Prevent users from deleting the last payment method attached to the org

.env.example

@@ -123,17 +123,8 @@ INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
-INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET=
+INF_APP_CONNECTION_AZURE_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
 
 # datadog
 SHOULD_USE_DATADOG_TRACER=

.github/workflows/release_build_infisical_cli.yml

@@ -0,0 +1,153 @@
+name: Build and release CLI
+
+on:
+  workflow_dispatch:
+
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  cli-integration-tests:
+    name: Run tests before deployment
+    uses: ./.github/workflows/run-cli-tests.yml
+    secrets:
+      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+  npm-release:
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./npm
+    needs:
+      - cli-integration-tests
+      - goreleaser
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        run: |
+          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+          echo "Version extracted: $VERSION"
+          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Print version
+        run: echo ${{ env.CLI_VERSION }}
+
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: ./npm/package-lock.json
+      - name: Install dependencies
+        working-directory: ${{ env.working-directory }}
+        run: npm install --ignore-scripts
+
+      - name: Set NPM version
+        working-directory: ${{ env.working-directory }}
+        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+      - name: Setup NPM
+        working-directory: ${{ env.working-directory }}
+        run: |
+          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Pack NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm pack
+
+      - name: Publish NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  goreleaser:
+    runs-on: ubuntu-latest-8-cores
+    needs: [cli-integration-tests]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: Setup for libssl1.0-dev
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          sudo apt update
+          sudo apt-get install -y libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: v1.26.2-pro
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
+        with:
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Install deb-s3
+        run: gem install deb-s3
+      - name: Configure GPG Key
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+      - name: Invalidate Cloudfront cache
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

.github/workflows/run-cli-tests.yml

@@ -0,0 +1,55 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_dispatch:
+
+    workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+              run: go test -v -count=1 ./test

.goreleaser.yaml

@@ -0,0 +1,241 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+# before:
+#   hooks:
+#     # You may remove this if you don't use go modules.
+#     - cd cli && go mod tidy
+#     # you may remove this if you don't need go generate
+#     - cd cli && go generate ./...
+before:
+  hooks:
+    - ./cli/scripts/completions.sh
+    - ./cli/scripts/manpages.sh
+
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
+builds:
+  - id: darwin-build
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    env:
+      - CGO_ENABLED=1
+      - CC=/home/runner/work/osxcross/target/bin/o64-clang
+      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
+    goos:
+      - darwin
+    ignore:
+      - goos: darwin
+        goarch: "386"
+    dir: ./cli
+
+  - id: all-other-builds
+    env:
+      - CGO_ENABLED=0
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    goos:
+      - freebsd
+      - linux
+      - netbsd
+      - openbsd
+      - windows
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    goarm:
+      - "6"
+      - "7"
+    ignore:
+      - goos: windows
+        goarch: "386"
+      - goos: freebsd
+        goarch: "386"
+    dir: ./cli
+
+archives:
+  - format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
+
+release:
+  replace_existing_draft: true
+  mode: "replace"
+
+checksum:
+  name_template: "checksums.txt"
+
+snapshot:
+  name_template: "{{ .Version }}-devel"
+
+# publishers:
+#   - name: fury.io
+#     ids:
+#       - infisical
+#     dir: "{{ dir .ArtifactPath }}"
+#     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
+brews:
+  - name: infisical
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+  - name: "infisical@{{.Version}}"
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
+nfpms:
+  - id: infisical
+    package_name: infisical
+    builds:
+      - all-other-builds
+    vendor: Infisical, Inc
+    homepage: https://infisical.com/
+    maintainer: Infisical, Inc
+    description: The offical Infisical CLI
+    license: MIT
+    formats:
+      - rpm
+      - deb
+      - apk
+      - archlinux
+    bindir: /usr/bin
+    contents:
+      - src: ./completions/infisical.bash
+        dst: /etc/bash_completion.d/infisical
+      - src: ./completions/infisical.fish
+        dst: /usr/share/fish/vendor_completions.d/infisical.fish
+      - src: ./completions/infisical.zsh
+        dst: /usr/share/zsh/site-functions/_infisical
+      - src: ./manpages/infisical.1.gz
+        dst: /usr/share/man/man1/infisical.1.gz
+
+scoop:
+  bucket:
+    owner: Infisical
+    name: scoop-infisical
+  commit_author:
+    name: "Infisical"
+    email: ai@infisical.com
+  homepage: "https://infisical.com"
+  description: "The official Infisical CLI"
+  license: MIT
+
+winget:
+  - name: infisical
+    publisher: infisical
+    license: MIT
+    homepage: https://infisical.com
+    short_description: "The official Infisical CLI"
+    repository:
+      owner: infisical
+      name: winget-pkgs
+      branch: "infisical-{{.Version}}"
+      pull_request:
+        enabled: true
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
+
+aurs:
+  - name: infisical-bin
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    maintainers:
+      - Infisical, Inc <support@infisical.com>
+    license: MIT
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+    package: |-
+      # bin
+      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+      # license
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+      # completions
+      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+      # man pages
+      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:latest-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+      - "infisical/cli:latest-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+
+docker_manifests:
+  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+  - name_template: "infisical/cli:latest"
+    image_templates:
+      - "infisical/cli:latest-amd64"
+      - "infisical/cli:latest-arm64"

Dockerfile.fips.standalone-infisical

@@ -34,8 +34,6 @@ ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
 
-ENV NODE_OPTIONS="--max-old-space-size=8192"
-
 # Build
 RUN npm run build
 
@@ -147,11 +145,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips \
-    && cd / \
-    && rm -rf /openssl-build \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && make install_fips
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
@@ -192,11 +186,12 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=8192 --force-fips"
+ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 # FIPS mode of operation:
 ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
 ENV FIPS_ENABLED=true
   
 
@@ -211,11 +206,6 @@ EXPOSE 443
 RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
     mv dist/main.mjs.tmp dist/main.mjs
 
-# The OpenSSL library is installed in different locations in different architectures (x86_64 and arm64).
-# This is a workaround to avoid errors when the library is not found.
-RUN ln -sf /usr/local/lib64/ossl-modules /usr/local/lib/ossl-modules || \
-    ln -sf /usr/local/lib/ossl-modules /usr/local/lib64/ossl-modules
-
 USER non-root-user
 
 CMD ["./standalone-entrypoint.sh"]

backend/Dockerfile.dev.fips

@@ -59,11 +59,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips \
-    && cd / \
-    && rm -rf /openssl-build \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && make install_fips
 
 # ? App setup
 

backend/e2e-test/mocks/queue.ts

@@ -24,7 +24,6 @@ export const mockQueue = (): TQueueServiceFactory => {
       events[name] = event;
     },
     getRepeatableJobs: async () => [],
-    getDelayedJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
     stopJobByIdPg: async () => {},

backend/package-lock.json

@@ -7,7 +7,6 @@
     "": {
       "name": "backend",
       "version": "1.0.0",
-      "hasInstallScript": true,
       "license": "ISC",
       "dependencies": {
         "@aws-sdk/client-elasticache": "^3.637.0",
@@ -62,7 +61,7 @@
         "ajv": "^8.12.0",
         "argon2": "^0.31.2",
         "aws-sdk": "^2.1553.0",
-        "axios": "^1.11.0",
+        "axios": "^1.6.7",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
         "botbuilder": "^4.23.2",
@@ -13700,16 +13699,14 @@
       }
     },
     "node_modules/@types/request/node_modules/form-data": {
-      "version": "2.5.5",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.5.tgz",
-      "integrity": "sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==",
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.2.tgz",
+      "integrity": "sha512-GgwY0PS7DbXqajuGf4OYlsrIu3zgxD6Vvql43IBhm6MahqA5SK/7mwhtNj2AdH2z35YR34ujJ7BN+3fFC3jP5Q==",
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
-        "combined-stream": "^1.0.8",
-        "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
-        "mime-types": "^2.1.35",
+        "combined-stream": "^1.0.6",
+        "mime-types": "^2.1.12",
         "safe-buffer": "^5.2.1"
       },
       "engines": {
@@ -15233,13 +15230,13 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.11.0",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.11.0.tgz",
-      "integrity": "sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==",
+      "version": "1.7.9",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
+      "integrity": "sha512-LhLcE7Hbiryz8oMDdDptSrWowmB4Bl6RCt6sIJKpRB4XtVf0iEgewX3au/pJqm+Py1kCASkb/FFKjxQaLtxJvw==",
       "license": "MIT",
       "dependencies": {
         "follow-redirects": "^1.15.6",
-        "form-data": "^4.0.4",
+        "form-data": "^4.0.0",
         "proxy-from-env": "^1.1.0"
       }
     },
@@ -18764,15 +18761,13 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
-      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
-      "license": "MIT",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz",
+      "integrity": "sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
         "mime-types": "^2.1.12"
       },
       "engines": {

backend/package.json

@@ -181,7 +181,7 @@
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",
-    "axios": "^1.11.0",
+    "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
     "botbuilder": "^4.23.2",

backend/src/@types/fastify.d.ts

@@ -93,7 +93,6 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -126,15 +125,6 @@ declare module "@fastify/request-context" {
         namespace: string;
         name: string;
       };
-      aws?: {
-        accountId: string;
-        arn: string;
-        userId: string;
-        partition: string;
-        service: string;
-        resourceType: string;
-        resourceName: string;
-      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -295,7 +285,6 @@ declare module "fastify" {
       secretScanningV2: TSecretScanningV2ServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
       pkiTemplate: TPkiTemplatesServiceFactory;
-      reminder: TReminderServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -489,11 +489,6 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import {
-  TAccessApprovalPoliciesEnvironments,
-  TAccessApprovalPoliciesEnvironmentsInsert,
-  TAccessApprovalPoliciesEnvironmentsUpdate
-} from "@app/db/schemas/access-approval-policies-environments";
 import {
   TIdentityLdapAuths,
   TIdentityLdapAuthsInsert,
@@ -509,17 +504,6 @@ import {
   TProjectMicrosoftTeamsConfigsInsert,
   TProjectMicrosoftTeamsConfigsUpdate
 } from "@app/db/schemas/project-microsoft-teams-configs";
-import { TReminders, TRemindersInsert, TRemindersUpdate } from "@app/db/schemas/reminders";
-import {
-  TRemindersRecipients,
-  TRemindersRecipientsInsert,
-  TRemindersRecipientsUpdate
-} from "@app/db/schemas/reminders-recipients";
-import {
-  TSecretApprovalPoliciesEnvironments,
-  TSecretApprovalPoliciesEnvironmentsInsert,
-  TSecretApprovalPoliciesEnvironmentsUpdate
-} from "@app/db/schemas/secret-approval-policies-environments";
 import {
   TSecretReminderRecipients,
   TSecretReminderRecipientsInsert,
@@ -897,12 +881,6 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesBypassersUpdate
     >;
 
-    [TableName.AccessApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesEnvironments,
-      TAccessApprovalPoliciesEnvironmentsInsert,
-      TAccessApprovalPoliciesEnvironmentsUpdate
-    >;
-
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -951,11 +929,6 @@ declare module "knex/types/tables" {
       TSecretApprovalRequestSecretTagsInsert,
       TSecretApprovalRequestSecretTagsUpdate
     >;
-    [TableName.SecretApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
-      TSecretApprovalPoliciesEnvironments,
-      TSecretApprovalPoliciesEnvironmentsInsert,
-      TSecretApprovalPoliciesEnvironmentsUpdate
-    >;
     [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
       TSecretRotations,
       TSecretRotationsInsert,
@@ -1238,11 +1211,5 @@ declare module "knex/types/tables" {
       TSecretScanningConfigsInsert,
       TSecretScanningConfigsUpdate
     >;
-    [TableName.Reminder]: KnexOriginal.CompositeTableType<TReminders, TRemindersInsert, TRemindersUpdate>;
-    [TableName.ReminderRecipient]: KnexOriginal.CompositeTableType<
-      TRemindersRecipients,
-      TRemindersRecipientsInsert,
-      TRemindersRecipientsUpdate
-    >;
   }
 }

backend/src/db/migrations/20250701202824_add-reminder-table.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Reminder))) {
-    await knex.schema.createTable(TableName.Reminder, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("secretId").nullable();
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      t.string("message", 1024).nullable();
-      t.integer("repeatDays").checkPositive().nullable();
-      t.timestamp("nextReminderDate").notNullable();
-      t.timestamps(true, true, true);
-      t.unique("secretId");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ReminderRecipient))) {
-    await knex.schema.createTable(TableName.ReminderRecipient, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("reminderId").notNullable();
-      t.foreign("reminderId").references("id").inTable(TableName.Reminder).onDelete("CASCADE");
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.index("reminderId");
-      t.index("userId");
-      t.unique(["reminderId", "userId"]);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.Reminder);
-  await createOnUpdateTrigger(knex, TableName.ReminderRecipient);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.Reminder);
-  await dropOnUpdateTrigger(knex, TableName.ReminderRecipient);
-  await knex.schema.dropTableIfExists(TableName.ReminderRecipient);
-  await knex.schema.dropTableIfExists(TableName.Reminder);
-}

