misc: update CLI latest version check

fix(approval-workflows): allow null committer on secret approval request and cascade delete on access request

backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts

@@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  // update all the secret approval policies secretPath to be "/**"
+  if (existingSecretApprovalPolicies.length) {
+    await knex(TableName.SecretApprovalPolicy)
+      .whereIn(
+        "id",
+        existingSecretApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  // update all the access approval policies secretPath to be "/**"
+  if (existingAccessApprovalPolicies.length) {
+    await knex(TableName.AccessApprovalPolicy)
+      .whereIn(
+        "id",
+        existingAccessApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+}

backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
+
+  if (hasCommitterCol) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      tb.uuid("committerUserId").nullable().alter();
+    });
+  }
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // can't undo committer nullable
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+  }
+}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -14,8 +14,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   updatedAt: z.date(),
   approverUserId: z.string().uuid().nullable().optional(),
   approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(0).nullable().optional(),
-  approvalsRequired: z.number().default(1).nullable().optional()
+  sequence: z.number().default(1).nullable().optional(),
+  approvalsRequired: z.number().nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/access-approval-policies.ts

@@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),

backend/src/db/schemas/certificate-authorities.ts

@@ -12,8 +12,8 @@ export const CertificateAuthoritiesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   projectId: z.string(),
-  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   name: z.string()
 });
 

backend/src/db/schemas/certificates.ts

@@ -25,8 +25,8 @@ export const CertificatesSchema = z.object({
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional(),
-  projectId: z.string()
+  projectId: z.string(),
+  pkiSubscriberId: z.string().uuid().nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),

backend/src/db/schemas/secret-approval-requests.ts

@@ -18,7 +18,7 @@ export const SecretApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
-  committerUserId: z.string().uuid(),
+  committerUserId: z.string().uuid().nullable().optional(),
   statusChangedByUserId: z.string().uuid().nullable().optional(),
   bypassReason: z.string().nullable().optional()
 });

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -2,6 +2,7 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -19,7 +20,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z.object({
         projectSlug: z.string().trim(),
         name: z.string().optional(),
-        secretPath: z.string().trim().default("/"),
+        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
         environment: z.string(),
         approvers: z
           .discriminatedUnion("type", [
@@ -174,8 +175,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         secretPath: z
           .string()
           .trim()
+          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -23,10 +23,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         environment: z.string(),
         secretPath: z
           .string()
-          .optional()
-          .nullable()
-          .default("/")
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          .min(1, { message: "Secret path cannot be empty" })
+          .transform((val) => removeTrailingSlash(val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
@@ -100,10 +98,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
+          .trim()
+          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .nullable()
-          .transform((val) => (val ? removeTrailingSlash(val) : val))
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
         allowedSelfApprovals: z.boolean().default(true)
       }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -58,7 +58,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               deletedAt: z.date().nullish(),
               allowedSelfApprovals: z.boolean()
             }),
-            committerUser: approvalRequestUser,
+            committerUser: approvalRequestUser.nullish(),
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
             environment: z.string(),
             reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
@@ -308,7 +308,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
-              committerUser: approvalRequestUser,
+              committerUser: approvalRequestUser.nullish(),
               reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -53,7 +53,7 @@ export interface TAccessApprovalPolicyDALFactory
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -93,7 +93,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
         deletedAt?: Date | null | undefined;
         environment: {
           id: string;
@@ -116,7 +116,7 @@ export interface TAccessApprovalPolicyDALFactory
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   findLastValidPolicy: (
@@ -138,7 +138,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
         deletedAt?: Date | null | undefined;
       }
     | undefined
@@ -190,7 +190,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -214,7 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -252,7 +252,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
@@ -286,7 +286,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -337,7 +337,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -60,6 +60,26 @@ export const accessApprovalPolicyServiceFactory = ({
   accessApprovalRequestReviewerDAL,
   orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await accessApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
   const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
     name,
     actor,
@@ -106,6 +126,12 @@ export const accessApprovalPolicyServiceFactory = ({
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
     if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
+
     let approverUserIds = userApprovers;
     if (userApproverNames.length) {
       const approverUsersInDB = await userDAL.find({
@@ -279,7 +305,11 @@ export const accessApprovalPolicyServiceFactory = ({
     ) as { username: string; sequence?: number }[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({
+        message: `Access approval policy with ID '${policyId}' not found`
+      });
+    }
 
