
-  if (AUTH_TOKEN_VALUE === null) {
-    throw new UnauthorizedError({
-      message: "Missing Authorization Body in the request header"
-    });
-  }
-
-  const decodedToken = jwt.verify(AUTH_TOKEN_VALUE, appCfg.AUTH_SECRET) as AuthModeProviderSignUpTokenPayload;
-
-  if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) {
-    throw new UnauthorizedError({
-      message: `The provided authentication token type is not supported.`
-    });
-  }
-
-  return decodedToken;
-};
-
 export const enforceUserLockStatus = (isLocked: boolean, temporaryLockDateEnd?: Date | null) => {
  if (isLocked) {
    throw new ForbiddenRequestError({
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@@ -4,10 +4,7 @@ import jwt from "jsonwebtoken";
 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { generateUserSrpKeys } from "@app/lib/crypto/srp";
 import { BadRequestError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";

 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
@@ -15,13 +12,10 @@ import { TokenType } from "../auth-token/auth-token-types";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TTotpConfigDALFactory } from "../totp/totp-config-dal";
 import { TUserDALFactory } from "../user/user-dal";
-import { UserEncryption } from "../user/user-types";
 import { TAuthDALFactory } from "./auth-dal";
 import {
-  ResetPasswordV2Type,
  TChangePasswordDTO,
  TCreateBackupPrivateKeyDTO,
-  TResetPasswordV2DTO,
  TResetPasswordViaBackupKeyDTO,
  TSetupPasswordViaBackupKeyDTO
 } from "./auth-password-type";
@@ -120,31 +114,26 @@ export const authPaswordServiceFactory = ({
   * Email password reset flow via email. Step 1 send email
   */
  const sendPasswordResetEmail = async (email: string) => {
-    const sendEmail = async () => {
-      const user = await userDAL.findUserByUsername(email);
+    const user = await userDAL.findUserByUsername(email);
+    // ignore as user is not found to avoid an outside entity to identify infisical registered accounts
+    if (!user || (user && !user.isAccepted)) return;

-      if (user && user.isAccepted) {
-        const cfg = getConfig();
-        const token = await tokenService.createTokenForUser({
-          type: TokenType.TOKEN_EMAIL_PASSWORD_RESET,
-          userId: user.id
-        });
+    const cfg = getConfig();
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_PASSWORD_RESET,
+      userId: user.id
+    });

-        await smtpService.sendMail({
-          template: SmtpTemplates.ResetPassword,
-          recipients: [email],
-          subjectLine: "Infisical password reset",
-          substitutions: {
-            email,
-            token,
-            callback_url: cfg.SITE_URL ? `${cfg.SITE_URL}/password-reset` : ""
-          }
-        });
+    await smtpService.sendMail({
+      template: SmtpTemplates.ResetPassword,
+      recipients: [email],
+      subjectLine: "Infisical password reset",
+      substitutions: {
+        email,
+        token,
+        callback_url: cfg.SITE_URL ? `${cfg.SITE_URL}/password-reset` : ""
      }
-    };
-
-    // note(daniel): run in background to prevent timing attacks
-    void sendEmail().catch((err) => logger.error(err, "Failed to send password reset email"));
+    });
  };

  /*
@@ -153,11 +142,6 @@ export const authPaswordServiceFactory = ({
  const verifyPasswordResetEmail = async (email: string, code: string) => {
    const cfg = getConfig();
    const user = await userDAL.findUserByUsername(email);
-
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-
-    if (!userEnc) throw new BadRequestError({ message: "Failed to find user encryption data" });
-
    // ignore as user is not found to avoid an outside entity to identify infisical registered accounts
    if (!user || (user && !user.isAccepted)) {
      throw new Error("Failed email verification for pass reset");
@@ -178,91 +162,8 @@ export const authPaswordServiceFactory = ({
      { expiresIn: cfg.JWT_SIGNUP_LIFETIME }
    );

