Update secret-approval-request-service.ts

Feat: Scoped JWT tokens

.env.example

@@ -3,6 +3,9 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
@@ -13,9 +16,6 @@ POSTGRES_PASSWORD=infisical
 POSTGRES_USER=infisical
 POSTGRES_DB=infisical
 
-# Required
-DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
-
 # Redis
 REDIS_URL=redis://redis:6379
 

.github/workflows/build-docker-image-to-prod.yml

@@ -41,7 +41,6 @@ jobs:
           load: true
           context: backend
           tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
       - name: ⏻ Spawn backend container and dependencies
         run: |
           docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@@ -93,7 +92,6 @@ jobs:
           project: 64mmf0n610
           context: frontend
           tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
             NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/build-staging-and-deploy-aws.yml

@@ -1,140 +0,0 @@
-name: Deployment pipeline
-on: [workflow_dispatch]
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-  infisical-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build backend and push to docker hub
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
-    
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    environment:
-      name: Gamma
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-prod-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
-          wait-for-service-stability: true
-
-  production-postgres-deployment:
-    name: Deploy to production
-    runs-on: ubuntu-latest
-    needs: [gamma-deployment]
-    environment:
-      name: Production
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-prod-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
-          wait-for-service-stability: true

.github/workflows/build-staging-and-deploy.yml

@@ -0,0 +1,120 @@
+name: Build, Publish and Deploy to Gamma
+on: [workflow_dispatch]
+
+jobs:
+  infisical-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: infisical/infisical:test
+      # - name: ⏻ Spawn backend container and dependencies
+      #   run: |
+      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      # - name: 🧪 Test backend image
+      #   run: |
+      #     ./.github/resources/healthcheck.sh infisical-backend-test
+      # - name: ⏻ Shut down backend container and dependencies
+      #   run: |
+      #     docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+  postgres-migration:
+    name: Run latest migration files
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      # - name: Run postgres DB migration files
+      #   env:
+      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+      #   run: npm run migration:latest
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [postgres-migration]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install infisical helm chart
+        run: |
+          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+          helm repo update
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Save DigitalOcean kubeconfig with short-lived credentials
+        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
+      - name: switch to gamma namespace
+        run: kubectl config set-context --current --namespace=gamma
+      - name: test kubectl
+        run: kubectl get ingress
+      - name: Download helm values to file and upgrade gamma deploy
+        run: |
+          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
+          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
+          if [[ $(helm status infisical) == *"FAILED"* ]]; then
+            echo "Helm upgrade failed"
+            exit 1
+          else
+            echo "Helm upgrade was successful"
+          fi

Dockerfile.standalone-infisical

@@ -118,6 +118,9 @@ WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true
 
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
+
 EXPOSE 8080
 EXPOSE 443
 

README.md

@@ -10,8 +10,7 @@
   <a href="https://infisical.com/">Infisical Cloud</a> |
   <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
   <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a> |
-  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
+  <a href="https://www.infisical.com">Website</a>
 </h4>
 
 <p align="center">

backend/src/@types/fastify.d.ts

@@ -21,8 +21,6 @@ import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { TDynamicSecretServiceFactory } from "@app/services/dynamic-secret/dynamic-secret-service";
-import { TDynamicSecretLeaseServiceFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -64,7 +62,7 @@ declare module "fastify" {
       authMethod: ActorAuthMethod;
       type: ActorType;
       id: string;
-      orgId: string;
+      orgId?: string;
     };
     // passport data
     passportUser: {
@@ -119,8 +117,6 @@ declare module "fastify" {
       trustedIp: TTrustedIpServiceFactory;
       secretBlindIndex: TSecretBlindIndexServiceFactory;
       telemetry: TTelemetryServiceFactory;
-      dynamicSecret: TDynamicSecretServiceFactory;
-      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -17,12 +17,6 @@ import {
   TBackupPrivateKey,
   TBackupPrivateKeyInsert,
   TBackupPrivateKeyUpdate,
-  TDynamicSecretLeases,
-  TDynamicSecretLeasesInsert,
-  TDynamicSecretLeasesUpdate,
-  TDynamicSecrets,
-  TDynamicSecretsInsert,
-  TDynamicSecretsUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
@@ -346,12 +340,6 @@ declare module "knex/types/tables" {
       TSecretSnapshotFoldersInsert,
       TSecretSnapshotFoldersUpdate
     >;
-    [TableName.DynamicSecret]: Knex.CompositeTableType<TDynamicSecrets, TDynamicSecretsInsert, TDynamicSecretsUpdate>;
-    [TableName.DynamicSecretLease]: Knex.CompositeTableType<
-      TDynamicSecretLeases,
-      TDynamicSecretLeasesInsert,
-      TDynamicSecretLeasesUpdate
-    >;
     [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
     [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
     [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;

backend/src/db/migrations/20240318164718_dynamic-secret.ts

@@ -1,58 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.DynamicSecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").notNullable();
-      t.string("type").notNullable();
-      t.string("defaultTTL").notNullable();
-      t.string("maxTTL");
-      t.string("inputIV").notNullable();
-      t.text("inputCiphertext").notNullable();
-      t.string("inputTag").notNullable();
-      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.uuid("folderId").notNullable();
-      // for background process communication
-      t.string("status");
-      t.string("statusDetails");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.unique(["name", "folderId"]);
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.DynamicSecret);
-
-  const doesTableDynamicSecretLease = await knex.schema.hasTable(TableName.DynamicSecretLease);
-  if (!doesTableDynamicSecretLease) {
-    await knex.schema.createTable(TableName.DynamicSecretLease, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").notNullable();
-      t.string("externalEntityId").notNullable();
-      t.datetime("expireAt").notNullable();
-      // for background process communication
-      t.string("status");
-      t.string("statusDetails");
-      t.uuid("dynamicSecretId").notNullable();
-      t.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.DynamicSecretLease);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.DynamicSecretLease);
-  await knex.schema.dropTableIfExists(TableName.DynamicSecretLease);
-
-  await dropOnUpdateTrigger(knex, TableName.DynamicSecret);
-  await knex.schema.dropTableIfExists(TableName.DynamicSecret);
-}

backend/src/db/schemas/dynamic-secret-leases.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const DynamicSecretLeasesSchema = z.object({
-  id: z.string().uuid(),
-  version: z.number(),
-  externalEntityId: z.string(),
-  expireAt: z.date(),
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  dynamicSecretId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
-export type TDynamicSecretLeasesInsert = Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>;
-export type TDynamicSecretLeasesUpdate = Partial<Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const DynamicSecretsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  version: z.number(),
-  type: z.string(),
-  defaultTTL: z.string(),
-  maxTTL: z.string().nullable().optional(),
-  inputIV: z.string(),
-  inputCiphertext: z.string(),
-  inputTag: z.string(),
-  algorithm: z.string().default("aes-256-gcm"),
-  keyEncoding: z.string().default("utf8"),
-  folderId: z.string().uuid(),
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
-export type TDynamicSecretsInsert = Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>;
-export type TDynamicSecretsUpdate = Partial<Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -3,8 +3,6 @@ export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
 export * from "./backup-private-key";
-export * from "./dynamic-secret-leases";
-export * from "./dynamic-secrets";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./identities";

backend/src/db/schemas/models.ts

@@ -59,8 +59,6 @@ export enum TableName {
   GitAppOrg = "git_app_org",
   SecretScanningGitRisk = "secret_scanning_git_risks",
   TrustedIps = "trusted_ips",
-  DynamicSecret = "dynamic_secrets",
-  DynamicSecretLease = "dynamic_secret_leases",
   // junction tables with tags
   JnSecretTag = "secret_tag_junction",
   SecretVersionTag = "secret_version_tag_junction"

backend/src/ee/routes/v1/org-role-router.ts

@@ -19,7 +19,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .min(1)
           .trim()
           .refine(
-            (val) => !Object.keys(OrgMembershipRole).includes(val),
+            (val) => Object.keys(OrgMembershipRole).includes(val),
             "Please choose a different slug, the slug you have entered is reserved"
           )
           .refine((v) => slugify(v) === v, {

backend/src/ee/routes/v1/project-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,13 +19,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.workspaceId)
+        workspaceId: z.string().trim()
       }),
       querystring: z.object({
-        environment: z.string().trim().describe(PROJECTS.GET_SNAPSHOTS.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(PROJECTS.GET_SNAPSHOTS.path),
-        offset: z.coerce.number().default(0).describe(PROJECTS.GET_SNAPSHOTS.offset),
-        limit: z.coerce.number().default(20).describe(PROJECTS.GET_SNAPSHOTS.limit)
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().default(20)
       }),
       response: {
         200: z.object({
@@ -92,16 +91,16 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.workspaceId)
+        workspaceId: z.string().trim()
       }),
       querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
-        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
-        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+        eventType: z.nativeEnum(EventType).optional(),
+        userAgentType: z.nativeEnum(UserAgentType).optional(),
+        startDate: z.string().datetime().optional(),
+        endDate: z.string().datetime().optional(),
+        offset: z.coerce.number().default(0),
+        limit: z.coerce.number().default(20),
+        actor: z.string().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/scim-router.ts

@@ -146,7 +146,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         offset: req.query.startIndex,
         limit: req.query.count,
         filter: req.query.filter,
-        orgId: req.permission.orgId
+        orgId: req.permission.orgId as string
       });
       return users;
     }
@@ -184,7 +184,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const user = await req.server.services.scim.getScimUser({
         userId: req.params.userId,
-        orgId: req.permission.orgId
+        orgId: req.permission.orgId as string
       });
       return user;
     }
@@ -243,7 +243,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         email: primaryEmail,
         firstName: req.body.name.givenName,
         lastName: req.body.name.familyName,
-        orgId: req.permission.orgId
+        orgId: req.permission.orgId as string
       });
 
       return user;
@@ -280,7 +280,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const user = await req.server.services.scim.updateScimUser({
         userId: req.params.userId,
-        orgId: req.permission.orgId,
+        orgId: req.permission.orgId as string,
         operations: req.body.Operations
       });
       return user;
@@ -330,7 +330,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const user = await req.server.services.scim.replaceScimUser({
         userId: req.params.userId,
-        orgId: req.permission.orgId,
+        orgId: req.permission.orgId as string,
         active: req.body.active
       });
       return user;

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretSnapshotsSchema, SecretTagsSchema, SecretVersionsSchema } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -67,7 +66,7 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretSnapshotId: z.string().trim().describe(PROJECTS.ROLLBACK_TO_SNAPSHOT.secretSnapshotId)
+        secretSnapshotId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/ee/services/license/licence-fns.ts

@@ -15,7 +15,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   membersUsed: 0,
   environmentLimit: null,
   environmentsUsed: 0,
-  dynamicSecret: true,
   secretVersioning: true,
   pitRecovery: false,
   ipAllowlisting: false,

backend/src/ee/services/license/license-service.ts

@@ -8,7 +8,6 @@ import { ForbiddenError } from "@casl/ability";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { verifyOfflineLicense } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -27,7 +26,6 @@ import {
   TFeatureSet,
   TGetOrgBillInfoDTO,
   TGetOrgTaxIdDTO,
-  TOfflineLicenseContents,
   TOrgInvoiceDTO,
   TOrgLicensesDTO,
   TOrgPlanDTO,
@@ -98,36 +96,6 @@ export const licenseServiceFactory = ({
         }
         return;
       }
-
-      if (appCfg.LICENSE_KEY_OFFLINE) {
-        let isValidOfflineLicense = true;
-        const contents: TOfflineLicenseContents = JSON.parse(
-          Buffer.from(appCfg.LICENSE_KEY_OFFLINE, "base64").toString("utf8")
-        );
-        const isVerified = await verifyOfflineLicense(JSON.stringify(contents.license), contents.signature);
-
-        if (!isVerified) {
-          isValidOfflineLicense = false;
-          logger.warn(`Infisical EE offline license verification failed`);
-        }
-
-        if (contents.license.terminatesAt) {
-          const terminationDate = new Date(contents.license.terminatesAt);
-          if (terminationDate < new Date()) {
-            isValidOfflineLicense = false;
-            logger.warn(`Infisical EE offline license has expired`);
-          }
-        }
-
-        if (isValidOfflineLicense) {
-          onPremFeatures = contents.license.features;
-          instanceType = InstanceType.EnterpriseOnPrem;
-          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
-          isValidLicense = true;
-          return;
-        }
-      }
-
       // this means this is self hosted oss version
       // else it would reach catch statement
       isValidLicense = true;

backend/src/ee/services/license/license-types.ts

@@ -6,28 +6,12 @@ export enum InstanceType {
   Cloud = "cloud"
 }
 
-export type TOfflineLicenseContents = {
-  license: TOfflineLicense;
-  signature: string;
-};
-
-export type TOfflineLicense = {
-  issuedTo: string;
-  licenseId: string;
-  customerId: string | null;
-  issuedAt: string;
-  expiresAt: string | null;
-  terminatesAt: string | null;
-  features: TFeatureSet;
-};
-
 export type TFeatureSet = {
   _id: null;
   slug: null;
   tier: -1;
   workspaceLimit: null;
   workspacesUsed: 0;
-  dynamicSecret: true;
   memberLimit: null;
   membersUsed: 0;
   environmentLimit: null;

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -9,7 +9,6 @@ import jmespath from "jmespath";
 import knex from "knex";
 
 import { getConfig } from "@app/lib/config/env";
-import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
@@ -90,7 +89,7 @@ export const secretRotationDbFn = async ({
   const appCfg = getConfig();
 
   const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  if (host === "localhost" || host === "127.0.0.1" || getDbConnectionHost(appCfg.DB_CONNECTION_URI) === host)
+  if (host === "localhost" || host === "127.0.0.1" || appCfg.DB_CONNECTION_URI.includes(host))
     throw new Error("Invalid db host");
 