     const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
@@ -290,9 +320,18 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    if (!accessApprovalPolicy) {
-      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
+    if (
+      await $policyExists({
+        envId: accessApprovalPolicy.envId,
+        secretPath: secretPath || accessApprovalPolicy.secretPath,
+        policyId: accessApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
+      });
     }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -122,7 +122,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -146,7 +146,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -218,7 +218,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -269,7 +269,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1711,7 +1711,7 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
   type: EventType.SECRET_APPROVAL_REQUEST;
   metadata: {
-    committedBy: string;
+    committedBy?: string | null;
     secretApprovalRequestSlug: string;
     secretApprovalRequestId: string;
     eventType: SecretApprovalEvent;

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -361,13 +361,6 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({

backend/src/ee/services/license/licence-enums.ts

@@ -1,5 +1,4 @@
 export const BillingPlanRows = {
-  MemberLimit: { name: "Organization member limit", field: "memberLimit" },
   IdentityLimit: { name: "Organization identity limit", field: "identityLimit" },
   WorkspaceLimit: { name: "Project limit", field: "workspaceLimit" },
   EnvironmentLimit: { name: "Environment limit", field: "environmentLimit" },

backend/src/ee/services/license/license-service.ts

@@ -442,9 +442,7 @@ export const licenseServiceFactory = ({
         rows: data.rows.map((el) => {
           let used = "-";
 
-          if (el.name === BillingPlanRows.MemberLimit.name) {
-            used = orgMembersUsed.toString();
-          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+          if (el.name === BillingPlanRows.WorkspaceLimit.name) {
             used = projectCount.toString();
           } else if (el.name === BillingPlanRows.IdentityLimit.name) {
             used = (identityUsed + orgMembersUsed).toString();
@@ -464,12 +462,10 @@ export const licenseServiceFactory = ({
         const allowed = onPremFeatures[field as keyof TFeatureSet];
         let used = "-";
 
-        if (field === BillingPlanRows.MemberLimit.field) {
-          used = orgMembersUsed.toString();
-        } else if (field === BillingPlanRows.WorkspaceLimit.field) {
+        if (field === BillingPlanRows.WorkspaceLimit.field) {
           used = projectCount.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          used = identityUsed.toString();
+          used = (identityUsed + orgMembersUsed).toString();
         }
 
         return {

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -311,13 +311,6 @@ export const samlConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -55,6 +55,26 @@ export const secretApprovalPolicyServiceFactory = ({
   licenseService,
   secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await secretApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
   const createSecretApprovalPolicy = async ({
     name,
     actor,
@@ -106,10 +126,17 @@ export const secretApprovalPolicyServiceFactory = ({
     }
 
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env)
+    if (!env) {
       throw new NotFoundError({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
+    }
+
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
 
     let groupBypassers: string[] = [];
     let bypasserUserIds: string[] = [];
@@ -260,6 +287,18 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
+    if (
+      await $policyExists({
+        envId: secretApprovalPolicy.envId,
+        secretPath: secretPath || secretApprovalPolicy.secretPath,
+        policyId: secretApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -4,7 +4,7 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app
 
 export type TCreateSapDTO = {
   approvals: number;
-  secretPath?: string | null;
+  secretPath: string;
   environment: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
@@ -20,7 +20,7 @@ export type TCreateSapDTO = {
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
-  secretPath?: string | null;
+  secretPath?: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
     | { type: BypasserType.Group; id: string }

