fix requested changes

improvement: Slug Validation Errors
2025-07-05 04:29:09 +00:00 · 2024-11-26 16:35:12 +01:00 · 2024-11-26 16:35:11 +01:00
4804 changed files with 106853 additions and 284636 deletions
--- a/.env.example
+++ b/.env.example
@ -26,8 +26,7 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_FROM_ADDRESS=
-SMTP_FROM_NAME=
+SMTP_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=

@ -75,8 +74,8 @@ CAPTCHA_SECRET=

 NEXT_PUBLIC_CAPTCHA_SITE_KEY=

-OTEL_TELEMETRY_COLLECTION_ENABLED=false
-OTEL_EXPORT_TYPE=prometheus
+OTEL_TELEMETRY_COLLECTION_ENABLED=
+OTEL_EXPORT_TYPE=
 OTEL_EXPORT_OTLP_ENDPOINT=
 OTEL_OTLP_PUSH_INTERVAL=

@ -89,34 +88,3 @@ PLAIN_WISH_LABEL_IDS=
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=

 ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
-
-# App Connections
-
-# aws assume-role connection
-INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
-INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
-
-# github oauth connection
-INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
-INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
-
-#github app connection
-INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
-INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
-INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
-INF_APP_CONNECTION_GITHUB_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_APP_ID=
-
-#gcp app connection
-INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
-
-# azure app connection
-INF_APP_CONNECTION_AZURE_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
-
-# datadog
-SHOULD_USE_DATADOG_TRACER=
-DATADOG_PROFILING_ENABLED=
-DATADOG_ENV=
-DATADOG_SERVICE=
-DATADOG_HOSTNAME=
--- a/.envrc
+++ b/.envrc
@ -1,3 +0,0 @@
-# Learn more at https://direnv.net
-# We instruct direnv to use our Nix flake for a consistent development environment.
-use flake
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@ -32,23 +32,10 @@ jobs:
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
      - name: Start the server
        run: |
-          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
-          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
-          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-
-          echo "Examining built image:"
-          docker image inspect infisical-api | grep -A 5 "Entrypoint"
-          
-          docker run --name infisical-api -d -p 4000:4000 \
-            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
-            -e REDIS_URL=$REDIS_URL \
-            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
-            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
-            --env-file .env \
-            infisical-api
-          
-          echo "Container status right after creation:"
-          docker ps -a | grep infisical-api
+            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
+            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
+            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
+            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
        env:
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@ -56,48 +43,35 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - uses: actions/setup-go@v5
        with:
-          go-version: "1.21.5"
+          go-version: '1.21.5'
      - name: Wait for container to be stable and check logs
        run: |
          SECONDS=0
          HEALTHY=0
          while [ $SECONDS -lt 60 ]; do
-            # Check if container is running
-            if docker ps | grep infisical-api; then
-              # Try to access the API endpoint
-              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
-                echo "API endpoint is responding. Container seems healthy."
-                HEALTHY=1
-                break
-              fi
-            else
-              echo "Container is not running!"
-              docker ps -a | grep infisical-api
+            if docker ps | grep infisical-api | grep -q healthy; then
+              echo "Container is healthy."
+              HEALTHY=1
              break
            fi
-            
            echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-            sleep 5
-            SECONDS=$((SECONDS+5))
+
+            docker logs infisical-api
+
+            sleep 2
+            SECONDS=$((SECONDS+2))
          done
-          
+      
          if [ $HEALTHY -ne 1 ]; then
            echo "Container did not become healthy in time"
-            echo "Container status:"
-            docker ps -a | grep infisical-api
-            echo "Container logs (if any):"
-            docker logs infisical-api || echo "No logs available"
-            echo "Container inspection:"
-            docker inspect infisical-api | grep -A 5 "State"
            exit 1
          fi
      - name: Install openapi-diff
-        run: go install github.com/oasdiff/oasdiff@latest
+        run: go install github.com/tufin/oasdiff@latest
      - name: Running OpenAPI Spec diff action
        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
      - name: cleanup
-        if: always()
        run: |
          docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api || true
-          docker rm infisical-api || true
+          docker stop infisical-api
+          docker remove infisical-api
--- a/.github/workflows/check-fe-ts-and-lint.yml
+++ b/.github/workflows/check-fe-ts-and-lint.yml
@ -18,18 +18,18 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 20
+      - name: 🔧 Setup Node 16
        uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "16"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: 📦 Install dependencies
        run: npm install
        working-directory: frontend
      - name: 🏗️ Run Type check
-        run: npm run type:check
+        run: npm run type:check 
        working-directory: frontend
      - name: 🏗️ Run Link check
-        run: npm run lint:fix
+        run: npm run lint:fix 
        working-directory: frontend
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@ -0,0 +1,212 @@
+name: Deployment pipeline
+on: [workflow_dispatch]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  infisical-tests:
+    name: Integration tests
+    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+    uses: ./.github/workflows/run-backend-tests.yml
+    
+  infisical-image:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [infisical-tests]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
+    
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    environment:
+      name: Gamma
+    steps:
+      - uses: twingate/github-action@v1
+        with:
+          # The Twingate Service Key used to connect Twingate to the proper service
+          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+          #
+          # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-core
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-core-gamma-stage
+          cluster: infisical-gamma-stage
+          wait-for-service-stability: true
+
+  production-us:
+    name: US production deploy 
+    runs-on: ubuntu-latest
+    needs: [gamma-deployment]
+    environment:
+      name: Production
+    steps:
+      - uses: twingate/github-action@v1
+        with:
+        # The Twingate Service Key used to connect Twingate to the proper service
+        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+        #
+        # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      - name: Configure AWS Credentials 
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+      - name: Render Amazon ECS task definition
+        id: render-web-container
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: infisical-core-platform
+          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+          environment-variables: "LOG_LEVEL=info"
+      - name: Deploy to Amazon ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+          service: infisical-core-platform
+          cluster: infisical-core-platform
+          wait-for-service-stability: true
+
+  production-eu:
+      name: EU production deploy
+      runs-on: ubuntu-latest
+      needs: [production-us]
+      environment:
+        name: production-eu
+      steps:
+        - uses: twingate/github-action@v1
+          with:
+            service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
+        - name: Configure AWS Credentials 
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            audience: sts.amazonaws.com
+            aws-region: eu-central-1
+            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
+        - name: Checkout code
+          uses: actions/checkout@v2
+        - name: Setup Node.js environment
+          uses: actions/setup-node@v2
+          with:
+            node-version: "20"
+        - name: Change directory to backend and install dependencies
+          env:
+            DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+          run: |
+            cd backend
+            npm install
+            npm run migration:latest
+        - name: Save commit hashes for tag
+          id: commit
+          uses: pr-mpt/actions-commit-hash@v2
+        - name: Download task definition
+          run: |
+            aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+        - name: Render Amazon ECS task definition
+          id: render-web-container
+          uses: aws-actions/amazon-ecs-render-task-definition@v1
+          with:
+            task-definition: task-definition.json
+            container-name: infisical-core-platform
+            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            environment-variables: "LOG_LEVEL=info"
+        - name: Deploy to Amazon ECS service
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+          with:
+            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
+            service: infisical-core-platform
+            cluster: infisical-core-platform
+            wait-for-service-stability: true
--- a/.github/workflows/helm-release-infisical-core.yml
+++ b/.github/workflows/helm-release-infisical-core.yml
@ -1,22 +0,0 @@
-name: Release Infisical Core Helm chart
-
-on: [workflow_dispatch]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install python
-        uses: actions/setup-python@v4
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/helm_chart_release.yml
+++ b/.github/workflows/helm_chart_release.yml
@ -0,0 +1,22 @@
+name: Release Helm Charts
+
+on: [workflow_dispatch]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install python
+        uses: actions/setup-python@v4
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+      - name: Build and push helm package to Cloudsmith
+        run: cd helm-charts && sh upload-to-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release-k8-operator-helm.yml
+++ b/.github/workflows/release-k8-operator-helm.yml
@ -1,27 +0,0 @@
-name: Release K8 Operator Helm Chart
-on:
-    workflow_dispatch:
-
-jobs:
-    release-helm:
-        name: Release Helm Chart
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v2
-
-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
-
-            - name: Install python
-              uses: actions/setup-python@v4
-
-            - name: Install Cloudsmith CLI
-              run: pip install --upgrade cloudsmith-cli
-
-            - name: Build and push helm package to CloudSmith
-              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -1,153 +1,131 @@
 name: Build and release CLI

 on:
-  workflow_dispatch:
+    workflow_dispatch:

-  push:
-    # run only against tags
-    tags:
-      - "infisical-cli/v*.*.*"
+    push:
+        # run only against tags
+        tags:
+            - "infisical-cli/v*.*.*"

 permissions:
-  contents: write
+    contents: write

 jobs:
-  cli-integration-tests:
-    name: Run tests before deployment
-    uses: ./.github/workflows/run-cli-tests.yml
-    secrets:
-      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+    cli-integration-tests:
+        name: Run tests before deployment
+        uses: ./.github/workflows/run-cli-tests.yml
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

-  npm-release:
-    runs-on: ubuntu-latest
-    env:
-      working-directory: ./npm
-    needs:
-      - cli-integration-tests
-      - goreleaser
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Extract version
-        run: |
-          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
-          echo "Version extracted: $VERSION"
-          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
-
-      - name: Print version
-        run: echo ${{ env.CLI_VERSION }}
-
-      - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
-        with:
-          node-version: 20
-          cache: "npm"
-          cache-dependency-path: ./npm/package-lock.json
-      - name: Install dependencies
-        working-directory: ${{ env.working-directory }}
-        run: npm install --ignore-scripts
-
-      - name: Set NPM version
-        working-directory: ${{ env.working-directory }}
-        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
-
-      - name: Setup NPM
-        working-directory: ${{ env.working-directory }}
-        run: |
-          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-
-          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+    npm-release:
+        runs-on: ubuntu-20.04
        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+            working-directory: ./npm
+        needs:
+            - cli-integration-tests
+            - goreleaser
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0

-      - name: Pack NPM
-        working-directory: ${{ env.working-directory }}
-        run: npm pack
+            - name: Extract version
+              run: |
+                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+                  echo "Version extracted: $VERSION"
+                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV

-      - name: Publish NPM
-        working-directory: ${{ env.working-directory }}
-        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+            - name: Print version
+              run: echo ${{ env.CLI_VERSION }}

-  goreleaser:
-    runs-on: ubuntu-latest
-    needs: [cli-integration-tests]
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - run: git fetch --force --tags
-      - run: echo "Ref name ${{github.ref_name}}"
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ">=1.19.3"
-          cache: true
-          cache-dependency-path: cli/go.sum
-      - name: Setup for libssl1.0-dev
-        run: |
-          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-          sudo apt update
-          sudo apt-get install -y libssl1.0-dev
-      - name: OSXCross for CGO Support
-        run: |
-          mkdir ../../osxcross
-          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-      - uses: goreleaser/goreleaser-action@v4
-        with:
-          distribution: goreleaser-pro
-          version: v1.26.2-pro
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - uses: actions/setup-python@v4
-      - run: pip install --upgrade cloudsmith-cli
-      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
-        with:
-          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
-          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-      - name: Install deb-s3
-        run: gem install deb-s3
-      - name: Configure GPG Key
-        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
-        env:
-          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
-          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
-      - name: Publish to CloudSmith
-        run: sh cli/upload_to_cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
-          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
-          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-      - name: Invalidate Cloudfront cache
-        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
+            - name: Setup Node
+              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+              with:
+                  node-version: 20
+                  cache: "npm"
+                  cache-dependency-path: ./npm/package-lock.json
+            - name: Install dependencies
+              working-directory: ${{ env.working-directory }}
+              run: npm install --ignore-scripts
+
+            - name: Set NPM version
+              working-directory: ${{ env.working-directory }}
+              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+            - name: Setup NPM
+              working-directory: ${{ env.working-directory }}
+              run: |
+                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+            - name: Pack NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm pack
+
+            - name: Publish NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+    goreleaser:
+        runs-on: ubuntu-20.04
+        needs: [cli-integration-tests]
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v2
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v2
+            - run: git fetch --force --tags
+            - run: echo "Ref name ${{github.ref_name}}"
+            - uses: actions/setup-go@v3
+              with:
+                  go-version: ">=1.19.3"
+                  cache: true
+                  cache-dependency-path: cli/go.sum
+            - name: libssl1.1 => libssl1.0-dev for OSXCross
+              run: |
+                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+                  sudo apt update && apt-cache policy libssl1.0-dev
+                  sudo apt-get install libssl1.0-dev
+            - name: OSXCross for CGO Support
+              run: |
+                  mkdir ../../osxcross
+                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+            - uses: goreleaser/goreleaser-action@v4
+              with:
+                  distribution: goreleaser-pro
+                  version: v1.26.2-pro
+                  args: release --clean
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+                  AUR_KEY: ${{ secrets.AUR_KEY }}
+                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+            - uses: actions/setup-python@v4
+            - run: pip install --upgrade cloudsmith-cli
+            - name: Publish to CloudSmith
+              run: sh cli/upload_to_cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@ -1,107 +1,37 @@
-name: Release K8 Operator Docker Image
+name: Release Docker image for K8 operator
 on:
-    push:
-        tags:
-            - "infisical-k8-operator/v*.*.*"
-
-permissions:
-    contents: write
-    pull-requests: write
+  push:
+    tags:
+      - "infisical-k8-operator/v*.*.*"

 jobs:
-    release-image:
-        name: Generate Helm Chart PR
-        runs-on: ubuntu-latest
-        outputs:
-            pr_number: ${{ steps.create-pr.outputs.pull-request-number }}
-        steps:
-            - name: Extract version from tag
-              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
+      - uses: actions/checkout@v2

-            - name: Checkout code
-              uses: actions/checkout@v2
+      - name: 🔧 Set up QEMU
+        uses: docker/setup-qemu-action@v1

-            # Dependency for helm generation
-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1

-            # Dependency for helm generation
-            - name: Install Go
-              uses: actions/setup-go@v4
-              with:
-                  go-version: 1.21
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

-            # Install binaries for helm generation
-            - name: Install dependencies
-              working-directory: k8-operator
-              run: |
-                  make helmify
-                  make kustomize
-                  make controller-gen
-
-            - name: Generate Helm Chart
-              working-directory: k8-operator
-              run: make helm
-
-            - name: Update Helm Chart Version
-              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
-
-            - name: Debug - Check file changes
-              run: |
-                  echo "Current git status:"
-                  git status
-                  echo ""
-                  echo "Modified files:"
-                  git diff --name-only
-
-                  # If there is no diff, exit with error. Version should always be changed, so if there is no diff, something is wrong and we should exit.
-                  if [ -z "$(git diff --name-only)" ]; then
-                    echo "No helm changes or version changes. Invalid release detected, Exiting."
-                    exit 1
-                  fi
-
-            - name: Create Helm Chart PR
-              id: create-pr
-              uses: peter-evans/create-pull-request@v5
-              with:
-                  token: ${{ secrets.GITHUB_TOKEN }}
-                  commit-message: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
-                  committer: GitHub <noreply@github.com>
-                  author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-                  branch: helm-update-${{ steps.extract_version.outputs.version }}
-                  delete-branch: true
-                  title: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
-                  body: |
-                      This PR updates the Helm chart to version `${{ steps.extract_version.outputs.version }}`.
-                      Additionally the helm chart has been updated to match the latest operator code changes.
-
-                      Associated Release Workflow: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-                      Once you have approved this PR, you can trigger the helm release workflow manually.
-                  base: main
-
-            - name: 🔧 Set up QEMU
-              uses: docker/setup-qemu-action@v1
-
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v1
-
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v1
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-            - name: Build and push
-              id: docker_build
-              uses: docker/build-push-action@v2
-              with:
-                  context: k8-operator
-                  push: true
-                  platforms: linux/amd64,linux/arm64
-                  tags: |
-                      infisical/kubernetes-operator:latest
-                      infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: k8-operator
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            infisical/kubernetes-operator:latest
+            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/release_helm_gateway.yaml
+++ b/.github/workflows/release_helm_gateway.yaml
@ -1,27 +0,0 @@
-name: Release Gateway Helm Chart
-on:
-    workflow_dispatch:
-
-jobs:
-    release-helm:
-        name: Release Helm Chart
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v4
-
-            - name: Install Helm
-              uses: azure/setup-helm@v3
-              with:
-                  version: v3.10.0
-
-            - name: Install python
-              uses: actions/setup-python@v4
-
-            - name: Install Cloudsmith CLI
-              run: pip install --upgrade cloudsmith-cli
-
-            - name: Build and push helm package to CloudSmith
-              run: cd helm-charts && sh upload-gateway-cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@ -34,10 +34,7 @@ jobs:
        working-directory: backend
      - name: Start postgres and redis
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Run unit test
-        run: npm run test:unit
-        working-directory: backend
-      - name: Run integration test
+      - name: Start integration test
        run: npm run test:e2e
        working-directory: backend
        env:
@ -47,5 +44,4 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - name: cleanup
        run: |
-          docker compose -f "docker-compose.dev.yml" down
-
+          docker compose -f "docker-compose.dev.yml" down
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -162,24 +162,6 @@ scoop:
  description: "The official Infisical CLI"
  license: MIT

-winget:
-  - name: infisical
-    publisher: infisical
-    license: MIT
-    homepage: https://infisical.com
-    short_description: "The official Infisical CLI"
-    repository:
-      owner: infisical
-      name: winget-pkgs
-      branch: "infisical-{{.Version}}"
-      pull_request:
-        enabled: true
-        draft: false
-        base:
-          owner: microsoft
-          name: winget-pkgs
-          branch: master
-
 aurs:
  - name: infisical-bin
    homepage: "https://infisical.com"
--- a/.infisicalignore
+++ b/.infisicalignore
@ -7,36 +7,3 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
-docs/cli/commands/bootstrap.mdx:jwt:86
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:102
-docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
-frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
-k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
-k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52
-backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts:generic-api-key:125
-frontend/src/components/permissions/AccessTree/nodes/RoleNode.tsx:generic-api-key:67
-frontend/src/components/secret-rotations-v2/RotateSecretRotationV2Modal.tsx:generic-api-key:14
-frontend/src/components/secret-rotations-v2/SecretRotationV2StatusBadge.tsx:generic-api-key:11
-frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewSecretRotationV2GeneratedCredentials.tsx:generic-api-key:23
-frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:28
-frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:65
-frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx:generic-api-key:26
-docs/documentation/platform/kms/overview.mdx:generic-api-key:281
-docs/documentation/platform/kms/overview.mdx:generic-api-key:344
-frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx:generic-api-key:85
-docs/cli/commands/user.mdx:generic-api-key:51
-frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx:generic-api-key:76
-docs/integrations/app-connections/hashicorp-vault.mdx:generic-api-key:188
-cli/detect/config/gitleaks.toml:gcp-api-key:567
-cli/detect/config/gitleaks.toml:gcp-api-key:569
-cli/detect/config/gitleaks.toml:gcp-api-key:570
-cli/detect/config/gitleaks.toml:gcp-api-key:572
-cli/detect/config/gitleaks.toml:gcp-api-key:574
-cli/detect/config/gitleaks.toml:gcp-api-key:575
-cli/detect/config/gitleaks.toml:gcp-api-key:576
-cli/detect/config/gitleaks.toml:gcp-api-key:577
-cli/detect/config/gitleaks.toml:gcp-api-key:578
-cli/detect/config/gitleaks.toml:gcp-api-key:579
-cli/detect/config/gitleaks.toml:gcp-api-key:581
-cli/detect/config/gitleaks.toml:gcp-api-key:582
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -23,16 +23,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -43,10 +44,20 @@ WORKDIR /app

 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user

-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

 USER non-root-user

+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
@ -126,15 +137,14 @@ RUN apt-get update && apt-get install -y \
    freetds-dev \
    freetds-bin \
    tdsodbc \
-    openssh-client \
    && rm -rf /var/lib/apt/lists/*

 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

 # Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.2 \
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
    && rm -rf /var/lib/apt/lists/*

 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
@ -149,11 +159,14 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

 WORKDIR / 

@ -161,9 +174,6 @@ COPY --from=backend-runner /app /backend

 COPY --from=frontend-runner /app ./backend/frontend-build

-ARG INFISICAL_PLATFORM_VERSION
-ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
-
 ENV PORT 8080
 ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 
@ -171,7 +181,6 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=1024"

 WORKDIR /backend

@ -182,4 +191,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -3,13 +3,16 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key

-FROM node:20-slim AS base
+FROM  node:20-alpine AS base

 FROM base AS frontend-dependencies

+# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
+RUN apk add --no-cache libc6-compat
+
 WORKDIR /app

-COPY frontend/package.json frontend/package-lock.json  ./
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./

 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -24,16 +27,17 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .

 ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV VITE_POSTHOG_HOST $POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV VITE_INTERCOM_ID $INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -42,34 +46,42 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app

-RUN groupadd --system --gid 1001 nodejs
-RUN useradd --system --uid 1001 --gid nodejs non-root-user
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 non-root-user

-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
+RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown non-root-user:nodejs ./public/data
+
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

 USER non-root-user

+ENV NEXT_TELEMETRY_DISABLED 1
+
 ##
 ## BACKEND
 ##
 FROM base AS backend-build
+RUN addgroup --system --gid 1001 nodejs \
+  && adduser --system --uid 1001 non-root-user

 WORKDIR /app

 # Install all required dependencies for build
-RUN apt-get update && apt-get install -y \
+RUN apk --update add \
    python3 \
    make \
    g++ \
    unixodbc \
-    freetds-bin \
+    freetds \
    unixodbc-dev \
    libc-dev \
-    freetds-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN groupadd --system --gid 1001 nodejs
-RUN useradd --system --uid 1001 --gid nodejs non-root-user
+    freetds-dev

 COPY backend/package*.json ./
 RUN npm ci --only-production
@ -85,19 +97,18 @@ FROM base AS backend-runner
 WORKDIR /app

 # Install all required dependencies for runtime
-RUN apt-get update && apt-get install -y \
+RUN apk --update add \
    python3 \
    make \
    g++ \
    unixodbc \
-    freetds-bin \
+    freetds \
    unixodbc-dev \
    libc-dev \
-    freetds-dev \
-    && rm -rf /var/lib/apt/lists/*
+    freetds-dev

 # Configure ODBC
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini

 COPY backend/package*.json ./
 RUN npm ci --only-production
@ -109,36 +120,33 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production

-RUN apt-get update && apt-get install -y \
-    ca-certificates \
-    bash \
-    curl \
-    git \
+RUN apk add --upgrade --no-cache ca-certificates
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.31.1 && apk add --no-cache git
+
+WORKDIR /
+
+# Install all required runtime dependencies
+RUN apk --update add \
    python3 \
    make \
    g++ \
    unixodbc \
-    freetds-bin \
+    freetds \
    unixodbc-dev \
    libc-dev \
    freetds-dev \
-		wget \
-    openssh-client \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.2 \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /
+    bash \
+    curl \
+    git

 # Configure ODBC in production
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini

 # Setup user permissions
-RUN groupadd --system --gid 1001 nodejs \
-  && useradd --system --uid 1001 --gid nodejs non-root-user
+RUN addgroup --system --gid 1001 nodejs \
+  && adduser --system --uid 1001 non-root-user

 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@ -150,17 +158,20 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates

 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV INTERCOM_ID=$INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
+

 COPY --from=backend-runner /app /backend
+
 COPY --from=frontend-runner /app ./backend/frontend-build

-ARG INFISICAL_PLATFORM_VERSION
-ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

 ENV PORT 8080
 ENV HOST=0.0.0.0
@ -168,8 +179,6 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
-ENV NODE_OPTIONS="--max-old-space-size=1024"
-
 WORKDIR /backend

 ENV TELEMETRY_ENABLED true
@ -179,4 +188,4 @@ EXPOSE 443

 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/3
+++ b/3
@ -30,6 +30,3 @@ reviewable-api:
 	npm run type:check

 reviewable: reviewable-ui reviewable-api
-
-up-dev-sso:
-	docker compose -f docker-compose.dev.yml --profile sso up --build
--- a/README.md
+++ b/README.md
@ -14,6 +14,15 @@
  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
 </h4>

+<p align="center">
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
+    <img src=".github/images/deploy-to-aws.png" width="137" />
+  </a>
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
+     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
+  </a>
+</p>
+
 <h4 align="center">
  <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
    <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@ -50,13 +59,13 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Dashboard](https://infisical.com/docs/documentation/platform/project)**: Manage secrets across projects and environments (e.g. development, production, etc.) through a user-friendly interface.
 - **[Native Integrations](https://infisical.com/docs/integrations/overview)**: Sync secrets to platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and use tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)**: Keep track of every secret and project state; roll back when needed.
- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres-credentials), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
+- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
 - **[Dynamic Secrets](https://infisical.com/docs/documentation/platform/dynamic-secrets/overview)**: Generate ephemeral secrets on-demand for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/postgresql), [MySQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/mysql), [RabbitMQ](https://infisical.com/docs/documentation/platform/dynamic-secrets/rabbit-mq), and more.
 - **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)**: Prevent secrets from leaking to git.
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.

-### Infisical (Internal) PKI:
+### Internal PKI:

 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@ -64,17 +73,12 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.

-### Infisical Key Management System (KMS):
+### Key Management (KMS):

- **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.