   const db = knex({

backend/src/lib/api-docs/constants.ts

@@ -1,399 +0,0 @@
-export const IDENTITIES = {
-  CREATE: {
-    name: "The name of the identity to create.",
-    organizationId: "The organization ID to which the identity belongs.",
-    role: "The role of the identity. Possible values are 'no-access', 'member', and 'admin'."
-  },
-  UPDATE: {
-    identityId: "The ID of the identity to update.",
-    name: "The new name of the identity.",
-    role: "The new role of the identity."
-  },
-  DELETE: {
-    identityId: "The ID of the identity to delete."
-  }
-} as const;
-
-export const UNIVERSAL_AUTH = {
-  LOGIN: {
-    clientId: "Your Machine Identity Client ID.",
-    clientSecret: "Your Machine Identity Client Secret."
-  },
-  ATTACH: {
-    identityId: "The ID of the identity to attach the configuration onto.",
-    clientSecretTrustedIps:
-      "A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address.",
-    accessTokenTrustedIps:
-      "A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.",
-    accessTokenTTL: "The lifetime for an access token in seconds. This value will be referenced at renewal time.",
-    accessTokenMaxTTL:
-      "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
-    accessTokenNumUsesLimit:
-      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
-  },
-  RETRIEVE: {
-    identityId: "The ID of the identity to retrieve."
-  },
-  UPDATE: {
-    identityId: "The ID of the identity to update.",
-    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
-    accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
-    accessTokenTTL: "The new lifetime for an access token in seconds.",
-    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
-    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
-  },
-  CREATE_CLIENT_SECRET: {
-    identityId: "The ID of the identity to create a client secret for.",
-    description: "The description of the client secret.",
-    numUsesLimit:
-      "The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses.",
-    ttl: "The lifetime for the client secret in seconds."
-  },
-  LIST_CLIENT_SECRETS: {
-    identityId: "The ID of the identity to list client secrets for."
-  },
-  REVOKE_CLIENT_SECRET: {
-    identityId: "The ID of the identity to revoke the client secret from.",
-    clientSecretId: "The ID of the client secret to revoke."
-  },
-  RENEW_ACCESS_TOKEN: {
-    accessToken: "The access token to renew."
-  }
-} as const;
-
-export const ORGANIZATIONS = {
-  LIST_USER_MEMBERSHIPS: {
-    organizationId: "The ID of the organization to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    role: "The new role of the membership."
-  },
-  DELETE_USER_MEMBERSHIP: {
-    organizationId: "The ID of the organization to delete the membership from.",
-    membershipId: "The ID of the membership to delete."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    orgId: "The ID of the organization to get identity memberships from."
-  },
-  GET_PROJECTS: {
-    organizationId: "The ID of the organization to get projects from."
-  }
-} as const;
-
-export const PROJECTS = {
-  CREATE: {
-    organizationSlug: "The slug of the organization to create the project in.",
-    projectName: "The name of the project to create.",
-    slug: "An optional slug for the project."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete."
-  },
-  GET: {
-    workspaceId: "The ID of the project."
-  },
-  UPDATE: {
-    workspaceId: "The ID of the project to update.",
-    name: "The new name of the project.",
-    autoCapitalization: "Disable or enable auto-capitalization for the project."
-  },
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  },
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: "A list of roles to update the membership to."
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
-  GET_KEY: {
-    workspaceId: "The ID of the project to get the key from."
-  },
-  GET_SNAPSHOTS: {
-    workspaceId: "The ID of the project to get snapshots from.",
-    environment: "The environment to get snapshots from.",
-    path: "The secret path to get snapshots from.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th snapshot.",
-    limit: "The number of snapshots to return."
-  },
-  ROLLBACK_TO_SNAPSHOT: {
-    secretSnapshotId: "The ID of the snapshot to rollback to."
-  }
-} as const;
-
-export const ENVIRONMENTS = {
-  CREATE: {
-    workspaceId: "The ID of the project to create the environment in.",
-    name: "The name of the environment to create.",
-    slug: "The slug of the environment to create."
-  },
-  UPDATE: {
-    workspaceId: "The ID of the project to update the environment in.",
-    id: "The ID of the environment to update.",
-    name: "The new name of the environment.",
-    slug: "The new slug of the environment.",
-    position: "The new position of the environment. The lowest number will be displayed as the first environment."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete the environment from.",
-    id: "The ID of the environment to delete."
-  }
-} as const;
-
-export const FOLDERS = {
-  LIST: {
-    workspaceId: "The ID of the project to list folders from.",
-    environment: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    directory: "The directory to list folders from. (Deprecated in favor of path)"
-  },
-  CREATE: {
-    workspaceId: "The ID of the project to create the folder in.",
-    environment: "The slug of the environment to create the folder in.",
-    name: "The name of the folder to create.",
-    path: "The path of the folder to create.",
-    directory: "The directory of the folder to create. (Deprecated in favor of path)"
-  },
-  UPDATE: {
-    folderId: "The ID of the folder to update.",
-    environment: "The slug of the environment where the folder is located.",
-    name: "The new name of the folder.",
-    path: "The path of the folder to update.",
-    directory: "The new directory of the folder to update. (Deprecated in favor of path)",
-    workspaceId: "The ID of the project where the folder is located."
-  },
-  DELETE: {
-    folderIdOrName: "The ID or name of the folder to delete.",
-    workspaceId: "The ID of the project to delete the folder from.",
-    environment: "The slug of the environment where the folder is located.",
-    directory: "The directory of the folder to delete. (Deprecated in favor of path)",
-    path: "The path of the folder to delete."
-  }
-} as const;
-
-export const SECRETS = {
-  ATTACH_TAGS: {
-    secretName: "The name of the secret to attach tags to.",
-    secretPath: "The path of the secret to attach tags to.",
-    type: "The type of the secret to attach tags to. (shared/personal)",
-    environment: "The slug of the environment where the secret is located",
-    projectSlug: "The slug of the project where the secret is located",
-    tagSlugs: "An array of existing tag slugs to attach to the secret."
-  },
-  DETACH_TAGS: {
-    secretName: "The name of the secret to detach tags from.",
-    secretPath: "The path of the secret to detach tags from.",
-    type: "The type of the secret to attach tags to. (shared/personal)",
-    environment: "The slug of the environment where the secret is located",
-    projectSlug: "The slug of the project where the secret is located",
-    tagSlugs: "An array of existing tag slugs to detach from the secret."
-  }
-} as const;
-
-export const RAW_SECRETS = {
-  LIST: {
-    workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
-    environment: "The slug of the environment to list secrets from.",
-    secretPath: "The secret path to list secrets from.",
-    includeImports: "Weather to include imported secrets or not."
-  },
-  CREATE: {
-    secretName: "The name of the secret to create.",
-    environment: "The slug of the environment to create the secret in.",
-    secretComment: "Attach a comment to the secret.",
-    secretPath: "The path to create the secret in.",
-    secretValue: "The value of the secret to create.",
-    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
-    type: "The type of the secret to create.",
-    workspaceId: "The ID of the project to create the secret in."
-  },
-  GET: {
-    secretName: "The name of the secret to get.",
-    workspaceId: "The ID of the project to get the secret from.",
-    environment: "The slug of the environment to get the secret from.",
-    secretPath: "The path of the secret to get.",
-    version: "The version of the secret to get.",
-    type: "The type of the secret to get.",
-    includeImports: "Weather to include imported secrets or not."
-  },
-  UPDATE: {
-    secretName: "The name of the secret to update.",
-    environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret to update",
-    secretValue: "The new value of the secret.",
-    skipMultilineEncoding: "Skip multiline encoding for the secret value.",
-    type: "The type of the secret to update.",
-    workspaceId: "The ID of the project to update the secret in."
-  },
-  DELETE: {
-    secretName: "The name of the secret to delete.",
-    environment: "The slug of the environment where the secret is located.",
-    secretPath: "The path of the secret.",
-    type: "The type of the secret to delete.",
-    workspaceId: "The ID of the project where the secret is located."
-  }
-} as const;
-
-export const SECRET_IMPORTS = {
-  LIST: {
-    workspaceId: "The ID of the project to list secret imports from.",
-    environment: "The slug of the environment to list secret imports from.",
-    path: "The path to list secret imports from."
-  },
-  CREATE: {
-    environment: "The slug of the environment to import into.",
-    path: "The path to import into.",
-    workspaceId: "The ID of the project you are working in.",
-    import: {
-      environment: "The slug of the environment to import from.",
-      path: "The path to import from."
-    }
-  },
-  UPDATE: {
-    secretImportId: "The ID of the secret import to update.",
-    environment: "The slug of the environment where the secret import is located.",
-    import: {
-      environment: "The new environment slug to import from.",
-      path: "The new path to import from.",
-      position: "The new position of the secret import. The lowest number will be displayed as the first import."
-    },
-    path: "The path of the secret import to update.",
-    workspaceId: "The ID of the project where the secret import is located."
-  },
-  DELETE: {
-    workspaceId: "The ID of the project to delete the secret import from.",
-    secretImportId: "The ID of the secret import to delete.",
-    environment: "The slug of the environment where the secret import is located.",
-    path: "The path of the secret import to delete."
-  }
-} as const;
-
-export const AUDIT_LOGS = {
-  EXPORT: {
-    workspaceId: "The ID of the project to export audit logs from.",
-    eventType: "The type of the event to export.",
-    userAgentType: "Choose which consuming application to export audit logs for.",
-    startDate: "The date to start the export from.",
-    endDate: "The date to end the export at.",
-    offset: "The offset to start from. If you enter 10, it will start from the 10th audit log.",
-    limit: "The number of audit logs to return.",
-    actor: "The actor to filter the audit logs by."
-  }
-} as const;
-
-export const DYNAMIC_SECRETS = {
-  LIST: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from."
-  },
-  LIST_LEAES_BY_NAME: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    name: "The name of the dynamic secret."
-  },
-  GET_BY_NAME: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    name: "The name of the dynamic secret."
-  },
-  CREATE: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to create the dynamic secret in.",
-    path: "The path to create the dynamic secret in.",
-    name: "The name of the dynamic secret.",
-    provider: "The type of dynamic secret.",
-    defaultTTL: "The default TTL that will be applied for all the leases.",
-    maxTTL: "The maximum limit a TTL can be leases or renewed."
-  },
-  UPDATE: {
-    projectSlug: "The slug of the project to update dynamic secret in.",
-    environmentSlug: "The slug of the environment to update the dynamic secret in.",
-    path: "The path to update the dynamic secret in.",
-    name: "The name of the dynamic secret.",
-    inputs: "The new partial values for the configurated provider of the dynamic secret",
-    defaultTTL: "The default TTL that will be applied for all the leases.",
-    maxTTL: "The maximum limit a TTL can be leases or renewed.",
-    newName: "The new name for the dynamic secret."
-  },
-  DELETE: {
-    projectSlug: "The slug of the project to delete dynamic secret in.",
-    environmentSlug: "The slug of the environment to delete the dynamic secret in.",
-    path: "The path to delete the dynamic secret in.",
-    name: "The name of the dynamic secret.",
-    isForced:
-      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
-  }
-} as const;
-
-export const DYNAMIC_SECRET_LEASES = {
-  GET_BY_LEASEID: {
-    projectSlug: "The slug of the project to create dynamic secret in.",
-    environmentSlug: "The slug of the environment to list folders from.",
-    path: "The path to list folders from.",
-    leaseId: "The ID of the dynamic secret lease."
-  },
-  CREATE: {
-    projectSlug: "The slug of the project of the dynamic secret in.",
-    environmentSlug: "The slug of the environment of the dynamic secret in.",
-    path: "The path of the dynamic secret in.",
-    dynamicSecretName: "The name of the dynamic secret.",
-    ttl: "The lease lifetime ttl. If not provided the default TTL of dynamic secret will be used."
-  },
-  RENEW: {
-    projectSlug: "The slug of the project of the dynamic secret in.",
-    environmentSlug: "The slug of the environment of the dynamic secret in.",
-    path: "The path of the dynamic secret in.",
-    leaseId: "The ID of the dynamic secret lease.",
-    ttl: "The renew TTL that gets added with current expiry (ensure it's below max TTL) for a total less than creation time + max TTL."
-  },
-  DELETE: {
-    projectSlug: "The slug of the project of the dynamic secret in.",
-    environmentSlug: "The slug of the environment of the dynamic secret in.",
-    path: "The path of the dynamic secret in.",
-    leaseId: "The ID of the dynamic secret lease.",
-    isForced:
-      "A boolean flag to delete the the dynamic secret from infisical without trying to remove it from external provider. Used when the dynamic secret got modified externally."
-  }
-} as const;
-export const SECRET_TAGS = {
-  LIST: {
-    projectId: "The ID of the project to list tags from."
-  },
-  CREATE: {
-    projectId: "The ID of the project to create the tag in.",
-    name: "The name of the tag to create.",
-    slug: "The slug of the tag to create.",
-    color: "The color of the tag to create."
-  },
-  DELETE: {
-    tagId: "The ID of the tag to delete.",
-    projectId: "The ID of the project to delete the tag from."
-  }
-} as const;

backend/src/lib/api-docs/index.ts

@@ -1 +0,0 @@
-export * from "./constants";

backend/src/lib/config/env.ts

@@ -18,7 +18,6 @@ const envSchema = z
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
       `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
     ),
-    MAX_LEASE_LIMIT: z.coerce.number().default(10000),
     DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
     DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
     DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
@@ -107,7 +106,6 @@ const envSchema = z
     LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
     LICENSE_SERVER_KEY: zpStr(z.string().optional()),
     LICENSE_KEY: zpStr(z.string().optional()),
-    LICENSE_KEY_OFFLINE: zpStr(z.string().optional()),
 
     // GENERIC
     STANDALONE_MODE: z

backend/src/lib/crypto/index.ts

@@ -17,5 +17,4 @@ export {
   decryptSecrets,
   decryptSecretVersions
 } from "./secret-encryption";
-export { verifyOfflineLicense } from "./signing";
 export { generateSrpServerKey, srpCheckClientProof } from "./srp";

backend/src/lib/crypto/license_public_key.pem

@@ -1,8 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBCgKCAQEApchBY3BXTu4zWGBguB7nM/pjpVLY3V7VGZOAxmR5ueQTJOwiGM13
-5HN3EM9fDlQnZu9VSc0OFqRM/bUeUaI1oLPE6WzTHjdHyKjDI/S+TLx3VGEsvhM1
-uukZpYX+3KX2w4wzRHBaBWyglFy0CVNth9UJhhpD+KKfv7dzcRmsbyoUWi9wGfJu
-wLYCwaCwZRXIt1sLGmMncPz14vfwdnm2a5Tj1Jbt0GTyBl+1/ZqLbO6SsslLg2G+
-o7FfGS9z8OUTkvDdu16qxL+p2wCEFZMnOz5BB4oakuT2gS9iOO2l5AOPcT4WzPzy
-PYbX3d7cN9BkOY9I5z0cX4wzqHjQTvGNLQIDAQAB
------END RSA PUBLIC KEY-----

backend/src/lib/crypto/signing.ts

@@ -1,22 +0,0 @@
-import crypto, { KeyObject } from "crypto";
-import fs from "fs/promises";
-import path from "path";
-
-export const verifySignature = (data: string, signature: Buffer, publicKey: KeyObject) => {
-  const verify = crypto.createVerify("SHA256");
-  verify.update(data);
-  verify.end();
-  return verify.verify(publicKey, signature);
-};
-
-export const verifyOfflineLicense = async (licenseContents: string, signature: string) => {
-  const publicKeyPem = await fs.readFile(path.join(__dirname, "license_public_key.pem"), "utf8");
-
-  const publicKey = crypto.createPublicKey({
-    key: publicKeyPem,
-    format: "pem",
-    type: "pkcs1"
-  });
-
-  return verifySignature(licenseContents, Buffer.from(signature, "base64"), publicKey);
-};

backend/src/lib/errors/index.ts

@@ -59,18 +59,6 @@ export class BadRequestError extends Error {
   }
 }
 
-export class DisableRotationErrors extends Error {
-  name: string;
-
-  error: unknown;
-
-  constructor({ name, error, message }: { message: string; name?: string; error?: unknown }) {
-    super(message);
-    this.name = name || "DisableRotationErrors";
-    this.error = error;
-  }
-}
-
 export class ScimRequestError extends Error {
   name: string;
 

backend/src/lib/knex/connection.ts

@@ -1,11 +0,0 @@
-import { URL } from "url"; // Import the URL class
-
-export const getDbConnectionHost = (urlString: string) => {
-  try {
-    const url = new URL(urlString);
-    // Split hostname and port (if provided)
-    return url.hostname.split(":")[0];
-  } catch (error) {
-    return null;
-  }
-};

backend/src/lib/knex/index.ts

@@ -4,7 +4,6 @@ import { Tables } from "knex/types/tables";
 
 import { DatabaseError } from "../errors";
 
-export * from "./connection";
 export * from "./join";
 export * from "./select";
 

backend/src/lib/types/index.ts

@@ -13,7 +13,7 @@ export type TProjectPermission = {
   actorId: string;
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
-  actorOrgId: string;
+  actorOrgId: string | undefined;
 };
 
 export type RequiredKeys<T> = {

backend/src/queue/queue-service.ts

@@ -18,8 +18,7 @@ export enum QueueName {
   SecretWebhook = "secret-webhook",
   SecretFullRepoScan = "secret-full-repo-scan",
   SecretPushEventScan = "secret-push-event-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost",
-  DynamicSecretRevocation = "dynamic-secret-revocation"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost"
 }
 
 export enum QueueJobs {
@@ -31,9 +30,7 @@ export enum QueueJobs {
   TelemetryInstanceStats = "telemetry-self-hosted-stats",
   IntegrationSync = "secret-integration-pull",
   SecretScan = "secret-scan",
-  UpgradeProjectToGhost = "upgrade-project-to-ghost-job",
-  DynamicSecretRevocation = "dynamic-secret-revocation",
-  DynamicSecretPruning = "dynamic-secret-pruning"
+  UpgradeProjectToGhost = "upgrade-project-to-ghost-job"
 }
 
 export type TQueueJobTypes = {
@@ -89,19 +86,6 @@ export type TQueueJobTypes = {
     name: QueueJobs.TelemetryInstanceStats;
     payload: undefined;
   };
-  [QueueName.DynamicSecretRevocation]:
-    | {
-        name: QueueJobs.DynamicSecretRevocation;
-        payload: {
-          leaseId: string;
-        };
-      }
-    | {
-        name: QueueJobs.DynamicSecretPruning;
-        payload: {
-          dynamicSecretCfgId: string;
-        };
-      };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

backend/src/server/plugins/auth/inject-identity.ts

@@ -16,7 +16,7 @@ export type TAuthMode =
       userId: string;
       tokenVersionId: string; // the session id of token used
       user: TUsers;
-      orgId: string;
+      orgId?: string;
       authMethod: AuthMethod;
     }
   | {
@@ -119,7 +119,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
           userId: user.id,
           tokenVersionId,
           actor,
-          orgId: orgId as string,
+          orgId,
           authMethod: token.authMethod
         };
         break;

backend/src/server/plugins/swagger.ts

@@ -14,13 +14,13 @@ export const fastifySwagger = fp(async (fastify) => {
         version: "0.0.1"
       },
       servers: [
-        {
-          url: "https://app.infisical.com",
-          description: "Production server"
-        },
         {
           url: "http://localhost:8080",
           description: "Local server"
+        },
+        {
+          url: "https://app.infisical.com",
+          description: "Production server"
         }
       ],
       components: {

backend/src/server/routes/index.ts

@@ -47,12 +47,6 @@ import { authPaswordServiceFactory } from "@app/services/auth/auth-password-serv
 import { authSignupServiceFactory } from "@app/services/auth/auth-signup-service";
 import { tokenDALFactory } from "@app/services/auth-token/auth-token-dal";
 import { tokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { dynamicSecretDALFactory } from "@app/services/dynamic-secret/dynamic-secret-dal";
-import { dynamicSecretServiceFactory } from "@app/services/dynamic-secret/dynamic-secret-service";
-import { buildDynamicSecretProviders } from "@app/services/dynamic-secret/providers";
-import { dynamicSecretLeaseDALFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-dal";
-import { dynamicSecretLeaseQueueServiceFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-queue";
-import { dynamicSecretLeaseServiceFactory } from "@app/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
@@ -202,8 +196,6 @@ export const registerRoutes = async (
   const gitAppOrgDAL = gitAppDALFactory(db);
   const secretScanningDAL = secretScanningDALFactory(db);
   const licenseDAL = licenseDALFactory(db);
-  const dynamicSecretDAL = dynamicSecretDALFactory(db);
-  const dynamicSecretLeaseDAL = dynamicSecretLeaseDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -558,34 +550,6 @@ export const registerRoutes = async (
     licenseService
   });
 
-  const dynamicSecretProviders = buildDynamicSecretProviders();
-  const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
-    queueService,
-    dynamicSecretLeaseDAL,
-    dynamicSecretProviders,
-    dynamicSecretDAL
-  });
-  const dynamicSecretService = dynamicSecretServiceFactory({
-    projectDAL,
-    dynamicSecretQueueService,
-    dynamicSecretDAL,
-    dynamicSecretLeaseDAL,
-    dynamicSecretProviders,
-    folderDAL,
-    permissionService,
-    licenseService
-  });
-  const dynamicSecretLeaseService = dynamicSecretLeaseServiceFactory({
-    projectDAL,
-    permissionService,
-    dynamicSecretQueueService,
-    dynamicSecretDAL,
-    dynamicSecretLeaseDAL,
-    dynamicSecretProviders,
-    folderDAL,
-    licenseService
-  });
-
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
@@ -627,8 +591,6 @@ export const registerRoutes = async (
     secretApprovalPolicy: sapService,
     secretApprovalRequest: sarService,
     secretRotation: secretRotationService,
-    dynamicSecret: dynamicSecretService,
-    dynamicSecretLease: dynamicSecretLeaseService,
     snapshot: snapshotService,
     saml: samlService,
     ldap: ldapService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -1,11 +1,6 @@
 import { z } from "zod";
 