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -45,7 +45,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
         `statusChangedByUser.id`
       )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
         db(TableName.Users).as("committerUser"),
         `${TableName.SecretApprovalRequest}.committerUserId`,
         `committerUser.id`
@@ -173,13 +173,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                 username: el.statusChangedByUserUsername
               }
             : undefined,
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          },
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null,
           policy: {
             id: el.policyId,
             name: el.policyName,
@@ -377,7 +379,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -488,13 +490,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
         }),
         childrenMapper: [
           {
@@ -581,7 +585,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -693,13 +697,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
         }),
         childrenMapper: [
           {

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1320,7 +1320,7 @@ export const secretApprovalRequestServiceFactory = ({
     });
 
     const env = await projectEnvDAL.findOne({ id: policy.envId });
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);
 
     await triggerWorkflowIntegrationNotification({
       input: {
@@ -1657,7 +1657,7 @@ export const secretApprovalRequestServiceFactory = ({
       return { ...doc, commits: approvalCommits };
     });
 
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });
 
     await triggerWorkflowIntegrationNotification({

backend/src/services/org/org-service.ts

@@ -912,14 +912,6 @@ export const orgServiceFactory = ({
 
         // if there exist no org membership we set is as given by the request
         if (!inviteeOrgMembership) {
-          if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-            // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-            throw new BadRequestError({
-              name: "InviteUser",
-              message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
-            });
-          }
-
           if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
             // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
             throw new BadRequestError({

cli/packages/util/check-for-update.go

@@ -20,7 +20,7 @@ func CheckForUpdate() {
 	if checkEnv := os.Getenv("INFISICAL_DISABLE_UPDATE_CHECK"); checkEnv != "" {
 		return
 	}
-	latestVersion, _, err := getLatestTag("Infisical", "infisical")
+	latestVersion, _, err := getLatestTag("Infisical", "cli")
 	if err != nil {
 		log.Debug().Err(err)
 		// do nothing and continue
@@ -98,7 +98,7 @@ func getLatestTag(repoOwner string, repoName string) (string, string, error) {
 		return "", "", fmt.Errorf("failed to unmarshal github response: %w", err)
 	}
 
-	tag_prefix := "infisical-cli/v"
+	tag_prefix := "v"
 
 	// Extract the version from the first valid tag
 	version := strings.TrimPrefix(releaseDetails.TagName, tag_prefix)

docs/Dockerfile

@@ -1,6 +1,32 @@
-FROM node:20-alpine
+FROM node:20-alpine AS builder
+
 WORKDIR /app
-RUN npm install -g mint
+
+RUN npm install -g mint@4.2.13
+
 COPY . .
+
+# Install a local version of our OpenAPI spec
+RUN apk add --no-cache wget jq && \
+    wget -O spec.json https://app.infisical.com/api/docs/json && \
+    jq '.api.openapi = "./spec.json"' docs.json > temp.json && \
+    mv temp.json docs.json
+
+# Run mint dev briefly to download the web client
+RUN timeout 30 mint dev || true
+
+FROM node:20-alpine
+
+WORKDIR /app
+
+RUN npm install -g mint@4.2.13
+
+COPY . .
+
+COPY --from=builder /root/.mintlify /root/.mintlify
+COPY --from=builder /app/docs.json /app/docs.json
+COPY --from=builder /app/spec.json /app/spec.json
+
 EXPOSE 3000
+
 CMD ["mint", "dev"]

docs/changelog/overview.mdx

@@ -4,61 +4,6 @@ title: "Changelog"
 
 The changelog below reflects new product developments and updates on a monthly basis.
 