backend/src/db/migrations/20250718133527_project-unify-revert.ts

@@ -1,432 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-import { v4 as uuidV4 } from "uuid";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { ProjectType, TableName } from "../schemas";
-
-/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
-
-// Single query to get all projects that need any kind of kickout
-const getProjectsNeedingKickouts = async (
-  knex: Knex
-): Promise<
-  Array<{
-    id: string;
-    defaultProduct: string;
-    needsSecretManager: boolean;
-    needsCertManager: boolean;
-    needsSecretScanning: boolean;
-    needsKms: boolean;
-    needsSsh: boolean;
-  }>
-> => {
-  const result = await knex.raw(
-    `
-SELECT DISTINCT
-  p.id,
-  p."defaultProduct",
-  
-  -- Use CASE with direct joins instead of EXISTS subqueries
-  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
-  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
-  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
-  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
-  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
-
-FROM projects p
-LEFT JOIN (
-  SELECT DISTINCT e."projectId", 1 as secret_exists
-  FROM secrets_v2 s
-  JOIN secret_folders sf ON sf.id = s."folderId"
-  JOIN project_environments e ON e.id = sf."envId"
-) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as ca_exists
-  FROM certificate_authorities
-) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as ssds_exists
-  FROM secret_scanning_data_sources
-) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as kms_exists
-  FROM kms_keys
-  WHERE "isReserved" = false
-) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
-
-LEFT JOIN (
-  SELECT DISTINCT sca."projectId", 1 as ssh_exists
-  FROM ssh_certificates sc
-  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
-) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
-
-WHERE p."defaultProduct" IS NOT NULL
-  AND (
-    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
-  )
-    `
-  );
-
-  return result.rows;
-};
-
-const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
-  const newProjectId = uuidV4();
-  const project = await knex(TableName.Project).where("id", projectId).first();
-  await knex(TableName.Project).insert({
-    ...project,
-    type: projectType,
-    defaultProduct: null,
-    // @ts-ignore id is required
-    id: newProjectId,
-    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
-  });
-
-  const customRoleMapping: Record<string, string> = {};
-  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
-  if (projectCustomRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectRoles,
-      projectCustomRoles.map((el) => {
-        const id = uuidV4();
-        customRoleMapping[el.id] = id;
-        return {
-          ...el,
-          id,
-          projectId: newProjectId,
-          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
-        };
-      })
-    );
-  }
-  const groupMembershipMapping: Record<string, string> = {};
-  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
-  if (groupMemberships.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembership,
-      groupMemberships.map((el) => {
-        const id = uuidV4();
-        groupMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    groupMemberships.map((el) => el.id)
-  );
-  if (groupMembershipRoles.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembershipRole,
-      groupMembershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const identityProjectMembershipMapping: Record<string, string> = {};
-  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
-  if (identities.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembership,
-      identities.map((el) => {
-        const id = uuidV4();
-        identityProjectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    identities.map((el) => el.id)
-  );
-  if (identitiesRoles.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembershipRole,
-      identitiesRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const projectMembershipMapping: Record<string, string> = {};
-  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
-  if (projectUserMembers.length) {
-    await knex.batchInsert(
-      TableName.ProjectMembership,
-      projectUserMembers.map((el) => {
-        const id = uuidV4();
-        projectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
-    "projectMembershipId",
-    projectUserMembers.map((el) => el.id)
-  );
-  if (membershipRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectUserMembershipRole,
-      membershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
-  if (kmsKeys.length) {
-    await knex.batchInsert(
-      TableName.KmsKey,
-      kmsKeys.map((el) => {
-        const id = uuidV4();
-        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
-        return { ...el, id, slug, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
-  if (projectBot) {
-    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
-    await knex(TableName.ProjectBot).insert(newProjectBot);
-  }
-
-  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
-  if (projectKeys.length) {
-    await knex.batchInsert(
-      TableName.ProjectKeys,
-      projectKeys.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
-  if (projectGateways.length) {
-    await knex.batchInsert(
-      TableName.ProjectGateway,
-      projectGateways.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
-  if (projectSlackConfigs.length) {
-    await knex.batchInsert(
-      TableName.ProjectSlackConfigs,
-      projectSlackConfigs.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
-  if (projectMicrosoftTeamsConfigs.length) {
-    await knex.batchInsert(
-      TableName.ProjectMicrosoftTeamsConfigs,
-      projectMicrosoftTeamsConfigs.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
-  if (trustedIps.length) {
-    await knex.batchInsert(
-      TableName.TrustedIps,
-      trustedIps.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  return newProjectId;
-};
-
-const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
-  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
-  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
-  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
-  await knex(TableName.KmsKey)
-    .where("projectId", oldProjectId)
-    .andWhere("isReserved", false)
-    .update("projectId", newProjectId);
-  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
-  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const BATCH_SIZE = 1000;
-const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
-
-export async function up(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-    if (hasTemplateTypeColumn) {
-      await knex(TableName.ProjectTemplates).whereNull("type").update({
-        type: ProjectType.SecretManager
-      });
-      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
-      });
-    }
-
-    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-    if (hasTypeColumn && hasDefaultTypeColumn) {
-      await knex(TableName.Project).update({
-        // eslint-disable-next-line
-        // @ts-ignore this is because this field is created later
-        type: knex.raw(`"defaultProduct"`)
-      });
-
-      await knex.schema.alterTable(TableName.Project, (t) => {
-        t.string("type").notNullable().alter();
-        t.string("defaultProduct").nullable().alter();
-      });
-
-      // Get all projects that need kickouts in a single query
-      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
-
-      // Process projects in batches to avoid overwhelming the database
-      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
-        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
-        const processedIds: string[] = [];
-
-        for (const project of batch) {
-          const kickoutPromises: Promise<void>[] = [];
-
-          // Only add kickouts that are actually needed (flags are pre-computed)
-          if (project.needsSecretManager) {
-            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
-          }
-          if (project.needsCertManager) {
-            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
-          }
-          if (project.needsKms) {
-            kickoutPromises.push(kickOutKmsProject(knex, project.id));
-          }
-          if (project.needsSsh) {
-            kickoutPromises.push(kickOutSshProject(knex, project.id));
-          }
-          if (project.needsSecretScanning) {
-            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
-          }
-
-          // Execute all kickouts in parallel and handle any failures gracefully
-          if (kickoutPromises.length > 0) {
-            const results = await Promise.allSettled(kickoutPromises);
-
-            // Log any failures for debugging
-            results.forEach((res) => {
-              if (res.status === "rejected") {
-                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
-              }
-            });
-          }
-
-          processedIds.push(project.id);
-        }
-
-        // Clear defaultProduct for the processed batch
-        if (processedIds.length > 0) {
-          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
-        }
-      }
-    }
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasTypeColumn && hasDefaultTypeColumn) {
-    await knex(TableName.Project).update({
-      // eslint-disable-next-line
-      // @ts-ignore this is because this field is created later
-      defaultProduct: knex.raw(`
-    CASE 
-      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
-      ELSE "type" 
-    END
-  `)
-    });
-
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").nullable().alter();
-      t.string("defaultProduct").notNullable().alter();
-    });
-  }
-
-  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-  if (hasTemplateTypeColumn) {
-    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-      t.string("type").nullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250722152841_add-policies-environments-table.ts

@@ -1,96 +0,0 @@
-import { Knex } from "knex";
-
-import { selectAllTableCols } from "@app/lib/knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyEnvironment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment);
-      t.timestamps(true, true, true);
-      t.unique(["policyId", "envId"]);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
-
-    const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
-      .select(selectAllTableCols(TableName.AccessApprovalPolicy))
-      .whereNotNull(`${TableName.AccessApprovalPolicy}.envId`);
-
-    const accessApprovalPolicies = existingAccessApprovalPolicies.map(async (policy) => {
-      await knex(TableName.AccessApprovalPolicyEnvironment).insert({
-        policyId: policy.id,
-        envId: policy.envId
-      });
-    });
-
-    await Promise.all(accessApprovalPolicies);
-  }
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyEnvironment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment);
-      t.timestamps(true, true, true);
-      t.unique(["policyId", "envId"]);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
-
-    const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
-      .select(selectAllTableCols(TableName.SecretApprovalPolicy))
-      .whereNotNull(`${TableName.SecretApprovalPolicy}.envId`);
-
-    const secretApprovalPolicies = existingSecretApprovalPolicies.map(async (policy) => {
-      await knex(TableName.SecretApprovalPolicyEnvironment).insert({
-        policyId: policy.id,
-        envId: policy.envId
-      });
-    });
-
-    await Promise.all(secretApprovalPolicies);
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
-  });
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment)) {
-    await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyEnvironment);
-    await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
-  }
-  if (await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment)) {
-    await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyEnvironment);
-    await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-  });
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-  });
-}

backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts

@@ -1,111 +0,0 @@
-/* eslint-disable no-await-in-loop */
-import { Knex } from "knex";
-
-import { chunkArray } from "@app/lib/fn";
-import { logger } from "@app/lib/logger";
-
-import { TableName } from "../schemas";
-import { TReminders, TRemindersInsert } from "../schemas/reminders";
-
-export async function up(knex: Knex): Promise<void> {
-  logger.info("Initializing secret reminders migration");
-  const hasReminderTable = await knex.schema.hasTable(TableName.Reminder);
-
-  if (hasReminderTable) {
-    const secretsWithLatestVersions = await knex(TableName.SecretV2)
-      .whereNotNull(`${TableName.SecretV2}.reminderRepeatDays`)
-      .whereRaw(`"${TableName.SecretV2}"."reminderRepeatDays" > 0`)
-      .innerJoin(TableName.SecretVersionV2, (qb) => {
-        void qb
-          .on(`${TableName.SecretVersionV2}.secretId`, "=", `${TableName.SecretV2}.id`)
-          .andOn(`${TableName.SecretVersionV2}.reminderRepeatDays`, "=", `${TableName.SecretV2}.reminderRepeatDays`);
-      })
-      .whereIn([`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretVersionV2}.version`], (qb) => {
-        void qb
-          .select(["v2.secretId", knex.raw("MIN(v2.version) as version")])
-          .from(`${TableName.SecretVersionV2} as v2`)
-          .innerJoin(`${TableName.SecretV2} as s2`, "v2.secretId", "s2.id")
-          .whereRaw(`v2."reminderRepeatDays" = s2."reminderRepeatDays"`)
-          .whereNotNull("v2.reminderRepeatDays")
-          .whereRaw(`v2."reminderRepeatDays" > 0`)
-          .groupBy("v2.secretId");
-      })
-      // Add LEFT JOIN with Reminder table to check for existing reminders
-      .leftJoin(TableName.Reminder, `${TableName.Reminder}.secretId`, `${TableName.SecretV2}.id`)
-      // Only include secrets that don't already have reminders
-      .whereNull(`${TableName.Reminder}.secretId`)
-      .select(
-        knex.ref("id").withSchema(TableName.SecretV2).as("secretId"),
-        knex.ref("reminderRepeatDays").withSchema(TableName.SecretV2).as("reminderRepeatDays"),
-        knex.ref("reminderNote").withSchema(TableName.SecretV2).as("reminderNote"),
-        knex.ref("createdAt").withSchema(TableName.SecretVersionV2).as("createdAt")
-      );
-
-    logger.info(`Found ${secretsWithLatestVersions.length} reminders to migrate`);
-
-    const reminderInserts: TRemindersInsert[] = [];
-    if (secretsWithLatestVersions.length > 0) {
-      secretsWithLatestVersions.forEach((secret) => {
-        if (!secret.reminderRepeatDays) return;
-
-        const now = new Date();
-        const createdAt = new Date(secret.createdAt);
-        let nextReminderDate = new Date(createdAt);
-        nextReminderDate.setDate(nextReminderDate.getDate() + secret.reminderRepeatDays);
-
-        // If the next reminder date is in the past, calculate the proper next occurrence
-        if (nextReminderDate < now) {
-          const daysSinceCreation = Math.floor((now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24));
-          const daysIntoCurrentCycle = daysSinceCreation % secret.reminderRepeatDays;
-          const daysUntilNextReminder = secret.reminderRepeatDays - daysIntoCurrentCycle;
-
-          nextReminderDate = new Date(now);
-          nextReminderDate.setDate(now.getDate() + daysUntilNextReminder);
-        }
-
-        reminderInserts.push({
-          secretId: secret.secretId,
-          message: secret.reminderNote,
-          repeatDays: secret.reminderRepeatDays,
-          nextReminderDate
-        });
-      });
-
-      const commitBatches = chunkArray(reminderInserts, 2000);
-      for (const commitBatch of commitBatches) {
-        const insertedReminders = (await knex
-          .batchInsert(TableName.Reminder, commitBatch)
-          .returning("*")) as TReminders[];
-
-        const insertedReminderSecretIds = insertedReminders.map((reminder) => reminder.secretId).filter(Boolean);
-
-        const recipients = await knex(TableName.SecretReminderRecipients)
-          .whereRaw(`??.?? IN (${insertedReminderSecretIds.map(() => "?").join(",")})`, [
-            TableName.SecretReminderRecipients,
-            "secretId",
-            ...insertedReminderSecretIds
-          ])
-          .select(
-            knex.ref("userId").withSchema(TableName.SecretReminderRecipients).as("userId"),
-            knex.ref("secretId").withSchema(TableName.SecretReminderRecipients).as("secretId")
-          );
-        const reminderRecipients = recipients.map((recipient) => ({
-          reminderId: insertedReminders.find((reminder) => reminder.secretId === recipient.secretId)?.id,
-          userId: recipient.userId
-        }));
-
-        const filteredRecipients = reminderRecipients.filter((recipient) => Boolean(recipient.reminderId));
-        await knex.batchInsert(TableName.ReminderRecipient, filteredRecipients);
-      }
-      logger.info(`Successfully migrated ${reminderInserts.length} secret reminders`);
-    }
-
-    logger.info("Secret reminders migration completed");
-  } else {
-    logger.warn("Reminder table does not exist, skipping migration");
-  }
-}
-
-export async function down(): Promise<void> {
-  logger.info("Rollback not implemented for secret reminders fix migration");
-}

backend/src/db/migrations/20250725171821_add-secret-detection-ignore-values.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues"))) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.specificType("secretDetectionIgnoreValues", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues")) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("secretDetectionIgnoreValues");
-    });
-  }
-}

backend/src/db/migrations/utils/env-config.ts

@@ -53,7 +53,7 @@ export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory
 
   let envCfg = Object.freeze(parsedEnv.data);
 
-  const fipsEnabled = await crypto.initialize(superAdminDAL, envCfg);
+  const fipsEnabled = await crypto.initialize(superAdminDAL);
 
   // Fix for 128-bit entropy encryption key expansion issue:
   // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.

backend/src/db/schemas/access-approval-policies-environments.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesEnvironmentsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesEnvironments = z.infer<typeof AccessApprovalPoliciesEnvironmentsSchema>;
-export type TAccessApprovalPoliciesEnvironmentsInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesEnvironmentsUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/models.ts

@@ -100,7 +100,6 @@ export enum TableName {
   AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
-  AccessApprovalPolicyEnvironment = "access_approval_policies_environments",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
@@ -108,7 +107,6 @@ export enum TableName {
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
   SecretApprovalRequestSecretTag = "secret_approval_request_secret_tags",
-  SecretApprovalPolicyEnvironment = "secret_approval_policies_environments",
   SecretRotation = "secret_rotations",
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
@@ -162,7 +160,7 @@ export enum TableName {
   SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
-  SecretReminderRecipients = "secret_reminder_recipients", // TODO(Carlos): Remove this in the future after migrating to the new reminder recipients table
+  SecretReminderRecipients = "secret_reminder_recipients",
   GithubOrgSyncConfig = "github_org_sync_configs",
   FolderCommit = "folder_commits",
   FolderCommitChanges = "folder_commit_changes",
@@ -174,10 +172,7 @@ export enum TableName {
   SecretScanningResource = "secret_scanning_resources",
   SecretScanningScan = "secret_scanning_scans",
   SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs",
-  // reminders
-  Reminder = "reminders",
-  ReminderRecipient = "reminders_recipients"
+  SecretScanningConfig = "secret_scanning_configs"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -272,16 +267,6 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  SecretScanning = ProjectType.SecretScanning,
-  // project operations that happen on all types
-  Any = "any"
-}
-
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().default("secret-manager")
+  type: z.string().nullable().optional()
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,13 +25,12 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string(),
+  type: z.string().nullable().optional(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().nullable().optional(),
-  secretDetectionIgnoreValues: z.string().array().nullable().optional()
+  defaultProduct: z.string().default("secret-manager")
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/reminders-recipients.ts

@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const RemindersRecipientsSchema = z.object({
-  id: z.string().uuid(),
-  reminderId: z.string().uuid(),
-  userId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TRemindersRecipients = z.infer<typeof RemindersRecipientsSchema>;
-export type TRemindersRecipientsInsert = Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>;
-export type TRemindersRecipientsUpdate = Partial<Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/reminders.ts