-import {
-  DynamicSecretsSchema,
-  IntegrationAuthsSchema,
-  SecretApprovalPoliciesSchema,
-  UsersSchema
-} from "@app/db/schemas";
+import { IntegrationAuthsSchema, SecretApprovalPoliciesSchema, UsersSchema } from "@app/db/schemas";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -61,11 +56,3 @@ export const secretRawSchema = z.object({
   secretValue: z.string(),
   secretComment: z.string().optional()
 });
-
-export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
-  inputIV: true,
-  inputTag: true,
-  inputCiphertext: true,
-  keyEncoding: true,
-  algorithm: true
-});

backend/src/server/routes/v1/dynamic-secret-lease-router.ts

@@ -1,185 +0,0 @@
-import ms from "ms";
-import { z } from "zod";
-
-import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
-import { daysToMillisecond } from "@app/lib/dates";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { SanitizedDynamicSecretSchema } from "../sanitizedSchemas";
-
-export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
-        ttl: z
-          .string()
-          .optional()
-          .describe(DYNAMIC_SECRET_LEASES.CREATE.ttl)
-          .superRefine((val, ctx) => {
-            if (!val) return;
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          }),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRET_LEASES.CREATE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.path)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema,
-          dynamicSecret: SanitizedDynamicSecretSchema,
-          data: z.unknown()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { data, lease, dynamicSecret } = await server.services.dynamicSecretLease.create({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.body.dynamicSecretName,
-        ...req.body
-      });
-      return { lease, data, dynamicSecret };
-    }
-  });
-
-  server.route({
-    url: "/:leaseId",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
-      }),
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.projectSlug),
-        path: z
-          .string()
-          .min(1)
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRET_LEASES.DELETE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.environmentSlug),
-        isForced: z.boolean().default(false).describe(DYNAMIC_SECRET_LEASES.DELETE.isForced)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const lease = await server.services.dynamicSecretLease.revokeLease({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        leaseId: req.params.leaseId,
-        ...req.body
-      });
-      return { lease };
-    }
-  });
-
-  server.route({
-    url: "/:leaseId/renew",
-    method: "POST",
-    schema: {
-      params: z.object({
-        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
-      }),
-      body: z.object({
-        ttl: z
-          .string()
-          .describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
-          .optional()
-          .superRefine((val, ctx) => {
-            if (!val) return;
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          }),
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.projectSlug),
-        path: z
-          .string()
-          .min(1)
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRET_LEASES.RENEW.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.ttl)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const lease = await server.services.dynamicSecretLease.renewLease({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        leaseId: req.params.leaseId,
-        ...req.body
-      });
-      return { lease };
-    }
-  });
-
-  server.route({
-    url: "/:leaseId",
-    method: "GET",
-    schema: {
-      params: z.object({
-        leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
-      }),
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.projectSlug),
-        path: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          lease: DynamicSecretLeasesSchema.extend({
-            dynamicSecret: SanitizedDynamicSecretSchema
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const lease = await server.services.dynamicSecretLease.getLeaseDetails({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        leaseId: req.params.leaseId,
-        ...req.query
-      });
-      return { lease };
-    }
-  });
-};

backend/src/server/routes/v1/dynamic-secret-router.ts

@@ -1,272 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import ms from "ms";
-import { z } from "zod";
-
-import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
-import { daysToMillisecond } from "@app/lib/dates";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { DynamicSecretProviderSchema } from "@app/services/dynamic-secret/providers/models";
-
-import { SanitizedDynamicSecretSchema } from "../sanitizedSchemas";
-
-export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
-        provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
-        defaultTTL: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.defaultTTL)
-          .superRefine((val, ctx) => {
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          }),
-        maxTTL: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.maxTTL)
-          .optional()
-          .superRefine((val, ctx) => {
-            if (!val) return;
-            const valMs = ms(val);
-            if (valMs < 60 * 1000)
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-            if (valMs > daysToMillisecond(1))
-              ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-          })
-          .nullable(),
-        path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
-        environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: z
-          .string()
-          .describe(DYNAMIC_SECRETS.CREATE.name)
-          .min(1)
-          .toLowerCase()
-          .max(64)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid"
-          })
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.create({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/:name",
-    method: "PATCH",
-    schema: {
-      params: z.object({
-        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
-      }),
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.UPDATE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.UPDATE.environmentSlug),
-        data: z.object({
-          inputs: z.any().optional().describe(DYNAMIC_SECRETS.UPDATE.inputs),
-          defaultTTL: z
-            .string()
-            .describe(DYNAMIC_SECRETS.UPDATE.defaultTTL)
-            .optional()
-            .superRefine((val, ctx) => {
-              if (!val) return;
-              const valMs = ms(val);
-              if (valMs < 60 * 1000)
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-              if (valMs > daysToMillisecond(1))
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-            }),
-          maxTTL: z
-            .string()
-            .describe(DYNAMIC_SECRETS.UPDATE.maxTTL)
-            .optional()
-            .superRefine((val, ctx) => {
-              if (!val) return;
-              const valMs = ms(val);
-              if (valMs < 60 * 1000)
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
-              if (valMs > daysToMillisecond(1))
-                ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
-            })
-            .nullable(),
-          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
-        })
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.updateByName({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        path: req.body.path,
-        projectSlug: req.body.projectSlug,
-        environmentSlug: req.body.environmentSlug,
-        ...req.body.data
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/:name",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
-      }),
-      body: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.DELETE.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.DELETE.environmentSlug),
-        isForced: z.boolean().default(false).describe(DYNAMIC_SECRETS.DELETE.isForced)
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.deleteByName({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        ...req.body
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/:name",
-    method: "GET",
-    schema: {
-      params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
-      }),
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.GET_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          dynamicSecret: SanitizedDynamicSecretSchema.extend({
-            inputs: z.unknown()
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfg = await server.services.dynamicSecret.getDetails({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        ...req.query
-      });
-      return { dynamicSecret: dynamicSecretCfg };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          dynamicSecrets: SanitizedDynamicSecretSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const dynamicSecretCfgs = await server.services.dynamicSecret.list({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.query
-      });
-      return { dynamicSecrets: dynamicSecretCfgs };
-    }
-  });
-
-  server.route({
-    url: "/:name/leases",
-    method: "GET",
-    schema: {
-      params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
-      }),
-      querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
-        path: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
-      }),
-      response: {
-        200: z.object({
-          leases: DynamicSecretLeasesSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const leases = await server.services.dynamicSecretLease.listLeases({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.params.name,
-        ...req.query
-      });
-      return { leases };
-    }
-  });
-};

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -1,7 +1,5 @@
 import { z } from "zod";
 
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
-
 export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/token/renew",
@@ -9,7 +7,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
     schema: {
       description: "Renew access token",
       body: z.object({
-        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.RENEW_ACCESS_TOKEN.accessToken)
+        accessToken: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { IDENTITIES } from "@app/lib/api-docs";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,9 +20,9 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       body: z.object({
-        name: z.string().trim().describe(IDENTITIES.CREATE.name),
-        organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
-        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role)
+        name: z.string().trim(),
+        organizationId: z.string().trim(),
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess)
       }),
       response: {
         200: z.object({
@@ -80,11 +79,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(IDENTITIES.UPDATE.identityId)
+        identityId: z.string()
       }),
       body: z.object({
-        name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
-        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role)
+        name: z.string().trim().optional(),
+        role: z.string().trim().min(1).optional()
       }),
       response: {
         200: z.object({
@@ -130,7 +129,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(IDENTITIES.DELETE.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-ua.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { IdentityUaClientSecretsSchema, IdentityUniversalAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { UNIVERSAL_AUTH } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
@@ -27,8 +26,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "Login with Universal Auth",
       body: z.object({
-        clientId: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientId),
-        clientSecret: z.string().trim().describe(UNIVERSAL_AUTH.LOGIN.clientSecret)
+        clientId: z.string().trim(),
+        clientSecret: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -77,7 +76,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
+        identityId: z.string().trim()
       }),
       body: z.object({
         clientSecretTrustedIps: z
@@ -86,16 +85,14 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
         accessTokenTTL: z
           .number()
           .int()
@@ -103,22 +100,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
+          .default(2592000),
         accessTokenMaxTTL: z
           .number()
           .int()
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .default(0)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+          .default(2592000), // 30 days
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
       }),
       response: {
         200: z.object({
@@ -167,7 +157,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
+        identityId: z.string()
       }),
       body: z.object({
         clientSecretTrustedIps: z
@@ -176,23 +166,16 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           })
           .array()
           .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
+          .optional(),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).optional().describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
+          .optional(),
+        accessTokenTTL: z.number().int().min(0).optional(),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
         accessTokenMaxTTL: z
           .number()
           .int()
@@ -200,7 +183,6 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -250,7 +232,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.RETRIEVE.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({
@@ -294,12 +276,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.identityId)
+        identityId: z.string()
       }),
       body: z.object({
-        description: z.string().trim().default("").describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.description),
-        numUsesLimit: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.numUsesLimit),
-        ttl: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
+        description: z.string().trim().default(""),
+        numUsesLimit: z.number().min(0).default(0),
+        ttl: z.number().min(0).default(0)
       }),
       response: {
         200: z.object({
@@ -346,7 +328,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.LIST_CLIENT_SECRETS.identityId)
+        identityId: z.string()
       }),
       response: {
         200: z.object({
@@ -389,8 +371,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.identityId),
-        clientSecretId: z.string().describe(UNIVERSAL_AUTH.REVOKE_CLIENT_SECRET.clientSecretId)
+        identityId: z.string(),
+        clientSecretId: z.string()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/index.ts

@@ -1,8 +1,6 @@
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
-import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
-import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
@@ -54,14 +52,6 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     { prefix: "/workspace" }
   );
 
-  await server.register(
-    async (dynamicSecretRouter) => {
-      await dynamicSecretRouter.register(registerDynamicSecretRouter);
-      await dynamicSecretRouter.register(registerDynamicSecretLeaseRouter, { prefix: "/leases" });
-    },
-    { prefix: "/dynamic-secrets" }
-  );
-
   await server.register(registerProjectBotRouter, { prefix: "/bot" });
   await server.register(registerIntegrationRouter, { prefix: "/integration" });
   await server.register(registerIntegrationAuthRouter, { prefix: "/integration-auth" });

backend/src/server/routes/v1/integration-auth-router.ts

@@ -352,68 +352,6 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
-  server.route({
-    url: "/:integrationAuthId/github/orgs",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          orgs: z.object({ name: z.string(), orgId: z.string() }).array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const orgs = await server.services.integrationAuth.getGithubOrgs({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        id: req.params.integrationAuthId
-      });
-      if (!orgs) throw new Error("No organization found.");
-
-      return { orgs };
-    }
-  });
-
-  server.route({
-    url: "/:integrationAuthId/github/envs",
-    method: "GET",
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      querystring: z.object({
-        repoOwner: z.string().trim(),
-        repoName: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          envs: z.object({ name: z.string(), envId: z.string() }).array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const envs = await server.services.integrationAuth.getGithubEnvs({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationAuthId,
-        actorAuthMethod: req.permission.authMethod,
-        repoName: req.query.repoName,
-        repoOwner: req.query.repoOwner
-      });
-      if (!envs) throw new Error("No organization found.");
-
-      return { envs };
-    }
-  });
-
   server.route({
     url: "/:integrationAuthId/qovery/orgs",
     method: "GET",

backend/src/server/routes/v1/integration-router.ts

@@ -33,7 +33,6 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             secretPrefix: z.string().optional(),
             secretSuffix: z.string().optional(),
             initialSyncBehavior: z.string().optional(),
-            shouldAutoRedeploy: z.boolean().optional(),
             secretGCPLabel: z
               .object({
                 labelName: z.string(),

backend/src/server/routes/v1/project-env-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { ENVIRONMENTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,11 +18,11 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.CREATE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       body: z.object({
-        name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
-        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
+        name: z.string().trim(),
+        slug: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -75,13 +74,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.UPDATE.workspaceId),
-        id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
+        workspaceId: z.string().trim(),
+        id: z.string().trim()
       }),
       body: z.object({
-        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
-        name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
-        position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
+        slug: z.string().trim().optional(),
+        name: z.string().trim().optional(),
+        position: z.number().optional()
       }),
       response: {
         200: z.object({
@@ -139,8 +138,8 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(ENVIRONMENTS.DELETE.workspaceId),
-        id: z.string().trim().describe(ENVIRONMENTS.DELETE.id)
+        workspaceId: z.string().trim(),
+        id: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-membership-router.ts

@@ -9,7 +9,6 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -27,7 +26,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -137,8 +136,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim(),
+        membershipId: z.string().trim()
       }),
       body: z.object({
         roles: z
@@ -159,7 +158,6 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
           )
           .min(1)
           .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least long lived role is required")
-          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-router.ts

@@ -7,7 +7,6 @@ import {
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
@@ -129,7 +128,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -158,7 +157,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.DELETE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -221,16 +220,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "PATCH",
     schema: {
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.UPDATE.workspaceId)
+        workspaceId: z.string().trim()
       }),
       body: z.object({
-        name: z
-          .string()
-          .trim()
-          .max(64, { message: "Name must be 64 or fewer characters" })
-          .optional()
-          .describe(PROJECTS.UPDATE.name),
-        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
+        name: z.string().trim().max(64, { message: "Name must be 64 or fewer characters" }).optional(),
+        autoCapitalization: z.boolean().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { FOLDERS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,12 +19,12 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.CREATE.environment),
-        name: z.string().trim().describe(FOLDERS.CREATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        name: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.CREATE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -75,15 +74,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       ],
       params: z.object({
         // old way this was name
-        folderId: z.string().describe(FOLDERS.UPDATE.folderId)
+        folderId: z.string()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-        name: z.string().trim().describe(FOLDERS.UPDATE.name),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        name: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -122,7 +121,6 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
-  // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     url: "/:folderIdOrName",
     method: "DELETE",
@@ -135,14 +133,14 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        folderIdOrName: z.string().describe(FOLDERS.DELETE.folderIdOrName)
+        folderIdOrName: z.string()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.DELETE.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // keep this here as cli need directory
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.DELETE.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -192,11 +190,11 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().describe(FOLDERS.LIST.workspaceId),
-        environment: z.string().trim().describe(FOLDERS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         // backward compatiability with cli
-        directory: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.LIST.directory)
+        directory: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-import-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { SecretImportsSchema, SecretsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SECRET_IMPORTS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -20,12 +19,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.CREATE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         import: z.object({
-          environment: z.string().trim().describe(SECRET_IMPORTS.CREATE.import.environment),
-          path: z.string().trim().transform(removeTrailingSlash).describe(SECRET_IMPORTS.CREATE.import.path)
+          environment: z.string().trim(),
+          path: z.string().trim().transform(removeTrailingSlash)
         })
       }),
       response: {
@@ -82,21 +81,20 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        secretImportId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.secretImportId)
+        secretImportId: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.UPDATE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.UPDATE.path),
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
         import: z.object({
-          environment: z.string().trim().optional().describe(SECRET_IMPORTS.UPDATE.import.environment),
+          environment: z.string().trim().optional(),
           path: z
             .string()
             .trim()
             .optional()
-            .transform((val) => (val ? removeTrailingSlash(val) : val))
-            .describe(SECRET_IMPORTS.UPDATE.import.path),
-          position: z.number().optional().describe(SECRET_IMPORTS.UPDATE.import.position)
+            .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          position: z.number().optional()
         })
       }),
       response: {
@@ -154,12 +152,12 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       params: z.object({
-        secretImportId: z.string().trim().describe(SECRET_IMPORTS.DELETE.secretImportId)
+        secretImportId: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.DELETE.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.DELETE.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.DELETE.path)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({
@@ -215,9 +213,9 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().describe(SECRET_IMPORTS.LIST.workspaceId),
-        environment: z.string().trim().describe(SECRET_IMPORTS.LIST.environment),
-        path: z.string().trim().default("/").transform(removeTrailingSlash).describe(SECRET_IMPORTS.LIST.path)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-tag-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretTagsSchema } from "@app/db/schemas";
-import { SECRET_TAGS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -11,7 +10,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     schema: {
       params: z.object({
-        projectId: z.string().trim().describe(SECRET_TAGS.LIST.projectId)
+        projectId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -37,12 +36,12 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     schema: {
       params: z.object({
-        projectId: z.string().trim().describe(SECRET_TAGS.CREATE.projectId)
+        projectId: z.string().trim()
       }),
       body: z.object({
-        name: z.string().trim().describe(SECRET_TAGS.CREATE.name),
-        slug: z.string().trim().describe(SECRET_TAGS.CREATE.slug),
-        color: z.string().trim().describe(SECRET_TAGS.CREATE.color)
+        name: z.string().trim(),
+        slug: z.string().trim(),
+        color: z.string()
       }),
       response: {
         200: z.object({
@@ -69,8 +68,8 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     schema: {
       params: z.object({
-        projectId: z.string().trim().describe(SECRET_TAGS.DELETE.projectId),
-        tagId: z.string().trim().describe(SECRET_TAGS.DELETE.tagId)
+        projectId: z.string().trim(),
+        tagId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/identity-org-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,7 +18,7 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        orgId: z.string().trim().describe(ORGANIZATIONS.LIST_IDENTITY_MEMBERSHIPS.orgId)
+        orgId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/identity-project-router.ts

@@ -7,7 +7,6 @@ import {
   ProjectMembershipRole,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ProjectUserMembershipTemporaryMode } from "@app/services/project-membership/project-membership-types";
@@ -57,8 +56,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim(),
+        identityId: z.string().trim()
       }),
       body: z.object({
         roles: z
@@ -78,7 +77,6 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
             ])
           )
           .min(1)
-          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({
@@ -112,8 +110,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim(),
+        identityId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -146,7 +144,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
+        projectId: z.string().trim()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/organization-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
-import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
@@ -18,7 +17,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.LIST_USER_MEMBERSHIPS.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -64,7 +63,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
+        organizationId: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -109,12 +108,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           apiKeyAuth: []
         }
       ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.organizationId),
-        membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
-      }),
+      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
       body: z.object({
-        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
+        role: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -149,10 +145,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
           apiKeyAuth: []
         }
       ],
-      params: z.object({
-        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
-        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
-      }),
+      params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
       response: {
         200: z.object({
           membership: OrgMembershipsSchema

backend/src/server/routes/v2/project-membership-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -12,11 +11,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     url: "/:projectId/memberships",
     schema: {
       params: z.object({
-        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
+        projectId: z.string().describe("The ID of the project.")
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe("Emails of the users to add to the project."),
+        usernames: z.string().array().default([]).describe("Usernames of the users to add to the project.")
       }),
       response: {
         200: z.object({
@@ -58,12 +57,12 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     url: "/:projectId/memberships",
     schema: {
       params: z.object({
-        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
+        projectId: z.string().describe("The ID of the project.")
       }),
 