-
-## July 2025
-- Improved speed performance of audit log filtering. 
-- Revamped password reset flow pages.
-- Added support for [Bitbucket for Secret Scanning](https://infisical.com/docs/documentation/platform/secret-scanning/bitbucket).  
-- Released Secret Sync for [Zabbix](https://infisical.com/docs/integrations/secret-syncs/zabbix).
-
-
-
-## June 2025
-- Released Secret Sync for [1Password](https://infisical.com/docs/integrations/secret-syncs/1password), [Heroku](https://infisical.com/docs/integrations/secret-syncs/heroku), [Fly.io](https://infisical.com/docs/integrations/secret-syncs/flyio), and [Render](https://infisical.com/docs/integrations/secret-syncs/render). 
-- Added support for [Kubernetes dynamic secrets](https://infisical.com/docs/documentation/platform/dynamic-secrets/kubernetes) to generate service account tokens
-- Released Secret Rotation for [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql-credentials) and [OracleDB](https://infisical.com/docs/documentation/platform/secret-rotation/oracledb-credentials) as well as Dynamic Secrets for [Vertica](https://infisical.com/docs/documentation/platform/dynamic-secrets/vertica) and [GitHub App Tokens](https://infisical.com/docs/documentation/platform/dynamic-secrets/github). 
-- Added support for Azure Auth in ESO. 
-- [Kubernetes auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth) now supports gateway as a token reviewer.
-- Revamped [Infisical CLI](https://infisical.com/docs/cli/commands/login) to auto-open login link. 
-- Rolled out [Infisical Packer integration](https://infisical.com/docs/integrations/frameworks/packer).
-- Released [AliCloud Authentication method](https://infisical.com/docs/documentation/platform/identities/alicloud-auth).
-- Added support for [multi-step approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows).
-- Revamped UI for Access Controls, Access Tree, Policies, and Approval Workflows. 
-- Released [TLS Certificate Authentication method](https://infisical.com/docs/documentation/platform/identities/tls-cert-auth). 
-- Added ability to copy session tokens in the Infisical Dashboard.
-- Expanded resource support for [Infisical Terraform Provider](https://infisical.com/docs/integrations/frameworks/terraform).
-
-
-## May 2025
-- Added support for [Microsoft Teams integration](https://infisical.com/docs/documentation/platform/workflow-integrations/microsoft-teams-integration).
-- Released [Infisical Gateway](https://infisical.com/docs/documentation/platform/gateways/overview) for accessing private network resources from Infisical. 
-- Added support for [Host Groups](https://infisical.com/docs/documentation/platform/ssh/host-groups) in Infisical SSH.
-- Updated the designs of all emails send by Infisical. 
-- Added secret rotation support for [Azure Client](https://infisical.com/docs/documentation/platform/secret-rotation/azure-client-secret).
-- Released secret sync for [HashiCorp Vault](https://infisical.com/docs/integrations/secret-syncs/hashicorp-vault).  
-- Made significant improvements to [Infisical Secret Scanning](https://infisical.com/docs/documentation/platform/secret-scanning/overview).
-- Released [Infisical ACME Client](https://infisical.com/docs/documentation/platform/pki/acme-ca#certificates-with-acme-ca).
-- [Access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests) now support "break-glass" policies.
-- Updated [Point-in-time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery) UI/UX.
-- Redesigned [Approval Workflows and Change Requests](https://infisical.com/docs/documentation/platform/pr-workflows) user interface. 
-
-
-## April 2025
-
-- Released ability to [request access to projects](https://infisical.com/docs/documentation/platform/access-controls/project-access-requests#project-access-requests). 
-- Updated UI for Audit Logs and Log Filtering.
-- Launched [Infisical SSH V2](https://infisical.com/docs/documentation/platform/ssh/overview).
-- Developer [Infisical MCP](https://github.com/Infisical/infisical-mcp-server).
-- Added support for [Spotify Backstage Infisical plugin](https://infisical.com/docs/integrations/external/backstage).
-- Added secret syncs for Terraform Cloud, Vercel, Windmill, TeamCity, and Camunda.
-- Released [Auth0 Client Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/auth0-client-secret).
-- Launched [Infisical C++ SDK](https://github.com/Infisical/infisical-cpp-sdk).
-- Service tokens will now get expiry notifications. 
-- Added Infisical [Linux binary](https://infisical.com/docs/self-hosting/reference-architectures/linux-deployment-ha#linux-ha). 
-- Released ability to perform user impersonation. 
-- Added support for [LDAP password rotation](https://infisical.com/docs/documentation/platform/secret-rotation/ldap-password). 
-
-
 ## March 2025
 