@@ -1,22 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const RemindersSchema = z.object({
-  id: z.string().uuid(),
-  secretId: z.string().uuid().nullable().optional(),
-  message: z.string().nullable().optional(),
-  repeatDays: z.number().nullable().optional(),
-  nextReminderDate: z.date(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TReminders = z.infer<typeof RemindersSchema>;
-export type TRemindersInsert = Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>;
-export type TRemindersUpdate = Partial<Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-policies-environments.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalPoliciesEnvironmentsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretApprovalPoliciesEnvironments = z.infer<typeof SecretApprovalPoliciesEnvironmentsSchema>;
-export type TSecretApprovalPoliciesEnvironmentsInsert = Omit<
-  z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalPoliciesEnvironmentsUpdate = Partial<
-  Omit<z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
->;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -17,66 +17,52 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .min(1, { message: "Secret path cannot be empty" })
-            .transform(removeTrailingSlash),
-          environment: z.string().optional(),
-          environments: z.string().array().optional(),
-          approvers: z
-            .discriminatedUnion("type", [
-              z.object({
-                type: z.literal(ApproverType.Group),
-                id: z.string(),
-                sequence: z.number().int().default(1)
-              }),
-              z.object({
-                type: z.literal(ApproverType.User),
-                id: z.string().optional(),
-                username: z.string().optional(),
-                sequence: z.number().int().default(1)
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 approvers")
-            .min(1, { message: "At least one approver should be provided" })
-            .refine(
-              // @ts-expect-error this is ok
-              (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
-              "Must provide either username or id"
-            ),
-          bypassers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(BypasserType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 bypassers")
-            .optional(),
-          approvalsRequired: z
-            .object({
-              numberOfApprovals: z.number().int(),
-              stepNumber: z.number().int()
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
+        environment: z.string(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({
+              type: z.literal(ApproverType.Group),
+              id: z.string(),
+              sequence: z.number().int().default(1)
+            }),
+            z.object({
+              type: z.literal(ApproverType.User),
+              id: z.string().optional(),
+              username: z.string().optional(),
+              sequence: z.number().int().default(1)
             })
-            .array()
-            .optional(),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
-        })
-        .refine(
-          (val) => Boolean(val.environment) || Boolean(val.environments),
-          "Must provide either environment or environments"
-        ),
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 approvers")
+          .min(1, { message: "At least one approver should be provided" })
+          .refine(
+            // @ts-expect-error this is ok
+            (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
+            "Must provide either username or id"
+          ),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
+        approvalsRequired: z
+          .object({
+            numberOfApprovals: z.number().int(),
+            stepNumber: z.number().int()
+          })
+          .array()
+          .optional(),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -92,8 +78,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name:
-          req.body.name ?? `${req.body.environment || req.body.environments?.join("-").substring(0, 250)}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -226,7 +211,6 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true),
-        environments: z.array(z.string()).optional(),
         approvalsRequired: z
           .object({
             numberOfApprovals: z.number().int(),

backend/src/ee/routes/v1/license-router.ts

@@ -43,12 +43,6 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       params: z.object({ organizationId: z.string().trim() }),
-      querystring: z.object({
-        refreshCache: z
-          .enum(["true", "false"])
-          .default("false")
-          .transform((value) => value === "true")
-      }),
       response: {
         200: z.object({ plan: z.any() })
       }
@@ -60,8 +54,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        orgId: req.params.organizationId,
-        refreshCache: req.query.refreshCache
+        orgId: req.params.organizationId
       });
       return { plan };
     }

backend/src/ee/routes/v1/pit-router.ts

@@ -3,14 +3,11 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { isValidFolderName } from "@app/lib/validator";
-import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
-import { SecretNameSchema } from "@app/server/lib/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const commitHistoryItemSchema = z.object({
   id: z.string(),
@@ -416,166 +413,4 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
       return result;
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/batch/commit",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      hide: true,
-      description: "Commit changes",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        message: z
-          .string()
-          .trim()
-          .min(1)
-          .max(255)
-          .refine((message) => message.trim() !== "", {
-            message: "Commit message cannot be empty"
-          }),
-        changes: z.object({
-          secrets: z.object({
-            create: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema,
-                  secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-                  secretComment: z.string().trim().optional().default(""),
-                  skipMultilineEncoding: z.boolean().optional(),
-                  metadata: z.record(z.string()).optional(),
-                  secretMetadata: ResourceMetadataSchema.optional(),
-                  tagIds: z.string().array().optional()
-                })
-              )
-              .optional(),
-            update: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema,
-                  newSecretName: SecretNameSchema.optional(),
-                  secretValue: z
-                    .string()
-                    .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-                    .optional(),
-                  secretComment: z.string().trim().optional().default(""),
-                  skipMultilineEncoding: z.boolean().optional(),
-                  metadata: z.record(z.string()).optional(),
-                  secretMetadata: ResourceMetadataSchema.optional(),
-                  tagIds: z.string().array().optional()
-                })
-              )
-              .optional(),
-            delete: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema
-                })
-              )
-              .optional()
-          }),
-          folders: z.object({
-            create: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  description: z.string().optional()
-                })
-              )
-              .optional(),
-            update: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  description: z.string().nullable().optional(),
-                  id: z.string()
-                })
-              )
-              .optional(),
-            delete: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  id: z.string()
-                })
-              )
-              .optional()
-          })
-        })
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const result = await server.services.pit.processNewCommitRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        projectId: req.body.projectId,
-        environment: req.body.environment,
-        secretPath: req.body.secretPath,
-        message: req.body.message,
-        changes: {
-          secrets: req.body.changes.secrets,
-          folders: req.body.changes.folders
-        }
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.body.projectId,
-        event: {
-          type: EventType.PIT_PROCESS_NEW_COMMIT_RAW,
-          metadata: {
-            commitId: result.commitId,
-            approvalId: result.approvalId,
-            projectId: req.body.projectId,
-            environment: req.body.environment,
-            secretPath: req.body.secretPath,
-            message: req.body.message
-          }
-        }
-      });
-
-      for await (const event of result.secretMutationEvents) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          orgId: req.permission.orgId,
-          projectId: req.body.projectId,
-          event
-        });
-      }
-
-      return { message: "success" };
-    }
-  });
 };

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,9 +104,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
-      querystring: z.object({
-        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
-      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -115,10 +112,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
-        req.permission,
-        req.query.type
-      );
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -197,7 +191,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
-        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -17,45 +17,34 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string().optional(),
-          environments: z.string().array().optional(),
-          secretPath: z
-            .string()
-            .min(1, { message: "Secret path cannot be empty" })
-            .transform((val) => removeTrailingSlash(val)),
-          approvers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(ApproverType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .min(1, { message: "At least one approver should be provided" })
-            .max(100, "Cannot have more than 100 approvers"),
-          bypassers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(BypasserType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 bypassers")
-            .optional(),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
-        })
-        .refine((data) => data.environment || data.environments, "At least one environment should be provided"),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .min(1, { message: "Secret path cannot be empty" })
+          .transform((val) => removeTrailingSlash(val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -71,7 +60,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment || req.body.environments?.join(",")}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -114,8 +103,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .optional()
           .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
-        allowedSelfApprovals: z.boolean().default(true),
-        environments: z.array(z.string()).optional()
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -315,12 +315,10 @@ export const registerSecretRotationEndpoints = <
       querystring: z.object({
         deleteSecrets: z
           .enum(["true", "false"])
-          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).deleteSecrets),
         revokeGeneratedCredentials: z
           .enum(["true", "false"])
-          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
       }),

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -26,7 +26,6 @@ export interface TAccessApprovalPolicyDALFactory
     >,
     customFilter?: {
       policyId?: string;
-      envId?: string;
     },
     tx?: Knex
   ) => Promise<
@@ -56,6 +55,11 @@ export interface TAccessApprovalPolicyDALFactory
       allowedSelfApprovals: boolean;
       secretPath: string;
       deletedAt?: Date | null | undefined;
+      environment: {
+        id: string;
+        name: string;
+        slug: string;
+      };
       projectId: string;
       bypassers: (
         | {
@@ -68,11 +72,6 @@ export interface TAccessApprovalPolicyDALFactory
             type: BypasserType.Group;
           }
       )[];
-      environments: {
-        id: string;
-        name: string;
-        slug: string;
-      }[];
     }[]
   >;
   findById: (
@@ -96,11 +95,11 @@ export interface TAccessApprovalPolicyDALFactory
         allowedSelfApprovals: boolean;
         secretPath: string;
         deletedAt?: Date | null | undefined;
-        environments: {
+        environment: {
           id: string;
           name: string;
           slug: string;
-        }[];
+        };
         projectId: string;
       }
     | undefined
@@ -144,26 +143,6 @@ export interface TAccessApprovalPolicyDALFactory
       }
     | undefined
   >;
-  findPolicyByEnvIdAndSecretPath: (
-    { envIds, secretPath }: { envIds: string[]; secretPath: string },
-    tx?: Knex
-  ) => Promise<{
-    name: string;
-    id: string;
-    createdAt: Date;
-    updatedAt: Date;
-    approvals: number;
-    enforcementLevel: string;
-    allowedSelfApprovals: boolean;
-    secretPath: string;
-    deletedAt?: Date | null | undefined;
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
-    projectId: string;
-  }>;
 }
 
 export interface TAccessApprovalPolicyServiceFactory {
@@ -388,7 +367,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
     customFilter?: {
       policyId?: string;
-      envId?: string;
     }
   ) => {
     const result = await tx(TableName.AccessApprovalPolicy)
@@ -399,17 +377,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
         }
       })
-      .join(
-        TableName.AccessApprovalPolicyEnvironment,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
-      )
-      .join(TableName.Environment, `${TableName.AccessApprovalPolicyEnvironment}.envId`, `${TableName.Environment}.id`)
-      .where((qb) => {
-        if (customFilter?.envId) {
-          void qb.where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", customFilter.envId);
-        }
-      })
+      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .leftJoin(
         TableName.AccessApprovalPolicyApprover,
         `${TableName.AccessApprovalPolicy}.id`,
@@ -436,7 +404,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
       .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("environmentId"))
+      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
       .select(tx.ref("projectId").withSchema(TableName.Environment))
       .select(selectAllTableCols(TableName.AccessApprovalPolicy));
 
@@ -480,15 +448,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               sequence: approverSequence,
               approvalsRequired
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -511,6 +470,11 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
         data: docs,
         key: "id",
         parentMapper: (data) => ({
+          environment: {
+            id: data.envId,
+            name: data.envName,
+            slug: data.envSlug
+          },
           projectId: data.projectId,
           ...AccessApprovalPoliciesSchema.parse(data)
           // secretPath: data.secretPath || undefined,
@@ -553,15 +517,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               id,
               type: BypasserType.Group as const
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -590,20 +545,14 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           // eslint-disable-next-line @typescript-eslint/no-misused-promises
           buildFindFilter(
             {
+              envId,
               secretPath
             },
             TableName.AccessApprovalPolicy
           )
         )
-        .join(
-          TableName.AccessApprovalPolicyEnvironment,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", envId)
         .orderBy("deletedAt", "desc")
         .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
         .first();
 
       return result;
@@ -612,81 +561,5 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     }
   };
 
-  const findPolicyByEnvIdAndSecretPath: TAccessApprovalPolicyDALFactory["findPolicyByEnvIdAndSecretPath"] = async (
-    { envIds, secretPath },
-    tx
-  ) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
-        .join(
-          TableName.AccessApprovalPolicyEnvironment,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .join(
-          TableName.Environment,
-          `${TableName.AccessApprovalPolicyEnvironment}.envId`,
-          `${TableName.Environment}.id`
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              $in: {
-                envId: envIds
-              }
-            },
-            TableName.AccessApprovalPolicyEnvironment
-          )
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              secretPath
-            },
-            TableName.AccessApprovalPolicy
-          )
-        )
-        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
-        .orderBy("deletedAt", "desc")
-        .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
-        .select(db.ref("name").withSchema(TableName.Environment).as("envName"))
-        .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-        .select(db.ref("id").withSchema(TableName.Environment).as("environmentId"))
-        .select(db.ref("projectId").withSchema(TableName.Environment));
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          projectId: data.projectId,
-          ...AccessApprovalPoliciesSchema.parse(data)
-        }),
-        childrenMapper: [
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
-          }
-        ]
-      });
-      return formattedDocs?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findPolicyByEnvIdAndSecretPath" });
-    }
-  };
-
-  return {
-    ...accessApprovalPolicyOrm,
-    find,
-    findById,
-    softDeleteById,
-    findLastValidPolicy,
-    findPolicyByEnvIdAndSecretPath
-  };
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-environment-dal.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyEnvironmentDALFactory = ReturnType<typeof accessApprovalPolicyEnvironmentDALFactory>;
-
-export const accessApprovalPolicyEnvironmentDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyEnvironmentOrm = ormify(db, TableName.AccessApprovalPolicyEnvironment);
-
-  const findAvailablePoliciesByEnvId = async (envId: string, tx?: Knex) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicyEnvironment)
-        .join(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter({ envId }, TableName.AccessApprovalPolicyEnvironment))
-        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicyEnvironment));
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findAvailablePoliciesByEnvId" });
-    }
-  };
-
-  return { ...accessApprovalPolicyEnvironmentOrm, findAvailablePoliciesByEnvId };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -21,7 +20,6 @@ import {
   TAccessApprovalPolicyBypasserDALFactory
 } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { TAccessApprovalPolicyEnvironmentDALFactory } from "./access-approval-policy-environment-dal";
 import {
   ApproverType,
   BypasserType,
@@ -46,14 +44,12 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update" | "delete">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
-  accessApprovalPolicyEnvironmentDAL: TAccessApprovalPolicyEnvironmentDALFactory;
 };
 
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
   accessApprovalPolicyBypasserDAL,
-  accessApprovalPolicyEnvironmentDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -66,22 +62,21 @@ export const accessApprovalPolicyServiceFactory = ({
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
   const $policyExists = async ({
     envId,
-    envIds,
     secretPath,
     policyId
   }: {
-    envId?: string;
-    envIds?: string[];
+    envId: string;
     secretPath: string;
     policyId?: string;
   }) => {
-    if (!envId && !envIds) {
-      throw new BadRequestError({ message: "Must provide either envId or envIds" });
-    }
-    const policy = await accessApprovalPolicyDAL.findPolicyByEnvIdAndSecretPath({
-      secretPath,
-      envIds: envId ? [envId] : (envIds as string[])
-    });
+    const policy = await accessApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
     return policyId ? policy && policy.id !== policyId : Boolean(policy);
   };
 
@@ -97,7 +92,6 @@ export const accessApprovalPolicyServiceFactory = ({
     bypassers,
     projectSlug,
     environment,
-    environments,
     enforcementLevel,
     allowedSelfApprovals,
     approvalsRequired
@@ -122,31 +116,20 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
-    const mergedEnvs = (environment ? [environment] : environments) || [];
-    if (mergedEnvs.length === 0) {
-      throw new BadRequestError({ message: "Must provide either environment or environments" });
-    }
-    const envs = await projectEnvDAL.find({ $in: { slug: mergedEnvs }, projectId: project.id });
-    if (!envs.length || envs.length !== mergedEnvs.length) {
-      const notFoundEnvs = mergedEnvs.filter((env) => !envs.find((el) => el.slug === env));
-      throw new NotFoundError({ message: `One or more environments not found: ${notFoundEnvs.join(", ")}` });
-    }
+    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
+    if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
-    for (const env of envs) {
-      // eslint-disable-next-line no-await-in-loop
-      if (await $policyExists({ envId: env.id, secretPath })) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
     }
 
     let approverUserIds = userApprovers;
@@ -214,7 +197,7 @@ export const accessApprovalPolicyServiceFactory = ({
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
-          envId: envs[0].id,
+          envId: env.id,
           approvals,
           secretPath,
           name,
@@ -223,10 +206,6 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
-      await accessApprovalPolicyEnvironmentDAL.insertMany(
-        envs.map((el) => ({ policyId: doc.id, envId: el.id })),
-        tx
-      );
 
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
@@ -279,7 +258,7 @@ export const accessApprovalPolicyServiceFactory = ({
       return doc;
     });
 
-    return { ...accessApproval, environments: envs, projectId: project.id, environment: envs[0] };
+    return { ...accessApproval, environment: env, projectId: project.id };
   };
 
   const getAccessApprovalPolicyByProjectSlug: TAccessApprovalPolicyServiceFactory["getAccessApprovalPolicyByProjectSlug"] =
@@ -293,15 +272,11 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
-      return accessApprovalPolicies.map((policy) => ({
-        ...policy,
-        environment: policy.environments[0]
-      }));
+      return accessApprovalPolicies;
     };
 
   const updateAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["updateAccessApprovalPolicy"] = async ({
@@ -317,8 +292,7 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    environments
+    approvalsRequired
   }: TUpdateAccessApprovalPolicy) => {
     const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);
 