-### Infisical SSH
-
- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
-
 ### General Platform:
-
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
@ -125,7 +129,7 @@ Install pre commit hook to scan each commit before you push to your repository
 infisical scan install --pre-commit-hook
 ```

-Learn about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
+Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)

 ## Open-source vs. paid

--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@ -69,15 +69,6 @@ module.exports = {
          ["^\\."]
        ]
      }
-    ],
-    "import/extensions": [
-      "error",
-      "ignorePackages",
-      {
-        "": "never", // this is required to get the .tsx to work...
-        ts: "never",
-        tsx: "never"
-      }
    ]
  }
 };
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -1,23 +1,22 @@
 # Build stage
-FROM node:20-slim AS build
+FROM node:20-alpine AS build

 WORKDIR /app

 # Required for pkcs11js
-RUN apt-get update && apt-get install -y \
-    python3 \
-    make \
-    g++ \
-    openssh-client \
-    openssl 
+RUN apk --update add \
+        python3 \
+        make \
+        g++

-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
    unixodbc \
-    freetds-bin \
-    freetds-dev \
+    freetds \
    unixodbc-dev \
-    libc-dev
+    libc-dev \
+    freetds-dev
+

 COPY package*.json ./
 RUN npm ci --only-production
@ -26,36 +25,36 @@ COPY . .
 RUN npm run build

 # Production stage
-FROM node:20-slim
+FROM node:20-alpine
 WORKDIR /app

 ENV npm_config_cache /home/node/.npm

 COPY package*.json ./

-RUN apt-get update && apt-get install -y \
-    python3 \
-    make \
-    g++
+RUN apk --update add \
+        python3 \
+        make \
+        g++

-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
    unixodbc \
-    freetds-bin \
-    freetds-dev \
+    freetds \
    unixodbc-dev \
-    libc-dev
+    libc-dev \
+    freetds-dev

-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini

 RUN npm ci --only-production && npm cache clean --force

 COPY --from=build /app .

-# Install Infisical CLI
-RUN apt-get install -y curl bash && \
-    curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.41.2 git
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1 && apk add --no-cache git

 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
  CMD node healthcheck.js
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM node:20-slim
+FROM node:20-alpine

 # ? Setup a test SoftHSM module. In production a real HSM is used.

@ -7,33 +7,31 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
    SOFTHSM2_SOURCES=/tmp/softhsm2

-# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
-RUN apt-get update && apt-get install -y \
-    build-essential \
-    autoconf \
-    automake \
-    git \
-    libtool \
-    libssl-dev \
-    python3 \
-    make \
-    g++ \
-    openssh-client \
-    openssl \
-    curl \
-    pkg-config
+# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apk --update add \
+        alpine-sdk \
+        autoconf \
+        automake \
+        git \
+        libtool \
+        openssl-dev \
+        python3 \
+        make \
+        g++

-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
    unixodbc \
+    freetds \
    unixodbc-dev \
-    freetds-dev \
-    freetds-bin \
-    tdsodbc
+    libc-dev \
+    freetds-dev

-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini

-# Build and install SoftHSM2
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# build and install SoftHSM2
+
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}

@ -46,18 +44,16 @@ RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}

-# Install pkcs11-tool
-RUN apt-get install -y opensc
+# install pkcs11-tool
+RUN apk --update add opensc

-RUN mkdir -p /etc/softhsm2/tokens && \
-    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000

 # ? App setup

-# Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && \
-    apt-get install -y infisical=0.41.2
+RUN apk add --no-cache bash curl && curl -1sLf \
+  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
+  && apk add infisical=0.8.1 && apk add --no-cache git

 WORKDIR /app

--- a/backend/Dockerfile.dev.fips
+++ b/backend/Dockerfile.dev.fips
@ -1,85 +0,0 @@
-FROM node:20-slim
-
-# ? Setup a test SoftHSM module. In production a real HSM is used.
-
-ARG SOFTHSM2_VERSION=2.5.0
-
-ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
-    SOFTHSM2_SOURCES=/tmp/softhsm2
-
-# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
-RUN apt-get update && apt-get install -y \
-    build-essential \
-    autoconf \
-    automake \
-    git \
-    libtool \
-    libssl-dev \
-    python3 \
-    make \
-    g++ \
-    openssh-client \
-    curl \
-    pkg-config \
-    perl \
-    wget
-
-# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apt-get install -y \
-    unixodbc \
-    unixodbc-dev \
-    freetds-dev \
-    freetds-bin \
-    tdsodbc
-
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
-
-# Build and install SoftHSM2
-RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
-WORKDIR ${SOFTHSM2_SOURCES}
-
-RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
-    && sh autogen.sh \
-    && ./configure --prefix=/usr/local --disable-gost \
-    && make \
-    && make install
-
-WORKDIR /root
-RUN rm -fr ${SOFTHSM2_SOURCES}
-
-# Install pkcs11-tool
-RUN apt-get install -y opensc
-
-RUN mkdir -p /etc/softhsm2/tokens && \
-    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
-    
-WORKDIR /openssl-build
-RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
-    && tar -xf openssl-3.1.2.tar.gz \
-    && cd openssl-3.1.2 \
-    && ./Configure enable-fips \
-    && make \
-    && make install_fips
-
-# ? App setup
-
-# Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && \
-    apt-get install -y infisical=0.41.2
-
-WORKDIR /app
-
-COPY package.json package.json
-COPY package-lock.json package-lock.json
-
-RUN npm install
-
-COPY . .
-
-ENV HOST=0.0.0.0
-ENV OPENSSL_CONF=/app/nodejs.cnf
-ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV NODE_OPTIONS=--force-fips
-
-CMD ["npm", "run", "dev:docker"]
--- a/backend/e2e-test/mocks/keystore.ts
+++ b/backend/e2e-test/mocks/keystore.ts
@ -1,8 +1,4 @@
-import RE2 from "re2";
-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
-import { applyJitter } from "@app/lib/dates";
-import { delay as delayMs } from "@app/lib/delay";
 import { Lock } from "@app/lib/red-lock";

 export const mockKeyStore = (): TKeyStoreFactory => {
@ -13,7 +9,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
      store[key] = value;
      return "OK";
    },
-    setExpiry: async () => 0,
    setItemWithExpiry: async (key, value) => {
      store[key] = value;
      return "OK";
@ -22,27 +17,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
      delete store[key];
      return 1;
    },
-    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
-      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
-      let totalDeleted = 0;
-      const keys = Object.keys(store);
-
-      for (let i = 0; i < keys.length; i += batchSize) {
-        const batch = keys.slice(i, i + batchSize);
-
-        for (const key of batch) {
-          if (regex.test(key)) {
-            delete store[key];
-            totalDeleted += 1;
-          }
-        }
-
-        // eslint-disable-next-line no-await-in-loop
-        await delayMs(Math.max(0, applyJitter(delay, jitter)));
-      }
-
-      return totalDeleted;
-    },
    getItem: async (key) => {
      const value = store[key];
      if (typeof value === "string") {
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -10,23 +10,17 @@ export const mockQueue = (): TQueueServiceFactory => {
    queue: async (name, jobData) => {
      job[name] = jobData;
    },
-    queuePg: async () => {},
-    schedulePg: async () => {},
-    initialize: async () => {},
    shutdown: async () => undefined,
    stopRepeatableJob: async () => true,
    start: (name, jobFn) => {
      queues[name] = jobFn;
      workers[name] = jobFn;
    },
-    startPg: async () => {},
    listen: (name, event) => {
      events[name] = event;
    },
-    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true,
-    stopRepeatableJobByKey: async () => true
+    stopRepeatableJobByJobId: async () => true
  };
 };
--- a/backend/e2e-test/routes/v3/secret-recursive.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-recursive.spec.ts
@ -1,86 +0,0 @@
-import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
-import { createSecretV2, deleteSecretV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
-
-import { seedData1 } from "@app/db/seed-data";
-
-describe("Secret Recursive Testing", async () => {
-  const projectId = seedData1.projectV3.id;
-  const folderAndSecretNames = [
-    { name: "deep1", path: "/", expectedSecretCount: 4 },
-    { name: "deep21", path: "/deep1", expectedSecretCount: 2 },
-    { name: "deep3", path: "/deep1/deep2", expectedSecretCount: 1 },
-    { name: "deep22", path: "/deep2", expectedSecretCount: 1 }
-  ];
-
-  beforeAll(async () => {
-    const rootFolderIds: string[] = [];
-    for (const folder of folderAndSecretNames) {
-      // eslint-disable-next-line no-await-in-loop
-      const createdFolder = await createFolder({
-        authToken: jwtAuthToken,
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        secretPath: folder.path,
-        name: folder.name
-      });
-
-      if (folder.path === "/") {
-        rootFolderIds.push(createdFolder.id);
-      }
-      // eslint-disable-next-line no-await-in-loop
-      await createSecretV2({
-        secretPath: folder.path,
-        authToken: jwtAuthToken,
-        environmentSlug: "prod",
-        workspaceId: projectId,
-        key: folder.name,
-        value: folder.name
-      });
-    }
-
-    return async () => {
-      await Promise.all(
-        rootFolderIds.map((id) =>
-          deleteFolder({
-            authToken: jwtAuthToken,
-            secretPath: "/",
-            id,
-            workspaceId: projectId,
-            environmentSlug: "prod"
-          })
-        )
-      );
-
-      await deleteSecretV2({
-        authToken: jwtAuthToken,
-        secretPath: "/",
-        workspaceId: projectId,
-        environmentSlug: "prod",
-        key: folderAndSecretNames[0].name
-      });
-    };
-  });
-
-  test.each(folderAndSecretNames)("$path recursive secret fetching", async ({ path, expectedSecretCount }) => {
-    const secrets = await getSecretsV2({
-      authToken: jwtAuthToken,
-      secretPath: path,
-      workspaceId: projectId,
-      environmentSlug: "prod",
-      recursive: true
-    });
-
-    expect(secrets.secrets.length).toEqual(expectedSecretCount);
-    expect(secrets.secrets.sort((a, b) => a.secretKey.localeCompare(b.secretKey))).toEqual(
-      folderAndSecretNames
-        .filter((el) => el.path.startsWith(path))
-        .sort((a, b) => a.name.localeCompare(b.name))
-        .map((el) =>
-          expect.objectContaining({
-            secretKey: el.name,
-            secretValue: el.name
-          })
-        )
-    );
-  });
-});
--- a/backend/e2e-test/routes/v3/secrets-v2.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets-v2.spec.ts
@ -535,107 +535,6 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
      );
    });

-    test.each(secretTestCases)("Bulk upsert secrets in path $path", async ({ secret, path }) => {
-      const updateSharedSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          secretPath: path,
-          mode: "upsert",
-          secrets: Array.from(Array(5)).map((_e, i) => ({
-            secretKey: `BULK-${secret.key}-${i + 1}`,
-            secretValue: "update-value",
-            secretComment: secret.comment
-          }))
-        }
-      });
-      expect(updateSharedSecRes.statusCode).toBe(200);
-      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
-      expect(updateSharedSecPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining(
-          Array.from(Array(5)).map((_e, i) =>
-            expect.objectContaining({
-              secretKey: `BULK-${secret.key}-${i + 1}`,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      await Promise.all(
-        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
-      );
-    });
-
-    test("Bulk upsert secrets in path multiple paths", async () => {
-      const firstBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
-        secretKey: `BULK-KEY-${secretTestCases[0].secret.key}-${i + 1}`,
-        secretValue: "update-value",
-        secretComment: "comment",
-        secretPath: secretTestCases[0].path
-      }));
-      const secondBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
-        secretKey: `BULK-KEY-${secretTestCases[1].secret.key}-${i + 1}`,
-        secretValue: "update-value",
-        secretComment: "comment",
-        secretPath: secretTestCases[1].path
-      }));
-      const testSecrets = [...firstBatchSecrets, ...secondBatchSecrets];
-
-      const updateSharedSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: {
-          workspaceId: seedData1.projectV3.id,
-          environment: seedData1.environment.slug,
-          mode: "upsert",
-          secrets: testSecrets
-        }
-      });
-      expect(updateSharedSecRes.statusCode).toBe(200);
-      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
-      expect(updateSharedSecPayload).toHaveProperty("secrets");
-
-      // bulk ones should exist
-      const firstBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[0].path);
-      expect(firstBatchSecretsOnInfisical).toEqual(
-        expect.arrayContaining(
-          firstBatchSecrets.map((el) =>
-            expect.objectContaining({
-              secretKey: el.secretKey,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      const secondBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[1].path);
-      expect(secondBatchSecretsOnInfisical).toEqual(
-        expect.arrayContaining(
-          secondBatchSecrets.map((el) =>
-            expect.objectContaining({
-              secretKey: el.secretKey,
-              secretValue: "update-value",
-              type: SecretType.Shared
-            })
-          )
-        )
-      );
-      await Promise.all(testSecrets.map((el) => deleteSecret({ path: el.secretPath, key: el.secretKey })));
-    });
-
    test.each(secretTestCases)("Bulk delete secrets in path $path", async ({ secret, path }) => {
      await Promise.all(
        Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))
--- a/backend/e2e-test/testUtils/secrets.ts
+++ b/backend/e2e-test/testUtils/secrets.ts
@ -97,7 +97,6 @@ export const getSecretsV2 = async (dto: {
  environmentSlug: string;
  secretPath: string;
  authToken: string;
-  recursive?: boolean;
 }) => {
  const getSecretsResponse = await testServer.inject({
    method: "GET",
@ -110,8 +109,7 @@ export const getSecretsV2 = async (dto: {
      environment: dto.environmentSlug,
      secretPath: dto.secretPath,
      expandSecretReferences: "true",
-      include_imports: "true",
-      recursive: String(dto.recursive || false)
+      include_imports: "true"
    }
  });
  expect(getSecretsResponse.statusCode).toBe(200);
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -15,22 +15,22 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
+import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
-import { buildRedisFromConfig } from "@app/lib/config/redis";

 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
  name: "knex-env",
  transformMode: "ssr",
  async setup() {
-    const logger = initLogger();
-    const envConfig = initEnvConfig(logger);
+    const logger = await initLogger();
+    const cfg = initEnvConfig(logger);
    const db = initDbConnection({
-      dbConnectionUri: envConfig.DB_CONNECTION_URI,
-      dbRootCert: envConfig.DB_ROOT_CERT
+      dbConnectionUri: cfg.DB_CONNECTION_URI,
+      dbRootCert: cfg.DB_ROOT_CERT
    });

-    const redis = buildRedisFromConfig(envConfig);
+    const redis = new Redis(cfg.REDIS_URL);
    await redis.flushdb("SYNC");

    try {
@ -42,7 +42,6 @@ export default {
        },
        true
      );
-
      await db.migrate.latest({
        directory: path.join(__dirname, "../src/db/migrations"),
        extension: "ts",
@ -53,24 +52,14 @@ export default {
        directory: path.join(__dirname, "../src/db/seeds"),
        extension: "ts"
      });
-
      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig);
+      const queue = queueServiceFactory(cfg.REDIS_URL);
+      const keyStore = keyStoreFactory(cfg.REDIS_URL);

-      const hsmModule = initializeHsmModule(envConfig);
+      const hsmModule = initializeHsmModule();
      hsmModule.initialize();

-      const server = await main({
-        db,
-        smtp,
-        logger,
-        queue,
-        keyStore,
-        hsmModule: hsmModule.getModule(),
-        redis,
-        envConfig
-      });
+      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule() });

      // @ts-expect-error type
      globalThis.testServer = server;
@ -84,8 +73,8 @@ export default {
          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
-        envConfig.AUTH_SECRET,
-        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
+        cfg.AUTH_SECRET,
+        { expiresIn: cfg.JWT_AUTH_LIFETIME }
      );
    } catch (error) {
      // eslint-disable-next-line
--- a/backend/nodejs.cnf
+++ b/backend/nodejs.cnf
@ -1,16 +0,0 @@
-nodejs_conf = nodejs_init
-
-.include /usr/local/ssl/fipsmodule.cnf
-
-[nodejs_init]
-providers = provider_sect
-
-[provider_sect]
-default = default_sect
-fips = fips_sect
-
-[default_sect]
-activate = 1
-
-[algorithm_sect]
-default_properties = fips=yes 
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -38,42 +38,32 @@
    "build:frontend": "npm run build --prefix ../frontend",
    "start": "node --enable-source-maps dist/main.mjs",
    "type:check": "tsc --noEmit",
-    "lint:fix": "node --max-old-space-size=8192 ./node_modules/.bin/eslint --fix --ext js,ts ./src",
-    "lint": "node --max-old-space-size=8192 ./node_modules/.bin/eslint 'src/**/*.ts'",
-    "test:unit": "vitest run -c vitest.unit.config.ts",
+    "lint:fix": "eslint --fix --ext js,ts ./src",
+    "lint": "eslint 'src/**/*.ts'",
    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
    "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
-    "auditlog-migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:latest",
-    "auditlog-migration:up": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:up",
-    "auditlog-migration:down": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:down",
-    "auditlog-migration:list": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:list",
-    "auditlog-migration:status": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:status",
-    "auditlog-migration:unlock": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:unlock",
-    "auditlog-migration:rollback": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:rollback",
+    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
+    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
+    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
+    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
+    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
+    "auditlog-migration:unlock": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:unlock",
+    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
    "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:up",
-    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:down",
-    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:list",
-    "migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && npm run auditlog-migration:latest && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:latest",
-    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:status",
-    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./dist/db/knexfile.mjs migrate:rollback",
-    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./dist/db/knexfile.mjs migrate:unlock",
-    "migration:up-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback-dev": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
-    "migration:unlock-dev": "knex --knexfile ./src/db/knexfile.ts migrate:unlock",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./src/db/knexfile.ts migrate:unlock",
    "migrate:org": "tsx ./scripts/migrate-organization.ts",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
-    "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
-    "seed-dev": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
-    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest",
-    "email:dev": "email dev --dir src/services/smtp/emails"
+    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
+    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
  },
  "keywords": [],
  "author": "",
@ -90,14 +80,14 @@
    "@types/jsrp": "^0.2.6",
    "@types/libsodium-wrappers": "^0.7.13",
    "@types/lodash.isequal": "^4.5.8",
-    "@types/node": "^20.17.30",
+    "@types/node": "^20.9.5",
    "@types/nodemailer": "^6.4.14",
+    "@types/passport-github": "^1.1.12",
    "@types/passport-google-oauth20": "^2.0.14",
    "@types/pg": "^8.10.9",
    "@types/picomatch": "^2.3.3",
    "@types/pkcs11js": "^1.0.4",
    "@types/prompt-sync": "^4.2.3",
-    "@types/react": "^19.1.2",
    "@types/resolve": "^1.20.6",
    "@types/safe-regex": "^1.1.6",
    "@types/sjcl": "^1.0.34",
@ -117,7 +107,6 @@
    "nodemon": "^3.0.2",
    "pino-pretty": "^10.2.3",
    "prompt-sync": "^4.2.0",
-    "react-email": "4.0.7",
    "rimraf": "^5.0.5",
    "ts-node": "^10.9.2",
    "tsc-alias": "^1.8.8",
@ -131,7 +120,6 @@
    "@aws-sdk/client-elasticache": "^3.637.0",
    "@aws-sdk/client-iam": "^3.525.0",
    "@aws-sdk/client-kms": "^3.609.0",
-    "@aws-sdk/client-route-53": "^3.810.0",
    "@aws-sdk/client-secrets-manager": "^3.504.0",
    "@aws-sdk/client-sts": "^3.600.0",
    "@casl/ability": "^6.5.0",
@ -141,53 +129,44 @@
    "@fastify/etag": "^5.1.0",
    "@fastify/formbody": "^7.4.0",
    "@fastify/helmet": "^11.1.1",
-    "@fastify/multipart": "8.3.1",
+    "@fastify/multipart": "8.3.0",
    "@fastify/passport": "^2.4.0",
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
-    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
-    "@google-cloud/kms": "^4.5.0",
-    "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.0.1",
+    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/auth-app": "^7.1.1",
-    "@octokit/core": "^5.2.1",
-    "@octokit/plugin-paginate-graphql": "^4.0.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
-    "@octopusdeploy/api-client": "^3.4.1",
    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
    "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
    "@opentelemetry/exporter-prometheus": "^0.55.0",
    "@opentelemetry/instrumentation": "^0.55.0",
-    "@opentelemetry/instrumentation-http": "^0.57.2",
    "@opentelemetry/resources": "^1.28.0",
    "@opentelemetry/sdk-metrics": "^1.28.0",
    "@opentelemetry/semantic-conventions": "^1.27.0",
    "@peculiar/asn1-schema": "^2.3.8",
    "@peculiar/x509": "^1.12.1",
-    "@react-email/components": "0.0.36",
    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
    "@sindresorhus/slugify": "1.1.0",
-    "@slack/oauth": "^3.0.2",
-    "@slack/web-api": "^7.8.0",
+    "@slack/oauth": "^3.0.1",
+    "@slack/web-api": "^7.3.4",
+    "@team-plain/typescript-sdk": "^4.6.1",
    "@ucast/mongo2js": "^1.3.4",
-    "acme-client": "^5.4.0",
    "ajv": "^8.12.0",
    "argon2": "^0.31.2",
    "aws-sdk": "^2.1553.0",
    "axios": "^1.6.7",
    "axios-retry": "^4.0.0",
    "bcrypt": "^5.1.1",
-    "botbuilder": "^4.23.2",
    "bullmq": "^5.4.2",
    "cassandra-driver": "^4.7.2",
    "connect-redis": "^7.1.1",
    "cron": "^3.1.7",
-    "dd-trace": "^5.40.0",
    "dotenv": "^16.4.1",
    "fastify": "^4.28.1",
    "fastify-plugin": "^4.5.1",
@ -196,7 +175,6 @@
    "handlebars": "^4.7.8",
    "hdb": "^0.19.10",
    "ioredis": "^5.3.2",
-    "isomorphic-dompurify": "^2.22.0",
    "jmespath": "^0.16.0",
    "jsonwebtoken": "^9.0.2",
    "jsrp": "^0.2.4",
@ -209,20 +187,18 @@
    "mongodb": "^6.8.1",
    "ms": "^2.1.3",
    "mysql2": "^3.9.8",
-    "nanoid": "^3.3.8",
+    "nanoid": "^3.3.4",
    "nodemailer": "^6.9.9",
-    "oci-sdk": "^2.108.0",
    "odbc": "^2.4.9",
    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
    "oracledb": "^6.4.0",
    "otplib": "^12.0.1",
+    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
    "passport-ldapauth": "^3.0.1",
-    "passport-oauth2": "^1.8.0",
    "pg": "^8.11.3",
-    "pg-boss": "^10.1.5",
    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
@ -230,9 +206,6 @@
    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
    "probot": "^13.3.8",
-    "re2": "^1.21.4",
-    "react": "19.1.0",
-    "react-dom": "19.1.0",
    "safe-regex": "^2.1.1",
    "scim-patch": "^0.8.3",
    "scim2-parse-filter": "^0.2.10",
@ -244,6 +217,6 @@
    "tweetnacl-util": "^0.15.1",
    "uuid": "^9.0.1",
    "zod": "^3.22.4",
-    "zod-to-json-schema": "^3.24.5"
+    "zod-to-json-schema": "^3.22.4"
  }
 }
--- a/backend/src/@types/fastify-request-context.d.ts
+++ b/backend/src/@types/fastify-request-context.d.ts
@ -0,0 +1,7 @@
+import "@fastify/request-context";