 - Released [Infisical Gateway](https://infisical.com/docs/documentation/platform/gateways/overview) for secure access to private resources without needing direct inbound connections to private networks.

docs/docs.json

@@ -78,7 +78,10 @@
               },
               {
                 "group": "Infisical SSH",
-                "pages": ["documentation/platform/ssh/overview", "documentation/platform/ssh/host-groups"]
+                "pages": [
+                  "documentation/platform/ssh/overview",
+                  "documentation/platform/ssh/host-groups"
+                ]
               },
               {
                 "group": "Key Management (KMS)",
@@ -375,7 +378,10 @@
               },
               {
                 "group": "Architecture",
-                "pages": ["internals/architecture/components", "internals/architecture/cloud"]
+                "pages": [
+                  "internals/architecture/components",
+                  "internals/architecture/cloud"
+                ]
               },
               "internals/security",
               "internals/service-tokens"
@@ -546,7 +552,10 @@
               "integrations/cloud/gcp-secret-manager",
               {
                 "group": "Cloudflare",
-                "pages": ["integrations/cloud/cloudflare-pages", "integrations/cloud/cloudflare-workers"]
+                "pages": [
+                  "integrations/cloud/cloudflare-pages",
+                  "integrations/cloud/cloudflare-workers"
+                ]
               },
               "integrations/cloud/terraform-cloud",
               "integrations/cloud/databricks",
@@ -658,7 +667,11 @@
                   "cli/commands/reset",
                   {
                     "group": "infisical scan",
-                    "pages": ["cli/commands/scan", "cli/commands/scan-git-changes", "cli/commands/scan-install"]
+                    "pages": [
+                      "cli/commands/scan",
+                      "cli/commands/scan-git-changes",
+                      "cli/commands/scan-install"
+                    ]
                   }
                 ]
               },
@@ -982,7 +995,9 @@
                 "pages": [
                   {
                     "group": "Kubernetes",
-                    "pages": ["api-reference/endpoints/dynamic-secrets/kubernetes/create-lease"]
+                    "pages": [
+                      "api-reference/endpoints/dynamic-secrets/kubernetes/create-lease"
+                    ]
                   },
                   "api-reference/endpoints/dynamic-secrets/create",
                   "api-reference/endpoints/dynamic-secrets/update",

frontend/src/hooks/api/accessApproval/types.ts

@@ -170,7 +170,7 @@ export type TCreateAccessPolicyDTO = {
   approvers?: Approver[];
   bypassers?: Bypasser[];
   approvals?: number;
-  secretPath?: string;
+  secretPath: string;
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];

frontend/src/hooks/api/identities/mutations.tsx

@@ -3,6 +3,7 @@ import { useMutation, useQueryClient } from "@tanstack/react-query";
 import { apiRequest } from "@app/config/request";
 
 import { organizationKeys } from "../organization/queries";
+import { subscriptionQueryKeys } from "../subscriptions/queries";
 import { identitiesKeys } from "./queries";
 import {
   AddIdentityAliCloudAuthDTO,
@@ -82,6 +83,9 @@ export const useCreateIdentity = () => {
       queryClient.invalidateQueries({
         queryKey: organizationKeys.getOrgIdentityMemberships(organizationId)
       });
+      queryClient.invalidateQueries({
+        queryKey: subscriptionQueryKeys.getOrgSubsription(organizationId)
+      });
     }
   });
 };
@@ -123,6 +127,9 @@ export const useDeleteIdentity = () => {
       queryClient.invalidateQueries({
         queryKey: organizationKeys.getOrgIdentityMemberships(organizationId)
       });
+      queryClient.invalidateQueries({
+        queryKey: subscriptionQueryKeys.getOrgSubsription(organizationId)
+      });
     }
   });
 };