-    return { token, user, userEncryptionVersion: userEnc.encryptionVersion as UserEncryption };
+    return { token, user };
  };
-
-  const resetPasswordV2 = async ({ userId, newPassword, type, oldPassword }: TResetPasswordV2DTO) => {
-    const cfg = getConfig();
-
-    const user = await userDAL.findUserEncKeyByUserId(userId);
-    if (!user) {
-      throw new BadRequestError({ message: `User encryption key not found for user with ID '${userId}'` });
-    }
-
-    if (!user.hashedPassword) {
-      throw new BadRequestError({ message: "Unable to reset password, no password is set" });
-    }
-
-    if (!user.authMethods?.includes(AuthMethod.EMAIL)) {
-      throw new BadRequestError({ message: "Unable to reset password, no email authentication method is configured" });
-    }
-
-    // we check the old password if the user is resetting their password while logged in
-    if (type === ResetPasswordV2Type.LoggedInReset) {
-      if (!oldPassword) {
-        throw new BadRequestError({ message: "Current password is required." });
-      }
-
-      const isValid = await bcrypt.compare(oldPassword, user.hashedPassword);
-      if (!isValid) {
-        throw new BadRequestError({ message: "Incorrect current password." });
-      }
-    }
-
-    const newHashedPassword = await bcrypt.hash(newPassword, cfg.BCRYPT_SALT_ROUND);
-
-    // we need to get the original private key first for v2
-    let privateKey: string;
-    if (
-      user.serverEncryptedPrivateKey &&
-      user.serverEncryptedPrivateKeyTag &&
-      user.serverEncryptedPrivateKeyIV &&
-      user.serverEncryptedPrivateKeyEncoding &&
-      user.encryptionVersion === UserEncryption.V2
-    ) {
-      privateKey = infisicalSymmetricDecrypt({
-        iv: user.serverEncryptedPrivateKeyIV,
-        tag: user.serverEncryptedPrivateKeyTag,
-        ciphertext: user.serverEncryptedPrivateKey,
-        keyEncoding: user.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
-      });
-    } else {
-      throw new BadRequestError({
-        message: "Cannot reset password without current credentials or recovery method",
-        name: "Reset password"
-      });
-    }
-
-    const encKeys = await generateUserSrpKeys(user.username, newPassword, {
-      publicKey: user.publicKey,
-      privateKey
-    });
-
-    const { tag, iv, ciphertext, encoding } = infisicalSymmetricEncypt(privateKey);
-
-    await userDAL.updateUserEncryptionByUserId(userId, {
-      hashedPassword: newHashedPassword,
-
-      // srp params
-      salt: encKeys.salt,
-      verifier: encKeys.verifier,
-
-      protectedKey: encKeys.protectedKey,
-      protectedKeyIV: encKeys.protectedKeyIV,
-      protectedKeyTag: encKeys.protectedKeyTag,
-      encryptedPrivateKey: encKeys.encryptedPrivateKey,
-      iv: encKeys.encryptedPrivateKeyIV,
-      tag: encKeys.encryptedPrivateKeyTag,
-
-      serverEncryptedPrivateKey: ciphertext,
-      serverEncryptedPrivateKeyIV: iv,
-      serverEncryptedPrivateKeyTag: tag,
-      serverEncryptedPrivateKeyEncoding: encoding
-    });
-
-    await tokenService.revokeAllMySessions(userId);
-  };
-
  /*
   * Reset password of a user via backup key
   * */
@@ -490,7 +391,6 @@ export const authPaswordServiceFactory = ({
    createBackupPrivateKey,
    getBackupPrivateKeyOfUser,
    sendPasswordSetupEmail,
-    setupPassword,
-    resetPasswordV2
+    setupPassword
  };
 };
--- a/backend/src/services/auth/auth-password-type.ts
+++ b/backend/src/services/auth/auth-password-type.ts
@@ -13,18 +13,6 @@ export type TChangePasswordDTO = {
  password: string;
 };