+
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    requestId: string;
+  }
+}
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -1,11 +1,8 @@
 import "fastify";

-import { Redis } from "ioredis";
-
 import { TUsers } from "@app/db/schemas";
 import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
-import { TAssumePrivilegeServiceFactory } from "@app/ee/services/assume-privilege/assume-privilege-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
@ -14,14 +11,9 @@ import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
-import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
-import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
-import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
-import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
-import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@ -35,17 +27,11 @@ import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
-import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
-import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
-import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
-import { TSshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
-import { TSshHostGroupServiceFactory } from "@app/ee/services/ssh-host-group/ssh-host-group-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
-import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
@ -53,7 +39,6 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
-import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
@ -65,24 +50,18 @@ import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-acces
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
-import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
-import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
-import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
-import { TMicrosoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
 import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
-import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@ -95,7 +74,6 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
-import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@ -108,27 +86,7 @@ import { TUserEngagementServiceFactory } from "@app/services/user-engagement/use
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";

-declare module "@fastify/request-context" {
-  interface RequestContextData {
-    reqId: string;
-    orgId?: string;
-    identityAuthInfo?: {
-      identityId: string;
-      oidc?: {
-        claims: Record<string, string>;
-      };
-    };
-    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
-    assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
-  }
-}
-
 declare module "fastify" {
-  interface Session {
-    callbackPort: string;
-    isAdminLogin: boolean;
-  }
-
  interface FastifyRequest {
    realIp: string;
    // used for mfa session authentication
@ -148,31 +106,15 @@ declare module "fastify" {
    rateLimits: RateLimitConfiguration;
    // passport data
    passportUser: {
-      isUserCompleted: boolean;
+      isUserCompleted: string;
      providerAuthToken: string;
-      externalProviderAccessToken?: string;
-    };
-    passportMachineIdentity: {
-      identityId: string;
-      user: {
-        uid: string;
-        mail?: string;
-      };
-    };
-    kmipUser: {
-      projectId: string;
-      clientId: string;
-      name: string;
    };
    auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
    ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
-    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>> & {
-      allowedFields?: TAllowedFields[];
-    };
+    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
  }

  interface FastifyInstance {
-    redis: Redis;
    services: {
      login: TAuthLoginFactory;
      password: TAuthPasswordFactory;
@ -212,10 +154,7 @@ declare module "fastify" {
      identityGcpAuth: TIdentityGcpAuthServiceFactory;
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
-      identityOciAuth: TIdentityOciAuthServiceFactory;
      identityOidcAuth: TIdentityOidcAuthServiceFactory;
-      identityJwtAuth: TIdentityJwtAuthServiceFactory;
-      identityLdapAuth: TIdentityLdapAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@ -229,15 +168,10 @@ declare module "fastify" {
      auditLogStream: TAuditLogStreamServiceFactory;
      certificate: TCertificateServiceFactory;
      certificateTemplate: TCertificateTemplateServiceFactory;
-      sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
-      sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
-      sshHost: TSshHostServiceFactory;
-      sshHostGroup: TSshHostGroupServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
      pkiCollection: TPkiCollectionServiceFactory;
-      pkiSubscriber: TPkiSubscriberServiceFactory;
      secretScanning: TSecretScanningServiceFactory;
      license: TLicenseServiceFactory;
      trustedIp: TTrustedIpServiceFactory;
@ -261,22 +195,11 @@ declare module "fastify" {
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
      projectTemplate: TProjectTemplateServiceFactory;
      totp: TTotpServiceFactory;
-      appConnection: TAppConnectionServiceFactory;
-      secretSync: TSecretSyncServiceFactory;
-      kmip: TKmipServiceFactory;
-      kmipOperation: TKmipOperationServiceFactory;
-      gateway: TGatewayServiceFactory;
-      secretRotationV2: TSecretRotationV2ServiceFactory;
-      microsoftTeams: TMicrosoftTeamsServiceFactory;
-      assumePrivileges: TAssumePrivilegeServiceFactory;
-      githubOrgSync: TGithubOrgSyncServiceFactory;
-      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
    store: {
      user: Pick<TUserDALFactory, "findById">;
-      kmipClient: Pick<TKmipClientDALFactory, "findByProjectAndClientId">;
    };
  }
 }
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -17,9 +17,6 @@ import {
  TApiKeys,
  TApiKeysInsert,
  TApiKeysUpdate,
-  TAppConnections,
-  TAppConnectionsInsert,
-  TAppConnectionsUpdate,
  TAuditLogs,
  TAuditLogsInsert,
  TAuditLogStreams,
@ -68,27 +65,15 @@ import {
  TDynamicSecrets,
  TDynamicSecretsInsert,
  TDynamicSecretsUpdate,
-  TExternalCertificateAuthorities,
-  TExternalCertificateAuthoritiesInsert,
-  TExternalCertificateAuthoritiesUpdate,
-  TExternalGroupOrgRoleMappings,
-  TExternalGroupOrgRoleMappingsInsert,
-  TExternalGroupOrgRoleMappingsUpdate,
  TExternalKms,
  TExternalKmsInsert,
  TExternalKmsUpdate,
-  TGateways,
-  TGatewaysInsert,
-  TGatewaysUpdate,
  TGitAppInstallSessions,
  TGitAppInstallSessionsInsert,
  TGitAppInstallSessionsUpdate,
  TGitAppOrg,
  TGitAppOrgInsert,
  TGitAppOrgUpdate,
-  TGithubOrgSyncConfigs,
-  TGithubOrgSyncConfigsInsert,
-  TGithubOrgSyncConfigsUpdate,
  TGroupProjectMembershipRoles,
  TGroupProjectMembershipRolesInsert,
  TGroupProjectMembershipRolesUpdate,
@ -113,18 +98,12 @@ import {
  TIdentityGcpAuths,
  TIdentityGcpAuthsInsert,
  TIdentityGcpAuthsUpdate,
-  TIdentityJwtAuths,
-  TIdentityJwtAuthsInsert,
-  TIdentityJwtAuthsUpdate,
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
  TIdentityMetadata,
  TIdentityMetadataInsert,
  TIdentityMetadataUpdate,
-  TIdentityOciAuths,
-  TIdentityOciAuthsInsert,
-  TIdentityOciAuthsUpdate,
  TIdentityOidcAuths,
  TIdentityOidcAuthsInsert,
  TIdentityOidcAuthsUpdate,
@ -158,24 +137,9 @@ import {
  TIntegrations,
  TIntegrationsInsert,
  TIntegrationsUpdate,
-  TInternalCertificateAuthorities,
-  TInternalCertificateAuthoritiesInsert,
-  TInternalCertificateAuthoritiesUpdate,
  TInternalKms,
  TInternalKmsInsert,
  TInternalKmsUpdate,
-  TKmipClientCertificates,
-  TKmipClientCertificatesInsert,
-  TKmipClientCertificatesUpdate,
-  TKmipClients,
-  TKmipClientsInsert,
-  TKmipClientsUpdate,
-  TKmipOrgConfigs,
-  TKmipOrgConfigsInsert,
-  TKmipOrgConfigsUpdate,
-  TKmipOrgServerCertificates,
-  TKmipOrgServerCertificatesInsert,
-  TKmipOrgServerCertificatesUpdate,
  TKmsKeys,
  TKmsKeysInsert,
  TKmsKeysUpdate,
@ -200,9 +164,6 @@ import {
  TOrgBots,
  TOrgBotsInsert,
  TOrgBotsUpdate,
-  TOrgGatewayConfig,
-  TOrgGatewayConfigInsert,
-  TOrgGatewayConfigUpdate,
  TOrgMemberships,
  TOrgMembershipsInsert,
  TOrgMembershipsUpdate,
@ -218,18 +179,12 @@ import {
  TPkiCollections,
  TPkiCollectionsInsert,
  TPkiCollectionsUpdate,
-  TPkiSubscribers,
-  TPkiSubscribersInsert,
-  TPkiSubscribersUpdate,
  TProjectBots,
  TProjectBotsInsert,
  TProjectBotsUpdate,
  TProjectEnvironments,
  TProjectEnvironmentsInsert,
  TProjectEnvironmentsUpdate,
-  TProjectGateways,
-  TProjectGatewaysInsert,
-  TProjectGatewaysUpdate,
  TProjectKeys,
  TProjectKeysInsert,
  TProjectKeysUpdate,
@ -244,12 +199,6 @@ import {
  TProjectSlackConfigs,
  TProjectSlackConfigsInsert,
  TProjectSlackConfigsUpdate,
-  TProjectSplitBackfillIds,
-  TProjectSplitBackfillIdsInsert,
-  TProjectSplitBackfillIdsUpdate,
-  TProjectSshConfigs,
-  TProjectSshConfigsInsert,
-  TProjectSshConfigsUpdate,
  TProjectsUpdate,
  TProjectTemplates,
  TProjectTemplatesInsert,
@ -263,9 +212,6 @@ import {
  TRateLimit,
  TRateLimitInsert,
  TRateLimitUpdate,
-  TResourceMetadata,
-  TResourceMetadataInsert,
-  TResourceMetadataUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -323,12 +269,6 @@ import {
  TSecretRotations,
  TSecretRotationsInsert,
  TSecretRotationsUpdate,
-  TSecretRotationsV2,
-  TSecretRotationsV2Insert,
-  TSecretRotationsV2Update,
-  TSecretRotationV2SecretMappings,
-  TSecretRotationV2SecretMappingsInsert,
-  TSecretRotationV2SecretMappingsUpdate,
  TSecrets,
  TSecretScanningGitRisks,
  TSecretScanningGitRisksInsert,
@ -350,27 +290,15 @@ import {
  TSecretSnapshotsInsert,
  TSecretSnapshotsUpdate,
  TSecretsUpdate,
-  TSecretsV2,
-  TSecretsV2Insert,
-  TSecretsV2Update,
-  TSecretSyncs,
-  TSecretSyncsInsert,
-  TSecretSyncsUpdate,
  TSecretTagJunction,
  TSecretTagJunctionInsert,
  TSecretTagJunctionUpdate,
  TSecretTags,
  TSecretTagsInsert,
  TSecretTagsUpdate,
-  TSecretV2TagJunction,
-  TSecretV2TagJunctionInsert,
-  TSecretV2TagJunctionUpdate,
  TSecretVersions,
  TSecretVersionsInsert,
  TSecretVersionsUpdate,
-  TSecretVersionsV2,
-  TSecretVersionsV2Insert,
-  TSecretVersionsV2Update,
  TSecretVersionTagJunction,
  TSecretVersionTagJunctionInsert,
  TSecretVersionTagJunctionUpdate,
@ -383,36 +311,6 @@ import {
  TSlackIntegrations,
  TSlackIntegrationsInsert,
  TSlackIntegrationsUpdate,
-  TSshCertificateAuthorities,
-  TSshCertificateAuthoritiesInsert,
-  TSshCertificateAuthoritiesUpdate,
-  TSshCertificateAuthoritySecrets,
-  TSshCertificateAuthoritySecretsInsert,
-  TSshCertificateAuthoritySecretsUpdate,
-  TSshCertificateBodies,
-  TSshCertificateBodiesInsert,
-  TSshCertificateBodiesUpdate,
-  TSshCertificates,
-  TSshCertificatesInsert,
-  TSshCertificatesUpdate,
-  TSshCertificateTemplates,
-  TSshCertificateTemplatesInsert,
-  TSshCertificateTemplatesUpdate,
-  TSshHostGroupMemberships,
-  TSshHostGroupMembershipsInsert,
-  TSshHostGroupMembershipsUpdate,
-  TSshHostGroups,
-  TSshHostGroupsInsert,
-  TSshHostGroupsUpdate,
-  TSshHostLoginUserMappings,
-  TSshHostLoginUserMappingsInsert,
-  TSshHostLoginUserMappingsUpdate,
-  TSshHostLoginUsers,
-  TSshHostLoginUsersInsert,
-  TSshHostLoginUsersUpdate,
-  TSshHosts,
-  TSshHostsInsert,
-  TSshHostsUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
@ -445,25 +343,21 @@ import {
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
 import {
-  TIdentityLdapAuths,
-  TIdentityLdapAuthsInsert,
-  TIdentityLdapAuthsUpdate
-} from "@app/db/schemas/identity-ldap-auths";
+  TExternalGroupOrgRoleMappings,
+  TExternalGroupOrgRoleMappingsInsert,
+  TExternalGroupOrgRoleMappingsUpdate
+} from "@app/db/schemas/external-group-org-role-mappings";
 import {
-  TMicrosoftTeamsIntegrations,
-  TMicrosoftTeamsIntegrationsInsert,
-  TMicrosoftTeamsIntegrationsUpdate
-} from "@app/db/schemas/microsoft-teams-integrations";
+  TSecretV2TagJunction,
+  TSecretV2TagJunctionInsert,
+  TSecretV2TagJunctionUpdate
+} from "@app/db/schemas/secret-v2-tag-junction";
 import {
-  TProjectMicrosoftTeamsConfigs,
-  TProjectMicrosoftTeamsConfigsInsert,
-  TProjectMicrosoftTeamsConfigsUpdate
-} from "@app/db/schemas/project-microsoft-teams-configs";
-import {
-  TSecretReminderRecipients,
-  TSecretReminderRecipientsInsert,
-  TSecretReminderRecipientsUpdate
-} from "@app/db/schemas/secret-reminder-recipients";
+  TSecretVersionsV2,
+  TSecretVersionsV2Insert,
+  TSecretVersionsV2Update
+} from "@app/db/schemas/secret-versions-v2";
+import { TSecretsV2, TSecretsV2Insert, TSecretsV2Update } from "@app/db/schemas/secrets-v2";

 declare module "knex" {
  namespace Knex {
@ -478,52 +372,6 @@ declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
-    [TableName.SshHostGroup]: KnexOriginal.CompositeTableType<
-      TSshHostGroups,
-      TSshHostGroupsInsert,
-      TSshHostGroupsUpdate
-    >;
-    [TableName.SshHostGroupMembership]: KnexOriginal.CompositeTableType<
-      TSshHostGroupMemberships,
-      TSshHostGroupMembershipsInsert,
-      TSshHostGroupMembershipsUpdate
-    >;
-    [TableName.SshHost]: KnexOriginal.CompositeTableType<TSshHosts, TSshHostsInsert, TSshHostsUpdate>;
-    [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TSshCertificateAuthorities,
-      TSshCertificateAuthoritiesInsert,
-      TSshCertificateAuthoritiesUpdate
-    >;
-    [TableName.SshCertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
-      TSshCertificateAuthoritySecrets,
-      TSshCertificateAuthoritySecretsInsert,
-      TSshCertificateAuthoritySecretsUpdate
-    >;
-    [TableName.SshCertificateTemplate]: KnexOriginal.CompositeTableType<
-      TSshCertificateTemplates,
-      TSshCertificateTemplatesInsert,
-      TSshCertificateTemplatesUpdate
-    >;
-    [TableName.SshCertificate]: KnexOriginal.CompositeTableType<
-      TSshCertificates,
-      TSshCertificatesInsert,
-      TSshCertificatesUpdate
-    >;
-    [TableName.SshCertificateBody]: KnexOriginal.CompositeTableType<
-      TSshCertificateBodies,
-      TSshCertificateBodiesInsert,
-      TSshCertificateBodiesUpdate
-    >;
-    [TableName.SshHostLoginUser]: KnexOriginal.CompositeTableType<
-      TSshHostLoginUsers,
-      TSshHostLoginUsersInsert,
-      TSshHostLoginUsersUpdate
-    >;
-    [TableName.SshHostLoginUserMapping]: KnexOriginal.CompositeTableType<
-      TSshHostLoginUserMappings,
-      TSshHostLoginUserMappingsInsert,
-      TSshHostLoginUserMappingsUpdate
-    >;
    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
      TCertificateAuthorities,
      TCertificateAuthoritiesInsert,
@ -544,16 +392,6 @@ declare module "knex/types/tables" {
      TCertificateAuthorityCrlInsert,
      TCertificateAuthorityCrlUpdate
    >;
-    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TInternalCertificateAuthorities,
-      TInternalCertificateAuthoritiesInsert,
-      TInternalCertificateAuthoritiesUpdate
-    >;
-    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TExternalCertificateAuthorities,
-      TExternalCertificateAuthoritiesInsert,
-      TExternalCertificateAuthoritiesUpdate
-    >;
    [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
    [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
      TCertificateTemplates,
@ -586,11 +424,6 @@ declare module "knex/types/tables" {
      TPkiCollectionItemsInsert,
      TPkiCollectionItemsUpdate
    >;
-    [TableName.PkiSubscriber]: KnexOriginal.CompositeTableType<
-      TPkiSubscribers,
-      TPkiSubscribersInsert,
-      TPkiSubscribersUpdate
-    >;
    [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
      TUserGroupMembership,
      TUserGroupMembershipInsert,
@ -643,11 +476,6 @@ declare module "knex/types/tables" {
    [TableName.SuperAdmin]: KnexOriginal.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
    [TableName.ApiKey]: KnexOriginal.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
    [TableName.Project]: KnexOriginal.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
-    [TableName.ProjectSshConfig]: KnexOriginal.CompositeTableType<
-      TProjectSshConfigs,
-      TProjectSshConfigsInsert,
-      TProjectSshConfigsUpdate
-    >;
    [TableName.ProjectMembership]: KnexOriginal.CompositeTableType<
      TProjectMemberships,
      TProjectMembershipsInsert,
@ -757,26 +585,11 @@ declare module "knex/types/tables" {
      TIdentityAzureAuthsInsert,
      TIdentityAzureAuthsUpdate
    >;
-    [TableName.IdentityOciAuth]: KnexOriginal.CompositeTableType<
-      TIdentityOciAuths,
-      TIdentityOciAuthsInsert,
-      TIdentityOciAuthsUpdate
-    >;
    [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
      TIdentityOidcAuths,
      TIdentityOidcAuthsInsert,
      TIdentityOidcAuthsUpdate
    >;
-    [TableName.IdentityJwtAuth]: KnexOriginal.CompositeTableType<
-      TIdentityJwtAuths,
-      TIdentityJwtAuthsInsert,
-      TIdentityJwtAuthsUpdate
-    >;
-    [TableName.IdentityLdapAuth]: KnexOriginal.CompositeTableType<
-      TIdentityLdapAuths,
-      TIdentityLdapAuthsInsert,
-      TIdentityLdapAuthsUpdate
-    >;
    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
@ -1017,78 +830,5 @@ declare module "knex/types/tables" {
      TProjectTemplatesUpdate
    >;
    [TableName.TotpConfig]: KnexOriginal.CompositeTableType<TTotpConfigs, TTotpConfigsInsert, TTotpConfigsUpdate>;
-    [TableName.ProjectSplitBackfillIds]: KnexOriginal.CompositeTableType<
-      TProjectSplitBackfillIds,
-      TProjectSplitBackfillIdsInsert,
-      TProjectSplitBackfillIdsUpdate
-    >;
-    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
-      TResourceMetadata,
-      TResourceMetadataInsert,
-      TResourceMetadataUpdate
-    >;
-    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
-      TAppConnections,
-      TAppConnectionsInsert,
-      TAppConnectionsUpdate
-    >;
-    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
-    [TableName.KmipClient]: KnexOriginal.CompositeTableType<TKmipClients, TKmipClientsInsert, TKmipClientsUpdate>;
-    [TableName.KmipOrgConfig]: KnexOriginal.CompositeTableType<
-      TKmipOrgConfigs,
-      TKmipOrgConfigsInsert,
-      TKmipOrgConfigsUpdate
-    >;
-    [TableName.KmipOrgServerCertificates]: KnexOriginal.CompositeTableType<
-      TKmipOrgServerCertificates,
-      TKmipOrgServerCertificatesInsert,
-      TKmipOrgServerCertificatesUpdate
-    >;
-    [TableName.KmipClientCertificates]: KnexOriginal.CompositeTableType<
-      TKmipClientCertificates,
-      TKmipClientCertificatesInsert,
-      TKmipClientCertificatesUpdate
-    >;
-    [TableName.Gateway]: KnexOriginal.CompositeTableType<TGateways, TGatewaysInsert, TGatewaysUpdate>;
-    [TableName.ProjectGateway]: KnexOriginal.CompositeTableType<
-      TProjectGateways,
-      TProjectGatewaysInsert,
-      TProjectGatewaysUpdate
-    >;
-    [TableName.OrgGatewayConfig]: KnexOriginal.CompositeTableType<
-      TOrgGatewayConfig,
-      TOrgGatewayConfigInsert,
-      TOrgGatewayConfigUpdate
-    >;
-    [TableName.SecretRotationV2]: KnexOriginal.CompositeTableType<
-      TSecretRotationsV2,
-      TSecretRotationsV2Insert,
-      TSecretRotationsV2Update
-    >;
-    [TableName.SecretRotationV2SecretMapping]: KnexOriginal.CompositeTableType<
-      TSecretRotationV2SecretMappings,
-      TSecretRotationV2SecretMappingsInsert,
-      TSecretRotationV2SecretMappingsUpdate
-    >;
-    [TableName.MicrosoftTeamsIntegrations]: KnexOriginal.CompositeTableType<
-      TMicrosoftTeamsIntegrations,
-      TMicrosoftTeamsIntegrationsInsert,
-      TMicrosoftTeamsIntegrationsUpdate
-    >;
-    [TableName.ProjectMicrosoftTeamsConfigs]: KnexOriginal.CompositeTableType<
-      TProjectMicrosoftTeamsConfigs,
-      TProjectMicrosoftTeamsConfigsInsert,
-      TProjectMicrosoftTeamsConfigsUpdate
-    >;
-    [TableName.SecretReminderRecipients]: KnexOriginal.CompositeTableType<
-      TSecretReminderRecipients,
-      TSecretReminderRecipientsInsert,
-      TSecretReminderRecipientsUpdate
-    >;
-    [TableName.GithubOrgSyncConfig]: KnexOriginal.CompositeTableType<
-      TGithubOrgSyncConfigs,
-      TGithubOrgSyncConfigsInsert,
-      TGithubOrgSyncConfigsUpdate
-    >;
  }
 }
--- a/backend/src/auto-start-migrations.ts
+++ b/backend/src/auto-start-migrations.ts
@ -1,105 +0,0 @@
-import path from "node:path";
-
-import dotenv from "dotenv";
-import { Knex } from "knex";
-import { Logger } from "pino";
-
-import { PgSqlLock } from "./keystore/keystore";
-
-dotenv.config();
-
-type TArgs = {
-  auditLogDb?: Knex;
-  applicationDb: Knex;
-  logger: Logger;
-};
-
-const isProduction = process.env.NODE_ENV === "production";
-const migrationConfig = {
-  directory: path.join(__dirname, "./db/migrations"),
-  loadExtensions: [".mjs", ".ts"],
-  tableName: "infisical_migrations"
-};
-
-const migrationStatusCheckErrorHandler = (err: Error) => {
-  // happens for first time  in which the migration table itself is not created yet
-  //    error: select * from "infisical_migrations" - relation "infisical_migrations" does not exist
-  if (err?.message?.includes("does not exist")) {
-    return true;
-  }
-  throw err;
-};
-
-export const runMigrations = async ({ applicationDb, auditLogDb, logger }: TArgs) => {
-  try {
-    // akhilmhdh(Feb 10 2025): 2 years  from now remove this
-    if (isProduction) {
-      const migrationTable = migrationConfig.tableName;
-      const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
-      if (hasMigrationTable) {
-        const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
-        if (firstFile?.name?.includes(".ts")) {
-          await applicationDb(migrationTable).update({
-            name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
-          });
-        }
-      }
-      if (auditLogDb) {
-        const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
-        if (hasMigrationTableInAuditLog) {
-          const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
-          if (firstFile?.name?.includes(".ts")) {
-            await auditLogDb(migrationTable).update({
-              name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
-            });
-          }
-        }
-      }
-    }
-
-    const shouldRunMigration = Boolean(
-      await applicationDb.migrate.status(migrationConfig).catch(migrationStatusCheckErrorHandler)
-    ); // db.length - code.length
-    if (!shouldRunMigration) {
-      logger.info("No migrations pending: Skipping migration process.");
-      return;
-    }
-
-    if (auditLogDb) {
-      await auditLogDb.transaction(async (tx) => {
-        await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
-        logger.info("Running audit log migrations.");
-
-        const didPreviousInstanceRunMigration = !(await auditLogDb.migrate
-          .status(migrationConfig)
-          .catch(migrationStatusCheckErrorHandler));
-        if (didPreviousInstanceRunMigration) {
-          logger.info("No audit log migrations pending: Applied by previous instance. Skipping migration process.");
-          return;
-        }
-
-        await auditLogDb.migrate.latest(migrationConfig);
-        logger.info("Finished audit log migrations.");
-      });
-    }
-
-    await applicationDb.transaction(async (tx) => {
-      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
-      logger.info("Running application migrations.");
-
-      const didPreviousInstanceRunMigration = !(await applicationDb.migrate
-        .status(migrationConfig)
-        .catch(migrationStatusCheckErrorHandler));
-      if (didPreviousInstanceRunMigration) {
-        logger.info("No application migrations pending: Applied by previous instance. Skipping migration process.");
-        return;
-      }
-
-      await applicationDb.migrate.latest(migrationConfig);
-      logger.info("Finished application migrations.");
-    });
-  } catch (err) {
-    logger.error(err, "Boot up migration failed");
-    process.exit(1);
-  }
-};
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -49,9 +49,6 @@ export const initDbConnection = ({
            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
          }
        : false
-    },
-    migrations: {
-      tableName: "infisical_migrations"
    }
  });

@ -67,9 +64,6 @@ export const initDbConnection = ({
              ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii")
            }
          : false
-      },
-      migrations: {
-        tableName: "infisical_migrations"
      }
    });
  });
@ -104,9 +98,6 @@ export const initAuditLogDbConnection = ({
            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
          }
        : false
-    },
-    migrations: {
-      tableName: "infisical_migrations"
    }
  });

--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@ -38,8 +38,7 @@ export default {
      directory: "./seeds"
    },
    migrations: {
-      tableName: "infisical_migrations",
-      loadExtensions: [".mjs", ".ts"]
+      tableName: "infisical_migrations"
    }
  },
  production: {
@ -63,8 +62,7 @@ export default {
      max: 10
    },
    migrations: {
-      tableName: "infisical_migrations",
-      loadExtensions: [".mjs", ".ts"]
+      tableName: "infisical_migrations"
    }
  }
 } as Knex.Config;
--- a/backend/src/db/manual-migrations/partition-audit-logs.ts
+++ b/backend/src/db/manual-migrations/partition-audit-logs.ts
@ -16,7 +16,7 @@ const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Dat
  const startDateStr = formatPartitionDate(startDate);