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe("Emails of the users to remove from the project."),
+        usernames: z.string().array().default([]).describe("Usernames of the users to remove from the project.")
       }),
       response: {
         200: z.object({

backend/src/server/routes/v2/project-router.ts

@@ -3,7 +3,6 @@ import { z } from "zod";
 
 import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECTS } from "@app/lib/api-docs";
 import { authRateLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -39,7 +38,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECTS.GET_KEY.workspaceId)
+        workspaceId: z.string().trim()
       }),
       response: {
         200: ProjectKeysSchema.merge(
@@ -141,16 +140,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
-        slug: z
-          .string()
-          .min(5)
-          .max(36)
-          .refine((v) => slugify(v) === v, {
-            message: "Slug must be a valid slug"
-          })
+        projectName: z.string().trim().describe("Name of the project you're creating"),
+        slug: slugSchema
           .optional()
-          .describe(PROJECTS.CREATE.slug)
+          .describe("An optional slug for the project. If not provided, it will be auto-generated"),
+        organizationSlug: z.string().trim().describe("The slug of the organization to create the project in")
       }),
       response: {
         200: z.object({
@@ -165,6 +159,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
+        orgSlug: req.body.organizationSlug,
         workspaceName: req.body.projectName,
         slug: req.body.slug
       });

backend/src/server/routes/v3/secret-router.ts

@@ -10,7 +10,6 @@ import {
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
-import { RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -23,124 +22,6 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 import { secretRawSchema } from "../sanitizedSchemas";
 
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/tags/:secretName",
-    method: "POST",
-    schema: {
-      description: "Attach tags to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
-      }),
-      body: z.object({
-        projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
-        environment: z.string().trim().describe(SECRETS.ATTACH_TAGS.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(SECRETS.ATTACH_TAGS.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(SECRETS.ATTACH_TAGS.type),
-        tagSlugs: z.string().array().min(1).describe(SECRETS.ATTACH_TAGS.tagSlugs)
-      }),
-      response: {
-        200: z.object({
-          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
-            z.object({
-              tags: SecretTagsSchema.pick({
-                id: true,
-                slug: true,
-                name: true,
-                color: true
-              }).array()
-            })
-          )
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const secret = await server.services.secret.attachTags({
-        secretName: req.params.secretName,
-        tagSlugs: req.body.tagSlugs,
-        path: req.body.secretPath,
-        environment: req.body.environment,
-        type: req.body.type,
-        projectSlug: req.body.projectSlug,
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return { secret };
-    }
-  });
-
-  server.route({
-    url: "/tags/:secretName",
-    method: "DELETE",
-    schema: {
-      description: "Detach tags from a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
-      }),
-      body: z.object({
-        projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
-        environment: z.string().trim().describe(SECRETS.DETACH_TAGS.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(SECRETS.DETACH_TAGS.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(SECRETS.DETACH_TAGS.type),
-        tagSlugs: z.string().array().min(1).describe(SECRETS.DETACH_TAGS.tagSlugs)
-      }),
-      response: {
-        200: z.object({
-          secret: SecretsSchema.omit({ secretBlindIndex: true }).merge(
-            z.object({
-              tags: SecretTagsSchema.pick({
-                id: true,
-                slug: true,
-                name: true,
-                color: true
-              }).array()
-            })
-          )
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const secret = await server.services.secret.detachTags({
-        secretName: req.params.secretName,
-        tagSlugs: req.body.tagSlugs,
-        path: req.body.secretPath,
-        environment: req.body.environment,
-        type: req.body.type,
-        projectSlug: req.body.projectSlug,
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return { secret };
-    }
-  });
-
   server.route({
     url: "/raw",
     method: "GET",
@@ -153,15 +34,20 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       querystring: z.object({
-        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceId),
-        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceSlug),
-        environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
+        workspaceId: z.string().trim().optional(),
+        workspaceSlug: z
+          .string()
+          .trim()
+          .optional()
+          .describe(
+            "The slug of the workspace. This is only supported when authenticating Machine Identity's. Either the project ID or project slug has to be present in the request."
+          ),
+        environment: z.string().trim().optional(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.LIST.includeImports)
       }),
       response: {
         200: z.object({
@@ -262,19 +148,18 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET.secretName)
+        secretName: z.string().trim()
       }),
       querystring: z.object({
-        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
-        environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
-        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
+        workspaceId: z.string().trim().optional(),
+        environment: z.string().trim().optional(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        version: z.coerce.number().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.GET.includeImports)
       }),
       response: {
         200: z.object({
@@ -354,24 +239,16 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.CREATE.secretPath),
-        secretValue: z
-          .string()
-          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-          .describe(RAW_SECRETS.CREATE.secretValue),
-        secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
-        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+        secretComment: z.string().trim().optional().default(""),
+        skipMultilineEncoding: z.boolean().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({
@@ -440,23 +317,15 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
-        secretValue: z
-          .string()
-          .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-          .describe(RAW_SECRETS.UPDATE.secretValue),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.UPDATE.secretPath),
-        skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        skipMultilineEncoding: z.boolean().optional(),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({
@@ -523,18 +392,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().trim()
       }),
       body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.DELETE.secretPath),
-        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.DELETE.type)
+        workspaceId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        type: z.nativeEnum(SecretType).default(SecretType.Shared)
       }),
       response: {
         200: z.object({

backend/src/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts

@@ -1,80 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { DynamicSecretLeasesSchema, TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-
-export type TDynamicSecretLeaseDALFactory = ReturnType<typeof dynamicSecretLeaseDALFactory>;
-
-export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.DynamicSecretLease);
-
-  const countLeasesForDynamicSecret = async (dynamicSecretId: string, tx?: Knex) => {
-    try {
-      const doc = await (tx || db)(TableName.DynamicSecretLease).count("*").where({ dynamicSecretId }).first();
-      return parseInt(doc || "0", 10);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DynamicSecretCountLeases" });
-    }
-  };
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const doc = await (tx || db)(TableName.DynamicSecretLease)
-        .where({ [`${TableName.DynamicSecretLease}.id` as "id"]: id })
-        .first()
-        .join(
-          TableName.DynamicSecret,
-          `${TableName.DynamicSecretLease}.dynamicSecretId`,
-          `${TableName.DynamicSecret}.id`
-        )
-        .select(selectAllTableCols(TableName.DynamicSecretLease))
-        .select(
-          db.ref("id").withSchema(TableName.DynamicSecret).as("dynId"),
-          db.ref("name").withSchema(TableName.DynamicSecret).as("dynName"),
-          db.ref("version").withSchema(TableName.DynamicSecret).as("dynVersion"),
-          db.ref("type").withSchema(TableName.DynamicSecret).as("dynType"),
-          db.ref("defaultTTL").withSchema(TableName.DynamicSecret).as("dynDefaultTTL"),
-          db.ref("maxTTL").withSchema(TableName.DynamicSecret).as("dynMaxTTL"),
-          db.ref("inputIV").withSchema(TableName.DynamicSecret).as("dynInputIV"),
-          db.ref("inputTag").withSchema(TableName.DynamicSecret).as("dynInputTag"),
-          db.ref("inputCiphertext").withSchema(TableName.DynamicSecret).as("dynInputCiphertext"),
-          db.ref("algorithm").withSchema(TableName.DynamicSecret).as("dynAlgorithm"),
-          db.ref("keyEncoding").withSchema(TableName.DynamicSecret).as("dynKeyEncoding"),
-          db.ref("folderId").withSchema(TableName.DynamicSecret).as("dynFolderId"),
-          db.ref("status").withSchema(TableName.DynamicSecret).as("dynStatus"),
-          db.ref("statusDetails").withSchema(TableName.DynamicSecret).as("dynStatusDetails"),
-          db.ref("createdAt").withSchema(TableName.DynamicSecret).as("dynCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.DynamicSecret).as("dynUpdatedAt")
-        );
-      if (!doc) return;
-
-      return {
-        ...DynamicSecretLeasesSchema.parse(doc),
-        dynamicSecret: {
-          id: doc.dynId,
-          name: doc.dynName,
-          version: doc.dynVersion,
-          type: doc.dynType,
-          defaultTTL: doc.dynDefaultTTL,
-          maxTTL: doc.dynMaxTTL,
-          inputIV: doc.dynInputIV,
-          inputTag: doc.dynInputTag,
-          inputCiphertext: doc.dynInputCiphertext,
-          algorithm: doc.dynAlgorithm,
-          keyEncoding: doc.dynKeyEncoding,
-          folderId: doc.dynFolderId,
-          status: doc.dynStatus,
-          statusDetails: doc.dynStatusDetails,
-          createdAt: doc.dynCreatedAt,
-          updatedAt: doc.dynUpdatedAt
-        }
-      };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DynamicSecretLeaseFindById" });
-    }
-  };
-
-  return { ...orm, findById, countLeasesForDynamicSecret };
-};

backend/src/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts

@@ -1,159 +0,0 @@
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { DisableRotationErrors } from "@app/ee/services/secret-rotation/secret-rotation-queue";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { logger } from "@app/lib/logger";
-import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-
-import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
-import { DynamicSecretStatus } from "../dynamic-secret/dynamic-secret-types";
-import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
-import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
-
-type TDynamicSecretLeaseQueueServiceFactoryDep = {
-  queueService: TQueueServiceFactory;
-  dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "findById" | "deleteById" | "find" | "updateById">;
-  dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findById" | "deleteById" | "updateById">;
-  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-};
-
-export type TDynamicSecretLeaseQueueServiceFactory = ReturnType<typeof dynamicSecretLeaseQueueServiceFactory>;
-
-export const dynamicSecretLeaseQueueServiceFactory = ({
-  queueService,
-  dynamicSecretDAL,
-  dynamicSecretProviders,
-  dynamicSecretLeaseDAL
-}: TDynamicSecretLeaseQueueServiceFactoryDep) => {
-  const pruneDynamicSecret = async (dynamicSecretCfgId: string) => {
-    await queueService.queue(
-      QueueName.DynamicSecretRevocation,
-      QueueJobs.DynamicSecretPruning,
-      { dynamicSecretCfgId },
-      {
-        jobId: dynamicSecretCfgId,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
-      }
-    );
-  };
-
-  const setLeaseRevocation = async (leaseId: string, expiry: number) => {
-    await queueService.queue(
-      QueueName.DynamicSecretRevocation,
-      QueueJobs.DynamicSecretRevocation,
-      { leaseId },
-      {
-        jobId: leaseId,
-        backoff: {
-          type: "exponential",
-          delay: 3000
-        },
-        delay: expiry,
-        removeOnFail: {
-          count: 3
-        },
-        removeOnComplete: true
-      }
-    );
-  };
-
-  const unsetLeaseRevocation = async (leaseId: string) => {
-    await queueService.stopJobById(QueueName.DynamicSecretRevocation, leaseId);
-  };
-
-  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
-    try {
-      if (job.name === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
-        logger.info("Dynamic secret lease revocation started: ", leaseId, job.id);
-
-        const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-        if (!dynamicSecretLease) throw new DisableRotationErrors({ message: "Dynamic secret lease not found" });
-
-        const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
-        const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-        const decryptedStoredInput = JSON.parse(
-          infisicalSymmetricDecrypt({
-            keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-            ciphertext: dynamicSecretCfg.inputCiphertext,
-            tag: dynamicSecretCfg.inputTag,
-            iv: dynamicSecretCfg.inputIV
-          })
-        ) as object;
-
-        await selectedProvider.revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId);
-        await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
-        return;
-      }
-
-      if (job.name === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
-        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, job.id);
-        const dynamicSecretCfg = await dynamicSecretDAL.findById(dynamicSecretCfgId);
-        if (!dynamicSecretCfg) throw new DisableRotationErrors({ message: "Dynamic secret not found" });
-        if ((dynamicSecretCfg.status as DynamicSecretStatus) !== DynamicSecretStatus.Deleting)
-          throw new DisableRotationErrors({ message: "Document not deleted" });
-
-        const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfgId });
-        if (dynamicSecretLeases.length) {
-          const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-          const decryptedStoredInput = JSON.parse(
-            infisicalSymmetricDecrypt({
-              keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-              ciphertext: dynamicSecretCfg.inputCiphertext,
-              tag: dynamicSecretCfg.inputTag,
-              iv: dynamicSecretCfg.inputIV
-            })
-          ) as object;
-
-          await Promise.all(dynamicSecretLeases.map(({ id }) => unsetLeaseRevocation(id)));
-          await Promise.all(
-            dynamicSecretLeases.map(({ externalEntityId }) =>
-              selectedProvider.revoke(decryptedStoredInput, externalEntityId)
-            )
-          );
-        }
-
-        await dynamicSecretDAL.deleteById(dynamicSecretCfgId);
-      }
-      logger.info("Finished dynamic secret job", job.id);
-    } catch (error) {
-      logger.error(error);
-
-      if (job?.name === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
-        await dynamicSecretDAL.updateById(dynamicSecretCfgId, {
-          status: DynamicSecretStatus.FailedDeletion,
-          statusDetails: (error as Error)?.message?.slice(0, 255)
-        });
-      }
-
-      if (job?.name === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
-        await dynamicSecretLeaseDAL.updateById(leaseId, {
-          status: DynamicSecretStatus.FailedDeletion,
-          statusDetails: (error as Error)?.message?.slice(0, 255)
-        });
-      }
-      if (error instanceof DisableRotationErrors) {
-        if (job.id) {
-          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, job.id);
-        }
-      }
-      // propogate to next part
-      throw error;
-    }
-  });
-
-  return {
-    pruneDynamicSecret,
-    setLeaseRevocation,
-    unsetLeaseRevocation
-  };
-};

backend/src/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,341 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-import ms from "ms";
-
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { getConfig } from "@app/lib/config/env";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
-
-import { TDynamicSecretDALFactory } from "../dynamic-secret/dynamic-secret-dal";
-import { DynamicSecretProviders, TDynamicProviderFns } from "../dynamic-secret/providers/models";
-import { TProjectDALFactory } from "../project/project-dal";
-import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
-import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
-import { TDynamicSecretLeaseQueueServiceFactory } from "./dynamic-secret-lease-queue";
-import {
-  DynamicSecretLeaseStatus,
-  TCreateDynamicSecretLeaseDTO,
-  TDeleteDynamicSecretLeaseDTO,
-  TDetailsDynamicSecretLeaseDTO,
-  TListDynamicSecretLeasesDTO,
-  TRenewDynamicSecretLeaseDTO
-} from "./dynamic-secret-lease-types";
-
-type TDynamicSecretLeaseServiceFactoryDep = {
-  dynamicSecretLeaseDAL: TDynamicSecretLeaseDALFactory;
-  dynamicSecretDAL: Pick<TDynamicSecretDALFactory, "findOne">;
-  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-  dynamicSecretQueueService: TDynamicSecretLeaseQueueServiceFactory;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-};
-
-export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
-
-export const dynamicSecretLeaseServiceFactory = ({
-  dynamicSecretLeaseDAL,
-  dynamicSecretProviders,
-  dynamicSecretDAL,
-  folderDAL,
-  permissionService,
-  dynamicSecretQueueService,
-  projectDAL,
-  licenseService
-}: TDynamicSecretLeaseServiceFactoryDep) => {
-  const create = async ({
-    environmentSlug,
-    path,
-    name,
-    projectSlug,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    ttl
-  }: TCreateDynamicSecretLeaseDTO) => {
-    const appCfg = getConfig();
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to create lease due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
-    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
-      throw new BadRequestError({ message: `Max lease limit reached. Limit: ${appCfg.MAX_LEASE_LIMIT}` });
-
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
-    const { maxTTL } = dynamicSecretCfg;
-    const expireAt = new Date(new Date().getTime() + ms(selectedTTL));
-    if (maxTTL) {
-      const maxExpiryDate = new Date(new Date().getTime() + ms(maxTTL));
-      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max TTL" });
-    }
-
-    const { entityId, data } = await selectedProvider.create(decryptedStoredInput, expireAt.getTime());
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.create({
-      expireAt,
-      version: 1,
-      dynamicSecretId: dynamicSecretCfg.id,
-      externalEntityId: entityId
-    });
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
-    return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
-  };
-
-  const renewLease = async ({
-    ttl,
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor,
-    projectSlug,
-    path,
-    environmentSlug,
-    leaseId
-  }: TRenewDynamicSecretLeaseDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to renew lease due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
-
-    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
-    const { maxTTL } = dynamicSecretCfg;
-    const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
-    if (maxTTL) {
-      const maxExpiryDate = new Date(dynamicSecretLease.createdAt.getTime() + ms(maxTTL));
-      if (expireAt > maxExpiryDate) throw new BadRequestError({ message: "TTL cannot be larger than max ttl" });
-    }
-
-    const { entityId } = await selectedProvider.renew(
-      decryptedStoredInput,
-      dynamicSecretLease.externalEntityId,
-      expireAt.getTime()
-    );
-
-    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
-    const updatedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
-      expireAt,
-      externalEntityId: entityId
-    });
-    return updatedDynamicSecretLease;
-  };
-
-  const revokeLease = async ({
-    leaseId,
-    environmentSlug,
-    path,
-    projectSlug,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    isForced
-  }: TDeleteDynamicSecretLeaseDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
-
-    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-
-    const revokeResponse = await selectedProvider
-      .revoke(decryptedStoredInput, dynamicSecretLease.externalEntityId)
-      .catch(async (err) => {
-        // only propogate this error if forced is false
-        if (!isForced) return { error: err as Error };
-      });
-
-    if ((revokeResponse as { error?: Error })?.error) {
-      const { error } = revokeResponse as { error?: Error };
-      const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
-        status: DynamicSecretLeaseStatus.FailedDeletion,
-        statusDetails: error?.message?.slice(0, 255)
-      });
-      return deletedDynamicSecretLease;
-    }
-
-    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
-    const deletedDynamicSecretLease = await dynamicSecretLeaseDAL.deleteById(dynamicSecretLease.id);
-    return deletedDynamicSecretLease;
-  };
-
-  const listLeases = async ({
-    path,
-    name,
-    actor,
-    actorId,
-    projectSlug,
-    actorOrgId,
-    environmentSlug,
-    actorAuthMethod
-  }: TListDynamicSecretLeasesDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
-    return dynamicSecretLeases;
-  };
-
-  const getLeaseDetails = async ({
-    projectSlug,
-    actorOrgId,
-    path,
-    environmentSlug,
-    actor,
-    actorId,
-    leaseId,
-    actorAuthMethod
-  }: TDetailsDynamicSecretLeaseDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
-
-    return dynamicSecretLease;
-  };
-
-  return {
-    create,
-    listLeases,
-    revokeLease,
-    renewLease,
-    getLeaseDetails
-  };
-};