frontend/src/hooks/api/secretApproval/types.ts

@@ -49,7 +49,7 @@ export type TCreateSecretPolicyDTO = {
   workspaceId: string;
   name?: string;
   environment: string;
-  secretPath?: string | null;
+  secretPath: string;
   approvers?: Approver[];
   bypassers?: Bypasser[];
   approvals?: number;
@@ -62,7 +62,7 @@ export type TUpdateSecretPolicyDTO = {
   name?: string;
   approvers?: Approver[];
   bypassers?: Bypasser[];
-  secretPath?: string | null;
+  secretPath?: string;
   approvals?: number;
   allowedSelfApprovals?: boolean;
   enforcementLevel?: EnforcementLevel;

frontend/src/hooks/api/users/queries.tsx

@@ -9,6 +9,7 @@ import { APIKeyDataV2 } from "../apiKeys/types";
 import { MfaMethod } from "../auth/types";
 import { TGroupWithProjectMemberships } from "../groups/types";
 import { setAuthToken } from "../reactQuery";
+import { subscriptionQueryKeys } from "../subscriptions/queries";
 import { workspaceKeys } from "../workspace";
 import { userKeys } from "./query-keys";
 import {
@@ -188,6 +189,9 @@ export const useAddUsersToOrg = () => {
     },
     onSuccess: (_, { organizationId, projects }) => {
       queryClient.invalidateQueries({ queryKey: userKeys.getOrgUsers(organizationId) });
+      queryClient.invalidateQueries({
+        queryKey: subscriptionQueryKeys.getOrgSubsription(organizationId)
+      });
 
       projects?.forEach((project) => {
         if (project.slug) {

frontend/src/pages/organization/AccessManagementPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersSection.tsx

@@ -39,10 +39,6 @@ export const OrgMembersSection = () => {
   const { mutateAsync: deleteMutateAsync } = useDeleteOrgMembership();
   const { mutateAsync: updateOrgMembership } = useUpdateOrgMembership();
 
-  const isMoreUsersAllowed = subscription?.memberLimit
-    ? subscription.membersUsed < subscription.memberLimit
-    : true;
-
   const isMoreIdentitiesAllowed = subscription?.identityLimit
     ? subscription.identitiesUsed < subscription.identityLimit
     : true;
@@ -58,7 +54,7 @@ export const OrgMembersSection = () => {
       return;
     }
 
-    if ((!isMoreUsersAllowed || !isMoreIdentitiesAllowed) && !isEnterprise) {
+    if (!isMoreIdentitiesAllowed && !isEnterprise) {
       handlePopUpOpen("upgradePlan", {
         description: "You can add more members if you upgrade your Infisical plan."
       });

frontend/src/pages/secret-manager/SecretApprovalsPage/components/ApprovalPolicyList/components/AccessPolicyModal.tsx