  const endDateStr = formatPartitionDate(endDate);

-  const partitionName = `${TableName.AuditLog}_${startDateStr.replaceAll("-", "")}_${endDateStr.replaceAll("-", "")}`;
+  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;

  await knex.schema.raw(
    `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`
--- a/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
+++ b/backend/src/db/migrations/20241203165840_allow-disabling-approval-workflows.ts
@ -1,59 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicy,
-    "deletedAt"
-  );
-  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.SecretApprovalPolicy,
-    "deletedAt"
-  );
-
-  if (!hasAccessApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.timestamp("deletedAt");
-    });
-  }
-  if (!hasSecretApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-      t.timestamp("deletedAt");
-    });
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-    t.dropForeign(["privilegeId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAccessApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.AccessApprovalPolicy,
-    "deletedAt"
-  );
-  const hasSecretApprovalPolicyDeletedAtColumn = await knex.schema.hasColumn(
-    TableName.SecretApprovalPolicy,
-    "deletedAt"
-  );
-
-  if (hasAccessApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.dropColumn("deletedAt");
-    });
-  }
-  if (hasSecretApprovalPolicyDeletedAtColumn) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-      t.dropColumn("deletedAt");
-    });
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-    t.dropForeign(["privilegeId"]);
-    t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
-  });
-}
--- a/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
+++ b/backend/src/db/migrations/20241209144123_add-identity-jwt-auth.ts
@ -1,34 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityJwtAuth))) {
-    await knex.schema.createTable(TableName.IdentityJwtAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("configurationType").notNullable();
-      t.string("jwksUrl").notNullable();
-      t.binary("encryptedJwksCaCert").notNullable();
-      t.binary("encryptedPublicKeys").notNullable();
-      t.string("boundIssuer").notNullable();
-      t.string("boundAudiences").notNullable();
-      t.jsonb("boundClaims").notNullable();
-      t.string("boundSubject").notNullable();
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityJwtAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityJwtAuth);
-}
--- a/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
+++ b/backend/src/db/migrations/20241213122320_add-index-for-secret-version-v2-folder.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      t.index("folderId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretVersionV2, "folderId")) {
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      t.dropIndex("folderId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20241213122350_project-split-to-products.ts
+++ b/backend/src/db/migrations/20241213122350_project-split-to-products.ts
@ -1,297 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-import { v4 as uuidV4 } from "uuid";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { ProjectType, TableName } from "../schemas";
-
-/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
-const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
-  const newProjectId = uuidV4();
-  const project = await knex(TableName.Project).where("id", projectId).first();
-  await knex(TableName.Project).insert({
-    ...project,
-    type: projectType,
-    // @ts-ignore id is required
-    id: newProjectId,
-    slug: slugify(`${project?.name}-${alphaNumericNanoId(4)}`)
-  });
-
-  const customRoleMapping: Record<string, string> = {};
-  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
-  if (projectCustomRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectRoles,
-      projectCustomRoles.map((el) => {
-        const id = uuidV4();
-        customRoleMapping[el.id] = id;
-        return {
-          ...el,
-          id,
-          projectId: newProjectId,
-          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
-        };
-      })
-    );
-  }
-  const groupMembershipMapping: Record<string, string> = {};
-  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
-  if (groupMemberships.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembership,
-      groupMemberships.map((el) => {
-        const id = uuidV4();
-        groupMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    groupMemberships.map((el) => el.id)
-  );
-  if (groupMembershipRoles.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembershipRole,
-      groupMembershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const identityProjectMembershipMapping: Record<string, string> = {};
-  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
-  if (identities.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembership,
-      identities.map((el) => {
-        const id = uuidV4();
-        identityProjectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    identities.map((el) => el.id)
-  );
-  if (identitiesRoles.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembershipRole,
-      identitiesRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const projectMembershipMapping: Record<string, string> = {};
-  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
-  if (projectUserMembers.length) {
-    await knex.batchInsert(
-      TableName.ProjectMembership,
-      projectUserMembers.map((el) => {
-        const id = uuidV4();
-        projectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
-    "projectMembershipId",
-    projectUserMembers.map((el) => el.id)
-  );
-  if (membershipRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectUserMembershipRole,
-      membershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
-  if (kmsKeys.length) {
-    await knex.batchInsert(
-      TableName.KmsKey,
-      kmsKeys.map((el) => {
-        const id = uuidV4();
-        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
-        return { ...el, id, slug, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
-  if (projectBot) {
-    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
-    await knex(TableName.ProjectBot).insert(newProjectBot);
-  }
-
-  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
-  if (projectKeys.length) {
-    await knex.batchInsert(
-      TableName.ProjectKeys,
-      projectKeys.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  return newProjectId;
-};
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
-  if (!hasSplitMappingTable) {
-    await knex.schema.createTable(TableName.ProjectSplitBackfillIds, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("sourceProjectId", 36).notNullable();
-      t.foreign("sourceProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("destinationProjectType").notNullable();
-      t.string("destinationProjectId", 36).notNullable();
-      t.foreign("destinationProjectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  if (!hasTypeColumn) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type");
-    });
-
-    let projectsToBeTyped;
-    do {
-      // eslint-disable-next-line no-await-in-loop
-      projectsToBeTyped = await knex(TableName.Project).whereNull("type").limit(BATCH_SIZE).select("id");
-      if (projectsToBeTyped.length) {
-        // eslint-disable-next-line no-await-in-loop
-        await knex(TableName.Project)
-          .whereIn(
-            "id",
-            projectsToBeTyped.map((el) => el.id)
-          )
-          .update({ type: ProjectType.SecretManager });
-      }
-    } while (projectsToBeTyped.length > 0);
-
-    const projectsWithCertificates = await knex(TableName.CertificateAuthority)
-      .distinct("projectId")
-      .select("projectId");
-    /* eslint-disable no-await-in-loop,no-param-reassign */
-    for (const { projectId } of projectsWithCertificates) {
-      const newProjectId = await newProject(knex, projectId, ProjectType.CertificateManager);
-      await knex(TableName.CertificateAuthority).where("projectId", projectId).update({ projectId: newProjectId });
-      await knex(TableName.PkiAlert).where("projectId", projectId).update({ projectId: newProjectId });
-      await knex(TableName.PkiCollection).where("projectId", projectId).update({ projectId: newProjectId });
-      await knex(TableName.ProjectSplitBackfillIds).insert({
-        sourceProjectId: projectId,
-        destinationProjectType: ProjectType.CertificateManager,
-        destinationProjectId: newProjectId
-      });
-    }
-
-    const projectsWithCmek = await knex(TableName.KmsKey)
-      .where("isReserved", false)
-      .whereNotNull("projectId")
-      .distinct("projectId")
-      .select("projectId");
-    for (const { projectId } of projectsWithCmek) {
-      if (projectId) {
-        const newProjectId = await newProject(knex, projectId, ProjectType.KMS);
-        await knex(TableName.KmsKey)
-          .where({
-            isReserved: false,
-            projectId
-          })
-          .update({ projectId: newProjectId });
-        await knex(TableName.ProjectSplitBackfillIds).insert({
-          sourceProjectId: projectId,
-          destinationProjectType: ProjectType.KMS,
-          destinationProjectId: newProjectId
-        });
-      }
-    }
-
-    /* eslint-enable */
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasSplitMappingTable = await knex.schema.hasTable(TableName.ProjectSplitBackfillIds);
-
-  if (hasTypeColumn && hasSplitMappingTable) {
-    const splitProjectMappings = await knex(TableName.ProjectSplitBackfillIds).where({});
-    const certMapping = splitProjectMappings.filter(
-      (el) => el.destinationProjectType === ProjectType.CertificateManager
-    );
-    /* eslint-disable no-await-in-loop */
-    for (const project of certMapping) {
-      await knex(TableName.CertificateAuthority)
-        .where("projectId", project.destinationProjectId)
-        .update({ projectId: project.sourceProjectId });
-      await knex(TableName.PkiAlert)
-        .where("projectId", project.destinationProjectId)
-        .update({ projectId: project.sourceProjectId });
-      await knex(TableName.PkiCollection)
-        .where("projectId", project.destinationProjectId)
-        .update({ projectId: project.sourceProjectId });
-    }
-
-    /* eslint-enable */
-    const kmsMapping = splitProjectMappings.filter((el) => el.destinationProjectType === ProjectType.KMS);
-    /* eslint-disable no-await-in-loop */
-    for (const project of kmsMapping) {
-      await knex(TableName.KmsKey)
-        .where({
-          isReserved: false,
-          projectId: project.destinationProjectId
-        })
-        .update({ projectId: project.sourceProjectId });
-    }
-    /* eslint-enable */
-    await knex(TableName.ProjectMembership)
-      .whereIn(
-        "projectId",
-        splitProjectMappings.map((el) => el.destinationProjectId)
-      )
-      .delete();
-    await knex(TableName.ProjectRoles)
-      .whereIn(
-        "projectId",
-        splitProjectMappings.map((el) => el.destinationProjectId)
-      )
-      .delete();
-    await knex(TableName.Project)
-      .whereIn(
-        "id",
-        splitProjectMappings.map((el) => el.destinationProjectId)
-      )
-      .delete();
-
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("type");
-    });
-  }
-
-  if (hasSplitMappingTable) {
-    await knex.schema.dropTableIfExists(TableName.ProjectSplitBackfillIds);
-  }
-}
--- a/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
+++ b/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
@ -1,99 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthority))) {
-    await knex.schema.createTable(TableName.SshCertificateAuthority, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("status").notNullable(); // active / disabled
-      t.string("friendlyName").notNullable();
-      t.string("keyAlgorithm").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthoritySecret))) {
-    await knex.schema.createTable(TableName.SshCertificateAuthoritySecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCaId").notNullable().unique();
-      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.binary("encryptedPrivateKey").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificateTemplate))) {
-    await knex.schema.createTable(TableName.SshCertificateTemplate, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCaId").notNullable();
-      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.string("status").notNullable(); // active / disabled
-      t.string("name").notNullable();
-      t.string("ttl").notNullable();
-      t.string("maxTTL").notNullable();
-      t.specificType("allowedUsers", "text[]").notNullable();
-      t.specificType("allowedHosts", "text[]").notNullable();
-      t.boolean("allowUserCertificates").notNullable();
-      t.boolean("allowHostCertificates").notNullable();
-      t.boolean("allowCustomKeyIds").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificate))) {
-    await knex.schema.createTable(TableName.SshCertificate, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCaId").notNullable();
-      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-      t.uuid("sshCertificateTemplateId");
-      t.foreign("sshCertificateTemplateId")
-        .references("id")
-        .inTable(TableName.SshCertificateTemplate)
-        .onDelete("SET NULL");
-      t.string("serialNumber").notNullable().unique();
-      t.string("certType").notNullable(); // user or host
-      t.specificType("principals", "text[]").notNullable();
-      t.string("keyId").notNullable();
-      t.datetime("notBefore").notNullable();
-      t.datetime("notAfter").notNullable();
-    });
-    await createOnUpdateTrigger(knex, TableName.SshCertificate);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshCertificateBody))) {
-    await knex.schema.createTable(TableName.SshCertificateBody, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshCertId").notNullable().unique();
-      t.foreign("sshCertId").references("id").inTable(TableName.SshCertificate).onDelete("CASCADE");
-      t.binary("encryptedCertificate").notNullable();
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SshCertificateBody);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SshCertificateBody);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateBody);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificate);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificate);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificateTemplate);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthoritySecret);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
-
-  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthority);
-  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
-}
--- a/backend/src/db/migrations/20241218165837_resource-metadata.ts
+++ b/backend/src/db/migrations/20241218165837_resource-metadata.ts
@ -1,40 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
-    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value", 1020).notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.uuid("secretId");
-      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (!hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.jsonb("secretMetadata");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.dropColumn("secretMetadata");
-    });
-  }
-}
--- a/backend/src/db/migrations/20241218181018_app-connection.ts
+++ b/backend/src/db/migrations/20241218181018_app-connection.ts
@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AppConnection))) {
-    await knex.schema.createTable(TableName.AppConnection, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("app").notNullable();
-      t.string("method").notNullable();
-      t.binary("encryptedCredentials").notNullable();
-      t.integer("version").defaultTo(1).notNullable();
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.AppConnection);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AppConnection);
-  await dropOnUpdateTrigger(knex, TableName.AppConnection);
-}
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // find any duplicate group names within organizations
-  const duplicates = await knex(TableName.Groups)
-    .select("orgId", "name")
-    .count("* as count")
-    .groupBy("orgId", "name")
-    .having(knex.raw("count(*) > 1"));
-
-  // for each set of duplicates, update all but one with a numbered suffix
-  for await (const duplicate of duplicates) {
-    const groups = await knex(TableName.Groups)
-      .select("id", "name")
-      .where({
-        orgId: duplicate.orgId,
-        name: duplicate.name
-      })
-      .orderBy("createdAt", "asc"); // keep original name for oldest group
-
-    // skip the first (oldest) group, rename others with numbered suffix
-    for (let i = 1; i < groups.length; i += 1) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.Groups)
-        .where("id", groups[i].id)
-        .update({
-          name: `${groups[i].name} (${i})`,
-
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore TS doesn't know about Knex's timestamp types
-          updatedAt: new Date()
-        });
-    }
-  }
-
-  // add the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // Remove the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-}
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (!hasEnforceCapitalizationCol) {
-      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(false).alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (hasEnforceCapitalizationCol) {
-      t.dropColumn("enforceCapitalization");
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(true).alter();
-    }
-  });
-}
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@ -1,50 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
-    await knex.schema.createTable(TableName.SecretSync, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("destination").notNullable();
-      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
-      t.integer("version").defaultTo(1).notNullable();
-      t.jsonb("destinationConfig").notNullable();
-      t.jsonb("syncOptions").notNullable();
-      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
-      // is deleted), to preserve sync configuration
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("folderId");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
-      t.uuid("connectionId").notNullable();
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.timestamps(true, true, true);
-      // sync secrets to destination
-      t.string("syncStatus");
-      t.string("lastSyncJobId");
-      t.string("lastSyncMessage");
-      t.datetime("lastSyncedAt");
-      // import secrets from destination
-      t.string("importStatus");
-      t.string("lastImportJobId");
-      t.string("lastImportMessage");
-      t.datetime("lastImportedAt");
-      // remove secrets from destination
-      t.string("removeStatus");
-      t.string("lastRemoveJobId");
-      t.string("lastRemoveMessage");
-      t.datetime("lastRemovedAt");
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSync);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSync);
-  await dropOnUpdateTrigger(knex, TableName.SecretSync);
-}
--- a/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
+++ b/backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
-
-  await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
-    if (!hasManageGroupMembershipsCol) {
-      tb.boolean("manageGroupMemberships").notNullable().defaultTo(false);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
-
-  await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-    if (hasManageGroupMembershipsCol) {
-      t.dropColumn("manageGroupMemberships");
-    }
-  });
-}
--- a/backend/src/db/migrations/20250203141127_add-kmip.ts
+++ b/backend/src/db/migrations/20250203141127_add-kmip.ts
@ -1,108 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
-  if (!hasKmipClientTable) {
-    await knex.schema.createTable(TableName.KmipClient, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.specificType("permissions", "text[]");
-      t.string("description");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-
-  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
-  if (!hasKmipOrgPkiConfig) {
-    await knex.schema.createTable(TableName.KmipOrgConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.unique("orgId");
-
-      t.string("caKeyAlgorithm").notNullable();
-
-      t.datetime("rootCaIssuedAt").notNullable();
-      t.datetime("rootCaExpiration").notNullable();
-      t.string("rootCaSerialNumber").notNullable();
-      t.binary("encryptedRootCaCertificate").notNullable();
-      t.binary("encryptedRootCaPrivateKey").notNullable();
-
-      t.datetime("serverIntermediateCaIssuedAt").notNullable();
-      t.datetime("serverIntermediateCaExpiration").notNullable();
-      t.string("serverIntermediateCaSerialNumber");
-      t.binary("encryptedServerIntermediateCaCertificate").notNullable();
-      t.binary("encryptedServerIntermediateCaChain").notNullable();
-      t.binary("encryptedServerIntermediateCaPrivateKey").notNullable();
-
-      t.datetime("clientIntermediateCaIssuedAt").notNullable();
-      t.datetime("clientIntermediateCaExpiration").notNullable();
-      t.string("clientIntermediateCaSerialNumber").notNullable();
-      t.binary("encryptedClientIntermediateCaCertificate").notNullable();
-      t.binary("encryptedClientIntermediateCaChain").notNullable();
-      t.binary("encryptedClientIntermediateCaPrivateKey").notNullable();
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.KmipOrgConfig);
-  }
-
-  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
-  if (!hasKmipOrgServerCertTable) {
-    await knex.schema.createTable(TableName.KmipOrgServerCertificates, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.string("commonName").notNullable();
-      t.string("altNames").notNullable();
-      t.string("serialNumber").notNullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("issuedAt").notNullable();
-      t.datetime("expiration").notNullable();
-      t.binary("encryptedCertificate").notNullable();
-      t.binary("encryptedChain").notNullable();
-    });
-  }
-
-  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
-  if (!hasKmipClientCertTable) {
-    await knex.schema.createTable(TableName.KmipClientCertificates, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("kmipClientId").notNullable();
-      t.foreign("kmipClientId").references("id").inTable(TableName.KmipClient).onDelete("CASCADE");
-      t.string("serialNumber").notNullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("issuedAt").notNullable();
-      t.datetime("expiration").notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
-  if (hasKmipOrgPkiConfig) {
-    await knex.schema.dropTable(TableName.KmipOrgConfig);
-    await dropOnUpdateTrigger(knex, TableName.KmipOrgConfig);
-  }
-
-  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
-  if (hasKmipOrgServerCertTable) {
-    await knex.schema.dropTable(TableName.KmipOrgServerCertificates);
-  }
-
-  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
-  if (hasKmipClientCertTable) {
-    await knex.schema.dropTable(TableName.KmipClientCertificates);
-  }
-
-  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
-  if (hasKmipClientTable) {
-    await knex.schema.dropTable(TableName.KmipClient);
-  }
-}
--- a/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
+++ b/backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.AppConnection, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretSync, (t) => {
-    t.unique(["projectId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.AppConnection, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretSync, (t) => {
-    t.dropUnique(["projectId", "name"]);
-  });
-}
--- a/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
+++ b/backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts
@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
-  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
-  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
-    TableName.IdentityGcpAuth,
-    "allowedServiceAccounts"
-  );
-  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
-  if (hasTable) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      if (hasAllowedProjectsColumn) t.string("allowedProjects", 2500).alter();
-      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts", 5000).alter();
-      if (hasAllowedZones) t.string("allowedZones", 2500).alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
-  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
-  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
-    TableName.IdentityGcpAuth,
-    "allowedServiceAccounts"
-  );
-  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
-  if (hasTable) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      if (hasAllowedProjectsColumn) t.string("allowedProjects").alter();
-      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts").alter();
-      if (hasAllowedZones) t.string("allowedZones").alter();
-    });
-  }
-}
--- a/backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts
+++ b/backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts
@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.KmsKey)) {
-    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-
-    if (hasSlugCol) {
-      await knex.schema.alterTable(TableName.KmsKey, (t) => {
-        t.dropColumn("slug");
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.KmsKey)) {
-    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-
-    if (!hasSlugCol) {
-      await knex.schema.alterTable(TableName.KmsKey, (t) => {
-        t.string("slug", 32);
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts
+++ b/backend/src/db/migrations/20250207002643_secret-syncs-increase-message-length.ts
@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSync)) {
-    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
-    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
-    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
-
-    await knex.schema.alterTable(TableName.SecretSync, (t) => {
-      if (hasLastSyncMessage) t.string("lastSyncMessage", 1024).alter();
-      if (hasLastImportMessage) t.string("lastImportMessage", 1024).alter();
-      if (hasLastRemoveMessage) t.string("lastRemoveMessage", 1024).alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSync)) {
-    const hasLastSyncMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastSyncMessage");
-    const hasLastImportMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastImportMessage");
-    const hasLastRemoveMessage = await knex.schema.hasColumn(TableName.SecretSync, "lastRemoveMessage");
-
-    await knex.schema.alterTable(TableName.SecretSync, (t) => {
-      if (hasLastSyncMessage) t.string("lastSyncMessage").alter();
-      if (hasLastImportMessage) t.string("lastImportMessage").alter();
-      if (hasLastRemoveMessage) t.string("lastRemoveMessage").alter();
-    });
-  }
-}
--- a/backend/src/db/migrations/20250210101840_webhook-to-kms.ts
+++ b/backend/src/db/migrations/20250210101840_webhook-to-kms.ts
@ -1,130 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
-  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
-  const hasUrl = await knex.schema.hasColumn(TableName.Webhook, "url");
-
-  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
-  if (hasWebhookTable) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (!hasEncryptedKey) t.binary("encryptedPassKey");
-      if (!hasEncryptedUrl) t.binary("encryptedUrl");
-      if (hasUrl) t.string("url").nullable().alter();
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const projectEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-  const webhooks = await knex(TableName.Webhook)
-    .where({})
-    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.Webhook}.envId`)
-    .select(
-      "url",
-      "encryptedSecretKey",
-      "iv",
-      "tag",
-      "keyEncoding",
-      "urlCipherText",
-      "urlIV",
-      "urlTag",
-      knex.ref("id").withSchema(TableName.Webhook),
-      "envId"
-    )
-    .select(knex.ref("projectId").withSchema(TableName.Environment))
-    .orderBy(`${TableName.Environment}.projectId` as "projectId");
-
-  const updatedWebhooks = await Promise.all(
-    webhooks.map(async (el) => {
-      let projectKmsService = projectEncryptionRingBuffer.getItem(el.projectId);
-      if (!projectKmsService) {
-        projectKmsService = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId: el.projectId
-          },
-          knex
-        );
-        projectEncryptionRingBuffer.push(el.projectId, projectKmsService);
-      }
-
-      let encryptedSecretKey = null;
-      if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
-        const decyptedSecretKey = infisicalSymmetricDecrypt({
-          keyEncoding: el.keyEncoding as SecretKeyEncoding,
-          iv: el.iv,
-          tag: el.tag,
-          ciphertext: el.encryptedSecretKey
-        });
-        encryptedSecretKey = projectKmsService.encryptor({
-          plainText: Buffer.from(decyptedSecretKey, "utf8")
-        }).cipherTextBlob;
-      }
-
-      const decryptedUrl =
-        el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              iv: el.urlIV,
-              tag: el.urlTag,
-              ciphertext: el.urlCipherText
-            })
-          : null;
-
-      const encryptedUrl = projectKmsService.encryptor({
-        plainText: Buffer.from(decryptedUrl || el.url || "")
-      }).cipherTextBlob;
-      return { id: el.id, encryptedUrl, encryptedSecretKey, envId: el.envId };
-    })
-  );
-
-  for (let i = 0; i < updatedWebhooks.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.Webhook)
-      .insert(
-        updatedWebhooks.slice(i, i + BATCH_SIZE).map((el) => ({
-          id: el.id,
-          envId: el.envId,
-          url: "",
-          encryptedUrl: el.encryptedUrl,
-          encryptedPassKey: el.encryptedSecretKey
-        }))
-      )
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasWebhookTable) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (!hasEncryptedUrl) t.binary("encryptedUrl").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
-  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
-
-  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
-  if (hasWebhookTable) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (hasEncryptedKey) t.dropColumn("encryptedPassKey");
-      if (hasEncryptedUrl) t.dropColumn("encryptedUrl");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts
+++ b/backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts
@ -1,111 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
-  const hasInputCiphertextColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputCiphertext");
-  const hasInputIVColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputIV");
-  const hasInputTagColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputTag");
-
-  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (hasDynamicSecretTable) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (!hasEncryptedInputColumn) t.binary("encryptedInput");
-      if (hasInputCiphertextColumn) t.text("inputCiphertext").nullable().alter();
-      if (hasInputIVColumn) t.string("inputIV").nullable().alter();
-      if (hasInputTagColumn) t.string("inputTag").nullable().alter();
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const projectEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const dynamicSecretRootCredentials = await knex(TableName.DynamicSecret)
-    .join(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
-    .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-    .select(selectAllTableCols(TableName.DynamicSecret))
-    .select(knex.ref("projectId").withSchema(TableName.Environment))
-    .orderBy(`${TableName.Environment}.projectId` as "projectId");
-
-  const updatedDynamicSecrets = await Promise.all(
-    dynamicSecretRootCredentials.map(async ({ projectId, ...el }) => {
-      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
-      if (!projectKmsService) {
-        projectKmsService = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId
-          },
-          knex
-        );
-        projectEncryptionRingBuffer.push(projectId, projectKmsService);
-      }
-
-      const decryptedInputData =
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-        el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.inputIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.inputTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.inputCiphertext
-            })
-          : "";
-
-      const encryptedInput = projectKmsService.encryptor({
-        plainText: Buffer.from(decryptedInputData)
-      }).cipherTextBlob;
-
-      return { ...el, encryptedInput };
-    })
-  );
-
-  for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.DynamicSecret)
-      .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasDynamicSecretTable) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (!hasEncryptedInputColumn) t.binary("encryptedInput").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
-
-  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (hasDynamicSecretTable) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (hasEncryptedInputColumn) t.dropColumn("encryptedInput");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
+++ b/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
@ -1,103 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
-
-  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
-  if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
-      if (!hasEncryptedRotationData) t.binary("encryptedRotationData");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const projectEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const secretRotations = await knex(TableName.SecretRotation)
-    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretRotation}.envId`)
-    .select(selectAllTableCols(TableName.SecretRotation))
-    .select(knex.ref("projectId").withSchema(TableName.Environment))
-    .orderBy(`${TableName.Environment}.projectId` as "projectId");
-
-  const updatedRotationData = await Promise.all(
-    secretRotations.map(async ({ projectId, ...el }) => {
-      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
-      if (!projectKmsService) {
-        projectKmsService = await kmsService.createCipherPairWithDataKey(
-          {
-            type: KmsDataKey.SecretManager,
-            projectId
-          },
-          knex
-        );
-        projectEncryptionRingBuffer.push(projectId, projectKmsService);
-      }
-
-      const decryptedRotationData =
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-        el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.encryptedDataIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.encryptedDataTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.encryptedData
-            })
-          : "";
-
-      const encryptedRotationData = projectKmsService.encryptor({
-        plainText: Buffer.from(decryptedRotationData)
-      }).cipherTextBlob;
-      return { ...el, encryptedRotationData };
-    })
-  );
-
-  for (let i = 0; i < updatedRotationData.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.SecretRotation)
-      .insert(updatedRotationData.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
-      if (!hasEncryptedRotationData) t.binary("encryptedRotationData").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
-
-  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
-  if (hasRotationTable) {
-    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
-      if (hasEncryptedRotationData) t.dropColumn("encryptedRotationData");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts
+++ b/backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts
@ -1,200 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-const reencryptIdentityK8sAuth = async (knex: Knex) => {
-  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesTokenReviewerJwt"
-  );
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesCaCertificate"
-  );
-  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
-
-  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "encryptedCaCert");
-  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertIV");
-  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertTag");
-  const hasEncryptedTokenReviewerJwtColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedTokenReviewerJwt"
-  );
-  const hasTokenReviewerJwtIVColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "tokenReviewerJwtIV"
-  );
-  const hasTokenReviewerJwtTagColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "tokenReviewerJwtTag"
-  );
-
-  if (hasidentityKubernetesAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
-      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
-      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
-      if (hasEncryptedTokenReviewerJwtColumn) t.text("encryptedTokenReviewerJwt").nullable().alter();
-      if (hasTokenReviewerJwtIVColumn) t.string("tokenReviewerJwtIV").nullable().alter();
-      if (hasTokenReviewerJwtTagColumn) t.string("tokenReviewerJwtTag").nullable().alter();
-
-      if (!hasEncryptedKubernetesTokenReviewerJwt) t.binary("encryptedKubernetesTokenReviewerJwt");
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedKubernetesCaCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-  const identityKubernetesConfigs = await knex(TableName.IdentityKubernetesAuth)
-    .join(
-      TableName.IdentityOrgMembership,
-      `${TableName.IdentityOrgMembership}.identityId`,
-      `${TableName.IdentityKubernetesAuth}.identityId`
-    )
-    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
-    .select(selectAllTableCols(TableName.IdentityKubernetesAuth))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
-      knex.ref("orgId").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedIdentityKubernetesConfigs = [];
-
-  for await (const {
-    encryptedSymmetricKey,
-    symmetricKeyKeyEncoding,
-    symmetricKeyTag,
-    symmetricKeyIV,
-    orgId,
-    ...el
-  } of identityKubernetesConfigs) {
-    let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
-
-    if (!orgKmsService) {
-      orgKmsService = await kmsService.createCipherPairWithDataKey(
-        {
-          type: KmsDataKey.Organization,
-          orgId
-        },
-        knex
-      );
-      orgEncryptionRingBuffer.push(orgId, orgKmsService);
-    }
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: encryptedSymmetricKey,
-      iv: symmetricKeyIV,
-      tag: symmetricKeyTag,
-      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const decryptedTokenReviewerJwt =
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-      el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
-        ? decryptSymmetric({
-            key,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            iv: el.tokenReviewerJwtIV,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            tag: el.tokenReviewerJwtTag,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            ciphertext: el.encryptedTokenReviewerJwt
-          })
-        : "";
-
-    const decryptedCertificate =
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-      el.encryptedCaCert && el.caCertIV && el.caCertTag
-        ? decryptSymmetric({
-            key,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            iv: el.caCertIV,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            tag: el.caCertTag,
-            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-            ciphertext: el.encryptedCaCert
-          })
-        : "";
-
-    const encryptedKubernetesTokenReviewerJwt = orgKmsService.encryptor({
-      plainText: Buffer.from(decryptedTokenReviewerJwt)
-    }).cipherTextBlob;
-    const encryptedKubernetesCaCertificate = orgKmsService.encryptor({
-      plainText: Buffer.from(decryptedCertificate)
-    }).cipherTextBlob;
-
-    updatedIdentityKubernetesConfigs.push({
-      ...el,
-      accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
-      encryptedKubernetesCaCertificate,
-      encryptedKubernetesTokenReviewerJwt
-    });
-  }
-
-  for (let i = 0; i < updatedIdentityKubernetesConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.IdentityKubernetesAuth)
-      .insert(updatedIdentityKubernetesConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-  if (hasidentityKubernetesAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      if (!hasEncryptedKubernetesTokenReviewerJwt)
-        t.binary("encryptedKubernetesTokenReviewerJwt").notNullable().alter();
-    });
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  await reencryptIdentityK8sAuth(knex);
-}
-
-const dropIdentityK8sColumns = async (knex: Knex) => {
-  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesTokenReviewerJwt"
-  );
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesCaCertificate"
-  );
-  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
-
-  if (hasidentityKubernetesAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      if (hasEncryptedKubernetesTokenReviewerJwt) t.dropColumn("encryptedKubernetesTokenReviewerJwt");
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedKubernetesCaCertificate");
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  await dropIdentityK8sColumns(knex);
-}
--- a/backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts
+++ b/backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts
@ -1,141 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-const reencryptIdentityOidcAuth = async (knex: Knex) => {
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityOidcAuth,
-    "encryptedCaCertificate"
-  );
-  const hasidentityOidcAuthTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
-
-  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "encryptedCaCert");
-  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertIV");
-  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertTag");
-
-  if (hasidentityOidcAuthTable) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
-      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
-      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
-
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedCaCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const identityOidcConfig = await knex(TableName.IdentityOidcAuth)
-    .join(
-      TableName.IdentityOrgMembership,
-      `${TableName.IdentityOrgMembership}.identityId`,
-      `${TableName.IdentityOidcAuth}.identityId`
-    )
-    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
-    .select(selectAllTableCols(TableName.IdentityOidcAuth))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
-      knex.ref("orgId").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedIdentityOidcConfigs = await Promise.all(
-    identityOidcConfig.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, orgId, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedCertificate =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedCaCert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.caCertIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.caCertTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedCaCert
-              })
-            : "";
-
-        const encryptedCaCertificate = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedCertificate)
-        }).cipherTextBlob;
-
-        return {
-          ...el,
-          accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
-          encryptedCaCertificate
-        };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedIdentityOidcConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.IdentityOidcAuth)
-      .insert(updatedIdentityOidcConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  await reencryptIdentityOidcAuth(knex);
-}
-
-const dropIdentityOidcColumns = async (knex: Knex) => {
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
-    TableName.IdentityOidcAuth,
-    "encryptedCaCertificate"
-  );
-  const hasidentityOidcTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
-
-  if (hasidentityOidcTable) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedCaCertificate");
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  await dropIdentityOidcColumns(knex);
-}
--- a/backend/src/db/migrations/20250210101845_directory-config-to-kms.ts
+++ b/backend/src/db/migrations/20250210101845_directory-config-to-kms.ts
@ -1,493 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { SecretKeyEncoding, TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { createCircularCache } from "./utils/ring-buffer";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-const BATCH_SIZE = 500;
-const reencryptSamlConfig = async (knex: Knex) => {
-  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
-  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
-  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
-
-  if (hasSamlConfigTable) {
-    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
-      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint");
-      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer");
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const samlConfigs = await knex(TableName.SamlConfig)
-    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.SamlConfig}.orgId`)
-    .select(selectAllTableCols(TableName.SamlConfig))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedSamlConfigs = await Promise.all(
-    samlConfigs.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId: el.orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedEntryPoint =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.entryPointIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.entryPointTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedEntryPoint
-              })
-            : "";
-
-        const decryptedIssuer =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedIssuer && el.issuerIV && el.issuerTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.issuerIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.issuerTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedIssuer
-              })
-            : "";
-
-        const decryptedCertificate =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedCert && el.certIV && el.certTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.certIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.certTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedCert
-              })
-            : "";
-
-        const encryptedSamlIssuer = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedIssuer)
-        }).cipherTextBlob;
-        const encryptedSamlCertificate = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedCertificate)
-        }).cipherTextBlob;
-        const encryptedSamlEntryPoint = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedEntryPoint)
-        }).cipherTextBlob;
-        return { ...el, encryptedSamlCertificate, encryptedSamlEntryPoint, encryptedSamlIssuer };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedSamlConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.SamlConfig)
-      .insert(updatedSamlConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-
-  if (hasSamlConfigTable) {
-    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
-      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint").notNullable().alter();
-      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer").notNullable().alter();
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate").notNullable().alter();
-    });
-  }
-};
-
-const reencryptLdapConfig = async (knex: Knex) => {
-  const hasEncryptedLdapBindDNColum = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
-  const hasEncryptedLdapBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
-  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
-
-  const hasEncryptedCACertColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedCACert");
-  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertIV");
-  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertTag");
-  const hasEncryptedBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindPass");
-  const hasBindPassIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassIV");
-  const hasBindPassTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassTag");
-  const hasEncryptedBindDNColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindDN");
-  const hasBindDNIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNIV");
-  const hasBindDNTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNTag");
-
-  if (hasLdapConfigTable) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      if (hasEncryptedCACertColumn) t.text("encryptedCACert").nullable().alter();
-      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
-      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
-      if (hasEncryptedBindPassColumn) t.string("encryptedBindPass").nullable().alter();
-      if (hasBindPassIVColumn) t.string("bindPassIV").nullable().alter();
-      if (hasBindPassTagColumn) t.string("bindPassTag").nullable().alter();
-      if (hasEncryptedBindDNColumn) t.string("encryptedBindDN").nullable().alter();
-      if (hasBindDNIVColumn) t.string("bindDNIV").nullable().alter();
-      if (hasBindDNTagColumn) t.string("bindDNTag").nullable().alter();
-
-      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN");
-      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass");
-      if (!hasEncryptedCertificateColumn) t.binary("encryptedLdapCaCertificate");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const ldapConfigs = await knex(TableName.LdapConfig)
-    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.LdapConfig}.orgId`)
-    .select(selectAllTableCols(TableName.LdapConfig))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedLdapConfigs = await Promise.all(
-    ldapConfigs.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId: el.orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedBindDN =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedBindDN && el.bindDNIV && el.bindDNTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.bindDNIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.bindDNTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedBindDN
-              })
-            : "";
-