backend/src/services/dynamic-secret-lease/dynamic-secret-lease-types.ts

@@ -1,43 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export enum DynamicSecretLeaseStatus {
-  FailedDeletion = "Failed to delete"
-}
-
-export type TCreateDynamicSecretLeaseDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  ttl?: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDetailsDynamicSecretLeaseDTO = {
-  leaseId: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListDynamicSecretLeasesDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteDynamicSecretLeaseDTO = {
-  leaseId: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-  isForced?: boolean;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TRenewDynamicSecretLeaseDTO = {
-  leaseId: string;
-  path: string;
-  environmentSlug: string;
-  ttl?: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/services/dynamic-secret/dynamic-secret-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;
-
-export const dynamicSecretDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.DynamicSecret);
-  return orm;
-};

backend/src/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,341 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
-
-import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
-import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TProjectDALFactory } from "../project/project-dal";
-import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
-import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
-import {
-  DynamicSecretStatus,
-  TCreateDynamicSecretDTO,
-  TDeleteDynamicSecretDTO,
-  TDetailsDynamicSecretDTO,
-  TListDynamicSecretsDTO,
-  TUpdateDynamicSecretDTO
-} from "./dynamic-secret-types";
-import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";
-
-type TDynamicSecretServiceFactoryDep = {
-  dynamicSecretDAL: TDynamicSecretDALFactory;
-  dynamicSecretLeaseDAL: Pick<TDynamicSecretLeaseDALFactory, "find">;
-  dynamicSecretProviders: Record<DynamicSecretProviders, TDynamicProviderFns>;
-  dynamicSecretQueueService: Pick<
-    TDynamicSecretLeaseQueueServiceFactory,
-    "pruneDynamicSecret" | "unsetLeaseRevocation"
-  >;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-};
-
-export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
-
-export const dynamicSecretServiceFactory = ({
-  dynamicSecretDAL,
-  dynamicSecretLeaseDAL,
-  licenseService,
-  folderDAL,
-  dynamicSecretProviders,
-  permissionService,
-  dynamicSecretQueueService,
-  projectDAL
-}: TDynamicSecretServiceFactoryDep) => {
-  const create = async ({
-    path,
-    actor,
-    name,
-    actorId,
-    maxTTL,
-    provider,
-    environmentSlug,
-    projectSlug,
-    actorOrgId,
-    defaultTTL,
-    actorAuthMethod
-  }: TCreateDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to create dynamic secret due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (existingDynamicSecret)
-      throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
-
-    const selectedProvider = dynamicSecretProviders[provider.type];
-    const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
-
-    const isConnected = await selectedProvider.validateConnection(provider.inputs);
-    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
-
-    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(inputs));
-    const dynamicSecretCfg = await dynamicSecretDAL.create({
-      type: provider.type,
-      version: 1,
-      inputIV: encryptedInput.iv,
-      inputTag: encryptedInput.tag,
-      inputCiphertext: encryptedInput.ciphertext,
-      algorithm: encryptedInput.algorithm,
-      keyEncoding: encryptedInput.encoding,
-      maxTTL,
-      defaultTTL,
-      folderId: folder.id,
-      name
-    });
-    return dynamicSecretCfg;
-  };
-
-  const updateByName = async ({
-    name,
-    maxTTL,
-    defaultTTL,
-    inputs,
-    environmentSlug,
-    projectSlug,
-    path,
-    actor,
-    actorId,
-    newName,
-    actorOrgId,
-    actorAuthMethod
-  }: TUpdateDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan?.dynamicSecret) {
-      throw new BadRequestError({
-        message: "Failed to update dynamic secret due to plan restriction. Upgrade plan to create dynamic secret."
-      });
-    }
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    if (newName) {
-      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
-      if (existingDynamicSecret)
-        throw new BadRequestError({ message: "Provided dynamic secret already exist under the folder" });
-    }
-
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-    const newInput = { ...decryptedStoredInput, ...(inputs || {}) };
-    const updatedInput = await selectedProvider.validateProviderInputs(newInput);
-
-    const isConnected = await selectedProvider.validateConnection(newInput);
-    if (!isConnected) throw new BadRequestError({ message: "Provider connection failed" });
-
-    const encryptedInput = infisicalSymmetricEncypt(JSON.stringify(updatedInput));
-    const updatedDynamicCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
-      inputIV: encryptedInput.iv,
-      inputTag: encryptedInput.tag,
-      inputCiphertext: encryptedInput.ciphertext,
-      algorithm: encryptedInput.algorithm,
-      keyEncoding: encryptedInput.encoding,
-      maxTTL,
-      defaultTTL,
-      name: newName ?? name,
-      status: null,
-      statusDetails: null
-    });
-
-    return updatedDynamicCfg;
-  };
-
-  const deleteByName = async ({
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor,
-    projectSlug,
-    name,
-    path,
-    environmentSlug,
-    isForced
-  }: TDeleteDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-
-    const leases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
-    // when not forced we check with the external system to first remove the things
-    // we introduce a forced concept because consider the external lease got deleted by some other external like a human or another system
-    // this allows user to clean up it from infisical
-    if (isForced) {
-      // clear all queues for lease revocations
-      await Promise.all(leases.map(({ id: leaseId }) => dynamicSecretQueueService.unsetLeaseRevocation(leaseId)));
-
-      const deletedDynamicSecretCfg = await dynamicSecretDAL.deleteById(dynamicSecretCfg.id);
-      return deletedDynamicSecretCfg;
-    }
-    // if leases exist we should flag it as deleting and then remove leases in background
-    // then delete the main one
-    if (leases.length) {
-      const updatedDynamicSecretCfg = await dynamicSecretDAL.updateById(dynamicSecretCfg.id, {
-        status: DynamicSecretStatus.Deleting
-      });
-      await dynamicSecretQueueService.pruneDynamicSecret(updatedDynamicSecretCfg.id);
-      return updatedDynamicSecretCfg;
-    }
-    // if no leases just delete the config
-    const deletedDynamicSecretCfg = await dynamicSecretDAL.deleteById(dynamicSecretCfg.id);
-    return deletedDynamicSecretCfg;
-  };
-
-  const getDetails = async ({
-    name,
-    projectSlug,
-    path,
-    environmentSlug,
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor
-  }: TDetailsDynamicSecretDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
-    const decryptedStoredInput = JSON.parse(
-      infisicalSymmetricDecrypt({
-        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
-        ciphertext: dynamicSecretCfg.inputCiphertext,
-        tag: dynamicSecretCfg.inputTag,
-        iv: dynamicSecretCfg.inputIV
-      })
-    ) as object;
-    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
-    const providerInputs = (await selectedProvider.validateProviderInputs(decryptedStoredInput)) as object;
-    return { ...dynamicSecretCfg, inputs: providerInputs };
-  };
-
-  const list = async ({
-    actorAuthMethod,
-    actorOrgId,
-    actorId,
-    actor,
-    projectSlug,
-    path,
-    environmentSlug
-  }: TListDynamicSecretsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
-    );
-
-    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
-
-    const dynamicSecretCfg = await dynamicSecretDAL.find({ folderId: folder.id });
-    return dynamicSecretCfg;
-  };
-
-  return {
-    create,
-    updateByName,
-    deleteByName,
-    getDetails,
-    list
-  };
-};

backend/src/services/dynamic-secret/dynamic-secret-types.ts

@@ -1,54 +0,0 @@
-import { z } from "zod";
-
-import { TProjectPermission } from "@app/lib/types";
-
-import { DynamicSecretProviderSchema } from "./providers/models";
-
-// various status for dynamic secret that happens in background
-export enum DynamicSecretStatus {
-  Deleting = "Revocation in process",
-  FailedDeletion = "Failed to delete"
-}
-
-type TProvider = z.infer<typeof DynamicSecretProviderSchema>;
-export type TCreateDynamicSecretDTO = {
-  provider: TProvider;
-  defaultTTL: string;
-  maxTTL?: string | null;
-  path: string;
-  environmentSlug: string;
-  name: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateDynamicSecretDTO = {
-  name: string;
-  newName?: string;
-  defaultTTL?: string;
-  maxTTL?: string | null;
-  path: string;
-  environmentSlug: string;
-  inputs?: TProvider["inputs"];
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteDynamicSecretDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-  isForced?: boolean;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDetailsDynamicSecretDTO = {
-  name: string;
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListDynamicSecretsDTO = {
-  path: string;
-  environmentSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/services/dynamic-secret/providers/index.ts

@@ -1,6 +0,0 @@
-import { DynamicSecretProviders } from "./models";
-import { SqlDatabaseProvider } from "./sql-database";
-
-export const buildDynamicSecretProviders = () => ({
-  [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider()
-});

backend/src/services/dynamic-secret/providers/models.ts

@@ -1,34 +0,0 @@
-import { z } from "zod";
-
-export enum SqlProviders {
-  Postgres = "postgres"
-}
-
-export const DynamicSecretSqlDBSchema = z.object({
-  client: z.nativeEnum(SqlProviders),
-  host: z.string().toLowerCase(),
-  port: z.number(),
-  database: z.string(),
-  username: z.string(),
-  password: z.string(),
-  creationStatement: z.string(),
-  revocationStatement: z.string(),
-  renewStatement: z.string(),
-  ca: z.string().optional()
-});
-
-export enum DynamicSecretProviders {
-  SqlDatabase = "sql-database"
-}
-
-export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
-  z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema })
-]);
-
-export type TDynamicProviderFns = {
-  create: (inputs: unknown, expireAt: number) => Promise<{ entityId: string; data: unknown }>;
-  validateConnection: (inputs: unknown) => Promise<boolean>;
-  validateProviderInputs: (inputs: object) => Promise<unknown>;
-  revoke: (inputs: unknown, entityId: string) => Promise<{ entityId: string }>;
-  renew: (inputs: unknown, entityId: string, expireAt: number) => Promise<{ entityId: string }>;
-};

backend/src/services/dynamic-secret/providers/sql-database.ts

@@ -1,113 +0,0 @@
-import handlebars from "handlebars";
-import knex from "knex";
-import { customAlphabet } from "nanoid";
-import { z } from "zod";
-
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
-import { getDbConnectionHost } from "@app/lib/knex";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { DynamicSecretSqlDBSchema, TDynamicProviderFns } from "./models";
-
-const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
-
-const generatePassword = (size?: number) => {
-  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
-  return customAlphabet(charset, 48)(size);
-};
-
-export const SqlDatabaseProvider = (): TDynamicProviderFns => {
-  const validateProviderInputs = async (inputs: unknown) => {
-    const appCfg = getConfig();
-    const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
-
-    const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1" || dbHost === providerInputs.host)
-      throw new BadRequestError({ message: "Invalid db host" });
-    return providerInputs;
-  };
-
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
-    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const db = knex({
-      client: providerInputs.client,
-      connection: {
-        database: providerInputs.database,
-        port: providerInputs.port,
-        host: providerInputs.host,
-        user: providerInputs.username,
-        password: providerInputs.password,
-        connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,
-        ssl,
-        pool: { min: 0, max: 1 }
-      }
-    });
-    return db;
-  };
-
-  const validateConnection = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-    const isConnected = await db
-      .raw("SELECT NOW()")
-      .then(() => true)
-      .catch(() => false);
-    await db.destroy();
-    return isConnected;
-  };
-
-  const create = async (inputs: unknown, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-
-    const username = alphaNumericNanoId(32);
-    const password = generatePassword();
-    const expiration = new Date(expireAt).toISOString();
-
-    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-      username,
-      password,
-      expiration
-    });
-
-    await db.raw(creationStatement.toString());
-    await db.destroy();
-    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
-  };
-
-  const revoke = async (inputs: unknown, entityId: string) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-
-    const username = entityId;
-
-    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
-    await db.raw(revokeStatement);
-
-    await db.destroy();
-    return { entityId: username };
-  };
-
-  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
-
-    const username = entityId;
-    const expiration = new Date(expireAt).toISOString();
-
-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
-    await db.raw(renewStatement);
-
-    await db.destroy();
-    return { entityId: username };
-  };
-
-  return {
-    validateProviderInputs,
-    validateConnection,
-    create,
-    revoke,
-    renew
-  };
-};

backend/src/services/integration-auth/integration-app-list.ts

@@ -260,44 +260,20 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
  * Return list of services for Render integration
  */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
-  const apps: Array<{ name: string; appId: string }> = [];
-  let hasMorePages = true;
-  const perPage = 100;
-  let cursor;
+  const res = (
+    await request.get<{ service: { name: string; id: string } }[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+        "Accept-Encoding": "application/json"
+      }
+    })
+  ).data;
 
-  interface RenderService {
-    cursor: string;
-    service: { name: string; id: string };
-  }
-
-  while (hasMorePages) {
-    const res: RenderService[] = (
-      await request.get<RenderService[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
-        params: new URLSearchParams({
-          ...(cursor ? { cursor: String(cursor) } : {}),
-          limit: String(perPage)
-        }),
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: "application/json",
-          "Accept-Encoding": "application/json"
-        }
-      })
-    ).data;
-
-    res.forEach((a) => {
-      apps.push({
-        name: a.service.name,
-        appId: a.service.id
-      });
-    });
-
-    if (res.length < perPage) {
-      hasMorePages = false;
-    } else {
-      cursor = res[res.length - 1].cursor;
-    }
-  }
+  const apps = res.map((a) => ({
+    name: a.service.name,
+    appId: a.service.id
+  }));
 
   return apps;
 };

backend/src/services/integration-auth/integration-auth-service.ts

@@ -1,5 +1,4 @@
 import { ForbiddenError } from "@casl/ability";
-import { Octokit } from "@octokit/rest";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -25,8 +24,6 @@ import {
   TIntegrationAuthAppsDTO,
   TIntegrationAuthBitbucketWorkspaceDTO,
   TIntegrationAuthChecklyGroupsDTO,
-  TIntegrationAuthGithubEnvsDTO,
-  TIntegrationAuthGithubOrgsDTO,
   TIntegrationAuthHerokuPipelinesDTO,
   TIntegrationAuthNorthflankSecretGroupDTO,
   TIntegrationAuthQoveryEnvironmentsDTO,
@@ -438,75 +435,6 @@ export const integrationAuthServiceFactory = ({
     return [];
   };
 
-  const getGithubOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthGithubOrgsDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
-
-    const octokit = new Octokit({
-      auth: accessToken
-    });
-
-    const { data } = await octokit.request("GET /user/orgs", {
-      headers: {
-        "X-GitHub-Api-Version": "2022-11-28"
-      }
-    });
-    if (!data) return [];
-
-    return data.map(({ login: name, id: orgId }) => ({ name, orgId: String(orgId) }));
-  };
-
-  const getGithubEnvs = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    id,
-    repoOwner,
-    repoName
-  }: TIntegrationAuthGithubEnvsDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
-
-    const octokit = new Octokit({
-      auth: accessToken
-    });
-
-    const {
-      data: { environments }
-    } = await octokit.request("GET /repos/{owner}/{repo}/environments", {
-      headers: {
-        "X-GitHub-Api-Version": "2022-11-28"
-      },
-      owner: repoOwner,
-      repo: repoName
-    });
-    if (!environments) return [];
-    return environments.map(({ id: envId, name }) => ({ name, envId: String(envId) }));
-  };
-
   const getQoveryOrgs = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TIntegrationAuthQoveryOrgsDTO) => {
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new BadRequestError({ message: "Failed to find integration" });
@@ -1133,8 +1061,6 @@ export const integrationAuthServiceFactory = ({
     getIntegrationApps,
     getVercelBranches,
     getApps,
-    getGithubOrgs,
-    getGithubEnvs,
     getChecklyGroups,
     getQoveryApps,
     getQoveryEnvs,

backend/src/services/integration-auth/integration-auth-types.ts

@@ -44,16 +44,6 @@ export type TIntegrationAuthChecklyGroupsDTO = {
   accountId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TIntegrationAuthGithubOrgsDTO = {
-  id: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TIntegrationAuthGithubEnvsDTO = {
-  id: string;
-  repoName: string;
-  repoOwner: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TIntegrationAuthQoveryOrgsDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -459,7 +459,7 @@ const syncSecretsAWSParameterStore = async ({
 
   const params = {
     Path: integration.path as string,
-    Recursive: false,
+    Recursive: true,
     WithDecryption: true
   };
 
@@ -1110,176 +1110,98 @@ const syncSecretsGitHub = async ({
   interface GitHubRepoKey {
     key_id: string;
     key: string;
-    id?: number | undefined;
-    url?: string | undefined;
-    title?: string | undefined;
-    created_at?: string | undefined;
   }
 
   interface GitHubSecret {
     name: string;
     created_at: string;
     updated_at: string;
-    visibility?: "all" | "private" | "selected";
-    selected_repositories_url?: string | undefined;
+  }
+
+  interface GitHubSecretRes {
+    [index: string]: GitHubSecret;
   }
 
   const octokit = new Octokit({
     auth: accessToken
   });
 
-  enum GithubScope {
-    Repo = "github-repo",
-    Org = "github-org",
-    Env = "github-env"
-  }
-
-  let repoPublicKey: GitHubRepoKey;
-
-  switch (integration.scope) {
-    case GithubScope.Org: {
-      const { data } = await octokit.request("GET /orgs/{org}/actions/secrets/public-key", {
-        org: integration.owner as string
-      });
-      repoPublicKey = data;
-      break;
-    }
-    case GithubScope.Env: {
-      const { data } = await octokit.request(
-        "GET /repositories/{repository_id}/environments/{environment_name}/secrets/public-key",
-        {
-          repository_id: Number(integration.appId),
-          environment_name: integration.targetEnvironmentId as string
-        }
-      );
-      repoPublicKey = data;
-      break;
-    }
-    default: {
-      const { data } = await octokit.request("GET /repos/{owner}/{repo}/actions/secrets/public-key", {
-        owner: integration.owner as string,
-        repo: integration.app as string
-      });
-      repoPublicKey = data;
-      break;
-    }
-  }
+  // const user = (await octokit.request('GET /user', {})).data;
+  const repoPublicKey: GitHubRepoKey = (
+    await octokit.request("GET /repos/{owner}/{repo}/actions/secrets/public-key", {
+      owner: integration.owner as string,
+      repo: integration.app as string
+    })
+  ).data;
 
   // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
-  let encryptedSecrets: GitHubSecret[];
+  let encryptedSecrets: GitHubSecretRes = (
+    await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
+      owner: integration.owner as string,
+      repo: integration.app as string
+    })
+  ).data.secrets.reduce(
+    (obj, secret) => ({
+      ...obj,
+      [secret.name]: secret
+    }),
+    {}
+  );
 
-  switch (integration.scope) {
-    case GithubScope.Org: {
-      encryptedSecrets = (
-        await octokit.request("GET /orgs/{org}/actions/secrets", {
-          org: integration.owner as string
-        })
-      ).data.secrets;
-      break;
-    }
-    case GithubScope.Env: {
-      encryptedSecrets = (
-        await octokit.request("GET /repositories/{repository_id}/environments/{environment_name}/secrets", {
-          repository_id: Number(integration.appId),
-          environment_name: integration.targetEnvironmentId as string
-        })
-      ).data.secrets;
-      break;
-    }
-    default: {
-      encryptedSecrets = (
-        await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
+  encryptedSecrets = Object.keys(encryptedSecrets).reduce(
+    (
+      result: {
+        [key: string]: GitHubSecret;
+      },
+      key
+    ) => {
+      if (
+        (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+        (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+      ) {
+        result[key] = encryptedSecrets[key];
+      }
+      return result;
+    },
+    {}
+  );
+
+  await Promise.all(
+    Object.keys(encryptedSecrets).map(async (key) => {
+      if (!(key in secrets)) {
+        return octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
           owner: integration.owner as string,
-          repo: integration.app as string
-        })
-      ).data.secrets;
-      break;
-    }
-  }
-
-  for await (const encryptedSecret of encryptedSecrets) {
-    if (
-      !(encryptedSecret.name in secrets) &&
-      !(appendices?.prefix !== undefined && !encryptedSecret.name.startsWith(appendices?.prefix)) &&
-      !(appendices?.suffix !== undefined && !encryptedSecret.name.endsWith(appendices?.suffix))
-    ) {
-      switch (integration.scope) {
-        case GithubScope.Org: {
-          await octokit.request("DELETE /orgs/{org}/actions/secrets/{secret_name}", {
-            org: integration.owner as string,
-            secret_name: encryptedSecret.name
-          });
-          break;
-        }
-        case GithubScope.Env: {
-          await octokit.request(
-            "DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
-            {
-              repository_id: Number(integration.appId),
-              environment_name: integration.targetEnvironmentId as string,
-              secret_name: encryptedSecret.name
-            }
-          );
-          break;
-        }
-        default: {
-          await octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
-            owner: integration.owner as string,
-            repo: integration.app as string,
-            secret_name: encryptedSecret.name
-          });
-          break;
-        }
+          repo: integration.app as string,
+          secret_name: key
+        });
       }
-    }
-  }
+    })
+  );
 
-  await sodium.ready.then(async () => {
-    for await (const key of Object.keys(secrets)) {
-      // convert secret & base64 key to Uint8Array.
-      const binkey = sodium.from_base64(repoPublicKey.key, sodium.base64_variants.ORIGINAL);
-      const binsec = sodium.from_string(secrets[key].value);
+  await Promise.all(
+    Object.keys(secrets).map((key) => {
+      // let encryptedSecret;
+      return sodium.ready.then(async () => {
+        // convert secret & base64 key to Uint8Array.
+        const binkey = sodium.from_base64(repoPublicKey.key, sodium.base64_variants.ORIGINAL);
+        const binsec = sodium.from_string(secrets[key].value);
 
-      // encrypt secret using libsodium
-      const encBytes = sodium.crypto_box_seal(binsec, binkey);
+        // encrypt secret using libsodium
+        const encBytes = sodium.crypto_box_seal(binsec, binkey);
 
-      // convert encrypted Uint8Array to base64
-      const encryptedSecret = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
+        // convert encrypted Uint8Array to base64
+        const encryptedSecret = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL);
 
-      switch (integration.scope) {
-        case GithubScope.Org:
-          await octokit.request("PUT /orgs/{org}/actions/secrets/{secret_name}", {
-            org: integration.owner as string,
-            secret_name: key,
-            visibility: "all",
-            encrypted_value: encryptedSecret,
-            key_id: repoPublicKey.key_id
-          });
-          break;
-        case GithubScope.Env:
-          await octokit.request(
-            "PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
-            {
-              repository_id: Number(integration.appId),
-              environment_name: integration.targetEnvironmentId as string,
-              secret_name: key,
-              encrypted_value: encryptedSecret,
-              key_id: repoPublicKey.key_id
-            }
-          );
-          break;
-        default:
-          await octokit.request("PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
-            owner: integration.owner as string,
-            repo: integration.app as string,
-            secret_name: key,
-            encrypted_value: encryptedSecret,
-            key_id: repoPublicKey.key_id
-          });
-          break;
-      }
-    }
-  });
+        await octokit.request("PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+          owner: integration.owner as string,
+          repo: integration.app as string,
+          secret_name: key,
+          encrypted_value: encryptedSecret,
+          key_id: repoPublicKey.key_id
+        });
+      });
+    })
+  );
 };
 
 /**
@@ -1307,22 +1229,6 @@ const syncSecretsRender = async ({
       }
     }
   );
-
-  if (integration.metadata) {
-    const metadata = z.record(z.any()).parse(integration.metadata);
-    if (metadata.shouldAutoRedeploy === true) {
-      await request.post(
-        `${IntegrationUrls.RENDER_API_URL}/v1/services/${integration.appId}/deploys`,
-        {},
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            "Accept-Encoding": "application/json"
-          }
-        }
-      );
-    }
-  }
 };
 
 /**

backend/src/services/project-membership/project-membership-service.ts

@@ -328,7 +328,7 @@ export const projectMembershipServiceFactory = ({
     );
     const hasCustomRole = Boolean(customInputRoles.length);
     if (hasCustomRole) {
-      const plan = await licenseService.getPlan(actorOrgId);
+      const plan = await licenseService.getPlan(actorOrgId as string);
       if (!plan?.rbac)
         throw new BadRequestError({
           message: "Failed to assign custom role due to RBAC restriction. Upgrade plan to assign custom role to member."

backend/src/services/project/project-dal.ts

@@ -168,12 +168,8 @@ export const projectDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectBySlug = async (slug: string, orgId: string | undefined) => {
+  const findProjectBySlug = async (slug: string, orgId: string) => {
     try {
-      if (!orgId) {
-        throw new BadRequestError({ message: "Organization ID is required when querying with slugs" });
-      }
-
       const projects = await db(TableName.ProjectMembership)
         .where(`${TableName.Project}.slug`, slug)
         .where(`${TableName.Project}.orgId`, orgId)

backend/src/services/project/project-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { OrgMembershipRole, ProjectMembershipRole, ProjectVersion } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectVersion } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -92,6 +92,7 @@ export const projectServiceFactory = ({
    * Create workspace. Make user the admin
    * */
   const createProject = async ({
+    orgSlug,
     actor,
     actorId,
     actorOrgId,
@@ -99,7 +100,13 @@ export const projectServiceFactory = ({
     workspaceName,
     slug: projectSlug
   }: TCreateProjectDTO) => {
-    const organization = await orgDAL.findOne({ id: actorOrgId });
+    if (!orgSlug) {
+      throw new BadRequestError({
+        message: "Must provide organization slug to create project"
+      });
+    }
+
+    const organization = await orgDAL.findOne({ slug: orgSlug });
 
     const { permission, membership: orgMembership } = await permissionService.getOrgPermission(
       actor,
@@ -284,11 +291,10 @@ export const projectServiceFactory = ({
 
         // Get the role permission for the identity
         const { permission: rolePermission, role: customRole } = await permissionService.getOrgPermissionByRole(
-          OrgMembershipRole.Member,
+          ProjectMembershipRole.Admin,
           organization.id
         );
 
-        // Identity has to be at least a member in order to create projects
         const hasPrivilege = isAtLeastAsPrivileged(permission, rolePermission);
         if (!hasPrivilege)
           throw new ForbiddenRequestError({

backend/src/services/project/project-types.ts

@@ -24,6 +24,7 @@ export type TCreateProjectDTO = {
   actorAuthMethod: ActorAuthMethod;
   actorId: string;
   actorOrgId?: string;
+  orgSlug: string;
   workspaceName: string;
   slug?: string;
 };

backend/src/services/secret-folder/secret-folder-service.ts

@@ -232,7 +232,6 @@ export const secretFolderServiceFactory = ({
     if (!parentFolder) return [];
 
     const folders = await folderDAL.find({ envId: env.id, parentId: parentFolder.id });
-
     return folders;
   };
 

backend/src/services/secret/secret-dal.ts

@@ -150,27 +150,6 @@ export const secretDALFactory = (db: TDbClient) => {
     }
   };
 
-  const getSecretTags = async (secretId: string, tx?: Knex) => {
-    try {
-      const tags = await (tx || db)(TableName.JnSecretTag)
-        .join(TableName.SecretTag, `${TableName.JnSecretTag}.${TableName.SecretTag}Id`, `${TableName.SecretTag}.id`)
-        .where({ [`${TableName.Secret}Id` as const]: secretId })
-        .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
-        .select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
-        .select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
-        .select(db.ref("name").withSchema(TableName.SecretTag).as("tagName"));
-
-      return tags.map((el) => ({
-        id: el.tagId,
-        color: el.tagColor,
-        slug: el.tagSlug,
-        name: el.tagName
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "get secret tags" });
-    }
-  };
-
   const findByBlindIndexes = async (
     folderId: string,
     blindIndexes: Array<{ blindIndex: string; type: SecretType }>,
@@ -205,7 +184,6 @@ export const secretDALFactory = (db: TDbClient) => {
     bulkUpdate,
     deleteMany,
     bulkUpdateNoVersionIncrement,
-    getSecretTags,
     findByFolderId,
     findByBlindIndexes
   };

backend/src/services/secret/secret-service.ts

@@ -22,7 +22,6 @@ import { TSecretDALFactory } from "./secret-dal";
 import { decryptSecretRaw, fnSecretBlindIndexCheck, fnSecretBulkInsert, fnSecretBulkUpdate } from "./secret-fns";
 import { TSecretQueueFactory } from "./secret-queue";
 import {
-  TAttachSecretTagsDTO,
   TCreateBulkSecretDTO,
   TCreateSecretDTO,
   TCreateSecretRawDTO,
@@ -48,7 +47,7 @@ type TSecretServiceFactoryDep = {
   secretTagDAL: TSecretTagDALFactory;
   secretVersionDAL: TSecretVersionDALFactory;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
@@ -308,7 +307,6 @@ export const secretServiceFactory = ({
     if ((inputSecret.tags || []).length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
 
     const { secretName, ...el } = inputSecret;
-
     const updatedSecret = await secretDAL.transaction(async (tx) =>
       fnSecretBulkUpdate({
         folderId,
@@ -444,7 +442,6 @@ export const secretServiceFactory = ({
     const folderId = folder.id;
 
     const secrets = await secretDAL.findByFolderId(folderId, actorId);
-
     if (includeImports) {
       const secretImports = await secretImportDAL.find({ folderId });
       const allowedImports = secretImports.filter(({ importEnv, importPath }) =>
@@ -997,209 +994,7 @@ export const secretServiceFactory = ({
     return secretVersions;
   };
 
-  const attachTags = async ({
-    secretName,
-    tagSlugs,
-    path: secretPath,
-    environment,
-    type,
-    projectSlug,
-    actor,
-    actorAuthMethod,
-    actorOrgId,
-    actorId
-  }: TAttachSecretTagsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-
-    await projectDAL.checkProjectUpgradeStatus(project.id);
-
-    const secret = await getSecretByName({
-      actorId,
-      actor,
-      actorOrgId,
-      actorAuthMethod,
-      projectId: project.id,
-      environment,
-      path: secretPath,
-      secretName,
-      type
-    });
-
-    if (!secret) {
-      throw new BadRequestError({ message: "Secret not found" });
-    }
-    const folder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
-
-    if (!folder) {
-      throw new BadRequestError({ message: "Folder not found" });
-    }
-
-    const tags = await secretTagDAL.find({
-      projectId: project.id,
-      $in: {
-        slug: tagSlugs
-      }
-    });
-
-    if (tags.length !== tagSlugs.length) {
-      throw new BadRequestError({ message: "One or more tags not found." });
-    }
-
-    const existingSecretTags = await secretDAL.getSecretTags(secret.id);
-
-    if (existingSecretTags.some((tag) => tagSlugs.includes(tag.slug))) {
-      throw new BadRequestError({ message: "One or more tags already exist on the secret" });
-    }
-
-    const combinedTags = new Set([...existingSecretTags.map((tag) => tag.id), ...tags.map((el) => el.id)]);
-
-    const updatedSecret = await secretDAL.transaction(async (tx) =>
-      fnSecretBulkUpdate({
-        folderId: folder.id,
-        projectId: project.id,
-        inputSecrets: [
-          {
-            filter: { id: secret.id },
-            data: {
-              tags: Array.from(combinedTags)
-            }
-          }
-        ],
-        secretDAL,
-        secretVersionDAL,
-        secretTagDAL,
-        secretVersionTagDAL,
-        tx
-      })
-    );
-
-    await snapshotService.performSnapshot(folder.id);
-    await secretQueueService.syncSecrets({ secretPath, projectId: project.id, environment });
-
-    return {
-      ...updatedSecret[0],
-      tags: [...existingSecretTags, ...tags].map((t) => ({ id: t.id, slug: t.slug, name: t.name, color: t.color }))
-    };
-  };
-
-  const detachTags = async ({
-    secretName,
-    tagSlugs,
-    path: secretPath,
-    environment,
-    type,
-    projectSlug,
-    actor,
-    actorAuthMethod,
-    actorOrgId,
-    actorId
-  }: TAttachSecretTagsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Edit,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-    );
-
-    await projectDAL.checkProjectUpgradeStatus(project.id);
-
-    const secret = await getSecretByName({
-      actorId,
-      actor,
-      actorOrgId,
-      actorAuthMethod,
-      projectId: project.id,
-      environment,
-      path: secretPath,
-      secretName,
-      type
-    });
-
-    if (!secret) {
-      throw new BadRequestError({ message: "Secret not found" });
-    }
-    const folder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
-
-    if (!folder) {
-      throw new BadRequestError({ message: "Folder not found" });
-    }
-
-    const tags = await secretTagDAL.find({
-      projectId: project.id,
-      $in: {
-        slug: tagSlugs
-      }
-    });
-
-    if (tags.length !== tagSlugs.length) {
-      throw new BadRequestError({ message: "One or more tags not found." });
-    }
-
-    const existingSecretTags = await secretDAL.getSecretTags(secret.id);
-
-    // Make sure all the tags exist on the secret
-    const tagIdsToRemove = tags.map((tag) => tag.id);
-    const secretTagIds = existingSecretTags.map((tag) => tag.id);
-
-    if (!tagIdsToRemove.every((el) => secretTagIds.includes(el))) {
-      throw new BadRequestError({ message: "One or more tags not found on the secret" });
-    }
-
-    const newTags = existingSecretTags.filter((tag) => !tagIdsToRemove.includes(tag.id));
-
-    const updatedSecret = await secretDAL.transaction(async (tx) =>
-      fnSecretBulkUpdate({
-        folderId: folder.id,
-        projectId: project.id,
-        inputSecrets: [
-          {
-            filter: { id: secret.id },
-            data: {
-              tags: newTags.map((tag) => tag.id)
-            }
-          }
-        ],
-        secretDAL,
-        secretVersionDAL,
-        secretTagDAL,
-        secretVersionTagDAL,
-        tx
-      })
-    );
-
-    await snapshotService.performSnapshot(folder.id);
-    await secretQueueService.syncSecrets({ secretPath, projectId: project.id, environment });
-
-    return {
-      ...updatedSecret[0],
-      tags: newTags
-    };
-  };
-
   return {
-    attachTags,
-    detachTags,
     createSecret,
     deleteSecret,
     updateSecret,

backend/src/services/secret/secret-types.ts

@@ -206,15 +206,6 @@ export type TFnSecretBulkUpdate = {
   tx?: Knex;
 };
 
-export type TAttachSecretTagsDTO = {
-  projectSlug: string;
-  secretName: string;
-  tagSlugs: string[];
-  environment: string;
-  path: string;
-  type: SecretType;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TFnSecretBulkDelete = {
   folderId: string;
   projectId: string;

backend/tsup.config.js

@@ -23,8 +23,7 @@ export default defineConfig({
   loader: {
     ".handlebars": "copy",
     ".md": "copy",
-    ".txt": "copy",
-    ".pem": "copy"
+    ".txt": "copy"
   },
   external: ["../../../frontend/node_modules/next/dist/server/next-server.js"],
   outDir: "dist",

cli/.gitignore

@@ -1,3 +1,2 @@
 .infisical.json
 dist/
-agent-config.test.yaml

cli/packages/api/api.go

@@ -406,14 +406,14 @@ func CallDeleteSecretsV3(httpClient *resty.Client, request DeleteSecretV3Request
 	return nil
 }
 
-func CallUpdateSecretsV3(httpClient *resty.Client, request UpdateSecretByNameV3Request, secretName string) error {
+func CallUpdateSecretsV3(httpClient *resty.Client, request UpdateSecretByNameV3Request) error {
 	var secretsResponse GetEncryptedSecretsV3Response
 	response, err := httpClient.
 		R().
 		SetResult(&secretsResponse).
 		SetHeader("User-Agent", USER_AGENT).
 		SetBody(request).
-		Patch(fmt.Sprintf("%v/v3/secrets/%s", config.INFISICAL_URL, secretName))
+		Patch(fmt.Sprintf("%v/v3/secrets/%s", config.INFISICAL_URL, request.SecretName))
 
 	if err != nil {
 		return fmt.Errorf("CallUpdateSecretsV3: Unable to complete api request [err=%s]", err)
@@ -535,23 +535,3 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 
 	return getRawSecretsV3Response, nil
 }
-
-func CallCreateDynamicSecretLeaseV1(httpClient *resty.Client, request CreateDynamicSecretLeaseV1Request) (CreateDynamicSecretLeaseV1Response, error) {
-	var createDynamicSecretLeaseResponse CreateDynamicSecretLeaseV1Response
-	response, err := httpClient.
-		R().
-		SetResult(&createDynamicSecretLeaseResponse).
-		SetHeader("User-Agent", USER_AGENT).
-		SetBody(request).
-		Post(fmt.Sprintf("%v/v1/dynamic-secrets/leases", config.INFISICAL_URL))
-
-	if err != nil {
-		return CreateDynamicSecretLeaseV1Response{}, fmt.Errorf("CreateDynamicSecretLeaseV1: Unable to complete api request [err=%w]", err)
-	}
-
-	if response.IsError() {
-		return CreateDynamicSecretLeaseV1Response{}, fmt.Errorf("CreateDynamicSecretLeaseV1: Unsuccessful response [%v %v] [status-code=%v] [response=%v]", response.Request.Method, response.Request.URL, response.StatusCode(), response.String())
-	}
-
-	return createDynamicSecretLeaseResponse, nil
-}

cli/packages/api/model.go

@@ -401,6 +401,7 @@ type DeleteSecretV3Request struct {
 }
 
 type UpdateSecretByNameV3Request struct {
+	SecretName            string `json:"secretName"`
 	WorkspaceID           string `json:"workspaceId"`
 	Environment           string `json:"environment"`
 	Type                  string `json:"type"`
@@ -500,28 +501,6 @@ type UniversalAuthRefreshResponse struct {
 	AccessTokenMaxTTL int    `json:"accessTokenMaxTTL"`
 }
 