-export enum ResetPasswordV2Type {
-  Recovery = "recovery",
-  LoggedInReset = "logged-in-reset"
-}
-
-export type TResetPasswordV2DTO = {
-  type: ResetPasswordV2Type;
-  userId: string;
-  newPassword: string;
-  oldPassword?: string;
-};
-
 export type TResetPasswordViaBackupKeyDTO = {
  userId: string;
  protectedKey: string;
--- a/backend/src/services/external-migration/external-migration-fns.ts
+++ b/backend/src/services/external-migration/external-migration-fns.ts
@@ -31,9 +31,9 @@ export type TImportDataIntoInfisicalDTO = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findLastEnvPosition" | "create" | "findOne">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;

-  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "find">;
+  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences" | "findBySecretKeys">;
  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "create">;
-  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create" | "find">;
+  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;

  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
@@ -772,10 +772,6 @@ export const importDataIntoInfisicalFn = async ({
            secretVersionDAL,
            secretTagDAL,
            secretVersionTagDAL,
-            actor: {
-              type: actor,
-              actorId
-            },
            tx
          });
        }
--- a/backend/src/services/external-migration/external-migration-queue.ts
+++ b/backend/src/services/external-migration/external-migration-queue.ts
@@ -27,9 +27,9 @@ export type TExternalMigrationQueueFactoryDep = {
  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findLastEnvPosition" | "create" | "findOne">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;

-  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences" | "findBySecretKeys" | "find">;
+  secretDAL: Pick<TSecretV2BridgeDALFactory, "insertMany" | "upsertSecretReferences" | "findBySecretKeys">;
  secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "create">;
-  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create" | "find">;
+  secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
  secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;

  folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath" | "findOne" | "findById">;
--- a/backend/src/services/group-project/group-project-service.ts
+++ b/backend/src/services/group-project/group-project-service.ts
@@ -4,7 +4,7 @@ import ms from "ms";
 import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -102,13 +102,11 @@ export const groupProjectServiceFactory = ({
        project.id
      );

-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to assign group to a more privileged role",
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+      const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPrivileges) {
+        throw new ForbiddenRequestError({ message: "Failed to assign group to a more privileged role" });
+      }
    }

    // validate custom roles input
@@ -269,13 +267,12 @@ export const groupProjectServiceFactory = ({
        requestedRoleChange,
        project.id
      );
-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to assign group to a more privileged role",
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+
+      const hasRequiredPrivileges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPrivileges) {
+        throw new ForbiddenRequestError({ message: "Failed to assign group to a more privileged role" });
+      }
    }

    // validate custom roles input
--- a/backend/src/services/identity-access-token/identity-access-token-service.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-service.ts
@@ -78,7 +78,9 @@ export const identityAccessTokenServiceFactory = ({
  const renewAccessToken = async ({ accessToken }: TRenewAccessTokenDTO) => {
    const appCfg = getConfig();

-    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as TIdentityAccessTokenJwtPayload;
+    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as JwtPayload & {
+      identityAccessTokenId: string;
+    };
    if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) {
      throw new BadRequestError({ message: "Only identity access tokens can be renewed" });
    }
@@ -125,23 +127,7 @@ export const identityAccessTokenServiceFactory = ({
      accessTokenLastRenewedAt: new Date()
    });

-    const renewedToken = jwt.sign(
-      {
-        identityId: decodedToken.identityId,
-        clientSecretId: decodedToken.clientSecretId,
-        identityAccessTokenId: decodedToken.identityAccessTokenId,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
-      } as TIdentityAccessTokenJwtPayload,
-      appCfg.AUTH_SECRET,
-      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
-      Number(identityAccessToken.accessTokenTTL) === 0
-        ? undefined
-        : {
-            expiresIn: Number(identityAccessToken.accessTokenTTL)
-          }
-    );
-
-    return { accessToken: renewedToken, identityAccessToken: updatedIdentityAccessToken };
+    return { accessToken, identityAccessToken: updatedIdentityAccessToken };
  };