-        const decryptedBindPass =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedBindPass && el.bindPassIV && el.bindPassTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.bindPassIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.bindPassTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedBindPass
-              })
-            : "";
-
-        const decryptedCertificate =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedCACert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.caCertIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.caCertTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedCACert
-              })
-            : "";
-
-        const encryptedLdapBindDN = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedBindDN)
-        }).cipherTextBlob;
-        const encryptedLdapBindPass = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedBindPass)
-        }).cipherTextBlob;
-        const encryptedLdapCaCertificate = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedCertificate)
-        }).cipherTextBlob;
-        return { ...el, encryptedLdapBindPass, encryptedLdapBindDN, encryptedLdapCaCertificate };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedLdapConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.LdapConfig)
-      .insert(updatedLdapConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-  if (hasLdapConfigTable) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass").notNullable().alter();
-      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN").notNullable().alter();
-    });
-  }
-};
-
-const reencryptOidcConfig = async (knex: Knex) => {
-  const hasEncryptedOidcClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
-  const hasEncryptedOidcClientSecretColumn = await knex.schema.hasColumn(
-    TableName.OidcConfig,
-    "encryptedOidcClientSecret"
-  );
-
-  const hasEncryptedClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientId");
-  const hasClientIdIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdIV");
-  const hasClientIdTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdTag");
-  const hasEncryptedClientSecretColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientSecret");
-  const hasClientSecretIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretIV");
-  const hasClientSecretTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretTag");
-
-  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
-
-  if (hasOidcConfigTable) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      if (hasEncryptedClientIdColumn) t.text("encryptedClientId").nullable().alter();
-      if (hasClientIdIVColumn) t.string("clientIdIV").nullable().alter();
-      if (hasClientIdTagColumn) t.string("clientIdTag").nullable().alter();
-      if (hasEncryptedClientSecretColumn) t.text("encryptedClientSecret").nullable().alter();
-      if (hasClientSecretIVColumn) t.string("clientSecretIV").nullable().alter();
-      if (hasClientSecretTagColumn) t.string("clientSecretTag").nullable().alter();
-
-      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId");
-      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret");
-    });
-  }
-
-  initLogger();
-  const envConfig = getMigrationEnvConfig();
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-  const orgEncryptionRingBuffer =
-    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
-
-  const oidcConfigs = await knex(TableName.OidcConfig)
-    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.OidcConfig}.orgId`)
-    .select(selectAllTableCols(TableName.OidcConfig))
-    .select(
-      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
-      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
-    )
-    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
-
-  const updatedOidcConfigs = await Promise.all(
-    oidcConfigs.map(
-      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
-        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
-        if (!orgKmsService) {
-          orgKmsService = await kmsService.createCipherPairWithDataKey(
-            {
-              type: KmsDataKey.Organization,
-              orgId: el.orgId
-            },
-            knex
-          );
-          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
-        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
-
-        const decryptedClientId =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedClientId && el.clientIdIV && el.clientIdTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.clientIdIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.clientIdTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedClientId
-              })
-            : "";
-
-        const decryptedClientSecret =
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-          el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
-            ? decryptSymmetric({
-                key,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.clientSecretIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.clientSecretTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedClientSecret
-              })
-            : "";
-
-        const encryptedOidcClientId = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedClientId)
-        }).cipherTextBlob;
-        const encryptedOidcClientSecret = orgKmsService.encryptor({
-          plainText: Buffer.from(decryptedClientSecret)
-        }).cipherTextBlob;
-        return { ...el, encryptedOidcClientId, encryptedOidcClientSecret };
-      }
-    )
-  );
-
-  for (let i = 0; i < updatedOidcConfigs.length; i += BATCH_SIZE) {
-    // eslint-disable-next-line no-await-in-loop
-    await knex(TableName.OidcConfig)
-      .insert(updatedOidcConfigs.slice(i, i + BATCH_SIZE))
-      .onConflict("id")
-      .merge();
-  }
-  if (hasOidcConfigTable) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId").notNullable().alter();
-      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret").notNullable().alter();
-    });
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  await reencryptSamlConfig(knex);
-  await reencryptLdapConfig(knex);
-  await reencryptOidcConfig(knex);
-}
-
-const dropSamlConfigColumns = async (knex: Knex) => {
-  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
-  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
-  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
-
-  if (hasSamlConfigTable) {
-    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
-      if (hasEncryptedEntrypointColumn) t.dropColumn("encryptedSamlEntryPoint");
-      if (hasEncryptedIssuerColumn) t.dropColumn("encryptedSamlIssuer");
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedSamlCertificate");
-    });
-  }
-};
-
-const dropLdapConfigColumns = async (knex: Knex) => {
-  const hasEncryptedBindDN = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
-  const hasEncryptedBindPass = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
-  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
-  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
-
-  if (hasLdapConfigTable) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      if (hasEncryptedBindDN) t.dropColumn("encryptedLdapBindDN");
-      if (hasEncryptedBindPass) t.dropColumn("encryptedLdapBindPass");
-      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedLdapCaCertificate");
-    });
-  }
-};
-
-const dropOidcConfigColumns = async (knex: Knex) => {
-  const hasEncryptedClientId = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
-  const hasEncryptedClientSecret = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientSecret");
-  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
-
-  if (hasOidcConfigTable) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      if (hasEncryptedClientId) t.dropColumn("encryptedOidcClientId");
-      if (hasEncryptedClientSecret) t.dropColumn("encryptedOidcClientSecret");
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  await dropSamlConfigColumns(knex);
-  await dropLdapConfigColumns(knex);
-  await dropOidcConfigColumns(knex);
-}
--- a/backend/src/db/migrations/20250212191958_create-gateway.ts
+++ b/backend/src/db/migrations/20250212191958_create-gateway.ts
@ -1,115 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.OrgGatewayConfig))) {
-    await knex.schema.createTable(TableName.OrgGatewayConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("rootCaKeyAlgorithm").notNullable();
-
-      t.datetime("rootCaIssuedAt").notNullable();
-      t.datetime("rootCaExpiration").notNullable();
-      t.string("rootCaSerialNumber").notNullable();
-      t.binary("encryptedRootCaCertificate").notNullable();
-      t.binary("encryptedRootCaPrivateKey").notNullable();
-
-      t.datetime("clientCaIssuedAt").notNullable();
-      t.datetime("clientCaExpiration").notNullable();
-      t.string("clientCaSerialNumber");
-      t.binary("encryptedClientCaCertificate").notNullable();
-      t.binary("encryptedClientCaPrivateKey").notNullable();
-
-      t.string("clientCertSerialNumber").notNullable();
-      t.string("clientCertKeyAlgorithm").notNullable();
-      t.datetime("clientCertIssuedAt").notNullable();
-      t.datetime("clientCertExpiration").notNullable();
-      t.binary("encryptedClientCertificate").notNullable();
-      t.binary("encryptedClientPrivateKey").notNullable();
-
-      t.datetime("gatewayCaIssuedAt").notNullable();
-      t.datetime("gatewayCaExpiration").notNullable();
-      t.string("gatewayCaSerialNumber").notNullable();
-      t.binary("encryptedGatewayCaCertificate").notNullable();
-      t.binary("encryptedGatewayCaPrivateKey").notNullable();
-
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.unique("orgId");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.Gateway))) {
-    await knex.schema.createTable(TableName.Gateway, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.string("name").notNullable();
-      t.string("serialNumber").notNullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("issuedAt").notNullable();
-      t.datetime("expiration").notNullable();
-      t.datetime("heartbeat");
-
-      t.binary("relayAddress").notNullable();
-
-      t.uuid("orgGatewayRootCaId").notNullable();
-      t.foreign("orgGatewayRootCaId").references("id").inTable(TableName.OrgGatewayConfig).onDelete("CASCADE");
-
-      t.uuid("identityId").notNullable();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.Gateway);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectGateway))) {
-    await knex.schema.createTable(TableName.ProjectGateway, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-
-      t.uuid("gatewayId").notNullable();
-      t.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("CASCADE");
-
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.ProjectGateway);
-  }
-
-  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      // not setting a foreign constraint so that cascade effects are not triggered
-      if (!doesGatewayColExist) {
-        t.uuid("projectGatewayId");
-        t.foreign("projectGatewayId").references("id").inTable(TableName.ProjectGateway);
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
-    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
-    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
-      if (doesGatewayColExist) t.dropColumn("projectGatewayId");
-    });
-  }
-
-  await knex.schema.dropTableIfExists(TableName.ProjectGateway);
-  await dropOnUpdateTrigger(knex, TableName.ProjectGateway);
-
-  await knex.schema.dropTableIfExists(TableName.Gateway);
-  await dropOnUpdateTrigger(knex, TableName.Gateway);
-
-  await knex.schema.dropTableIfExists(TableName.OrgGatewayConfig);
-  await dropOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
-}
--- a/backend/src/db/migrations/20250226021631_secret-requests.ts
+++ b/backend/src/db/migrations/20250226021631_secret-requests.ts
@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
-
-  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
-    if (!hasSharingTypeColumn) {
-      table.string("type", 32).defaultTo(SecretSharingType.Share).notNullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
-
-  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
-    if (hasSharingTypeColumn) {
-      table.dropColumn("type");
-    }
-  });
-}
--- a/backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts
+++ b/backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts
@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
-  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
-  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      if (!hasAuthConsentContentCol) {
-        t.text("authConsentContent");
-      }
-      if (!hasPageFrameContentCol) {
-        t.text("pageFrameContent");
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
-  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
-  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-    if (hasAuthConsentContentCol) {
-      t.dropColumn("authConsentContent");
-    }
-    if (hasPageFrameContentCol) {
-      t.dropColumn("pageFrameContent");
-    }
-  });
-}
--- a/backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts
+++ b/backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts
@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  for await (const tableName of [
-    TableName.SecretV2,
-    TableName.SecretVersionV2,
-    TableName.SecretApprovalRequestSecretV2
-  ]) {
-    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
-
-    if (hasReminderNoteCol) {
-      await knex.schema.alterTable(tableName, (t) => {
-        t.string("reminderNote", 1024).alter();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  for await (const tableName of [
-    TableName.SecretV2,
-    TableName.SecretVersionV2,
-    TableName.SecretApprovalRequestSecretV2
-  ]) {
-    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
-
-    if (hasReminderNoteCol) {
-      await knex.schema.alterTable(tableName, (t) => {
-        t.string("reminderNote").alter();
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20250303213350_add-folder-description.ts
+++ b/backend/src/db/migrations/20250303213350_add-folder-description.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
-
-  if (!hasProjectDescription) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.string("description");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
-
-  if (hasProjectDescription) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.dropColumn("description");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250305080145_add-secret-review-comment.ts
+++ b/backend/src/db/migrations/20250305080145_add-secret-review-comment.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.string("comment");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment")) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.dropColumn("comment");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
+++ b/backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts
@ -1,45 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
-    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
-    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
-    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
-
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      if (!hasSecretVersionV2UserActorId) {
-        t.uuid("userActorId");
-        t.foreign("userActorId").references("id").inTable(TableName.Users);
-      }
-      if (!hasSecretVersionV2IdentityActorId) {
-        t.uuid("identityActorId");
-        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
-      }
-      if (!hasSecretVersionV2ActorType) {
-        t.string("actorType");
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
-    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
-    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
-    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
-
-    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
-      if (hasSecretVersionV2UserActorId) {
-        t.dropColumn("userActorId");
-      }
-      if (hasSecretVersionV2IdentityActorId) {
-        t.dropColumn("identityActorId");
-      }
-      if (hasSecretVersionV2ActorType) {
-        t.dropColumn("actorType");
-      }
-    });
-  }
-}
--- a/backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts
+++ b/backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts
@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Organization)) {
-    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
-      TableName.Organization,
-      "allowSecretSharingOutsideOrganization"
-    );
-
-    if (!hasSecretShareToAnyoneCol) {
-      await knex.schema.alterTable(TableName.Organization, (t) => {
-        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Organization)) {
-    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
-      TableName.Organization,
-      "allowSecretSharingOutsideOrganization"
-    );
-    if (hasSecretShareToAnyoneCol) {
-      await knex.schema.alterTable(TableName.Organization, (t) => {
-        t.dropColumn("allowSecretSharingOutsideOrganization");
-      });
-    }
-  }
-}
--- a/backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts
+++ b/backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts
@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem"))) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("shouldUseNewPrivilegeSystem");
-      t.string("privilegeUpgradeInitiatedByUsername");
-      t.dateTime("privilegeUpgradeInitiatedAt");
-    });
-
-    await knex(TableName.Organization).update({
-      shouldUseNewPrivilegeSystem: false
-    });
-
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("shouldUseNewPrivilegeSystem").defaultTo(true).notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem")) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.dropColumn("shouldUseNewPrivilegeSystem");
-      t.dropColumn("privilegeUpgradeInitiatedByUsername");
-      t.dropColumn("privilegeUpgradeInitiatedAt");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts
+++ b/backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
-  if (!hasMappingField) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.jsonb("claimMetadataMapping");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
-  if (hasMappingField) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.dropColumn("claimMetadataMapping");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts
+++ b/backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas/models";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.specificType("adminIdentityIds", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("adminIdentityIds");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250319134021_recursive-folder-index.ts
+++ b/backend/src/db/migrations/20250319134021_recursive-folder-index.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
-  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
-  if (doesParentColumExist && doesNameColumnExist) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.index(["parentId", "name"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
-  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
-  if (doesParentColumExist && doesNameColumnExist) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.dropIndex(["parentId", "name"]);
-    });
-  }
-}
--- a/backend/src/db/migrations/20250321100157_k8s-self-reviewer-jwt.ts
+++ b/backend/src/db/migrations/20250321100157_k8s-self-reviewer-jwt.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasReviewerJwtCol = await knex.schema.hasColumn(
-    TableName.IdentityKubernetesAuth,
-    "encryptedKubernetesTokenReviewerJwt"
-  );
-  if (hasReviewerJwtCol) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.binary("encryptedKubernetesTokenReviewerJwt").nullable().alter();
-    });
-  }
-}
-
-export async function down(): Promise<void> {
-  // we can't make it back to non nullable, it will fail
-}
--- a/backend/src/db/migrations/20250324142102_add-self-approvals-to-secret-approval-policies.ts
+++ b/backend/src/db/migrations/20250324142102_add-self-approvals-to-secret-approval-policies.ts
@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas/models";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
-    });
-  }
-  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals"))) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals")) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-      t.dropColumn("allowedSelfApprovals");
-    });
-  }
-  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals")) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.dropColumn("allowedSelfApprovals");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250324142104_app-connection-is-platform-managed-credentials-col.ts
+++ b/backend/src/db/migrations/20250324142104_app-connection-is-platform-managed-credentials-col.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.AppConnection, "isPlatformManagedCredentials"))) {
-    await knex.schema.alterTable(TableName.AppConnection, (t) => {
-      t.boolean("isPlatformManagedCredentials").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AppConnection, "isPlatformManagedCredentials")) {
-    await knex.schema.alterTable(TableName.AppConnection, (t) => {
-      t.dropColumn("isPlatformManagedCredentials");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250324142105_secret-rotation-v2.ts
+++ b/backend/src/db/migrations/20250324142105_secret-rotation-v2.ts
@ -1,58 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretRotationV2))) {
-    await knex.schema.createTable(TableName.SecretRotationV2, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description");
-      t.string("type").notNullable();
-      t.jsonb("parameters").notNullable();
-      t.jsonb("secretsMapping").notNullable();
-      t.binary("encryptedGeneratedCredentials").notNullable();
-      t.boolean("isAutoRotationEnabled").notNullable().defaultTo(true);
-      t.integer("activeIndex").notNullable().defaultTo(0);
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.uuid("connectionId").notNullable();
-      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
-      t.timestamps(true, true, true);
-      t.integer("rotationInterval").notNullable();
-      t.jsonb("rotateAtUtc").notNullable(); // { hours: number; minutes: number }
-      t.string("rotationStatus").notNullable();
-      t.datetime("lastRotationAttemptedAt").notNullable();
-      t.datetime("lastRotatedAt").notNullable();
-      t.binary("encryptedLastRotationMessage"); // we encrypt this because it may contain sensitive info (SQL errors showing credentials)
-      t.string("lastRotationJobId");
-      t.datetime("nextRotationAt");
-      t.boolean("isLastRotationManual").notNullable().defaultTo(true); // creation is considered a "manual" rotation
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretRotationV2);
-
-    await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
-      t.unique(["folderId", "name"]);
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SecretRotationV2SecretMapping))) {
-    await knex.schema.createTable(TableName.SecretRotationV2SecretMapping, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("secretId").notNullable();
-      // scott: this is deferred to block secret deletion but not prevent folder/environment/project deletion
-      // ie, if rotation is being deleted as well we permit it, otherwise throw
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).deferrable("deferred");
-      t.uuid("rotationId").notNullable();
-      t.foreign("rotationId").references("id").inTable(TableName.SecretRotationV2).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretRotationV2SecretMapping);
-  await knex.schema.dropTableIfExists(TableName.SecretRotationV2);
-  await dropOnUpdateTrigger(knex, TableName.SecretRotationV2);
-}
--- a/backend/src/db/migrations/20250326171707_folder-last-secret-modified.ts
+++ b/backend/src/db/migrations/20250326171707_folder-last-secret-modified.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.datetime("lastSecretModified");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      t.dropColumn("lastSecretModified");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts
+++ b/backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts
@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { KmsKeyUsage } from "@app/services/kms/kms-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
-
-  if (!hasKeyUsageColumn) {
-    await knex.schema.alterTable(TableName.KmsKey, (t) => {
-      t.string("keyUsage").notNullable().defaultTo(KmsKeyUsage.ENCRYPT_DECRYPT);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
-
-  if (hasKeyUsageColumn) {
-    await knex.schema.alterTable(TableName.KmsKey, (t) => {
-      t.dropColumn("keyUsage");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250404022310_ssh-ca-key-source.ts
+++ b/backend/src/db/migrations/20250404022310_ssh-ca-key-source.ts
@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource"))) {
-    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
-      t.string("keySource");
-    });
-
-    // Backfilling the keySource to internal
-    await knex(TableName.SshCertificateAuthority).update({ keySource: "internal" });
-
-    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
-      t.string("keySource").notNullable().alter();
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SshCertificate, "sshCaId")) {