-type CreateDynamicSecretLeaseV1Request struct {
-	Environment string `json:"environment"`
-	ProjectSlug string `json:"projectSlug"`
-	SecretPath  string `json:"secretPath,omitempty"`
-	Slug        string `json:"slug"`
-	TTL         string `json:"ttl,omitempty"`
-}
-
-type CreateDynamicSecretLeaseV1Response struct {
-	Lease struct {
-		Id       string `json:"id"`
-		ExpireAt time.Time `json:"expireAt"`
-	} `json:"lease"`
-	DynamicSecret struct {
-		Id         string `json:"id"`
-		DefaultTTL string `json:"defaultTTL"`
-		MaxTTL     string `json:"maxTTL"`
-		Type       string `json:"type"`
-	} `json:"dynamicSecret"`
-	Data map[string]interface{} `json:"data"`
-}
-
 type GetRawSecretsV3Request struct {
 	Environment   string `json:"environment"`
 	WorkspaceId   string `json:"workspaceId"`

cli/packages/cmd/agent.go

@@ -14,7 +14,6 @@ import (
 	"os/signal"
 	"path"
 	"runtime"
-	"slices"
 	"strings"
 	"sync"
 	"syscall"
@@ -34,9 +33,6 @@ import (
 
 const DEFAULT_INFISICAL_CLOUD_URL = "https://app.infisical.com"
 
-// duration to reduce from expiry of dynamic leases so that it gets triggered before expiry
-const DYNAMIC_SECRET_PRUNE_EXPIRE_BUFFER = -15
-
 type Config struct {
 	Infisical InfisicalConfig `yaml:"infisical"`
 	Auth      AuthConfig      `yaml:"auth"`
@@ -88,115 +84,6 @@ type Template struct {
 	} `yaml:"config"`
 }
 
-func newAgentTemplateChannels(templates []Template) map[string]chan bool {
-	// we keep each destination as an identifier for various channel
-	templateChannel := make(map[string]chan bool)
-	for _, template := range templates {
-		templateChannel[template.DestinationPath] = make(chan bool)
-	}
-	return templateChannel
-}
-
-type DynamicSecretLease struct {
-	LeaseID     string
-	ExpireAt    time.Time
-	Environment string
-	SecretPath  string
-	Slug        string
-	ProjectSlug string
-	Data        map[string]interface{}
-	TemplateIDs []int
-}
-
-type DynamicSecretLeaseManager struct {
-	leases []DynamicSecretLease
-	mutex  sync.Mutex
-}
-
-func (d *DynamicSecretLeaseManager) Prune() {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	d.leases = slices.DeleteFunc(d.leases, func(s DynamicSecretLease) bool {
-		return time.Now().After(s.ExpireAt.Add(DYNAMIC_SECRET_PRUNE_EXPIRE_BUFFER * time.Second))
-	})
-}
-
-func (d *DynamicSecretLeaseManager) Append(lease DynamicSecretLease) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	index := slices.IndexFunc(d.leases, func(s DynamicSecretLease) bool {
-		if lease.SecretPath == s.SecretPath && lease.Environment == s.Environment && lease.ProjectSlug == s.ProjectSlug && lease.Slug == s.Slug {
-			return true
-		}
-		return false
-	})
-
-	if index != -1 {
-		d.leases[index].TemplateIDs = append(d.leases[index].TemplateIDs, lease.TemplateIDs...)
-		return
-	}
-	d.leases = append(d.leases, lease)
-}
-
-func (d *DynamicSecretLeaseManager) RegisterTemplate(projectSlug, environment, secretPath, slug string, templateId int) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	index := slices.IndexFunc(d.leases, func(lease DynamicSecretLease) bool {
-		if lease.SecretPath == secretPath && lease.Environment == environment && lease.ProjectSlug == projectSlug && lease.Slug == slug {
-			return true
-		}
-		return false
-	})
-
-	if index != -1 {
-		d.leases[index].TemplateIDs = append(d.leases[index].TemplateIDs, templateId)
-	}
-}
-
-func (d *DynamicSecretLeaseManager) GetLease(projectSlug, environment, secretPath, slug string) *DynamicSecretLease {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	for _, lease := range d.leases {
-		if lease.SecretPath == secretPath && lease.Environment == environment && lease.ProjectSlug == projectSlug && lease.Slug == slug {
-			return &lease
-		}
-	}
-
-	return nil
-}
-
-// for a given template find the first expiring lease
-// The bool indicates whether it contains valid expiry list
-func (d *DynamicSecretLeaseManager) GetFirstExpiringLeaseTime(templateId int) (time.Time, bool) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	if len(d.leases) == 0 {
-		return time.Time{}, false
-	}
-
-	var firstExpiry time.Time
-	for i, el := range d.leases {
-		if i == 0 {
-			firstExpiry = el.ExpireAt
-		}
-		newLeaseTime := el.ExpireAt.Add(DYNAMIC_SECRET_PRUNE_EXPIRE_BUFFER * time.Second)
-		if newLeaseTime.Before(firstExpiry) {
-			firstExpiry = newLeaseTime
-		}
-	}
-	return firstExpiry, true
-}
-
-func NewDynamicSecretLeaseManager(sigChan chan os.Signal) *DynamicSecretLeaseManager {
-	manager := &DynamicSecretLeaseManager{}
-	return manager
-}
-
 func ReadFile(filePath string) ([]byte, error) {
 	return ioutil.ReadFile(filePath)
 }
@@ -347,43 +234,15 @@ func secretTemplateFunction(accessToken string, existingEtag string, currentEtag
 	}
 }
 
-func dynamicSecretTemplateFunction(accessToken string, dynamicSecretManager *DynamicSecretLeaseManager, templateId int) func(...string) (map[string]interface{}, error) {
-	return func(args ...string) (map[string]interface{}, error) {
-		argLength := len(args)
-		if argLength != 4 && argLength != 5 {
-			return nil, fmt.Errorf("Invalid arguments found for dynamic-secret function. Check template %i", templateId)
-		}
-
-		projectSlug, envSlug, secretPath, slug, ttl := args[0], args[1], args[2], args[3], ""
-		if argLength == 5 {
-			ttl = args[4]
-		}
-		dynamicSecretData := dynamicSecretManager.GetLease(projectSlug, envSlug, secretPath, slug)
-		if dynamicSecretData != nil {
-			dynamicSecretManager.RegisterTemplate(projectSlug, envSlug, secretPath, slug, templateId)
-			return dynamicSecretData.Data, nil
-		}
-
-		res, err := util.CreateDynamicSecretLease(accessToken, projectSlug, envSlug, secretPath, slug, ttl)
-		if err != nil {
-			return nil, err
-		}
-
-		dynamicSecretManager.Append(DynamicSecretLease{LeaseID: res.Lease.Id, ExpireAt: res.Lease.ExpireAt, Environment: envSlug, SecretPath: secretPath, Slug: slug, ProjectSlug: projectSlug, Data: res.Data, TemplateIDs: []int{templateId}})
-		return res.Data, nil
-	}
-}
-
-func ProcessTemplate(templateId int, templatePath string, data interface{}, accessToken string, existingEtag string, currentEtag *string, dynamicSecretManager *DynamicSecretLeaseManager) (*bytes.Buffer, error) {
+func ProcessTemplate(templatePath string, data interface{}, accessToken string, existingEtag string, currentEtag *string) (*bytes.Buffer, error) {
 	// custom template function to fetch secrets from Infisical
 	secretFunction := secretTemplateFunction(accessToken, existingEtag, currentEtag)
-	dynamicSecretFunction := dynamicSecretTemplateFunction(accessToken, dynamicSecretManager, templateId)
 	funcs := template.FuncMap{
-		"secret":         secretFunction,
-		"dynamic_secret": dynamicSecretFunction,
+		"secret": secretFunction,
 	}
 
 	templateName := path.Base(templatePath)
+
 	tmpl, err := template.New(templateName).Funcs(funcs).ParseFiles(templatePath)
 	if err != nil {
 		return nil, err
@@ -397,7 +256,7 @@ func ProcessTemplate(templateId int, templatePath string, data interface{}, acce
 	return &buf, nil
 }
 
-func ProcessBase64Template(templateId int, encodedTemplate string, data interface{}, accessToken string, existingEtag string, currentEtag *string, dynamicSecretLeaser *DynamicSecretLeaseManager) (*bytes.Buffer, error) {
+func ProcessBase64Template(encodedTemplate string, data interface{}, accessToken string, existingEtag string, currentEtag *string) (*bytes.Buffer, error) {
 	// custom template function to fetch secrets from Infisical
 	decoded, err := base64.StdEncoding.DecodeString(encodedTemplate)
 	if err != nil {
@@ -407,10 +266,8 @@ func ProcessBase64Template(templateId int, encodedTemplate string, data interfac
 	templateString := string(decoded)
 
 	secretFunction := secretTemplateFunction(accessToken, existingEtag, currentEtag) // TODO: Fix this
-	dynamicSecretFunction := dynamicSecretTemplateFunction(accessToken, dynamicSecretLeaser, templateId)
 	funcs := template.FuncMap{
-		"secret":         secretFunction,
-		"dynamic_secret": dynamicSecretFunction,
+		"secret": secretFunction,
 	}
 
 	templateName := "base64Template"
@@ -428,7 +285,7 @@ func ProcessBase64Template(templateId int, encodedTemplate string, data interfac
 	return &buf, nil
 }
 
-type AgentManager struct {
+type TokenManager struct {
 	accessToken                    string
 	accessTokenTTL                 time.Duration
 	accessTokenMaxTTL              time.Duration
@@ -437,7 +294,6 @@ type AgentManager struct {
 	mutex                          sync.Mutex
 	filePaths                      []Sink // Store file paths if needed
 	templates                      []Template
-	dynamicSecretLeases            *DynamicSecretLeaseManager
 	clientIdPath                   string
 	clientSecretPath               string
 	newAccessTokenNotificationChan chan bool
@@ -446,8 +302,8 @@ type AgentManager struct {
 	exitAfterAuth                  bool
 }
 
-func NewAgentManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *AgentManager {
-	return &AgentManager{
+func NewTokenManager(fileDeposits []Sink, templates []Template, clientIdPath string, clientSecretPath string, newAccessTokenNotificationChan chan bool, removeClientSecretOnRead bool, exitAfterAuth bool) *TokenManager {
+	return &TokenManager{
 		filePaths:                      fileDeposits,
 		templates:                      templates,
 		clientIdPath:                   clientIdPath,
@@ -459,7 +315,7 @@ func NewAgentManager(fileDeposits []Sink, templates []Template, clientIdPath str
 
 }
 
-func (tm *AgentManager) SetToken(token string, accessTokenTTL time.Duration, accessTokenMaxTTL time.Duration) {
+func (tm *TokenManager) SetToken(token string, accessTokenTTL time.Duration, accessTokenMaxTTL time.Duration) {
 	tm.mutex.Lock()
 	defer tm.mutex.Unlock()
 
@@ -470,7 +326,7 @@ func (tm *AgentManager) SetToken(token string, accessTokenTTL time.Duration, acc
 	tm.newAccessTokenNotificationChan <- true
 }
 
-func (tm *AgentManager) GetToken() string {
+func (tm *TokenManager) GetToken() string {
 	tm.mutex.Lock()
 	defer tm.mutex.Unlock()
 
@@ -478,7 +334,7 @@ func (tm *AgentManager) GetToken() string {
 }
 
 // Fetches a new access token using client credentials
-func (tm *AgentManager) FetchNewAccessToken() error {
+func (tm *TokenManager) FetchNewAccessToken() error {
 	clientID := os.Getenv("INFISICAL_UNIVERSAL_AUTH_CLIENT_ID")
 	if clientID == "" {
 		clientIDAsByte, err := ReadFile(tm.clientIdPath)
@@ -528,7 +384,7 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 }
 
 // Refreshes the existing access token
-func (tm *AgentManager) RefreshAccessToken() error {
+func (tm *TokenManager) RefreshAccessToken() error {
 	httpClient := resty.New()
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
@@ -549,7 +405,7 @@ func (tm *AgentManager) RefreshAccessToken() error {
 	return nil
 }
 
-func (tm *AgentManager) ManageTokenLifecycle() {
+func (tm *TokenManager) ManageTokenLifecycle() {
 	for {
 		accessTokenMaxTTLExpiresInTime := tm.accessTokenFetchedTime.Add(tm.accessTokenMaxTTL - (5 * time.Second))
 		accessTokenRefreshedTime := tm.accessTokenRefreshedTime
@@ -617,7 +473,7 @@ func (tm *AgentManager) ManageTokenLifecycle() {
 	}
 }
 
-func (tm *AgentManager) WriteTokenToFiles() {
+func (tm *TokenManager) WriteTokenToFiles() {
 	token := tm.GetToken()
 	for _, sinkFile := range tm.filePaths {
 		if sinkFile.Type == "file" {
@@ -634,7 +490,7 @@ func (tm *AgentManager) WriteTokenToFiles() {
 	}
 }
 
-func (tm *AgentManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Template) {
+func (tm *TokenManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Template) {
 	if err := WriteBytesToFile(bytes, template.DestinationPath); err != nil {
 		log.Error().Msgf("template engine: unable to write secrets to path because %s. Will try again on next cycle", err)
 		return
@@ -642,7 +498,7 @@ func (tm *AgentManager) WriteTemplateToFile(bytes *bytes.Buffer, template *Templ
 	log.Info().Msgf("template engine: secret template at path %s has been rendered and saved to path %s", template.SourcePath, template.DestinationPath)
 }
 
-func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId int, sigChan chan os.Signal) {
+func (tm *TokenManager) MonitorSecretChanges(secretTemplate Template, sigChan chan os.Signal) {
 
 	pollingInterval := time.Duration(5 * time.Minute)
 
@@ -667,61 +523,47 @@ func (tm *AgentManager) MonitorSecretChanges(secretTemplate Template, templateId
 	execCommand := secretTemplate.Config.Execute.Command
 
 	for {
-		select {
-		case <-sigChan:
-			return
-		default:
-			{
-				tm.dynamicSecretLeases.Prune()
-				token := tm.GetToken()
-				if token != "" {
-					var processedTemplate *bytes.Buffer
-					var err error
+		token := tm.GetToken()
 
-					if secretTemplate.SourcePath != "" {
-						processedTemplate, err = ProcessTemplate(templateId, secretTemplate.SourcePath, nil, token, existingEtag, &currentEtag, tm.dynamicSecretLeases)
-					} else {
-						processedTemplate, err = ProcessBase64Template(templateId, secretTemplate.Base64TemplateContent, nil, token, existingEtag, &currentEtag, tm.dynamicSecretLeases)
-					}
+		if token != "" {
 
-					if err != nil {
-						log.Error().Msgf("unable to process template because %v", err)
-					} else {
-						if (existingEtag != currentEtag) || firstRun {
+			var processedTemplate *bytes.Buffer
+			var err error
 
-							tm.WriteTemplateToFile(processedTemplate, &secretTemplate)
-							existingEtag = currentEtag
+			if secretTemplate.SourcePath != "" {
+				processedTemplate, err = ProcessTemplate(secretTemplate.SourcePath, nil, token, existingEtag, &currentEtag)
+			} else {
+				processedTemplate, err = ProcessBase64Template(secretTemplate.Base64TemplateContent, nil, token, existingEtag, &currentEtag)
+			}
 
-							if !firstRun && execCommand != "" {
-								log.Info().Msgf("executing command: %s", execCommand)
-								err := ExecuteCommandWithTimeout(execCommand, execTimeout)
+			if err != nil {
+				log.Error().Msgf("unable to process template because %v", err)
+			} else {
+				if (existingEtag != currentEtag) || firstRun {
 
-								if err != nil {
-									log.Error().Msgf("unable to execute command because %v", err)
-								}
+					tm.WriteTemplateToFile(processedTemplate, &secretTemplate)
+					existingEtag = currentEtag
 
-							}
-							if firstRun {
-								firstRun = false
-							}
+					if !firstRun && execCommand != "" {
+						log.Info().Msgf("executing command: %s", execCommand)
+						err := ExecuteCommandWithTimeout(execCommand, execTimeout)
+
+						if err != nil {
+							log.Error().Msgf("unable to execute command because %v", err)
 						}
-					}
 
-					// now the idea is we pick the next sleep time in which the one shorter out of
-					// - polling time
-					// - first lease that's gonna get expired in the template
-					firstLeaseExpiry, isValid := tm.dynamicSecretLeases.GetFirstExpiringLeaseTime(templateId)
-					var waitTime = pollingInterval
-					if isValid && firstLeaseExpiry.Sub(time.Now()) < pollingInterval {
-						waitTime = firstLeaseExpiry.Sub(time.Now())
 					}
-					time.Sleep(waitTime)
-				} else {
-					// It fails to get the access token. So we will re-try in 3 seconds. We do this because if we don't, the user will have to wait for the next polling interval to get the first secret render.
-					time.Sleep(3 * time.Second)
+					if firstRun {
+						firstRun = false
+					}
 				}
 			}
+			time.Sleep(pollingInterval)
+		} else {
+			// It fails to get the access token. So we will re-try in 3 seconds. We do this because if we don't, the user will have to wait for the next polling interval to get the first secret render.
+			time.Sleep(3 * time.Second)
 		}
+
 	}
 }
 