  const revokeAccessToken = async (accessToken: string) => {
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -7,7 +7,7 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -339,12 +339,9 @@ export const identityAwsAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke aws auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke aws auth of identity with more privileged role"
      });

    const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -5,7 +5,7 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -312,12 +312,9 @@ export const identityAzureAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke azure auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke azure auth of identity with more privileged role"
      });

    const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -5,7 +5,7 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -358,12 +358,9 @@ export const identityGcpAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke gcp auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke gcp auth of identity with more privileged role"
      });

    const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
@@ -7,7 +7,7 @@ import { IdentityAuthMethod, TIdentityJwtAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -78,22 +78,14 @@ export const identityJwtAuthServiceFactory = ({
    let tokenData: Record<string, string | boolean | number> = {};

    if (identityJwtAuth.configurationType === JwtConfigurationType.JWKS) {
-      let client: JwksClient;
-      if (identityJwtAuth.jwksUrl.includes("https:")) {
-        const decryptedJwksCaCert = orgDataKeyDecryptor({
-          cipherTextBlob: identityJwtAuth.encryptedJwksCaCert
-        }).toString();
-
-        const requestAgent = new https.Agent({ ca: decryptedJwksCaCert, rejectUnauthorized: !!decryptedJwksCaCert });
-        client = new JwksClient({
-          jwksUri: identityJwtAuth.jwksUrl,
-          requestAgent
-        });
-      } else {
-        client = new JwksClient({
-          jwksUri: identityJwtAuth.jwksUrl
-        });
-      }
+      const decryptedJwksCaCert = orgDataKeyDecryptor({
+        cipherTextBlob: identityJwtAuth.encryptedJwksCaCert
+      }).toString();
+      const requestAgent = new https.Agent({ ca: decryptedJwksCaCert, rejectUnauthorized: !!decryptedJwksCaCert });
+      const client = new JwksClient({
+        jwksUri: identityJwtAuth.jwksUrl,
+        requestAgent
+      });

      const { kid } = decodedToken.header;
      const jwtSigningKey = await client.getSigningKey(kid);
@@ -516,13 +508,11 @@ export const identityJwtAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission)) {
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke jwt auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke JWT auth of identity with more privileged role"
      });
+    }

    const revokedIdentityJwtAuth = await identityJwtAuthDAL.transaction(async (tx) => {
      const deletedJwtAuth = await identityJwtAuthDAL.delete({ identityId }, tx);
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -7,7 +7,7 @@ import { IdentityAuthMethod, TIdentityKubernetesAuthsUpdate } from "@app/db/sche
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -487,12 +487,9 @@ export const identityKubernetesAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke kubernetes auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke kubernetes auth of identity with more privileged role"
      });

    const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@@ -8,7 +8,7 @@ import { IdentityAuthMethod, TIdentityOidcAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -428,13 +428,11 @@ export const identityOidcAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission)) {
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke oidc auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke OIDC auth of identity with more privileged role"
      });
+    }

    const revokedIdentityOidcAuth = await identityOidcAuthDAL.transaction(async (tx) => {
      const deletedOidcAuth = await identityOidcAuthDAL.delete({ identityId }, tx);
--- a/backend/src/services/identity-project/identity-project-service.ts
+++ b/backend/src/services/identity-project/identity-project-service.ts
@@ -4,7 +4,7 @@ import ms from "ms";
 import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";

@@ -91,13 +91,11 @@ export const identityProjectServiceFactory = ({
        projectId
      );

-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to assign to a more privileged role",
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPriviledges) {
+        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
+      }
    }

    // validate custom roles input
@@ -187,13 +185,9 @@ export const identityProjectServiceFactory = ({
        projectId
      );

-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to change to a more privileged role",
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+      if (!isAtLeastAsPrivileged(permission, rolePermission)) {
+        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
+      }
    }