@@ -346,27 +320,16 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    let envs = accessApprovalPolicy.environments;
     if (
-      environments &&
-      (environments.length !== envs.length || environments.some((env) => !envs.find((el) => el.slug === env)))
+      await $policyExists({
+        envId: accessApprovalPolicy.envId,
+        secretPath: secretPath || accessApprovalPolicy.secretPath,
+        policyId: accessApprovalPolicy.id
+      })
     ) {
-      envs = await projectEnvDAL.find({ $in: { slug: environments }, projectId: accessApprovalPolicy.projectId });
-    }
-
-    for (const env of envs) {
-      if (
-        // eslint-disable-next-line no-await-in-loop
-        await $policyExists({
-          envId: env.id,
-          secretPath: secretPath || accessApprovalPolicy.secretPath,
-          policyId: accessApprovalPolicy.id
-        })
-      ) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath || accessApprovalPolicy.secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
+      });
     }
 
     const { permission } = await permissionService.getProjectPermission({
@@ -374,8 +337,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -522,14 +484,6 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      if (environments) {
-        await accessApprovalPolicyEnvironmentDAL.delete({ policyId: doc.id }, tx);
-        await accessApprovalPolicyEnvironmentDAL.insertMany(
-          envs.map((env) => ({ policyId: doc.id, envId: env.id })),
-          tx
-        );
-      }
-
       await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
 
       if (bypasserUserIds.length) {
@@ -559,8 +513,7 @@ export const accessApprovalPolicyServiceFactory = ({
 
     return {
       ...updatedPolicy,
-      environments: accessApprovalPolicy.environments,
-      environment: accessApprovalPolicy.environments[0],
+      environment: accessApprovalPolicy.environment,
       projectId: accessApprovalPolicy.projectId
     };
   };
@@ -580,8 +533,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -611,10 +563,7 @@ export const accessApprovalPolicyServiceFactory = ({
       }
     });
 
-    return {
-      ...policy,
-      environment: policy.environments[0]
-    };
+    return policy;
   };
 
   const getAccessPolicyCountByEnvSlug: TAccessApprovalPolicyServiceFactory["getAccessPolicyCountByEnvSlug"] = async ({
@@ -634,8 +583,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -644,13 +592,11 @@ export const accessApprovalPolicyServiceFactory = ({
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policies = await accessApprovalPolicyDAL.find(
-      {
-        projectId: project.id,
-        deletedAt: null
-      },
-      { envId: environment.id }
-    );
+    const policies = await accessApprovalPolicyDAL.find({
+      envId: environment.id,
+      projectId: project.id,
+      deletedAt: null
+    });
     if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });
 
     return { count: policies.length };
@@ -676,16 +622,12 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
-    return {
-      ...policy,
-      environment: policy.environments[0]
-    };
+    return policy;
   };
 
   return {

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -26,8 +26,7 @@ export enum BypasserType {
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
-  environment?: string;
-  environments?: string[];
+  environment: string;
   approvers: (
     | { type: ApproverType.Group; id: string; sequence?: number }
     | { type: ApproverType.User; id?: string; username?: string; sequence?: number }
@@ -59,7 +58,6 @@ export type TUpdateAccessApprovalPolicy = {
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
-  environments?: string[];
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {
@@ -115,15 +113,6 @@ export interface TAccessApprovalPolicyServiceFactory {
       slug: string;
       position: number;
     };
-    environments: {
-      name: string;
-      id: string;
-      createdAt: Date;
-      updatedAt: Date;
-      projectId: string;
-      slug: string;
-      position: number;
-    }[];
     projectId: string;
     name: string;
     id: string;
@@ -164,11 +153,6 @@ export interface TAccessApprovalPolicyServiceFactory {
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
   }>;
   updateAccessApprovalPolicy: ({
@@ -184,19 +168,13 @@ export interface TAccessApprovalPolicyServiceFactory {
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    environments
+    approvalsRequired
   }: TUpdateAccessApprovalPolicy) => Promise<{
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
     name: string;
     id: string;
@@ -247,11 +225,6 @@ export interface TAccessApprovalPolicyServiceFactory {
         name: string;
         slug: string;
       };
-      environments: {
-        id: string;
-        name: string;
-        slug: string;
-      }[];
       projectId: string;
       bypassers: (
         | {
@@ -303,11 +276,6 @@ export interface TAccessApprovalPolicyServiceFactory {
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
     bypassers: (
       | {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -65,7 +65,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
           deletedAt: Date | null | undefined;
         };
         projectId: string;
-        environments: string[];
+        environment: string;
         requestedByUser: {
           userId: string;
           email: string | null | undefined;
@@ -515,17 +515,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         `accessApprovalReviewerUser.id`
       )
 
-      .leftJoin(
-        TableName.AccessApprovalPolicyEnvironment,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
-      )
-
-      .leftJoin(
-        TableName.Environment,
-        `${TableName.AccessApprovalPolicyEnvironment}.envId`,
-        `${TableName.Environment}.id`
-      )
+      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .select(selectAllTableCols(TableName.AccessApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
@@ -693,11 +683,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
               lastName,
               username
             })
-          },
-          {
-            key: "environment",
-            label: "environments" as const,
-            mapper: ({ environment }) => environment
           }
         ]
       });

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -86,25 +86,6 @@ export const accessApprovalRequestServiceFactory = ({
   projectMicrosoftTeamsConfigDAL,
   projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep): TAccessApprovalRequestServiceFactory => {
-  const $getEnvironmentFromPermissions = (permissions: unknown): string | null => {
-    if (!Array.isArray(permissions) || permissions.length === 0) {
-      return null;
-    }
-
-    const firstPermission = permissions[0] as unknown[];
-    if (!Array.isArray(firstPermission) || firstPermission.length < 3) {
-      return null;
-    }
-
-    const metadata = firstPermission[2] as Record<string, unknown>;
-    if (typeof metadata === "object" && metadata !== null && "environment" in metadata) {
-      const env = metadata.environment;
-      return typeof env === "string" ? env : null;
-    }
-
-    return null;
-  };
-
   const createAccessApprovalRequest: TAccessApprovalRequestServiceFactory["createAccessApprovalRequest"] = async ({
     isTemporary,
     temporaryRange,
@@ -126,8 +107,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -236,7 +216,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -309,8 +289,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -327,15 +306,6 @@ export const accessApprovalRequestServiceFactory = ({
       requests = requests.filter((request) => request.environment === envSlug);
     }
 
-    requests = requests.map((request) => {
-      const permissionEnvironment = $getEnvironmentFromPermissions(request.permissions);
-
-      if (permissionEnvironment) {
-        request.environmentName = permissionEnvironment;
-      }
-      return request;
-    });
-
     return { requests };
   };
 
@@ -353,34 +323,19 @@ export const accessApprovalRequestServiceFactory = ({
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy, environments, permissions } = accessApprovalRequest;
+    const { policy, environment } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
 
-    const permissionEnvironment = $getEnvironmentFromPermissions(permissions);
-    if (
-      !permissionEnvironment ||
-      (!environments.includes(permissionEnvironment) && status === ApprovalStatus.APPROVED)
-    ) {
-      throw new BadRequestError({
-        message: `The original policy ${policy.name} is not attached to environment '${permissionEnvironment}'.`
-      });
-    }
-    const environment = await projectEnvDAL.findOne({
-      projectId: accessApprovalRequest.projectId,
-      slug: permissionEnvironment
-    });
-
     const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     if (!membership) {
@@ -595,8 +550,8 @@ export const accessApprovalRequestServiceFactory = ({
                   requesterEmail: actingUser.email,
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
-                  environment: environment?.name || permissionEnvironment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
+                  environment,
+                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -627,8 +582,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -38,8 +37,7 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
     });
 
     if (targetActorType === ActorType.USER) {
@@ -60,8 +58,7 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
     });
 
     const appCfg = getConfig();

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -38,8 +37,7 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
+        actorOrgId
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -449,7 +449,6 @@ export enum EventType {
   PIT_REVERT_COMMIT = "pit-revert-commit",
   PIT_GET_FOLDER_STATE = "pit-get-folder-state",
   PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
-  PIT_PROCESS_NEW_COMMIT_RAW = "pit-process-new-commit-raw",
   SECRET_SCANNING_DATA_SOURCE_LIST = "secret-scanning-data-source-list",
   SECRET_SCANNING_DATA_SOURCE_CREATE = "secret-scanning-data-source-create",
   SECRET_SCANNING_DATA_SOURCE_UPDATE = "secret-scanning-data-source-update",
@@ -468,11 +467,7 @@ export enum EventType {
 
   CREATE_PROJECT = "create-project",
   UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project",
-
-  CREATE_SECRET_REMINDER = "create-secret-reminder",
-  GET_SECRET_REMINDER = "get-secret-reminder",
-  DELETE_SECRET_REMINDER = "delete-secret-reminder"
+  DELETE_PROJECT = "delete-project"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1551,9 +1546,8 @@ interface UpdateFolderEvent {
   metadata: {
     environment: string;
     folderId: string;
-    oldFolderName?: string;
+    oldFolderName: string;
     newFolderName: string;
-    newFolderDescription?: string;
     folderPath: string;
   };
 }
@@ -3228,18 +3222,6 @@ interface PitCompareFolderStatesEvent {
   };
 }
 
-interface PitProcessNewCommitRawEvent {
-  type: EventType.PIT_PROCESS_NEW_COMMIT_RAW;
-  metadata: {
-    projectId: string;
-    environment: string;
-    secretPath: string;
-    message: string;
-    approvalId?: string;
-    commitId?: string;
-  };
-}
-
 interface SecretScanningDataSourceListEvent {
   type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST;
   metadata: {
@@ -3330,31 +3312,6 @@ interface SecretScanningConfigUpdateEvent {
   };
 }
 
-interface SecretReminderCreateEvent {
-  type: EventType.CREATE_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-    message?: string | null;
-    repeatDays?: number | null;
-    nextReminderDate?: string | null;
-    recipients?: string[] | null;
-  };
-}
-
-interface SecretReminderGetEvent {
-  type: EventType.GET_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-  };
-}
-
-interface SecretReminderDeleteEvent {
-  type: EventType.DELETE_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-  };
-}
-
 interface SecretScanningConfigReadEvent {
   type: EventType.SECRET_SCANNING_CONFIG_GET;
   metadata?: Record<string, never>; // not needed, based off projectId
@@ -3701,7 +3658,6 @@ export type Event =
   | PitRevertCommitEvent
   | PitCompareFolderStatesEvent
   | PitGetFolderStateEvent
-  | PitProcessNewCommitRawEvent
   | SecretScanningDataSourceListEvent
   | SecretScanningDataSourceGetEvent
   | SecretScanningDataSourceCreateEvent
@@ -3718,7 +3674,4 @@ export type Event =
   | OrgUpdateEvent
   | ProjectCreateEvent
   | ProjectUpdateEvent
-  | ProjectDeleteEvent
-  | SecretReminderCreateEvent
-  | SecretReminderGetEvent
-  | SecretReminderDeleteEvent;
+  | ProjectDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -78,8 +77,7 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -85,8 +84,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -202,8 +200,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -300,8 +297,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -389,8 +385,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -437,8 +432,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -79,8 +78,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -209,8 +207,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -361,8 +358,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -427,8 +423,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -492,8 +487,7 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
       });
 
       // verify user has access to each env in request
@@ -536,8 +530,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -585,8 +578,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -623,8 +615,7 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId: actor.orgId
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -668,8 +659,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/gateway/gateway-service.ts

@@ -566,14 +566,6 @@ export const gatewayServiceFactory = ({
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
     const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
-
-    const orgLicensePlan = await licenseService.getPlan(orgGatewayConfig.orgId);
-    if (!orgLicensePlan.gateway) {
-      throw new BadRequestError({
-        message: "Please upgrade your instance to Infisical's Enterprise plan to use gateways."
-      });
-    }
-
     const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: orgGatewayConfig.orgId

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,8 +61,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -160,8 +158,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -172,8 +169,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -260,8 +256,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -272,8 +267,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -321,8 +315,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -356,8 +349,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -392,8 +384,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -87,8 +85,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -175,8 +172,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -189,8 +185,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -293,8 +288,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -306,8 +300,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -366,8 +359,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -409,8 +401,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
@@ -79,8 +78,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -133,8 +131,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -165,8 +162,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -199,8 +195,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -221,8 +216,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -258,8 +252,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/license/license-service.ts

@@ -5,13 +5,14 @@
 // TODO(akhilmhdh): With tony find out the api structure and fill it here
 
 import { ForbiddenError } from "@casl/ability";
+import { AxiosError } from "axios";
 import { CronJob } from "cron";
 import { Knex } from "knex";
 
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -295,19 +296,8 @@ export const licenseServiceFactory = ({
     return data;
   };
 
-  const getOrgPlan = async ({
-    orgId,
-    actor,
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    projectId,
-    refreshCache
-  }: TOrgPlanDTO) => {
+  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
     await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    if (refreshCache) {
-      await refreshPlan(orgId);
-    }
     const plan = await getPlan(orgId, projectId);
     return plan;
   };
@@ -614,10 +604,22 @@ export const licenseServiceFactory = ({
       });
     }
 
-    const { data } = await licenseServerCloudApi.request.delete(
-      `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
-    );
-    return data;
+    try {
+      const { data } = await licenseServerCloudApi.request.delete(
+        `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods/${pmtMethodId}`
+      );
+      return data;
+    } catch (error) {
+      if (error instanceof AxiosError) {
+        throw new BadRequestError({
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+          message: `Failed to remove payment method: ${error.response?.data?.message}`
+        });
+      }
+      throw new BadRequestError({
+        message: "Unable to remove payment method"
+      });
+    }
   };
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {

backend/src/ee/services/license/license-types.ts

@@ -84,7 +84,6 @@ export type TOrgPlansTableDTO = {
 
 export type TOrgPlanDTO = {
   projectId?: string;
-  refreshCache?: boolean;
 } & TOrgPermission;
 
 export type TStartOrgTrialDTO = {

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,7 +1,6 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionSet } from "./org-permission";
@@ -21,7 +20,6 @@ export type TGetUserProjectPermissionArg = {
   userId: string;
   projectId: string;
   authMethod: ActorAuthMethod;
-  actionProjectType: ActionProjectType;
   userOrgId?: string;
 };
 