@@ -803,14 +645,13 @@ var agentCmd = &cobra.Command{
 		signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 
 		filePaths := agentConfig.Sinks
-		tm := NewAgentManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
-		tm.dynamicSecretLeases = NewDynamicSecretLeaseManager(sigChan)
+		tm := NewTokenManager(filePaths, agentConfig.Templates, configUniversalAuthType.ClientIDPath, configUniversalAuthType.ClientSecretPath, tokenRefreshNotifier, configUniversalAuthType.RemoveClientSecretOnRead, agentConfig.Infisical.ExitAfterAuth)
 
 		go tm.ManageTokenLifecycle()
 
 		for i, template := range agentConfig.Templates {
 			log.Info().Msgf("template engine started for template %v...", i+1)
-			go tm.MonitorSecretChanges(template, i, sigChan)
+			go tm.MonitorSecretChanges(template, sigChan)
 		}
 
 		for {

cli/packages/cmd/secrets.go

@@ -297,6 +297,7 @@ var secretsSetCmd = &cobra.Command{
 			updateSecretRequest := api.UpdateSecretByNameV3Request{
 				WorkspaceID:           workspaceFile.WorkspaceId,
 				Environment:           environmentName,
+				SecretName:            secret.PlainTextKey,
 				SecretValueCiphertext: secret.SecretValueCiphertext,
 				SecretValueIV:         secret.SecretValueIV,
 				SecretValueTag:        secret.SecretValueTag,
@@ -304,7 +305,7 @@ var secretsSetCmd = &cobra.Command{
 				SecretPath:            secretsPath,
 			}
 
-			err = api.CallUpdateSecretsV3(httpClient, updateSecretRequest, secret.PlainTextKey)
+			err = api.CallUpdateSecretsV3(httpClient, updateSecretRequest)
 			if err != nil {
 				util.HandleError(err, "Unable to process secret update request")
 				return
@@ -418,7 +419,7 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse path flag")
 	}
 
-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true}, "")
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}
@@ -476,7 +477,7 @@ func generateExampleEnv(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
-	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath, IncludeImport: true}, "")
+	secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs, SecretsPath: secretsPath}, "")
 	if err != nil {
 		util.HandleError(err, "To fetch all secrets")
 	}

cli/packages/models/cli.go

@@ -1,7 +1,5 @@
 package models
 
-import "time"
-
 type UserCredentials struct {
 	Email        string `json:"email"`
 	PrivateKey   string `json:"privateKey"`
@@ -42,23 +40,6 @@ type PlaintextSecretResult struct {
 	Etag    string
 }
 
-type DynamicSecret struct {
-	Id         string `json:"id"`
-	DefaultTTL string `json:"defaultTTL"`
-	MaxTTL     string `json:"maxTTL"`
-	Type       string `json:"type"`
-}
-
-type DynamicSecretLease struct {
-	Lease struct {
-		Id       string    `json:"id"`
-		ExpireAt time.Time `json:"expireAt"`
-	} `json:"lease"`
-	DynamicSecret DynamicSecret `json:"dynamicSecret"`
-	// this is a varying dict based on provider
-	Data map[string]interface{} `json:"data"`
-}
-
 type SingleFolder struct {
 	ID   string `json:"_id"`
 	Name string `json:"name"`

cli/packages/util/secrets.go

@@ -195,31 +195,6 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 	}, nil
 }
 
-func CreateDynamicSecretLease(accessToken string, projectSlug string, environmentName string, secretsPath string, slug string, ttl string) (models.DynamicSecretLease, error) {
-	httpClient := resty.New()
-	httpClient.SetAuthToken(accessToken).
-		SetHeader("Accept", "application/json")
-
-	dynamicSecretRequest := api.CreateDynamicSecretLeaseV1Request{
-		ProjectSlug: projectSlug,
-		Environment: environmentName,
-		SecretPath:  secretsPath,
-		Slug:        slug,
-		TTL:         ttl,
-	}
-
-	dynamicSecret, err := api.CallCreateDynamicSecretLeaseV1(httpClient, dynamicSecretRequest)
-	if err != nil {
-		return models.DynamicSecretLease{}, err
-	}
-
-	return models.DynamicSecretLease{
-		Lease:         dynamicSecret.Lease,
-		Data:          dynamicSecret.Data,
-		DynamicSecret: dynamicSecret.DynamicSecret,
-	}, nil
-}
-
 func InjectImportedSecret(plainTextWorkspaceKey []byte, secrets []models.SingleEnvironmentVariable, importedSecrets []api.ImportedSecretV3) ([]models.SingleEnvironmentVariable, error) {
 	if importedSecrets == nil {
 		return secrets, nil

docs/api-reference/endpoints/folders/delete.mdx

@@ -1,4 +1,4 @@
 ---
 title: "Delete"
-openapi: "DELETE /api/v1/folders/{folderIdOrName}"
+openapi: "DELETE /api/v1/folders/{folderId}"
 ---

docs/api-reference/endpoints/secret-tags/create.mdx

@@ -1,4 +0,0 @@
----
-title: "Create"
-openapi: "POST /api/v1/workspace/{projectId}/tags"
----

docs/api-reference/endpoints/secret-tags/delete.mdx

@@ -1,4 +0,0 @@
----
-title: "Delete"
-openapi: "DELETE /api/v1/workspace/{projectId}/tags/{tagId}"
----

docs/api-reference/endpoints/secret-tags/list.mdx

@@ -1,4 +0,0 @@
----
-title: "List"
-openapi: "GET /api/v1/workspace/{projectId}/tags"
----

docs/api-reference/endpoints/secrets/attach-tags.mdx

@@ -1,4 +0,0 @@
----
-title: "Attach tags"
-openapi: "POST /api/v3/secrets/tags/{secretName}"
----

docs/api-reference/endpoints/secrets/detach-tags.mdx

@@ -1,4 +0,0 @@
----
-title: "Detach tags"
-openapi: "DELETE /api/v3/secrets/tags/{secretName}"
----

docs/documentation/getting-started/sdks.mdx

@@ -18,4 +18,4 @@ Follow the instructions for your language use the SDK for it:
 - [Java SDK](https://infisical.com/docs/sdks/languages/java)
 - [.NET SDK](https://infisical.com/docs/sdks/languages/csharp)
 
-Missing a language? [Throw in a request here](https://github.com/Infisical/infisical/issues).
+Missing a language? [Throw in a request](https://github.com/Infisical/infisical/issues).

docs/documentation/platform/secret-rotation/mysql.mdx

@@ -1,102 +1,37 @@
 ---
 title: "MySQL/MariaDB"
-description: "How to rotate MySQL/MariaDB database user passwords"
+description: "Rotated database user password of a MySQL or MariaDB"
 ---
 
-The Infisical MySQL secret rotation allows you to automatically rotate your MySQL database user's password at a predefined interval.
+Infisical will update periodically the provided database user's password.
 
+<Warning>
+	At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
+</Warning>
 
-## Prerequisite
+## Working
 
-1. Create two users with the required permission in your MySQL instance. We'll refer to them as `user-a` and `user-b`.
-2. Create another MySQL user with just the permission to update the passwords of `user-a` and `user-b`. We'll refer to this user as the `admin` user.
-
-To learn more about MySQL permission system, please visit this [documentation](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html).
-
-## How it works 
-
-1. Infisical connects to your database using the provided `admin` user account.
-2. A random value is generated and the password for `user-a` is updated with the new value.
-3. The new password is then tested by logging into the database
-4. If test is success, it's saved to the output secret mappings so that rest of the system gets the newly rotated value(s).
-5. The process is then repeated for `user-b` on the next rotation.
-6. The cycle repeats until secret rotation is deleted/stopped.
+1. User's has to create the two user's for Infisical to rotate and provide them required database access
+2. Infisical will connect with your database with admin access
+3. If last rotated one was username1, then username2 is chosen to be rotated
+5. Update it's password with random value
+6. After testing it gets saved to the provided secret mapping
 
 ## Rotation Configuration
 
-<Steps>
-  <Step title="Open Secret Rotation Page">
-	Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar 
-  </Step>
-  <Step title="Click on MySQL card" />
-  <Step title="Provide the inputs">
-	<ParamField path="Admin Username" type="string" required>
-		Rotator admin username
-	</ParamField>
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `MySQL`
+3. Provide the inputs
+	- Admin Username: DB admin username
+	- Admin Password: DB admin password
+	- Host: DB host
+	- Port: DB port(number)
+	- Username1: The first username in two to rotate
+	- Username2: The second username in two to rotate
+	- CA: Certificate to connect with database(string)
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
 
-	<ParamField path="Admin password" type="string" required>
-		Rotator admin password
-	</ParamField>
-
-	<ParamField path="Host" type="string" required>
-		Database host url
-	</ParamField>
-
-	<ParamField path="Port" type="number" required>
-		Database port number
-	</ParamField>
-
-	<ParamField path="Username1" type="string" required>
-		The first username of two to rotate - `user-a`
-	</ParamField>
-
-	<ParamField path="Username2" type="string" required>
-		The second username of two to rotate - `user-b`
-	</ParamField>
- 
-	<ParamField path="CA" type="string">
-		Optional database certificate to connect with database
-	</ParamField>
-
-  </Step>
-  <Step title="Configure the output secret mapping">
-  	When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project. 
-
-	<ParamField path="Environment" type="string" required>
-		The environment where the rotated credentials should be mapped to.
-	</ParamField>
-
-	<ParamField path="Secret Path" type="string" required>
-		The secret path where the rotated credentials should be mapped to.
-	</ParamField>
-
-	<ParamField path="Interval" type="number" required>
-		What interval should the credentials be rotated in days.
-	</ParamField>
-
-	<ParamField path="DB USERNAME" type="string" required>
-		Select an existing secret key where the rotated database username value should be saved to.
-	</ParamField>
-
-	<ParamField path="DB PASSWORD" type="string" required>
-		Select an existing select key where the rotated database password value should be saved to.
-	</ParamField>
-  </Step>
-</Steps>
-
-## FAQ
-
-<AccordionGroup>
-  <Accordion title="Why can't we delete the other user when rotating?">
-  	When a system has multiple nodes by horizontal scaling, redeployment doesn't happen instantly.
-
-	This means that when the secrets are rotated, and the redeployment is triggered, the existing system will still be using the old credentials until the change rolls out. 
-
-	To avoid causing failure for them, the old credentials are not removed. Instead, in the next rotation, the previous user's credentials are updated.
-  </Accordion>
-  <Accordion title="Why do you need root user account?">
-	The admin account is used by Infisical to update the credentials for `user-a` and `user-b`. 
-
-	You don't need to grant all permission for your admin account but rather just the permissions to update both of the user's passwords.
-  </Accordion>
-</AccordionGroup>
+Congrats. You have 10x your MySQL/MariaDB access security. 

docs/documentation/platform/secret-rotation/postgres.mdx

@@ -1,104 +1,33 @@
 ---
 title: "PostgreSQL/CockroachDB"
-description: "How to rotate postgreSQL/cockroach database user passwords"
+description: "Rotated database user password of a PostgreSQL or Cockroach DB"
 ---
 
-The Infisical Postgres secret rotation allows you to automatically rotate your Postgres database user's password at a predefined interval.
+Infisical will update periodically the provided database user's password.
 
+## Working
 
-## Prerequisite
-
-1. Create two users with the required permission in your PostgreSQL instance. We'll refer to them as `user-a` and `user-b`.
-2. Create another PostgreSQL user with just the permission to update the passwords of `user-a` and `user-b`. We'll refer to this user as the `admin` user.
-
-To learn more about Postgres permission system, please visit this [documentation](https://www.postgresql.org/docs/9.1/sql-grant.html).
-
-
-## How it works 
-
-1. Infisical connects to your database using the provided `admin` user account.
-2. A random value is generated and the password for `user-a` is updated with the new value.
-3. The new password is then tested by logging into the database
-4. If test is success, it's saved to the output secret mappings so that rest of the system gets the newly rotated value(s).
-5. The process is then repeated for `user-b` on the next rotation.
-6. The cycle repeats until secret rotation is deleted/stopped.
+1. User's has to create the two user's for Infisical to rotate and provide them required database access.
+2. Infisical will connect with your database with admin access.
+3. If last rotated one was username1, then username2 is chosen to be rotated.
+5. Update it's password with random value.
+6. After testing it gets saved to the provided secret mapping.
 
 ## Rotation Configuration
 
-<Steps>
-  <Step title="Open Secret Rotation Page">
-	Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar 
-  </Step>
-  <Step title="Click on PostgresSQL card" />
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `PostgreSQL`
+3. Provide the inputs
+	- Admin Username: DB admin username
+	- Admin Password: DB admin password
+	- Host: DB host
+	- Port: DB port(number)
+	- Username1: The first username in two to rotate
+	- Username2: The second username in two to rotate
+	- CA: Certificate to connect with database(string)
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
 
-  <Step title="Provide the inputs">
-	<ParamField path="Admin Username" type="string" required="true">
-		Rotator admin username
-	</ParamField>
-
-	<ParamField path="Admin password" type="string" required="true">
-		Rotator admin password
-	</ParamField>
-
-	<ParamField path="Host" type="string" required="true">
-		Database host url
-	</ParamField>
-
-	<ParamField path="Port" type="number" required="true">
-		Database port number
-	</ParamField>
-
-	<ParamField path="Username1" type="string" required="true">
-		The first username of two to rotate - `user-a`
-	</ParamField>
-
-	<ParamField path="Username2" type="string" required="true">
-		The second username of two to rotate - `user-b`
-	</ParamField>
- 
-	<ParamField path="CA" type="string" optional>
-		Optional database certificate to connect with database
-	</ParamField>
-  </Step>
-  <Step title="Configure the output secret mapping">
-
-  	When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project. 
-
-	<ParamField path="Environment" type="string" required>
-		The environment where the rotated credentials should be mapped to.
-	</ParamField>
-
-	<ParamField path="Secret Path" type="string" required>
-		The secret path where the rotated credentials should be mapped to.
-	</ParamField>
-
-	<ParamField path="Interval" type="number" required>
-		What interval should the credentials be rotated in days.
-	</ParamField>
-
-	<ParamField path="DB USERNAME" type="string" required>
-		Select an existing secret key where the rotated database username value should be saved to.
-	</ParamField>
-
-	<ParamField path="DB PASSWORD" type="string" required>
-		Select an existing select key where the rotated database password value should be saved to.
-	</ParamField>
-  </Step>
-</Steps>
-
-## FAQ
-
-<AccordionGroup>
-  <Accordion title="Why can't we delete the other user when rotating?">
-  	When a system has multiple nodes by horizontal scaling, redeployment doesn't happen instantly.
-
-	This means that when the secrets are rotated, and the redeployment is triggered, the existing system will still be using the old credentials until the change rolls out. 
-
-	To avoid causing failure for them, the old credentials are not removed. Instead, in the next rotation, the previous user's credentials are updated.
-  </Accordion>
-  <Accordion title="Why do you need root user account?">
-	The admin account is used by Infisical to update the credentials for `user-a` and `user-b`. 
-
-	You don't need to grant all permission for your admin account but rather just the permissions to update both of the user's passwords.
-  </Accordion>
-</AccordionGroup>
+Congratulations. You have improved your PostgreSQL/CockroachDB access security. 

docs/documentation/platform/secret-rotation/sendgrid.mdx

@@ -1,58 +1,31 @@
 ---
 title: "Twilio SendGrid"
-description: "How to rotate Twilio SendGrid API keys"
+description: "Rotate Twilio SendGrid API keys"
 ---
 
-Eliminate the use of long lived secrets by rotating Twilio SendGrid API keys with Infisical.
+Twilio SendGrid is a cloud-based email delivery platform that helps businesses send transactional and marketing emails.
+It uses an API key to do various operations. Using Infisical you can easily dynamically change the keys.
 
-## Prerequisite
+## Working
 
-You will need a valid SendGrid admin key with the necessary scope to create additional API keys. 
-
-Follow the [SendGrid Docs to create an admin api key](https://docs.sendgrid.com/ui/account-and-settings/api-keys)
-
-## How it works
-
-Using the provided admin API key, Infisical will attempt to create child API keys with the specified permissions. 
-New keys will ge generated every time a rotation occurs. Behind the scenes, Infisical uses the [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys) to generate new API keys.
+1. Infisical will need an admin token of SendGrid to create API keys dynamically.
+2. Using the given admin token and scope by user Infisical will create and rotate API keys periodically
+3. Under the hood infisical uses [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys)
 
 ## Rotation Configuration
 
-<Steps>
-  <Step title="Open Secret Rotation Page">
-	Head over to Secret Rotation configuration page of your project by clicking on `Secret Rotation` in the left side bar 
-  </Step>
-  <Step title="Click on Twilio SendGrid Card" />
-  <Step title="Provide the inputs">
-	<ParamField path="Admin API Key" type="string" required>
-		SendGrid admin API key with permission to create child scoped API keys.
-	</ParamField>
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `Twilio SendGrid Card`
+3. Provide the inputs
+	- Admin API Key: 
+		SendGrid admin key to create lower scoped API keys.
+	- API Key Scopes
+		SendGrid generated API Key's scopes. For more info refer [this doc](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions)
 
-	<ParamField path="Admin API Key" type="array" required>
-		The permissions that the newly generated API keys will have. To view possible permissions, visit [this documentation](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions).
-		Permissions must be entered as a list of strings. 
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Now your output mapped secret value will be replaced periodically by SendGrid.
 		
-		Example: `["user.profile.read", "user.profile.update"]`
-	</ParamField>
-  </Step>
-  <Step title="Configure the output secret mapping">
-  	When a secret rotation is successful, the updated values needs to be saved to an existing key(s) in your project. 
-	<ParamField path="Environment" type="string" required>
-		The environment where the rotated credentials should be mapped to.
-	</ParamField>
-
-	<ParamField path="Secret Path" type="string" required>
-		The secret path where the rotated credentials should be mapped to.
-	</ParamField>
-
-	<ParamField path="Interval" type="number" required>
-		What interval should the credentials be rotated in days.
-	</ParamField>
-
-	<ParamField path="API KEY" type="string" required>
-		Select an existing select key where the newly rotated API key will get saved to.
-	</ParamField>
-  </Step>
-</Steps>
-
-Now your output mapped secret value will be replaced periodically by SendGrid.