    // validate custom roles input
@@ -283,13 +277,8 @@ export const identityProjectServiceFactory = ({
      actorOrgId,
      actionProjectType: ActionProjectType.Any
    });
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to remove more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    if (!isAtLeastAsPrivileged(permission, identityRolePermission))
+      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });

    const [deletedIdentity] = await identityProjectDAL.delete({ identityId, projectId });
    return deletedIdentity;
--- a/backend/src/services/identity-token-auth/identity-token-auth-service.ts
+++ b/backend/src/services/identity-token-auth/identity-token-auth-service.ts
@@ -5,7 +5,7 @@ import { IdentityAuthMethod, TableName } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
@@ -245,13 +245,11 @@ export const identityTokenAuthServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission)) {
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke token auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke Token Auth of identity with more privileged role"
      });
+    }

    const revokedIdentityTokenAuth = await identityTokenAuthDAL.transaction(async (tx) => {
      const deletedTokenAuth = await identityTokenAuthDAL.delete({ identityId }, tx);
@@ -297,12 +295,10 @@ export const identityTokenAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to create token for identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to create token for identity with more privileged role"
      });

    const identityTokenAuth = await identityTokenAuthDAL.findOne({ identityId });
@@ -419,12 +415,10 @@ export const identityTokenAuthServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update token for identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to update token for identity with more privileged role"
      });

    const [token] = await identityAccessTokenDAL.update(
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@@ -8,7 +8,7 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { checkIPAgainstBlocklist, extractIPDetails, isValidIpOrCidr, TIp } from "@app/lib/ip";
@@ -367,12 +367,9 @@ export const identityUaServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke universal auth of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke universal auth of identity with more privileged role"
      });

    const revokedIdentityUniversalAuth = await identityUaDAL.transaction(async (tx) => {
@@ -417,12 +414,10 @@ export const identityUaServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to create client secret for a more privileged identity.",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to add identity to project with more privileged role"
      });

    const appCfg = getConfig();
@@ -480,12 +475,9 @@ export const identityUaServiceFactory = ({
      actorOrgId
    );

-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to get identity client secret with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to add identity to project with more privileged role"
      });

    const identityUniversalAuth = await identityUaDAL.findOne({
@@ -532,12 +524,9 @@ export const identityUaServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to read identity client secret of identity with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to read identity client secret of project with more privileged role"
      });

    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
@@ -577,12 +566,10 @@ export const identityUaServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
+
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to revoke identity client secret with more privileged role",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
+        message: "Failed to revoke identity client secret with more privileged role"
      });

    const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
--- a/backend/src/services/identity/identity-dal.ts
+++ b/backend/src/services/identity/identity-dal.ts
@@ -1,42 +1,10 @@
 import { TDbClient } from "@app/db";
-import { TableName, TIdentities } from "@app/db/schemas";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-import { DatabaseError } from "@app/lib/errors";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";

 export type TIdentityDALFactory = ReturnType<typeof identityDALFactory>;

 export const identityDALFactory = (db: TDbClient) => {
  const identityOrm = ormify(db, TableName.Identity);
-
-  const getIdentitiesByFilter = async ({
-    limit,
-    offset,
-    searchTerm,
-    sortBy
-  }: {
-    limit: number;
-    offset: number;
-    searchTerm: string;
-    sortBy?: keyof TIdentities;
-  }) => {
-    try {
-      let query = db.replicaNode()(TableName.Identity);
-
-      if (searchTerm) {
-        query = query.where((qb) => {
-          void qb.whereILike("name", `%${searchTerm}%`);
-        });
-      }
-
-      if (sortBy) {
-        query = query.orderBy(sortBy);
-      }
-
-      return await query.limit(limit).offset(offset).select(selectAllTableCols(TableName.Identity));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Get identities by filter" });
-    }
-  };
-
-  return { ...identityOrm, getIdentitiesByFilter };
+  return identityOrm;
 };
--- a/backend/src/services/identity/identity-service.ts
+++ b/backend/src/services/identity/identity-service.ts
@@ -4,7 +4,7 @@ import { OrgMembershipRole, TableName, TOrgRoles } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";