@@ -29,14 +27,12 @@ export type TGetIdentityProjectPermissionArg = {
   identityId: string;
   projectId: string;
   identityOrgId?: string;
-  actionProjectType: ActionProjectType;
 };
 
 export type TGetServiceTokenProjectPermissionArg = {
   serviceTokenId: string;
   projectId: string;
   actorOrgId?: string;
-  actionProjectType: ActionProjectType;
 };
 
 export type TGetProjectPermissionArg = {
@@ -45,7 +41,6 @@ export type TGetProjectPermissionArg = {
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
   actorOrgId?: string;
-  actionProjectType: ActionProjectType;
 };
 
 export type TPermissionServiceFactory = {
@@ -143,13 +138,7 @@ export type TPermissionServiceFactory = {
         };
       }
   >;
-  getUserProjectPermission: ({
-    userId,
-    projectId,
-    authMethod,
-    userOrgId,
-    actionProjectType
-  }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
     permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
     membership: {
       id: string;

backend/src/ee/services/permission/permission-service.ts

@@ -5,7 +5,6 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
-  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
   ServiceTokenScopes,
@@ -214,8 +213,7 @@ export const permissionServiceFactory = ({
     userId,
     projectId,
     authMethod,
-    userOrgId,
-    actionProjectType
+    userOrgId
   }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -242,12 +240,6 @@ export const permissionServiceFactory = ({
       userProjectPermission.orgRole
     );
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -295,8 +287,7 @@ export const permissionServiceFactory = ({
   const getIdentityProjectPermission = async ({
     identityId,
     projectId,
-    identityOrgId,
-    actionProjectType
+    identityOrgId
   }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
@@ -316,12 +307,6 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -376,8 +361,7 @@ export const permissionServiceFactory = ({
   const getServiceTokenProjectPermission = async ({
     serviceTokenId,
     projectId,
-    actorOrgId,
-    actionProjectType
+    actorOrgId
   }: TGetServiceTokenProjectPermissionArg) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -402,12 +386,6 @@ export const permissionServiceFactory = ({
       });
     }
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
-      throw new BadRequestError({
-        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -559,8 +537,7 @@ export const permissionServiceFactory = ({
     actorId: inputActorId,
     projectId,
     actorAuthMethod,
-    actorOrgId,
-    actionProjectType
+    actorOrgId
   }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
     let actor = inputActor;
     let actorId = inputActorId;
@@ -581,22 +558,19 @@ export const permissionServiceFactory = ({
           userId: actorId,
           projectId,
           authMethod: actorAuthMethod,
-          userOrgId: actorOrgId,
-          actionProjectType
+          userOrgId: actorOrgId
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
         return getServiceTokenProjectPermission({
           serviceTokenId: actorId,
           projectId,
-          actorOrgId,
-          actionProjectType
+          actorOrgId
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
         return getIdentityProjectPermission({
           identityId: actorId,
           projectId,
-          identityOrgId: actorOrgId,
-          actionProjectType
+          identityOrgId: actorOrgId
         }) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({

backend/src/ee/services/pit/pit-service.ts

@@ -1,53 +1,29 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
-import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-import { TFolderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
-import {
-  ResourceType,
-  TCommitResourceChangeDTO,
-  TFolderCommitServiceFactory
-} from "@app/services/folder-commit/folder-commit-service";
+import { ResourceType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import {
   isFolderCommitChange,
   isSecretCommitChange
 } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
-import { TProcessNewCommitRawDTO } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
-import { TSecretV2BridgeServiceFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-service";
-import { SecretOperations, SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
-import { TSecretApprovalPolicyServiceFactory } from "../secret-approval-policy/secret-approval-policy-service";
-import { TSecretApprovalRequestServiceFactory } from "../secret-approval-request/secret-approval-request-service";
 
 type TPitServiceFactoryDep = {
   folderCommitService: TFolderCommitServiceFactory;
   secretService: Pick<TSecretServiceFactory, "getSecretVersionsV2ByIds" | "getChangeVersions">;
-  folderService: Pick<
-    TSecretFolderServiceFactory,
-    "getFolderById" | "getFolderVersions" | "createManyFolders" | "updateManyFolders" | "deleteManyFolders"
-  >;
+  folderService: Pick<TSecretFolderServiceFactory, "getFolderById" | "getFolderVersions">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds" | "findBySecretPath">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
-  secretApprovalRequestService: Pick<
-    TSecretApprovalRequestServiceFactory,
-    "generateSecretApprovalRequest" | "generateSecretApprovalRequestV2Bridge"
-  >;
-  secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug" | "findById">;
-  secretV2BridgeService: TSecretV2BridgeServiceFactory;
-  folderCommitDAL: Pick<TFolderCommitDALFactory, "transaction">;
 };
 
 export type TPitServiceFactory = ReturnType<typeof pitServiceFactory>;
@@ -58,12 +34,7 @@ export const pitServiceFactory = ({
   folderService,
   permissionService,
   folderDAL,
-  projectEnvDAL,
-  secretApprovalRequestService,
-  secretApprovalPolicyService,
-  projectDAL,
-  secretV2BridgeService,
-  folderCommitDAL
+  projectEnvDAL
 }: TPitServiceFactoryDep) => {
   const getCommitsCount = async ({
     actor,
@@ -349,8 +320,7 @@ export const pitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(userPermission).throwUnlessCan(
@@ -501,347 +471,6 @@ export const pitServiceFactory = ({
     });
   };
 
-  const processNewCommitRaw = async ({
-    actorId,
-    projectId,
-    environment,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    secretPath,
-    message,
-    changes = {
-      secrets: {
-        create: [],
-        update: [],
-        delete: []
-      },
-      folders: {
-        create: [],
-        update: [],
-        delete: []
-      }
-    }
-  }: {
-    actorId: string;
-    projectId: string;
-    environment: string;
-    actor: ActorType;
-    actorOrgId: string;
-    actorAuthMethod: ActorAuthMethod;
-    secretPath: string;
-    message: string;
-    changes: TProcessNewCommitRawDTO;
-  }) => {
-    const policy =
-      actor === ActorType.USER
-        ? await secretApprovalPolicyService.getSecretApprovalPolicy(projectId, environment, secretPath)
-        : undefined;
-    const secretMutationEvents: Event[] = [];
-
-    const project = await projectDAL.findById(projectId);
-    if (project.enforceCapitalization) {
-      const caseViolatingSecretKeys = [
-        // Check create operations
-        ...(changes.secrets?.create
-          ?.filter((sec) => sec.secretKey !== sec.secretKey.toUpperCase())
-          .map((sec) => sec.secretKey) ?? []),
-
-        // Check update operations
-        ...(changes.secrets?.update
-          ?.filter((sec) => sec.newSecretName && sec.newSecretName !== sec.newSecretName.toUpperCase())
-          .map((sec) => sec.secretKey) ?? [])
-      ];
-
-      if (caseViolatingSecretKeys.length) {
-        throw new BadRequestError({
-          message: `Secret names must be in UPPERCASE per project requirements: ${caseViolatingSecretKeys.join(
-            ", "
-          )}. You can disable this requirement in project settings`
-        });
-      }
-    }
-
-    const response = await folderCommitDAL.transaction(async (trx) => {
-      const targetFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath, trx);
-      if (!targetFolder)
-        throw new NotFoundError({
-          message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`,
-          name: "CreateManySecret"
-        });
-      const commitChanges: TCommitResourceChangeDTO[] = [];
-      const folderChanges: { create: string[]; update: string[]; delete: string[] } = {
-        create: [],
-        update: [],
-        delete: []
-      };
-
-      if ((changes.folders?.create?.length ?? 0) > 0) {
-        const createdFolders = await folderService.createManyFolders({
-          projectId,
-          actor,
-          actorId,
-          actorOrgId,
-          actorAuthMethod,
-          folders:
-            changes.folders?.create?.map((folder) => ({
-              name: folder.folderName,
-              environment,
-              path: secretPath,
-              description: folder.description
-            })) ?? [],
-          tx: trx,
-          commitChanges
-        });
-        const newFolderEvents = createdFolders.folders.map(
-          (folder) =>
-            ({
-              type: EventType.CREATE_FOLDER,
-              metadata: {
-                environment,
-                folderId: folder.id,
-                folderName: folder.name,
-                folderPath: secretPath,
-                ...(folder.description ? { description: folder.description } : {})
-              }
-            }) as Event
-        );
-        secretMutationEvents.push(...newFolderEvents);
-        folderChanges.create.push(...createdFolders.folders.map((folder) => folder.id));
-      }
-
-      if ((changes.folders?.update?.length ?? 0) > 0) {
-        const updatedFolders = await folderService.updateManyFolders({
-          projectId,
-          actor,
-          actorId,
-          actorOrgId,
-          actorAuthMethod,
-          folders:
-            changes.folders?.update?.map((folder) => ({
-              environment,
-              path: secretPath,
-              id: folder.id,
-              name: folder.folderName,
-              description: folder.description
-            })) ?? [],
-          tx: trx,
-          commitChanges
-        });
-
-        const updatedFolderEvents = updatedFolders.newFolders.map(
-          (folder) =>
-            ({
-              type: EventType.UPDATE_FOLDER,
-              metadata: {
-                environment,
-                folderId: folder.id,
-                folderPath: secretPath,
-                newFolderName: folder.name,
-                newFolderDescription: folder.description
-              }
-            }) as Event
-        );
-        secretMutationEvents.push(...updatedFolderEvents);
-        folderChanges.update.push(...updatedFolders.newFolders.map((folder) => folder.id));
-      }
-
-      if ((changes.folders?.delete?.length ?? 0) > 0) {
-        const deletedFolders = await folderService.deleteManyFolders({
-          projectId,
-          actor,
-          actorId,
-          actorOrgId,
-          actorAuthMethod,
-          folders:
-            changes.folders?.delete?.map((folder) => ({
-              environment,
-              path: secretPath,
-              idOrName: folder.id
-            })) ?? [],
-          tx: trx,
-          commitChanges
-        });
-        const deletedFolderEvents = deletedFolders.folders.map(
-          (folder) =>
-            ({
-              type: EventType.DELETE_FOLDER,
-              metadata: {
-                environment,
-                folderId: folder.id,
-                folderPath: secretPath,
-                folderName: folder.name
-              }
-            }) as Event
-        );
-        secretMutationEvents.push(...deletedFolderEvents);
-        folderChanges.delete.push(...deletedFolders.folders.map((folder) => folder.id));
-      }
-
-      if (policy) {
-        if (
-          (changes.secrets?.create?.length ?? 0) > 0 ||
-          (changes.secrets?.update?.length ?? 0) > 0 ||
-          (changes.secrets?.delete?.length ?? 0) > 0
-        ) {
-          const approval = await secretApprovalRequestService.generateSecretApprovalRequestV2Bridge({
-            policy,
-            secretPath,
-            environment,
-            projectId,
-            actor,
-            actorId,
-            actorOrgId,
-            actorAuthMethod,
-            data: {
-              [SecretOperations.Create]:
-                changes.secrets?.create?.map((el) => ({
-                  tagIds: el.tagIds,
-                  secretValue: el.secretValue,
-                  secretComment: el.secretComment,
-                  metadata: el.metadata,
-                  skipMultilineEncoding: el.skipMultilineEncoding,
-                  secretKey: el.secretKey,
-                  secretMetadata: el.secretMetadata
-                })) ?? [],
-              [SecretOperations.Update]:
-                changes.secrets?.update?.map((el) => ({
-                  tagIds: el.tagIds,
-                  newSecretName: el.newSecretName,
-                  secretValue: el.secretValue,
-                  secretComment: el.secretComment,
-                  metadata: el.metadata,
-                  skipMultilineEncoding: el.skipMultilineEncoding,
-                  secretKey: el.secretKey,
-                  secretMetadata: el.secretMetadata
-                })) ?? [],
-              [SecretOperations.Delete]:
-                changes.secrets?.delete?.map((el) => ({
-                  secretKey: el.secretKey
-                })) ?? []
-            }
-          });
-          return {
-            approvalId: approval.id,
-            folderChanges,
-            secretMutationEvents
-          };
-        }
-        return {
-          folderChanges,
-          secretMutationEvents
-        };
-      }
-
-      if ((changes.secrets?.create?.length ?? 0) > 0) {
-        const newSecrets = await secretV2BridgeService.createManySecret({
-          secretPath,
-          environment,
-          projectId,
-          actorAuthMethod,
-          actorOrgId,
-          actor,
-          actorId,
-          secrets: changes.secrets?.create ?? [],
-          tx: trx,
-          commitChanges
-        });
-        secretMutationEvents.push({
-          type: EventType.CREATE_SECRETS,
-          metadata: {
-            environment,
-            secretPath,
-            secrets: newSecrets.map((secret) => ({
-              secretId: secret.id,
-              secretKey: secret.secretKey,
-              secretVersion: secret.version
-            }))
-          }
-        });
-      }
-      if ((changes.secrets?.update?.length ?? 0) > 0) {
-        const updatedSecrets = await secretV2BridgeService.updateManySecret({
-          secretPath,
-          environment,
-          projectId,
-          actorAuthMethod,
-          actorOrgId,
-          actor,
-          actorId,
-          secrets: changes.secrets?.update ?? [],
-          mode: SecretUpdateMode.FailOnNotFound,
-          tx: trx,
-          commitChanges
-        });
-        secretMutationEvents.push({
-          type: EventType.UPDATE_SECRETS,
-          metadata: {
-            environment,
-            secretPath,
-            secrets: updatedSecrets.map((secret) => ({
-              secretId: secret.id,
-              secretKey: secret.secretKey,
-              secretVersion: secret.version
-            }))
-          }
-        });
-      }
-      if ((changes.secrets?.delete?.length ?? 0) > 0) {
-        const deletedSecrets = await secretV2BridgeService.deleteManySecret({
-          secretPath,
-          environment,
-          projectId,
-          actorAuthMethod,
-          actorOrgId,
-          actor,
-          actorId,
-          secrets: changes.secrets?.delete ?? [],
-          tx: trx,
-          commitChanges
-        });
-        secretMutationEvents.push({
-          type: EventType.DELETE_SECRETS,
-          metadata: {
-            environment,
-            secretPath,
-            secrets: deletedSecrets.map((secret) => ({
-              secretId: secret.id,
-              secretKey: secret.secretKey,
-              secretVersion: secret.version
-            }))
-          }
-        });
-      }
-      if (commitChanges?.length > 0) {
-        const commit = await folderCommitService.createCommit(
-          {
-            actor: {
-              type: actor || ActorType.PLATFORM,
-              metadata: {
-                id: actorId
-              }
-            },
-            message,
-            folderId: targetFolder.id,
-            changes: commitChanges
-          },
-          trx
-        );
-        return {
-          folderChanges,
-          commitId: commit?.id,
-          secretMutationEvents
-        };
-      }
-      return {
-        folderChanges,
-        secretMutationEvents
-      };
-    });
-
-    return response;
-  };
-
   return {
     getCommitsCount,
     getCommitsForFolder,
@@ -849,7 +478,6 @@ export const pitServiceFactory = ({
     compareCommitChanges,
     rollbackToCommit,
     revertCommit,
-    getFolderStateAtCommit,
-    processNewCommitRaw
+    getFolderStateAtCommit
   };
 };

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,4 +1,3 @@
-import { ProjectType } from "@app/db/schemas";
 import {
   InfisicalProjectTemplate,
   TUnpackedPermission
@@ -7,21 +6,18 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"
 
 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
 
-export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
+export const getDefaultProjectTemplate = (orgId: string) => ({
   id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
-  type,
   name: InfisicalProjectTemplate.Default,
   createdAt: new Date(),
   updatedAt: new Date(),
-  description: `Infisical's ${type} default project template`,
-  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
-  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
-    ({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })
-  ),
+  description: `Infisical's default project template`,
+  environments: ProjectTemplateDefaultEnvironments,
+  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
+    name: string;
+    slug: string;
+    permissions: TUnpackedPermission[];
+  }>,
   orgId
 });
 

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { ProjectType, TProjectTemplates } from "@app/db/schemas";
+import { TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -29,13 +29,11 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
   ...rest,
   environments: environments as TProjectTemplateEnvironment[],
   roles: [
-    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
-      ({ name, slug, permissions }) => ({
-        name,
-        slug,
-        permissions: permissions as TUnpackedPermission[]
-      })
-    ),
+    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })),
     ...(roles as TProjectTemplateRole[]).map((role) => ({
       ...role,
       permissions: unpackPermissions(role.permissions)
@@ -48,10 +46,7 @@ export const projectTemplateServiceFactory = ({
   permissionService,
   projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
-    actor,
-    type
-  ) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.projectTemplates)
@@ -70,14 +65,11 @@ export const projectTemplateServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
 
     const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId,
-      ...(type ? { type } : {})
+      orgId: actor.orgId
     });
 
     return [
-      ...(type
-        ? [getDefaultProjectTemplate(actor.orgId, type)]
-        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
+      getDefaultProjectTemplate(actor.orgId),
       ...projectTemplates.map((template) => $unpackProjectTemplate(template))
     ];
   };
@@ -142,7 +134,7 @@ export const projectTemplateServiceFactory = ({
   };
 
   const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, type, ...params },
+    { roles, environments, ...params },
     actor
   ) => {
     const plan = await licenseService.getPlan(actor.orgId);
@@ -162,10 +154,6 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
 