-    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
-      t.uuid("sshCaId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource")) {
-    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
-      t.dropColumn("keySource");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250405185753_ssh-mgmt-v2.ts
+++ b/backend/src/db/migrations/20250405185753_ssh-mgmt-v2.ts
@ -1,93 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SshHost))) {
-    await knex.schema.createTable(TableName.SshHost, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("hostname").notNullable();
-      t.string("userCertTtl").notNullable();
-      t.string("hostCertTtl").notNullable();
-      t.uuid("userSshCaId").notNullable();
-      t.foreign("userSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.uuid("hostSshCaId").notNullable();
-      t.foreign("hostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.unique(["projectId", "hostname"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHost);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshHostLoginUser))) {
-    await knex.schema.createTable(TableName.SshHostLoginUser, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshHostId").notNullable();
-      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("CASCADE");
-      t.string("loginUser").notNullable(); // e.g. ubuntu, root, ec2-user, ...
-      t.unique(["sshHostId", "loginUser"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHostLoginUser);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshHostLoginUserMapping))) {
-    await knex.schema.createTable(TableName.SshHostLoginUserMapping, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshHostLoginUserId").notNullable();
-      t.foreign("sshHostLoginUserId").references("id").inTable(TableName.SshHostLoginUser).onDelete("CASCADE");
-      t.uuid("userId").nullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.unique(["sshHostLoginUserId", "userId"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectSshConfig))) {
-    // new table to store configuration for projects of type SSH (i.e. Infisical SSH)
-    await knex.schema.createTable(TableName.ProjectSshConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("defaultUserSshCaId");
-      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-      t.uuid("defaultHostSshCaId");
-      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
-    });
-    await createOnUpdateTrigger(knex, TableName.ProjectSshConfig);
-  }
-
-  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
-  if (!hasColumn) {
-    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
-      t.uuid("sshHostId").nullable();
-      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectSshConfig);
-  await dropOnUpdateTrigger(knex, TableName.ProjectSshConfig);
-
-  await knex.schema.dropTableIfExists(TableName.SshHostLoginUserMapping);
-  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
-
-  await knex.schema.dropTableIfExists(TableName.SshHostLoginUser);
-  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUser);
-
-  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
-      t.dropColumn("sshHostId");
-    });
-  }
-
-  await knex.schema.dropTableIfExists(TableName.SshHost);
-  await dropOnUpdateTrigger(knex, TableName.SshHost);
-}
--- a/backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts
+++ b/backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts
@ -1,20 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId"))) {
-    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("dynamicSecretId");
-      tb.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId")) {
-    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
-      tb.dropColumn("dynamicSecretId");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250410203010_add-comment-to-access-request.ts
+++ b/backend/src/db/migrations/20250410203010_add-comment-to-access-request.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.string("note").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      t.dropColumn("note");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts
+++ b/backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts
@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
-      t.boolean("expiryNotificationSent").defaultTo(false);
-    });
-
-    // Update only tokens where expiresAt is before current time
-    await knex(TableName.ServiceToken)
-      .whereRaw(`${TableName.ServiceToken}."expiresAt" < NOW()`)
-      .whereNotNull("expiresAt")
-      .update({ expiryNotificationSent: true });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
-      t.dropColumn("expiryNotificationSent");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250414234624_add-project-delete-protection.ts
+++ b/backend/src/db/migrations/20250414234624_add-project-delete-protection.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
-  if (!hasCol) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.boolean("hasDeleteProtection").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
-  if (hasCol) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("hasDeleteProtection");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts
+++ b/backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts
@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    t.string("altNames", 4096).alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.Certificate, (t) => {
-    t.string("altNames").alter(); // Defaults to varchar(255)
-  });
-}
--- a/backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts
+++ b/backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts
@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
-    t.string("altNames", 4096).alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
-    t.string("altNames").alter(); // Defaults to varchar(255)
-  });
-}
--- a/backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts
+++ b/backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts
@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm"))) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      t.string("jwtSignatureAlgorithm").defaultTo(OIDCJWTSignatureAlgorithm.RS256).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm")) {
-    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
-      t.dropColumn("jwtSignatureAlgorithm");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts
+++ b/backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts
@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled"))) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("bypassOrgAuthEnabled").defaultTo(false).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled")) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.dropColumn("bypassOrgAuthEnabled");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250419004044_secret-reminder-recipients.ts
+++ b/backend/src/db/migrations/20250419004044_secret-reminder-recipients.ts
@ -1,34 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasSecretReminderRecipientsTable = await knex.schema.hasTable(TableName.SecretReminderRecipients);
-
-  if (!hasSecretReminderRecipientsTable) {
-    await knex.schema.createTable(TableName.SecretReminderRecipients, (table) => {
-      table.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      table.timestamps(true, true, true);
-      table.uuid("secretId").notNullable();
-      table.uuid("userId").notNullable();
-      table.string("projectId").notNullable();
-
-      // Based on userId rather than project membership ID so we can easily extend group support in the future if need be.
-      // This does however mean we need to manually clean up once a user is removed from a project.
-      table.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      table.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      table.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-
-      table.index("secretId");
-      table.unique(["secretId", "userId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasSecretReminderRecipientsTable = await knex.schema.hasTable(TableName.SecretReminderRecipients);
-
-  if (hasSecretReminderRecipientsTable) {
-    await knex.schema.dropTableIfExists(TableName.SecretReminderRecipients);
-  }
-}
--- a/backend/src/db/migrations/20250421165221_fix-identites-and-user-deletion-secret-version-reference.ts
+++ b/backend/src/db/migrations/20250421165221_fix-identites-and-user-deletion-secret-version-reference.ts
@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.dropForeign(["userActorId"]);
-    table.dropForeign(["identityActorId"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.foreign("userActorId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-
-    table.foreign("identityActorId").references("id").inTable(TableName.Identity).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.dropForeign(["userActorId"]);
-    table.dropForeign(["identityActorId"]);
-  });
-
-  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
-    table.foreign("userActorId").references("id").inTable(TableName.Users);
-
-    table.foreign("identityActorId").references("id").inTable(TableName.Identity);
-  });
-}
--- a/backend/src/db/migrations/20250422125635_microsoft-teams-workflow-integration.ts
+++ b/backend/src/db/migrations/20250422125635_microsoft-teams-workflow-integration.ts
@ -1,130 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const superAdminHasEncryptedMicrosoftTeamsClientIdColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedMicrosoftTeamsAppId"
-  );
-  const superAdminHasEncryptedMicrosoftTeamsClientSecret = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedMicrosoftTeamsClientSecret"
-  );
-  const superAdminHasEncryptedMicrosoftTeamsBotId = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedMicrosoftTeamsBotId"
-  );
-
-  if (
-    !superAdminHasEncryptedMicrosoftTeamsClientIdColumn ||
-    !superAdminHasEncryptedMicrosoftTeamsClientSecret ||
-    !superAdminHasEncryptedMicrosoftTeamsBotId
-  ) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
-      if (!superAdminHasEncryptedMicrosoftTeamsClientIdColumn) {
-        table.binary("encryptedMicrosoftTeamsAppId").nullable();
-      }
-      if (!superAdminHasEncryptedMicrosoftTeamsClientSecret) {
-        table.binary("encryptedMicrosoftTeamsClientSecret").nullable();
-      }
-      if (!superAdminHasEncryptedMicrosoftTeamsBotId) {
-        table.binary("encryptedMicrosoftTeamsBotId").nullable();
-      }
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.WorkflowIntegrations, "status"))) {
-    await knex.schema.alterTable(TableName.WorkflowIntegrations, (table) => {
-      table.enu("status", ["pending", "installed", "failed"]).notNullable().defaultTo("installed"); // defaults to installed so we can have backwards compatibility with existing workflow integrations
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.MicrosoftTeamsIntegrations))) {
-    await knex.schema.createTable(TableName.MicrosoftTeamsIntegrations, (table) => {
-      table.uuid("id", { primaryKey: true }).notNullable();
-      table.foreign("id").references("id").inTable(TableName.WorkflowIntegrations).onDelete("CASCADE"); // the ID itself is the workflow integration ID
-
-      table.string("internalTeamsAppId").nullable();
-      table.string("tenantId").notNullable();
-      table.binary("encryptedAccessToken").nullable();
-      table.binary("encryptedBotAccessToken").nullable();
-
-      table.timestamp("accessTokenExpiresAt").nullable();
-      table.timestamp("botAccessTokenExpiresAt").nullable();
-
-      table.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.MicrosoftTeamsIntegrations);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectMicrosoftTeamsConfigs))) {
-    await knex.schema.createTable(TableName.ProjectMicrosoftTeamsConfigs, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("projectId").notNullable().unique();
-      tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      tb.uuid("microsoftTeamsIntegrationId").notNullable();
-      tb.foreign("microsoftTeamsIntegrationId")
-        .references("id")
-        .inTable(TableName.MicrosoftTeamsIntegrations)
-        .onDelete("CASCADE");
-      tb.boolean("isAccessRequestNotificationEnabled").notNullable().defaultTo(false);
-      tb.boolean("isSecretRequestNotificationEnabled").notNullable().defaultTo(false);
-
-      tb.jsonb("accessRequestChannels").notNullable(); // {teamId: string, channelIds: string[]}
-      tb.jsonb("secretRequestChannels").notNullable(); // {teamId: string, channelIds: string[]}
-      tb.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.ProjectMicrosoftTeamsConfigs);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptedMicrosoftTeamsClientIdColumn = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedMicrosoftTeamsAppId"
-  );
-  const hasEncryptedMicrosoftTeamsClientSecret = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedMicrosoftTeamsClientSecret"
-  );
-  const hasEncryptedMicrosoftTeamsBotId = await knex.schema.hasColumn(
-    TableName.SuperAdmin,
-    "encryptedMicrosoftTeamsBotId"
-  );
-
-  if (
-    hasEncryptedMicrosoftTeamsClientIdColumn ||
-    hasEncryptedMicrosoftTeamsClientSecret ||
-    hasEncryptedMicrosoftTeamsBotId
-  ) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
-      if (hasEncryptedMicrosoftTeamsClientIdColumn) {
-        table.dropColumn("encryptedMicrosoftTeamsAppId");
-      }
-      if (hasEncryptedMicrosoftTeamsClientSecret) {
-        table.dropColumn("encryptedMicrosoftTeamsClientSecret");
-      }
-      if (hasEncryptedMicrosoftTeamsBotId) {
-        table.dropColumn("encryptedMicrosoftTeamsBotId");
-      }
-    });
-  }
-  if (await knex.schema.hasColumn(TableName.WorkflowIntegrations, "status")) {
-    await knex.schema.alterTable(TableName.WorkflowIntegrations, (table) => {
-      table.dropColumn("status");
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.ProjectMicrosoftTeamsConfigs)) {
-    await knex.schema.dropTableIfExists(TableName.ProjectMicrosoftTeamsConfigs);
-    await dropOnUpdateTrigger(knex, TableName.ProjectMicrosoftTeamsConfigs);
-  }
-  if (await knex.schema.hasTable(TableName.MicrosoftTeamsIntegrations)) {
-    await knex.schema.dropTableIfExists(TableName.MicrosoftTeamsIntegrations);
-    await dropOnUpdateTrigger(knex, TableName.MicrosoftTeamsIntegrations);
-  }
-}
--- a/backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts
+++ b/backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts
@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectType, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasDefaultUserCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultUserSshCaId");
-  const hasDefaultHostCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultHostSshCaId");
-
-  if (hasDefaultUserCaCol && hasDefaultHostCaCol) {
-    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
-      t.dropForeign(["defaultUserSshCaId"]);
-      t.dropForeign(["defaultHostSshCaId"]);
-    });
-    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
-      // allow nullable (does not wipe existing values)
-      t.uuid("defaultUserSshCaId").nullable().alter();
-      t.uuid("defaultHostSshCaId").nullable().alter();
-      // re-add with SET NULL behavior (previously CASCADE)
-      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
-    });
-  }
-
-  // (dangtony98): backfill by adding null defaults CAs for all existing Infisical SSH projects
-  // that do not have an associated ProjectSshConfig record introduced in Infisical SSH V2.
-
-  const allProjects = await knex(TableName.Project).where("type", ProjectType.SSH).select("id");
-
-  const projectsWithConfig = await knex(TableName.ProjectSshConfig).select("projectId");
-  const projectIdsWithConfig = new Set(projectsWithConfig.map((config) => config.projectId));
-
-  const projectsNeedingConfig = allProjects.filter((project) => !projectIdsWithConfig.has(project.id));
-
-  if (projectsNeedingConfig.length > 0) {
-    const configsToInsert = projectsNeedingConfig.map((project) => ({
-      projectId: project.id,
-      defaultUserSshCaId: null,
-      defaultHostSshCaId: null,
-      createdAt: new Date(),
-      updatedAt: new Date()
-    }));
-
-    await knex.batchInsert(TableName.ProjectSshConfig, configsToInsert);
-  }
-}
-
-export async function down(): Promise<void> {}
--- a/backend/src/db/migrations/20250426044605_ssh-host-alias.ts
+++ b/backend/src/db/migrations/20250426044605_ssh-host-alias.ts
@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAliasColumn = await knex.schema.hasColumn(TableName.SshHost, "alias");
-  if (!hasAliasColumn) {
-    await knex.schema.alterTable(TableName.SshHost, (t) => {
-      t.string("alias").nullable();
-      t.unique(["projectId", "alias"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAliasColumn = await knex.schema.hasColumn(TableName.SshHost, "alias");
-  if (hasAliasColumn) {
-    await knex.schema.alterTable(TableName.SshHost, (t) => {
-      t.dropUnique(["projectId", "alias"]);
-      t.dropColumn("alias");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250426075943_github-org-sync-config.ts
+++ b/backend/src/db/migrations/20250426075943_github-org-sync-config.ts
@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasTable = await knex.schema.hasTable(TableName.GithubOrgSyncConfig);
-  if (!hasTable) {
-    await knex.schema.createTable(TableName.GithubOrgSyncConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("githubOrgName").notNullable();
-      t.boolean("isActive").defaultTo(false);
-      t.binary("encryptedGithubOrgAccessToken");
-      t.uuid("orgId").notNullable().unique();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.GithubOrgSyncConfig);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.GithubOrgSyncConfig);
-  await dropOnUpdateTrigger(knex, TableName.GithubOrgSyncConfig);
-}
--- a/backend/src/db/migrations/20250428134716_add-org-user-token-expiration-setting.ts
+++ b/backend/src/db/migrations/20250428134716_add-org-user-token-expiration-setting.ts
@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { getConfig } from "@app/lib/config/env";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const appCfg = getConfig();
-  const tokenDuration = appCfg?.JWT_REFRESH_LIFETIME;
-
-  if (!(await knex.schema.hasColumn(TableName.Organization, "userTokenExpiration"))) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.string("userTokenExpiration");
-    });
-    if (tokenDuration) {
-      await knex(TableName.Organization).update({ userTokenExpiration: tokenDuration });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Organization, "userTokenExpiration")) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.dropColumn("userTokenExpiration");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250428173025_ssh-host-groups.ts
+++ b/backend/src/db/migrations/20250428173025_ssh-host-groups.ts
@ -1,55 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SshHostGroup))) {
-    await knex.schema.createTable(TableName.SshHostGroup, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("name").notNullable();
-      t.unique(["projectId", "name"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHostGroup);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.SshHostGroupMembership))) {
-    await knex.schema.createTable(TableName.SshHostGroupMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("sshHostGroupId").notNullable();
-      t.foreign("sshHostGroupId").references("id").inTable(TableName.SshHostGroup).onDelete("CASCADE");
-      t.uuid("sshHostId").notNullable();
-      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("CASCADE");
-      t.unique(["sshHostGroupId", "sshHostId"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.SshHostGroupMembership);
-  }
-
-  const hasGroupColumn = await knex.schema.hasColumn(TableName.SshHostLoginUser, "sshHostGroupId");
-  if (!hasGroupColumn) {
-    await knex.schema.alterTable(TableName.SshHostLoginUser, (t) => {
-      t.uuid("sshHostGroupId").nullable();
-      t.foreign("sshHostGroupId").references("id").inTable(TableName.SshHostGroup).onDelete("CASCADE");
-      t.uuid("sshHostId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasGroupColumn = await knex.schema.hasColumn(TableName.SshHostLoginUser, "sshHostGroupId");
-  if (hasGroupColumn) {
-    await knex.schema.alterTable(TableName.SshHostLoginUser, (t) => {
-      t.dropColumn("sshHostGroupId");
-    });
-  }
-
-  await knex.schema.dropTableIfExists(TableName.SshHostGroupMembership);
-  await dropOnUpdateTrigger(knex, TableName.SshHostGroupMembership);
-
-  await knex.schema.dropTableIfExists(TableName.SshHostGroup);
-  await dropOnUpdateTrigger(knex, TableName.SshHostGroup);
-}
--- a/backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts
+++ b/backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts
@ -1,44 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
-    if (!hasProjectIdColumn) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("projectId", 36).nullable();
-        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      });
-
-      await knex.raw(`
-          UPDATE "${TableName.Certificate}" cert
-          SET "projectId" = ca."projectId"
-          FROM "${TableName.CertificateAuthority}" ca
-          WHERE cert."caId" = ca.id
-        `);
-
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("projectId").notNullable().alter();
-      });
-    }
-
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caId").nullable().alter();
-      t.uuid("caCertId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.dropForeign("projectId");
-        t.dropColumn("projectId");
-      });
-    }
-  }
-
-  // Altering back to notNullable for caId and caCertId will fail
-}
--- a/backend/src/db/migrations/20250429232917_store-cert-secret-key-and-chain.ts
+++ b/backend/src/db/migrations/20250429232917_store-cert-secret-key-and-chain.ts
@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain"))) {
-    await knex.schema.alterTable(TableName.CertificateBody, (t) => {
-      t.binary("encryptedCertificateChain").nullable();
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.CertificateSecret))) {
-    await knex.schema.createTable(TableName.CertificateSecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("certId").notNullable().unique();
-      t.foreign("certId").references("id").inTable(TableName.Certificate).onDelete("CASCADE");
-      t.binary("encryptedPrivateKey").notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateSecret)) {
-    await knex.schema.dropTable(TableName.CertificateSecret);
-  }
-
-  if (await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain")) {
-    await knex.schema.alterTable(TableName.CertificateBody, (t) => {
-      t.dropColumn("encryptedCertificateChain");
-    });
-  }
-}
--- a/backend/src/db/migrations/20250430174352_email-case-change.ts
+++ b/backend/src/db/migrations/20250430174352_email-case-change.ts
@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEmail = await knex.schema.hasColumn(TableName.Users, "email");
-  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
-  if (hasEmail) {
-    await knex(TableName.Users)
-      .where({ isGhost: false })
-      .update({
-        // @ts-expect-error email assume string this is expected
-        email: knex.raw("lower(email)")
-      });
-  }
-  if (hasUsername) {
-    await knex.schema.raw(`
-      CREATE INDEX IF NOT EXISTS ${TableName.Users}_lower_username_idx 
-      ON ${TableName.Users} (LOWER(username))
-    `);
-
-    const duplicatesSubquery = knex(TableName.Users)
-      .select(knex.raw("lower(username) as lowercase_username"))
-      .groupBy("lowercase_username")
-      .having(knex.raw("count(*)"), ">", 1);
-
-    // Update usernames to lowercase where they won't create duplicates
-    await knex(TableName.Users)
-      .where({ isGhost: false })
-      .whereRaw("username <> lower(username)") // Only update if not already lowercase
-      // @ts-expect-error username assume string this is expected
-      .whereNotIn(knex.raw("lower(username)"), duplicatesSubquery)
-      .update({
-        // @ts-expect-error username assume string this is expected
-        username: knex.raw("lower(username)")
-      });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
-  if (hasUsername) {
-    await knex.schema.raw(`
-  DROP INDEX IF EXISTS ${TableName.Users}_lower_username_idx
-`);
-  }
-}
--- a/backend/src/db/migrations/20250501164905_add-groups-to-ssh-host-login-user-mappings.ts
+++ b/backend/src/db/migrations/20250501164905_add-groups-to-ssh-host-login-user-mappings.ts
@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SshHostLoginUserMapping, "groupId"))) {
-    await knex.schema.alterTable(TableName.SshHostLoginUserMapping, (t) => {
-      t.uuid("groupId").nullable();
-      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      t.unique(["sshHostLoginUserId", "groupId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SshHostLoginUserMapping, "groupId")) {
-    await knex.schema.alterTable(TableName.SshHostLoginUserMapping, (t) => {
-      t.dropUnique(["sshHostLoginUserId", "groupId"]);
-      t.dropColumn("groupId");
-    });
-  }
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
McPizza0	0b1f4f0e2a	fix requested changes	2024-11-26 16:35:12 +01:00
McPizza0	b4485a2a57	improvement: Slug Validation Errors	2024-11-26 16:35:11 +01:00