@@ -58,13 +58,9 @@ export const identityServiceFactory = ({
      orgId
    );
    const isCustomRole = Boolean(customRole);
-    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to create a more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to create a more privileged identity" });

    const plan = await licenseService.getPlan(orgId);

@@ -133,13 +129,9 @@ export const identityServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to update a more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });

    let customRole: TOrgRoles | undefined;
    if (role) {
@@ -149,13 +141,9 @@ export const identityServiceFactory = ({
      );

      const isCustomRole = Boolean(customOrgRole);
-      const appliedRolePermissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!appliedRolePermissionBoundary.isValid)
-        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: "Failed to create a more privileged identity",
-          details: { missingPermissions: appliedRolePermissionBoundary.missingPermissions }
-        });
+      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
+      if (!hasRequiredNewRolePermission)
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged identity" });
      if (isCustomRole) customRole = customOrgRole;
    }

@@ -228,13 +216,9 @@ export const identityServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
-    if (!permissionBoundary.isValid)
-      throw new ForbiddenRequestError({
-        name: "PermissionBoundaryError",
-        message: "Failed to delete more privileged identity",
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });

    const deletedIdentity = await identityDAL.deleteById(id);

--- a/backend/src/services/integration-auth/integration-auth-service.ts
+++ b/backend/src/services/integration-auth/integration-auth-service.ts
@@ -114,27 +114,20 @@ export const integrationAuthServiceFactory = ({
  const listOrgIntegrationAuth = async ({ actorId, actor, actorOrgId, actorAuthMethod }: TGenericPermission) => {
    const authorizations = await integrationAuthDAL.getByOrg(actorOrgId as string);

-    const filteredAuthorizations = await Promise.all(
-      authorizations.map(async (auth) => {
-        try {
-          const { permission } = await permissionService.getProjectPermission({
-            actor,
-            actorId,
-            projectId: auth.projectId,
-            actorAuthMethod,
-            actorOrgId,
-            actionProjectType: ActionProjectType.SecretManager
-          });
+    return Promise.all(
+      authorizations.filter(async (auth) => {
+        const { permission } = await permissionService.getProjectPermission({
+          actor,
+          actorId,
+          projectId: auth.projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actionProjectType: ActionProjectType.SecretManager
+        });

-          return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations) ? auth : null;
-        } catch (error) {
-          // user does not belong to the project that the integration auth belongs to
-          return null;
-        }
+        return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
      })
    );
-
-    return filteredAuthorizations.filter((auth): auth is NonNullable<typeof auth> => auth !== null);
  };

  const getIntegrationAuth = async ({ actor, id, actorId, actorAuthMethod, actorOrgId }: TGetIntegrationAuthDTO) => {
--- a/backend/src/services/integration-auth/integration-delete-secret.ts
+++ b/backend/src/services/integration-auth/integration-delete-secret.ts
@@ -68,8 +68,7 @@ const getIntegrationSecretsV2 = async (
    secretDAL: secretV2BridgeDAL,
    secretImportDAL,
    secretImports,
-    hasSecretAccess: () => true,
-    viewSecretValue: true
+    hasSecretAccess: () => true
  });

  for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
--- a/backend/src/services/integration-auth/integration-list.ts
+++ b/backend/src/services/integration-auth/integration-list.ts
@@ -93,7 +93,6 @@ export enum IntegrationUrls {
  NORTHFLANK_API_URL = "https://api.northflank.com",
  HASURA_CLOUD_API_URL = "https://data.pro.hasura.io/v1/graphql",
  AZURE_DEVOPS_API_URL = "https://dev.azure.com",
-  HUMANITEC_API_URL = "https://api.humanitec.io",