@@ -55,7 +55,7 @@ const formSchema = z
   .object({
     environment: z.object({ slug: z.string(), name: z.string() }),
     name: z.string().optional(),
-    secretPath: z.string().optional(),
+    secretPath: z.string().trim().min(1),
     approvals: z.number().min(1).default(1),
     userApprovers: z
       .object({ type: z.literal(ApproverType.User), id: z.string() })
@@ -93,20 +93,19 @@ const formSchema = z
       .optional()
   })
   .superRefine((data, ctx) => {
-    if (
-      data.policyType === PolicyType.ChangePolicy &&
-      !(data.groupApprovers.length || data.userApprovers.length)
-    ) {
-      ctx.addIssue({
-        path: ["userApprovers"],
-        code: z.ZodIssueCode.custom,
-        message: "At least one approver should be provided"
-      });
-      ctx.addIssue({
-        path: ["groupApprovers"],
-        code: z.ZodIssueCode.custom,
-        message: "At least one approver should be provided"
-      });
+    if (data.policyType === PolicyType.ChangePolicy) {
+      if (!(data.groupApprovers.length || data.userApprovers.length)) {
+        ctx.addIssue({
+          path: ["userApprovers"],
+          code: z.ZodIssueCode.custom,
+          message: "At least one approver should be provided"
+        });
+        ctx.addIssue({
+          path: ["groupApprovers"],
+          code: z.ZodIssueCode.custom,
+          message: "At least one approver should be provided"
+        });
+      }
     }
   });
 
@@ -127,6 +126,7 @@ const Form = ({
     control,
     handleSubmit,
     watch,
+    resetField,
     formState: { isSubmitting }
   } = useForm<TFormSchema>({
     resolver: zodResolver(formSchema),
@@ -177,6 +177,7 @@ const Form = ({
       : undefined,
     defaultValues: !editValues
       ? {
+          secretPath: "/",
           sequenceApprovers: [{ approvals: 1 }]
         }
       : undefined
@@ -405,7 +406,10 @@ const Form = ({
                 <Select
                   isDisabled={isEditMode}
                   value={value}
-                  onValueChange={(val) => onChange(val as PolicyType)}
+                  onValueChange={(val) => {
+                    onChange(val as PolicyType);
+                    resetField("secretPath");
+                  }}
                   className="w-full border border-mineshaft-500"
                 >
                   {Object.values(PolicyType).map((policyType) => {
@@ -465,6 +469,7 @@ const Form = ({
               <FormControl
                 tooltipText="Secret paths support glob patterns. For example, '/**' will match all paths."
                 label="Secret Path"
+                isRequired
                 isError={Boolean(error)}
                 errorText={error?.message}
                 className="flex-1"

frontend/src/pages/secret-manager/SecretApprovalsPage/components/SecretApprovalRequest/SecretApprovalRequest.tsx

@@ -338,8 +338,14 @@ export const SecretApprovalRequest = () => {
                     </div>
                     <span className="text-xs leading-3 text-gray-500">
                       Opened {formatDistance(new Date(createdAt), new Date())} ago by{" "}
-                      {committerUser?.firstName || ""} {committerUser?.lastName || ""} (
-                      {committerUser?.email})
+                      {committerUser ? (
+                        <>
+                          {committerUser?.firstName || ""} {committerUser?.lastName || ""} (
+                          {committerUser?.email})
+                        </>
+                      ) : (
+                        <span className="text-gray-600">Deleted User</span>
+                      )}
                       {!isReviewed && status === "open" && " - Review required"}
                     </span>
                   </div>

frontend/src/pages/secret-manager/SecretApprovalsPage/components/SecretApprovalRequest/components/SecretApprovalRequestChanges.tsx

@@ -250,10 +250,17 @@ export const SecretApprovalRequestChanges = ({
                 secretApprovalRequestDetails.isReplicated
               )}
             </div>
-            <span className="-mt-1 flex items-center space-x-2 text-xs text-gray-400">
-              By {secretApprovalRequestDetails?.committerUser?.firstName} (
-              {secretApprovalRequestDetails?.committerUser?.email})
-            </span>
+            <p className="-mt-1 text-xs text-gray-400">
+              By{" "}
+              {secretApprovalRequestDetails?.committerUser ? (
+                <>
+                  {secretApprovalRequestDetails?.committerUser?.firstName} (
+                  {secretApprovalRequestDetails?.committerUser?.email})
+                </>
+              ) : (
+                <span className="text-gray-500">Deleted User</span>
+              )}
+            </p>
           </div>
           {!hasMerged &&
             secretApprovalRequestDetails.status === "open" &&