-    if (environments && type !== ProjectType.SecretManager) {
-      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
-    }
-
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({
         // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -188,10 +176,8 @@ export const projectTemplateServiceFactory = ({
     const projectTemplate = await projectTemplateDAL.create({
       ...params,
       roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments:
-        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId,
-      type
+      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId
     });
 
     return $unpackProjectTemplate(projectTemplate);
@@ -222,11 +208,6 @@ export const projectTemplateServiceFactory = ({
     );
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
-    if (projectTemplate.type !== ProjectType.SecretManager && environments)
-      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
-
-    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
-      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
 
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -15,7 +15,6 @@ export type TProjectTemplateRole = {
 
 export type TCreateProjectTemplateDTO = {
   name: string;
-  type: ProjectType;
   description?: string;
   roles: TProjectTemplateRole[];
   environments?: TProjectTemplateEnvironment[] | null;
@@ -30,15 +29,11 @@ export enum InfisicalProjectTemplate {
 }
 
 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (
-    actor: OrgServiceActor,
-    type?: ProjectType
-  ) => Promise<
+  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
     (
       | {
           id: string;
           name: InfisicalProjectTemplate;
-          type: string;
           createdAt: Date;
           updatedAt: Date;
           description: string;
@@ -63,7 +58,6 @@ export type TProjectTemplateServiceFactory = {
         }
       | {
           environments: TProjectTemplateEnvironment[];
-          type: string;
           roles: {
             permissions: {
               action: string[];
@@ -100,7 +94,6 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
-    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -125,7 +118,6 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
-    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -148,7 +140,6 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
-    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -171,7 +162,6 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
-    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -194,7 +184,6 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
-    type: string;
     orgId: string;
     id: string;
     createdAt: Date;

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,8 +61,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@@ -70,8 +69,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -166,8 +164,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@@ -175,8 +172,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -276,8 +272,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -322,8 +317,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -349,8 +343,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 

backend/src/ee/services/scim/scim-service.ts

@@ -579,9 +579,6 @@ export const scimServiceFactory = ({
       });
 
     const serverCfg = await getServerCfg();
-    const hasEmailChanged = email?.toLowerCase() !== membership.email;
-    const defaultEmailVerified =
-      org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails;
     await userDAL.transaction(async (tx) => {
       await userAliasDAL.update(
         {
@@ -608,7 +605,8 @@ export const scimServiceFactory = ({
           firstName,
           email: email?.toLowerCase(),
           lastName,
-          isEmailVerified: hasEmailChanged ? defaultEmailVerified : undefined
+          isEmailVerified:
+            org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails
         },
         tx
       );

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -23,7 +23,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
     customFilter?: {
       sapId?: string;
-      envId?: string;
     }
   ) =>
     tx(TableName.SecretApprovalPolicy)
@@ -34,17 +33,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
           void qb.where(`${TableName.SecretApprovalPolicy}.id`, "=", customFilter.sapId);
         }
       })
-      .join(
-        TableName.SecretApprovalPolicyEnvironment,
-        `${TableName.SecretApprovalPolicyEnvironment}.policyId`,
-        `${TableName.SecretApprovalPolicy}.id`
-      )
-      .join(TableName.Environment, `${TableName.SecretApprovalPolicyEnvironment}.envId`, `${TableName.Environment}.id`)
-      .where((qb) => {
-        if (customFilter?.envId) {
-          void qb.where(`${TableName.SecretApprovalPolicyEnvironment}.envId`, "=", customFilter.envId);
-        }
-      })
+      .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .leftJoin(
         TableName.SecretApprovalPolicyApprover,
         `${TableName.SecretApprovalPolicy}.id`,
@@ -108,7 +97,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
       .select(
         tx.ref("name").withSchema(TableName.Environment).as("envName"),
         tx.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-        tx.ref("id").withSchema(TableName.Environment).as("environmentId"),
+        tx.ref("id").withSchema(TableName.Environment).as("envId"),
         tx.ref("projectId").withSchema(TableName.Environment)
       )
       .select(selectAllTableCols(TableName.SecretApprovalPolicy))
@@ -157,15 +146,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
               firstName,
               lastName
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId, envName, envSlug }) => ({
-              id: environmentId,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -180,7 +160,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
     customFilter?: {
       sapId?: string;
-      envId?: string;
     },
     tx?: Knex
   ) => {
@@ -242,15 +221,6 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
             mapper: ({ approverGroupUserId: userId }) => ({
               userId
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId, envName, envSlug }) => ({
-              id: environmentId,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -265,74 +235,5 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
     return softDeletedPolicy;
   };
 
-  const findPolicyByEnvIdAndSecretPath = async (
-    { envIds, secretPath }: { envIds: string[]; secretPath: string },
-    tx?: Knex
-  ) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.SecretApprovalPolicy)
-        .join(
-          TableName.SecretApprovalPolicyEnvironment,
-          `${TableName.SecretApprovalPolicyEnvironment}.policyId`,
-          `${TableName.SecretApprovalPolicy}.id`
-        )
-        .join(
-          TableName.Environment,
-          `${TableName.SecretApprovalPolicyEnvironment}.envId`,
-          `${TableName.Environment}.id`
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              $in: {
-                envId: envIds
-              }
-            },
-            TableName.SecretApprovalPolicyEnvironment
-          )
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              secretPath
-            },
-            TableName.SecretApprovalPolicy
-          )
-        )
-        .whereNull(`${TableName.SecretApprovalPolicy}.deletedAt`)
-        .orderBy("deletedAt", "desc")
-        .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.SecretApprovalPolicy))
-        .select(db.ref("name").withSchema(TableName.Environment).as("envName"))
-        .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-        .select(db.ref("id").withSchema(TableName.Environment).as("environmentId"))
-        .select(db.ref("projectId").withSchema(TableName.Environment));
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          projectId: data.projectId,
-          ...SecretApprovalPoliciesSchema.parse(data)
-        }),
-        childrenMapper: [
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
-          }
-        ]
-      });
-      return formattedDocs?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findPolicyByEnvIdAndSecretPath" });
-    }
-  };
-
-  return { ...secretApprovalPolicyOrm, findById, find, softDeleteById, findPolicyByEnvIdAndSecretPath };
+  return { ...secretApprovalPolicyOrm, findById, find, softDeleteById };
 };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-environment-dal.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
-
-export type TSecretApprovalPolicyEnvironmentDALFactory = ReturnType<typeof secretApprovalPolicyEnvironmentDALFactory>;
-
-export const secretApprovalPolicyEnvironmentDALFactory = (db: TDbClient) => {
-  const secretApprovalPolicyEnvironmentOrm = ormify(db, TableName.SecretApprovalPolicyEnvironment);
-
-  const findAvailablePoliciesByEnvId = async (envId: string, tx?: Knex) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.SecretApprovalPolicyEnvironment)
-        .join(
-          TableName.SecretApprovalPolicy,
-          `${TableName.SecretApprovalPolicyEnvironment}.policyId`,
-          `${TableName.SecretApprovalPolicy}.id`
-        )
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter({ envId }, TableName.SecretApprovalPolicyEnvironment))
-        .whereNull(`${TableName.SecretApprovalPolicy}.deletedAt`)
-        .select(selectAllTableCols(TableName.SecretApprovalPolicyEnvironment));
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findAvailablePoliciesByEnvId" });
-    }
-  };
-
-  return { ...secretApprovalPolicyEnvironmentOrm, findAvailablePoliciesByEnvId };
-};

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -19,7 +18,6 @@ import {
   TSecretApprovalPolicyBypasserDALFactory
 } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
-import { TSecretApprovalPolicyEnvironmentDALFactory } from "./secret-approval-policy-environment-dal";
 import {
   TCreateSapDTO,
   TDeleteSapDTO,
@@ -37,13 +35,12 @@ const getPolicyScore = (policy: { secretPath?: string | null }) =>
 type TSecretApprovalPolicyServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   secretApprovalPolicyDAL: TSecretApprovalPolicyDALFactory;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne" | "find">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   userDAL: Pick<TUserDALFactory, "find">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
   secretApprovalPolicyBypasserDAL: TSecretApprovalPolicyBypasserDALFactory;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "update">;
-  secretApprovalPolicyEnvironmentDAL: TSecretApprovalPolicyEnvironmentDALFactory;
 };
 
 export type TSecretApprovalPolicyServiceFactory = ReturnType<typeof secretApprovalPolicyServiceFactory>;
@@ -53,30 +50,27 @@ export const secretApprovalPolicyServiceFactory = ({
   permissionService,
   secretApprovalPolicyApproverDAL,
   secretApprovalPolicyBypasserDAL,
-  secretApprovalPolicyEnvironmentDAL,
   projectEnvDAL,
   userDAL,
   licenseService,
   secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
   const $policyExists = async ({
-    envIds,
     envId,
     secretPath,
     policyId
   }: {
-    envIds?: string[];
-    envId?: string;
+    envId: string;
     secretPath: string;
     policyId?: string;
   }) => {
-    if (!envIds && !envId) {
-      throw new BadRequestError({ message: "At least one environment should be provided" });
-    }
-    const policy = await secretApprovalPolicyDAL.findPolicyByEnvIdAndSecretPath({
-      envIds: envId ? [envId] : envIds || [],
-      secretPath
-    });
+    const policy = await secretApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
 
     return policyId ? policy && policy.id !== policyId : Boolean(policy);
   };
@@ -93,7 +87,6 @@ export const secretApprovalPolicyServiceFactory = ({
     projectId,
     secretPath,
     environment,
-    environments,
     enforcementLevel,
     allowedSelfApprovals
   }: TCreateSapDTO) => {
@@ -117,8 +110,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -133,23 +125,17 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const mergedEnvs = (environment ? [environment] : environments) || [];
-    if (mergedEnvs.length === 0) {
-      throw new BadRequestError({ message: "Must provide either environment or environments" });
-    }
-    const envs = await projectEnvDAL.find({ $in: { slug: mergedEnvs }, projectId });
-    if (!envs.length || envs.length !== mergedEnvs.length) {
-      const notFoundEnvs = mergedEnvs.filter((env) => !envs.find((el) => el.slug === env));
-      throw new NotFoundError({ message: `One or more environments not found: ${notFoundEnvs.join(", ")}` });
+    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
+    if (!env) {
+      throw new NotFoundError({
+        message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
+      });
     }
 
-    for (const env of envs) {
-      // eslint-disable-next-line no-await-in-loop
-      if (await $policyExists({ envId: env.id, secretPath })) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
     }
 
     let groupBypassers: string[] = [];
@@ -193,7 +179,7 @@ export const secretApprovalPolicyServiceFactory = ({
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await secretApprovalPolicyDAL.create(
         {
-          envId: envs[0].id,
+          envId: env.id,
           approvals,
           secretPath,
           name,
@@ -202,13 +188,6 @@ export const secretApprovalPolicyServiceFactory = ({
         },
         tx
       );
-      await secretApprovalPolicyEnvironmentDAL.insertMany(
-        envs.map((env) => ({
-          envId: env.id,
-          policyId: doc.id
-        })),
-        tx
-      );
 
       let userApproverIds = userApprovers;
       if (userApproverNames.length) {
@@ -272,13 +251,12 @@ export const secretApprovalPolicyServiceFactory = ({
       return doc;
     });
 
-    return { ...secretApproval, environments: envs, projectId, environment: envs[0] };
+    return { ...secretApproval, environment: env, projectId };
   };
 
   const updateSecretApprovalPolicy = async ({
     approvers,
     bypassers,
-    environments,
     secretPath,
     name,
     actorId,
@@ -308,26 +286,17 @@ export const secretApprovalPolicyServiceFactory = ({
         message: `Secret approval policy with ID '${secretPolicyId}' not found`
       });
     }
-    let envs = secretApprovalPolicy.environments;
+
     if (
-      environments &&
-      (environments.length !== envs.length || environments.some((env) => !envs.find((el) => el.slug === env)))
+      await $policyExists({
+        envId: secretApprovalPolicy.envId,
+        secretPath: secretPath || secretApprovalPolicy.secretPath,
+        policyId: secretApprovalPolicy.id
+      })
     ) {
-      envs = await projectEnvDAL.find({ $in: { slug: environments }, projectId: secretApprovalPolicy.projectId });
-    }
-    for (const env of envs) {
-      if (
-        // eslint-disable-next-line no-await-in-loop
-        await $policyExists({
-          envId: env.id,
-          secretPath: secretPath || secretApprovalPolicy.secretPath,
-          policyId: secretApprovalPolicy.id
-        })
-      ) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath || secretApprovalPolicy.secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
+      });
     }
 
     const { permission } = await permissionService.getProjectPermission({
@@ -335,8 +304,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -444,17 +412,6 @@ export const secretApprovalPolicyServiceFactory = ({
         );
       }
 
-      if (environments) {
-        await secretApprovalPolicyEnvironmentDAL.delete({ policyId: doc.id }, tx);
-        await secretApprovalPolicyEnvironmentDAL.insertMany(
-          envs.map((env) => ({
-            envId: env.id,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-
       await secretApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
 
       if (bypasserUserIds.length) {
@@ -481,8 +438,7 @@ export const secretApprovalPolicyServiceFactory = ({
     });
     return {
       ...updatedSap,
-      environments: secretApprovalPolicy.environments,
-      environment: secretApprovalPolicy.environments[0],
+      environment: secretApprovalPolicy.environment,
       projectId: secretApprovalPolicy.projectId
     };
   };
@@ -503,8 +459,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -528,12 +483,7 @@ export const secretApprovalPolicyServiceFactory = ({
       const updatedPolicy = await secretApprovalPolicyDAL.softDeleteById(secretPolicyId, tx);
       return updatedPolicy;
     });
-    return {
-      ...deletedPolicy,
-      projectId: sapPolicy.projectId,
-      environments: sapPolicy.environments,
-      environment: sapPolicy.environments[0]
-    };
+    return { ...deletedPolicy, projectId: sapPolicy.projectId, environment: sapPolicy.environment };
   };
 
   const getSecretApprovalPolicyByProjectId = async ({
@@ -548,8 +498,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
@@ -566,7 +515,7 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const policies = await secretApprovalPolicyDAL.find({ deletedAt: null }, { envId: env.id });
+    const policies = await secretApprovalPolicyDAL.find({ envId: env.id, deletedAt: null });
     if (!policies.length) return;
     // this will filter policies either without scoped to secret path or the one that matches with secret path
     const policiesFilteredByPath = policies.filter(
@@ -593,8 +542,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
@@ -620,8 +568,7 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -5,8 +5,7 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app
 export type TCreateSapDTO = {
   approvals: number;
   secretPath: string;
-  environment?: string;
-  environments?: string[];
+  environment: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
     | { type: BypasserType.Group; id: string }
@@ -30,7 +29,6 @@ export type TUpdateSapDTO = {
   name?: string;
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals?: boolean;
-  environments?: string[];
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteSapDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -40,13 +40,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.policyId`,
         `${TableName.SecretApprovalPolicy}.id`
       )
-      .leftJoin(TableName.SecretApprovalPolicyEnvironment, (bd) => {
-        bd.on(
-          `${TableName.SecretApprovalPolicy}.id`,
-          "=",
-          `${TableName.SecretApprovalPolicyEnvironment}.policyId`
-        ).andOn(`${TableName.SecretApprovalPolicyEnvironment}.envId`, "=", `${TableName.SecretFolder}.envId`);
-      })
       .leftJoin<TUsers>(
         db(TableName.Users).as("statusChangedByUser"),
         `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
@@ -153,7 +146,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
-        tx.ref("envId").withSchema(TableName.SecretApprovalPolicyEnvironment).as("policyEnvId"),
+        tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
         tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1,9 +1,7 @@
 /* eslint-disable no-nested-ternary */
 import { ForbiddenError, subject } from "@casl/ability";
-import { Knex } from "knex";
 
 import {
-  ActionProjectType,
   ProjectMembershipRole,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
@@ -69,7 +67,6 @@ import { throwIfMissingSecretReadValueOrDescribePermission } from "../permission
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { ProjectPermissionSecretActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
-import { scanSecretPolicyViolations } from "../secret-scanning-v2/secret-scanning-v2-fns";
 import { TSecretSnapshotServiceFactory } from "../secret-snapshot/secret-snapshot-service";
 import { TSecretApprovalRequestDALFactory } from "./secret-approval-request-dal";
 import { sendApprovalEmailsFn } from "./secret-approval-request-fns";
@@ -186,8 +183,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
@@ -214,8 +210,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -267,8 +262,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -417,8 +411,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -487,8 +480,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -538,19 +530,13 @@ export const secretApprovalRequestServiceFactory = ({
         message: "The policy associated with this secret approval request has been deleted."
       });
     }
-    if (!policy.envId) {
-      throw new BadRequestError({
-        message: "The policy associated with this secret approval request is not linked to the environment."
-      });
-    }
 
     const { hasRole } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     if (
@@ -968,7 +954,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
@@ -1102,8 +1088,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@@ -1383,9 +1368,8 @@ export const secretApprovalRequestServiceFactory = ({
     policy,
     projectId,
     secretPath,
-    environment,
-    trx: providedTx
-  }: TGenerateSecretApprovalRequestV2BridgeDTO & { trx?: Knex }) => {
+    environment
+  }: TGenerateSecretApprovalRequestV2BridgeDTO) => {
     if (actor === ActorType.SERVICE || actor === ActorType.Machine)
       throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
 