  GCP_SECRET_MANAGER_SERVICE_NAME = "secretmanager.googleapis.com",
  GCP_SECRET_MANAGER_URL = `https://${GCP_SECRET_MANAGER_SERVICE_NAME}`,
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@@ -1,13 +1,8 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, subject } from "@casl/ability";

 import { ActionProjectType } from "@app/db/schemas";
-import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSecretActions,
-  ProjectPermissionSub
-} from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";

@@ -96,10 +91,13 @@ export const integrationServiceFactory = ({
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);

-    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-      environment: sourceEnvironment,
-      secretPath
-    });
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment: sourceEnvironment,
+        secretPath
+      })
+    );

    const folder = await folderDAL.findBySecretPath(integrationAuth.projectId, sourceEnvironment, secretPath);
    if (!folder) {
@@ -176,10 +174,13 @@ export const integrationServiceFactory = ({
    const newSecretPath = secretPath || integration.secretPath;

    if (environment || secretPath) {
-      throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-        environment: newEnvironment,
-        secretPath: newSecretPath
-      });
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, {
+          environment: newEnvironment,
+          secretPath: newSecretPath
+        })
+      );
    }

    const folder = await folderDAL.findBySecretPath(integration.projectId, newEnvironment, newSecretPath);
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -19,11 +19,7 @@ import {
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import {
-  OrgPermissionActions,
-  OrgPermissionSecretShareAction,
-  OrgPermissionSubjects
-} from "@app/ee/services/permission/org-permission";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
@@ -290,27 +286,12 @@ export const orgServiceFactory = ({
    actorOrgId,
    actorAuthMethod,
    orgId,
-    data: {
-      name,
-      slug,
-      authEnforced,
-      scimEnabled,
-      defaultMembershipRoleSlug,
-      enforceMfa,
-      selectedMfaMethod,
-      allowSecretSharingOutsideOrganization
-    }
+    data: { name, slug, authEnforced, scimEnabled, defaultMembershipRoleSlug, enforceMfa, selectedMfaMethod }
  }: TUpdateOrgDTO) => {
    const appCfg = getConfig();
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);

-    if (allowSecretSharingOutsideOrganization !== undefined) {
-      ForbiddenError.from(permission).throwUnlessCan(
-        OrgPermissionSecretShareAction.ManageSettings,
-        OrgPermissionSubjects.SecretShare
-      );
-    }
    const plan = await licenseService.getPlan(orgId);
    const currentOrg = await orgDAL.findOrgById(actorOrgId);

@@ -377,8 +358,7 @@ export const orgServiceFactory = ({
      scimEnabled,
      defaultMembershipRole,
      enforceMfa,
-      selectedMfaMethod,
-      allowSecretSharingOutsideOrganization
+      selectedMfaMethod
    });
    if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
    return org;
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@@ -72,7 +72,6 @@ export type TUpdateOrgDTO = {
    defaultMembershipRoleSlug: string;
    enforceMfa: boolean;
    selectedMfaMethod: MfaMethod;
-    allowSecretSharingOutsideOrganization: boolean;
  }>;
 } & TOrgPermission;

--- a/backend/src/services/project-membership/project-membership-service.ts
+++ b/backend/src/services/project-membership/project-membership-service.ts
@@ -7,7 +7,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -274,13 +274,13 @@ export const projectMembershipServiceFactory = ({
        projectId
      );

-      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
-      if (!permissionBoundary.isValid)
+      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
+
+      if (!hasRequiredPriviledges) {
        throw new ForbiddenRequestError({
-          name: "PermissionBoundaryError",
-          message: `Failed to change to a more privileged role ${requestedRoleChange}`,
-          details: { missingPermissions: permissionBoundary.missingPermissions }
+          message: `Failed to change to a more privileged role ${requestedRoleChange}`
        });
+      }
    }

    // validate custom roles input
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Scott Wilson	2c12d8b404	improvement: make query timeout const	2025-03-05 16:26:56 -08:00
Scott Wilson	64fe4187ab	fix: update audit log endpoint and nginx timeout to handle lengthy queries	2025-03-05 16:19:07 -08:00