@@ -1394,8 +1378,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -1413,20 +1396,6 @@ export const secretApprovalRequestServiceFactory = ({
       projectId
     });
 
-    const project = await projectDAL.findById(projectId);
-    await scanSecretPolicyViolations(
-      projectId,
-      secretPath,
-      [
-        ...(data[SecretOperations.Create] || []),
-        ...(data[SecretOperations.Update] || []).filter((el) => el.secretValue)
-      ].map((el) => ({
-        secretKey: el.secretKey,
-        secretValue: el.secretValue as string
-      })),
-      project.secretDetectionIgnoreValues || []
-    );
-
     // for created secret approval change
     const createdSecrets = data[SecretOperations.Create];
     if (createdSecrets && createdSecrets?.length) {
@@ -1626,7 +1595,7 @@ export const secretApprovalRequestServiceFactory = ({
       );
     });
 
-    const executeApprovalRequestCreation = async (tx: Knex) => {
+    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
       const doc = await secretApprovalRequestDAL.create(
         {
           folderId,
@@ -1688,11 +1657,7 @@ export const secretApprovalRequestServiceFactory = ({
       }
 
       return { ...doc, commits: approvalCommits };
-    };
-
-    const secretApprovalRequest = providedTx
-      ? await executeApprovalRequestCreation(providedTx)
-      : await secretApprovalRequestDAL.transaction(executeApprovalRequestCreation);
+    });
 
     const user = await userDAL.findById(actorId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts

@@ -167,7 +167,7 @@ export const secretRotationV2QueueServiceFactory = async ({
             environment: environment.name,
             projectName: project.name,
             rotationUrl: encodeURI(
-              `${appCfg.SITE_URL}/projects/secret-management/${projectId}/secrets/${environment.slug}`
+              `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
             )
           }
         });

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";
 
-import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
+import { SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
@@ -223,7 +223,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -274,7 +274,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -320,7 +320,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -385,7 +385,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -429,7 +429,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -631,7 +631,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -781,7 +781,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -1113,7 +1113,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -1160,7 +1160,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -1212,7 +1212,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
       projectId
     });
 
@@ -1328,8 +1328,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId: actor.orgId
     });
 
     const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -7,13 +7,12 @@ import {
   TRotationFactoryRevokeCredentials,
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   executeWithPotentialGateway,
   SQL_CONNECTION_ALTER_LOGIN_STATEMENT
 } from "@app/services/app-connection/shared/sql";
 
-import { DEFAULT_PASSWORD_REQUIREMENTS, generatePassword } from "../utils";
+import { generatePassword } from "../utils";
 import {
   TSqlCredentialsRotationGeneratedCredentials,
   TSqlCredentialsRotationWithConnection
@@ -33,11 +32,6 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
   return redactedMessage;
 };
 
-const ORACLE_PASSWORD_REQUIREMENTS = {
-  ...DEFAULT_PASSWORD_REQUIREMENTS,
-  length: 30
-};
-
 export const sqlCredentialsRotationFactory: TRotationFactory<
   TSqlCredentialsRotationWithConnection,
   TSqlCredentialsRotationGeneratedCredentials
@@ -49,9 +43,6 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     secretsMapping
   } = secretRotation;
 
-  const passwordRequirement =
-    connection.app === AppConnection.OracleDB ? ORACLE_PASSWORD_REQUIREMENTS : DEFAULT_PASSWORD_REQUIREMENTS;
-
   const executeOperation = <T>(
     operation: (client: Knex) => Promise<T>,
     credentialsOverride?: TSqlCredentialsRotationGeneratedCredentials[number]
@@ -74,7 +65,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
   const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     try {
       await executeOperation(async (client) => {
-        await client.raw(connection.app === AppConnection.OracleDB ? `SELECT 1 FROM DUAL` : `Select 1`);
+        await client.raw("SELECT 1");
       }, credentials);
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
@@ -84,13 +75,11 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
   const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
     callback
   ) => {
-    // For SQL, since we get existing users, we change both their passwords
-    // on issue to invalidate their existing passwords
     // For SQL, since we get existing users, we change both their passwords
     // on issue to invalidate their existing passwords
     const credentialsSet = [
-      { username: username1, password: generatePassword(passwordRequirement) },
-      { username: username2, password: generatePassword(passwordRequirement) }
+      { username: username1, password: generatePassword() },
+      { username: username2, password: generatePassword() }
     ];
 
     try {
@@ -116,10 +105,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     credentialsToRevoke,
     callback
   ) => {
-    const revokedCredentials = credentialsToRevoke.map(({ username }) => ({
-      username,
-      password: generatePassword(passwordRequirement)
-    }));
+    const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
 
     try {
       await executeOperation(async (client) => {
@@ -142,10 +128,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     callback
   ) => {
     // generate new password for the next active user
-    const credentials = {
-      username: activeIndex === 0 ? username2 : username1,
-      password: generatePassword(passwordRequirement)
-    };
+    const credentials = { username: activeIndex === 0 ? username2 : username1, password: generatePassword() };
 
     try {
       await executeOperation(async (client) => {

backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts

@@ -11,7 +11,7 @@ type TPasswordRequirements = {
   allowedSymbols?: string;
 };
 
-export const DEFAULT_PASSWORD_REQUIREMENTS: TPasswordRequirements = {
+const DEFAULT_PASSWORD_REQUIREMENTS: TPasswordRequirements = {
   length: 48,
   required: {
     lowercase: 1,

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ProjectVersion, TableName } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -66,8 +66,7 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -98,8 +97,7 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -215,8 +213,7 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -266,8 +263,7 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Edit,
@@ -287,8 +283,7 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: doc.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Delete,

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts

@@ -1,21 +1,11 @@
 import { AxiosError } from "axios";
 import { exec } from "child_process";
-import { join } from "path";
-import picomatch from "picomatch";
 import RE2 from "re2";
 
-import {
-  createTempFolder,
-  deleteTempFolder,
-  readFindingsFile,
-  writeTextToFile
-} from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
+import { readFindingsFile } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
 import { SecretMatch } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
 import { BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GITHUB_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION } from "@app/ee/services/secret-scanning-v2/github";
-import { getConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
 import { titleCaseToCamelCase } from "@app/lib/fn";
 
 import { SecretScanningDataSource, SecretScanningFindingSeverity } from "./secret-scanning-v2-enums";
@@ -56,19 +46,6 @@ export function scanDirectory(inputPath: string, outputPath: string, configPath?
   });
 }
 
-export function scanFile(inputPath: string): Promise<void> {
-  return new Promise((resolve, reject) => {
-    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git`;
-    exec(command, (error) => {
-      if (error && error.code === 77) {
-        reject(error);
-      } else {
-        resolve();
-      }
-    });
-  });
-}
-
 export const scanGitRepositoryAndGetFindings = async (
   scanPath: string,
   findingsPath: string,
@@ -163,47 +140,3 @@ export const parseScanErrorMessage = (err: unknown): string => {
     ? errorMessage
     : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };
-
-export const scanSecretPolicyViolations = async (
-  projectId: string,
-  secretPath: string,
-  secrets: { secretKey: string; secretValue: string }[],
-  ignoreValues: string[]
-) => {
-  const appCfg = getConfig();
-
-  if (!appCfg.PARAMS_FOLDER_SECRET_DETECTION_ENABLED) {
-    return;
-  }
-
-  const match = appCfg.PARAMS_FOLDER_SECRET_DETECTION_PATHS?.find(
-    (el) => el.projectId === projectId && picomatch.isMatch(secretPath, el.secretPath, { strictSlashes: false })
-  );
-
-  if (!match) {
-    return;
-  }
-
-  const tempFolder = await createTempFolder();
-  try {
-    const scanPromises = secrets
-      .filter((secret) => !ignoreValues.includes(secret.secretValue))
-      .map(async (secret) => {
-        const secretFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
-        await writeTextToFile(secretFilePath, `${secret.secretKey}=${secret.secretValue}`);
-
-        try {
-          await scanFile(secretFilePath);
-        } catch (error) {
-          throw new BadRequestError({
-            message: `Secret value detected in ${secret.secretKey}. Please add this instead to the designated secrets path in the project.`,
-            name: "SecretPolicyViolation"
-          });
-        }
-      });
-
-    await Promise.all(scanPromises);
-  } finally {
-    await deleteTempFolder(tempFolder);
-  }
-};

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -567,18 +567,14 @@ export const secretScanningV2QueueServiceFactory = async ({
         const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
         const project = await projectDAL.findById(projectId);
 
-        const recipients = projectMembers.filter((member) => {
-          const isAdmin = member.roles.some((role) => role.role === ProjectMembershipRole.Admin);
-          const isCompleted = payload.status === SecretScanningScanStatus.Completed;
-          // We assume that the committer is one of the project members
-          const isCommitter = isCompleted && payload.authorEmail === member.user.email;
-          return isAdmin || isCommitter;
-        });
+        const projectAdmins = projectMembers.filter((member) =>
+          member.roles.some((role) => role.role === ProjectMembershipRole.Admin)
+        );
 
         const timestamp = new Date().toISOString();
 
         await smtpService.sendMail({
-          recipients: recipients.map((member) => member.user.email!).filter(Boolean),
+          recipients: projectAdmins.map((member) => member.user.email!).filter(Boolean),
           template:
             payload.status === SecretScanningScanStatus.Completed
               ? SmtpTemplates.SecretScanningV2SecretsDetected
@@ -596,7 +592,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                   numberOfSecrets: payload.numberOfSecrets,
                   isDiffScan: payload.isDiffScan,
                   url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/findings?search=scanId:${payload.scanId}`
+                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/findings?search=scanId:${payload.scanId}`
                   ),
                   timestamp
                 }
@@ -607,7 +603,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                   timestamp,
                   errorMessage: payload.errorMessage,
                   url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/data-sources/${dataSource.type}/${dataSource.id}`
+                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/data-sources/${dataSource.type}/${dataSource.id}`
                   )
                 }
         });

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { join } from "path";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -95,7 +94,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId
     });
 
@@ -157,7 +156,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -202,7 +201,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId
     });
 
@@ -236,7 +235,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: payload.projectId
     });
 
@@ -349,7 +348,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -402,7 +401,6 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -476,7 +474,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -540,7 +538,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -585,7 +583,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -628,7 +626,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -671,7 +669,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: dataSource.projectId
     });
 
@@ -704,7 +702,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId
     });
 
@@ -738,7 +736,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId
     });
 
@@ -778,7 +776,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId: finding.projectId
     });
 
@@ -809,7 +807,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId
     });
 
@@ -844,7 +842,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
       projectId
     });
 

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -2,7 +2,7 @@
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -103,8 +103,7 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
@@ -140,8 +139,7 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
@@ -169,8 +167,7 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId: snapshot.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
@@ -394,8 +391,7 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId: snapshot.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -59,8 +58,7 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -132,8 +130,7 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -201,8 +198,7 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -228,8 +224,7 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
@@ -80,8 +79,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
@@ -173,8 +171,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -270,8 +267,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -294,8 +290,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
@@ -321,8 +316,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -360,8 +354,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -400,8 +393,7 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);

backend/src/ee/services/ssh-host/ssh-host-fns.ts

@@ -1,6 +1,5 @@
 import { Knex } from "knex";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -63,8 +62,7 @@ export const createSshLoginMappings = async ({
             userId: user.id,
             projectId,
             authMethod: actorAuthMethod,
-            userOrgId: actorOrgId,
-            actionProjectType: ActionProjectType.SSH
+            userOrgId: actorOrgId
           });
         }
 

backend/src/ee/services/ssh-host/ssh-host-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -112,8 +111,7 @@ export const sshHostServiceFactory = ({
           actorId,
           projectId: project.id,
           actorAuthMethod,
-          actorOrgId,
-          actionProjectType: ActionProjectType.SSH
+          actorOrgId
         });
 
         const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
@@ -146,8 +144,7 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -276,8 +273,7 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -338,8 +334,7 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -367,8 +362,7 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -407,8 +401,7 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     const internalPrincipals = await convertActorToPrincipals({
@@ -527,8 +520,7 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ssh/ssh-certificate-authority-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -73,8 +72,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -109,8 +107,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -178,8 +175,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -217,8 +213,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -259,8 +254,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -381,8 +375,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -479,8 +472,7 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/trusted-ip/trusted-ip-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -36,8 +35,7 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
     const trustedIps = await trustedIpDAL.find({
@@ -61,8 +59,7 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
@@ -107,8 +104,7 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
@@ -153,8 +149,7 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 

backend/src/lib/api-docs/constants.ts

@@ -704,8 +704,7 @@ export const PROJECTS = {
     hasDeleteProtection: "Enable or disable delete protection for the project.",
     secretSharing: "Enable or disable secret sharing for the project.",
     showSnapshotsLegacy: "Enable or disable legacy snapshots for the project.",
-    defaultProduct: "The default product in which the project will open",
-    secretDetectionIgnoreValues: "The list of secret values to ignore for secret detection."
+    defaultProduct: "The default product in which the project will open"
   },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
@@ -2246,9 +2245,7 @@ export const AppConnections = {
     },
     AZURE_CLIENT_SECRETS: {
       code: "The OAuth code to use to connect with Azure Client Secrets.",
-      tenantId: "The Tenant ID to use to connect with Azure Client Secrets.",
-      clientId: "The Client ID to use to connect with Azure Client Secrets.",
-      clientSecret: "The Client Secret to use to connect with Azure Client Secrets."
+      tenantId: "The Tenant ID to use to connect with Azure Client Secrets."
     },
     AZURE_DEVOPS: {
       code: "The OAuth code to use to connect with Azure DevOps.",
@@ -2293,9 +2290,6 @@ export const AppConnections = {
       accessKey: "The Key used to access Supabase.",
       instanceUrl: "The URL used to access Supabase."
     },
-    DIGITAL_OCEAN_APP_PLATFORM: {
-      apiToken: "The API token used to authenticate with Digital Ocean App Platform."
-    },
     OKTA: {
       instanceUrl: "The URL used to access your Okta organization.",
       apiToken: "The API token used to authenticate with Okta."
@@ -2376,10 +2370,6 @@ export const SecretSyncs = {
       keyId: "The AWS KMS key ID or alias to use when encrypting parameters synced by Infisical.",
       tags: "Optional tags to add to secrets synced by Infisical.",
       syncSecretMetadataAsTags: `Whether Infisical secret metadata should be added as tags to secrets synced by Infisical.`
-    },
-    RENDER: {
-      autoRedeployServices:
-        "Whether Infisical should automatically redeploy the configured Render service upon secret changes."
     }
   },
   DESTINATION_CONFIG: {
@@ -2516,11 +2506,6 @@ export const SecretSyncs = {
     SUPABASE: {
       projectId: "The ID of the Supabase project to sync secrets to.",
       projectName: "The name of the Supabase project to sync secrets to."
-    },
-    BITBUCKET: {
-      workspaceSlug: "The Bitbucket Workspace slug to sync secrets to.",
-      repositorySlug: "The Bitbucket Repository slug to sync secrets to.",
-      environmentId: "The Bitbucket Deployment Environment uuid to sync secrets to."
     }
   }
 };

backend/src/lib/config/env.ts

@@ -204,17 +204,6 @@ const envSchema = z
     WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
     ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true"),
 
-    // Special Detection Feature
-    PARAMS_FOLDER_SECRET_DETECTION_PATHS: zpStr(
-      z
-        .string()
-        .optional()
-        .transform((val) => {
-          if (!val) return undefined;
-          return JSON.parse(val) as { secretPath: string; projectId: string }[];
-        })
-    ),
-
     // HSM
     HSM_LIB_PATH: zpStr(z.string().optional()),
     HSM_PIN: zpStr(z.string().optional()),
@@ -272,26 +261,10 @@ const envSchema = z
     // gcp app
     INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
 
-    // Legacy Single Multi Purpose Azure App Connection
+    // azure app
     INF_APP_CONNECTION_AZURE_CLIENT_ID: zpStr(z.string().optional()),
     INF_APP_CONNECTION_AZURE_CLIENT_SECRET: zpStr(z.string().optional()),
 
-    // Azure App Configuration App Connection
-    INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET: zpStr(z.string().optional()),
-
-    // Azure Key Vault App Connection
-    INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET: zpStr(z.string().optional()),
-
-    // Azure Client Secrets App Connection
-    INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET: zpStr(z.string().optional()),
-
-    // Azure DevOps App Connection
-    INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET: zpStr(z.string().optional()),
-
     // datadog
     SHOULD_USE_DATADOG_TRACER: zodStrBool.default("false"),
     DATADOG_PROFILING_ENABLED: zodStrBool.default("false"),
@@ -368,24 +341,7 @@ const envSchema = z
     isHsmConfigured:
       Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
-    SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(","),
-    PARAMS_FOLDER_SECRET_DETECTION_ENABLED: (data.PARAMS_FOLDER_SECRET_DETECTION_PATHS?.length ?? 0) > 0,
-    INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID:
-      data.INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID || data.INF_APP_CONNECTION_AZURE_CLIENT_ID,
-    INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET:
-      data.INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET || data.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
-    INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID:
-      data.INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID || data.INF_APP_CONNECTION_AZURE_CLIENT_ID,
-    INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET:
-      data.INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET || data.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
-    INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID:
-      data.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID || data.INF_APP_CONNECTION_AZURE_CLIENT_ID,
-    INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET:
-      data.INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET || data.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
-    INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID:
-      data.INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID || data.INF_APP_CONNECTION_AZURE_CLIENT_ID,
-    INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET:
-      data.INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET || data.INF_APP_CONNECTION_AZURE_CLIENT_SECRET
+    SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));
 
 export type TEnvConfig = Readonly<z.infer<typeof envSchema>>;
@@ -495,54 +451,15 @@ export const overwriteSchema: {
       }
     ]
   },
-  azureAppConfiguration: {
-    name: "Azure App Configuration",
+  azure: {
+    name: "Azure",
     fields: [
       {
-        key: "INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID",
+        key: "INF_APP_CONNECTION_AZURE_CLIENT_ID",
         description: "The Application (Client) ID of your Azure application."
       },
       {
-        key: "INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET",
-        description: "The Client Secret of your Azure application."
-      }
-    ]
-  },
-  azureKeyVault: {
-    name: "Azure Key Vault",
-    fields: [
-      {
-        key: "INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID",
-        description: "The Application (Client) ID of your Azure application."
-      },
-      {
-        key: "INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET",
-        description: "The Client Secret of your Azure application."
-      }
-    ]
-  },
-  azureClientSecrets: {
-    name: "Azure Client Secrets",
-    fields: [
-      {
-        key: "INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID",
-        description: "The Application (Client) ID of your Azure application."
-      },
-      {
-        key: "INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET",
-        description: "The Client Secret of your Azure application."
-      }
-    ]
-  },
-  azureDevOps: {
-    name: "Azure DevOps",
-    fields: [
-      {
-        key: "INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID",
-        description: "The Application (Client) ID of your Azure application."
-      },
-      {
-        key: "INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET",
+        key: "INF_APP_CONNECTION_AZURE_CLIENT_SECRET",
         description: "The Client Secret of your Azure application."
       }
     ]

backend/src/lib/crypto/cryptography/crypto.ts

@@ -14,7 +14,7 @@ import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
 
 import { isBase64 } from "../../base64";
-import { getConfig, TEnvConfig } from "../../config/env";
+import { getConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
 import { asymmetricFipsValidated } from "./asymmetric-fips";
@@ -106,12 +106,12 @@ const cryptographyFactory = () => {
     }
   };
 
-  const $setFipsModeEnabled = (enabled: boolean, envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">) => {
+  const $setFipsModeEnabled = (enabled: boolean) => {
     // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
     if (enabled) {
       crypto.setFips(true);
 
-      const appCfg = envCfg || getConfig();
+      const appCfg = getConfig();
 
       if (appCfg.ENCRYPTION_KEY) {
         // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
@@ -141,14 +141,14 @@ const cryptographyFactory = () => {
     $isInitialized = true;
   };
 
-  const initialize = async (superAdminDAL: TSuperAdminDALFactory, envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">) => {
+  const initialize = async (superAdminDAL: TSuperAdminDALFactory) => {
     if ($isInitialized) {
       return isFipsModeEnabled();
     }
 
     if (process.env.FIPS_ENABLED !== "true") {
       logger.info("Cryptography module initialized in normal operation mode.");
-      $setFipsModeEnabled(false, envCfg);
+      $setFipsModeEnabled(false);
       return false;
     }
 
@@ -158,11 +158,11 @@ const cryptographyFactory = () => {
     if (serverCfg) {
       if (serverCfg.fipsEnabled) {
         logger.info("[FIPS]: Instance is configured for FIPS mode of operation. Continuing startup with FIPS enabled.");
-        $setFipsModeEnabled(true, envCfg);
+        $setFipsModeEnabled(true);
         return true;
       }
       logger.info("[FIPS]: Instance age predates FIPS mode inception date. Continuing without FIPS.");
-      $setFipsModeEnabled(false, envCfg);
+      $setFipsModeEnabled(false);
       return false;
     }
 
@@ -171,7 +171,7 @@ const cryptographyFactory = () => {
     // TODO(daniel): check if it's an enterprise deployment
 
     // if there is no server cfg, and FIPS_MODE is `true`, its a fresh FIPS deployment. We need to set the fipsEnabled to true.
-    $setFipsModeEnabled(true, envCfg);
+    $setFipsModeEnabled(true);
     return true;
   };
 

backend/src/queue/queue-service.ts

@@ -64,9 +64,7 @@ export enum QueueName {
   FolderTreeCheckpoint = "folder-tree-checkpoint",
   InvalidateCache = "invalidate-cache",
   SecretScanningV2 = "secret-scanning-v2",
-  TelemetryAggregatedEvents = "telemetry-aggregated-events",
-  DailyReminders = "daily-reminders",
-  SecretReminderMigration = "secret-reminder-migration"
+  TelemetryAggregatedEvents = "telemetry-aggregated-events"
 }
 
 export enum QueueJobs {
@@ -106,9 +104,7 @@ export enum QueueJobs {
   SecretScanningV2SendNotification = "secret-scanning-v2-notification",
   CaOrderCertificateForSubscriber = "ca-order-certificate-for-subscriber",
   PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal",
-  TelemetryAggregatedEvents = "telemetry-aggregated-events",
-  DailyReminders = "daily-reminders",
-  SecretReminderMigration = "secret-reminder-migration"
+  TelemetryAggregatedEvents = "telemetry-aggregated-events"
 }
 
 export type TQueueJobTypes = {
@@ -295,14 +291,6 @@ export type TQueueJobTypes = {
       caType: CaType;
     };
   };
-  [QueueName.DailyReminders]: {
-    name: QueueJobs.DailyReminders;
-    payload: undefined;
-  };
-  [QueueName.SecretReminderMigration]: {
-    name: QueueJobs.SecretReminderMigration;
-    payload: undefined;
-  };
   [QueueName.PkiSubscriber]: {
     name: QueueJobs.PkiSubscriberDailyAutoRenewal;
     payload: undefined;
@@ -402,11 +390,6 @@ export type TQueueServiceFactory = {
     startOffset?: number,
     endOffset?: number
   ) => Promise<{ key: string; name: string; id: string | null }[]>;
-  getDelayedJobs: (
-    name: QueueName,
-    startOffset?: number,
-    endOffset?: number
-  ) => Promise<{ delay: number; timestamp: number; repeatJobKey?: string; data?: unknown }[]>;
 };
 
 export const queueServiceFactory = (
@@ -569,13 +552,6 @@ export const queueServiceFactory = (
     return q.getRepeatableJobs(startOffset, endOffset);
   };
 
-  const getDelayedJobs: TQueueServiceFactory["getDelayedJobs"] = (name, startOffset, endOffset) => {
-    const q = queueContainer[name];
-    if (!q) throw new Error(`Queue '${name}' not initialized`);
-
-    return q.getDelayed(startOffset, endOffset);
-  };
-
   const stopRepeatableJobByJobId: TQueueServiceFactory["stopRepeatableJobByJobId"] = async (name, jobId) => {
     const q = queueContainer[name];
     const job = await q.getJob(jobId);
@@ -622,7 +598,6 @@ export const queueServiceFactory = (
     stopJobById,
     stopJobByIdPg,
     getRepeatableJobs,
-    getDelayedJobs,
     startPg,
     queuePg,
     schedulePg

backend/src/server/plugins/auth/inject-identity.ts

@@ -162,12 +162,6 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
             kubernetes: token?.identityAuth?.kubernetes
           });
         }
-        if (token?.identityAuth?.aws) {
-          requestContext.set("identityAuthInfo", {
-            identityId: identity.identityId,
-            aws: token?.identityAuth?.aws
-          });
-        }
         break;
       }
       case AuthMode.SERVICE_TOKEN: {

backend/src/server/routes/index.ts

@@ -11,7 +11,6 @@ import {
   accessApprovalPolicyBypasserDALFactory
 } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
 import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
-import { accessApprovalPolicyEnvironmentDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-environment-dal";
 import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
 import { accessApprovalRequestReviewerDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-reviewer-dal";
@@ -77,7 +76,6 @@ import {
   secretApprovalPolicyBypasserDALFactory
 } from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
 import { secretApprovalPolicyDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-dal";
-import { secretApprovalPolicyEnvironmentDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-environment-dal";
 import { secretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { secretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { secretApprovalRequestReviewerDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-reviewer-dal";
@@ -248,10 +246,6 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { reminderDALFactory } from "@app/services/reminder/reminder-dal";
-import { dailyReminderQueueServiceFactory } from "@app/services/reminder/reminder-queue";
-import { reminderServiceFactory } from "@app/services/reminder/reminder-service";
-import { reminderRecipientDALFactory } from "@app/services/reminder-recipients/reminder-recipient-dal";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
@@ -377,9 +371,6 @@ export const registerRoutes = async (
   const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
   const secretVersionTagV2BridgeDAL = secretVersionV2TagBridgeDALFactory(db);
 
-  const reminderDAL = reminderDALFactory(db);
-  const reminderRecipientDAL = reminderRecipientDALFactory(db);
-
   const integrationDAL = integrationDALFactory(db);
   const integrationAuthDAL = integrationAuthDALFactory(db);
   const webhookDAL = webhookDALFactory(db);
@@ -427,11 +418,9 @@ export const registerRoutes = async (
   const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
   const accessApprovalPolicyBypasserDAL = accessApprovalPolicyBypasserDALFactory(db);
   const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
-  const accessApprovalPolicyEnvironmentDAL = accessApprovalPolicyEnvironmentDALFactory(db);
 
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const sapBypasserDAL = secretApprovalPolicyBypasserDALFactory(db);
-  const sapEnvironmentDAL = secretApprovalPolicyEnvironmentDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
   const secretApprovalRequestReviewerDAL = secretApprovalRequestReviewerDALFactory(db);
@@ -565,7 +554,6 @@ export const registerRoutes = async (
     projectEnvDAL,
     secretApprovalPolicyApproverDAL: sapApproverDAL,
     secretApprovalPolicyBypasserDAL: sapBypasserDAL,
-    secretApprovalPolicyEnvironmentDAL: sapEnvironmentDAL,
     permissionService,
     secretApprovalPolicyDAL,
     licenseService,
@@ -746,17 +734,9 @@ export const registerRoutes = async (
 
   const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
 
-  const reminderService = reminderServiceFactory({
-    reminderDAL,
-    reminderRecipientDAL,
-    smtpService,
-    projectMembershipDAL,
-    permissionService,
-    secretV2BridgeDAL
-  });
-
   const orgService = orgServiceFactory({
     userAliasDAL,
+    queueService,
     identityMetadataDAL,
     secretDAL,
     secretV2BridgeDAL,
@@ -782,8 +762,7 @@ export const registerRoutes = async (
     orgBotDAL,
     oidcConfigDAL,
     loginService,
-    projectBotService,
-    reminderService
+    projectBotService
   });
   const signupService = authSignupServiceFactory({
     tokenService,
@@ -1081,6 +1060,7 @@ export const registerRoutes = async (
     secretImportDAL,
     projectEnvDAL,
     webhookDAL,
+    orgDAL,
     auditLogService,
     userDAL,
     projectMembershipDAL,
@@ -1102,11 +1082,11 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     projectKeyDAL,
     projectUserMembershipRoleDAL,
+    secretReminderRecipientsDAL,
     orgService,
     resourceMetadataDAL,
     folderCommitService,
-    secretSyncQueue,
-    reminderService
+    secretSyncQueue
   });
 
   const projectService = projectServiceFactory({
@@ -1115,6 +1095,7 @@ export const registerRoutes = async (
     projectSshConfigDAL,
     secretDAL,
     secretV2BridgeDAL,
+    queueService,
     projectQueue: projectQueueService,
     projectBotService,
     identityProjectDAL,
@@ -1151,8 +1132,7 @@ export const registerRoutes = async (
     microsoftTeamsIntegrationDAL,
     projectTemplateService,
     groupProjectDAL,
-    smtpService,
-    reminderService
+    smtpService
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -1161,9 +1141,7 @@ export const registerRoutes = async (
     keyStore,
     licenseService,
     projectDAL,
-    folderDAL,
-    accessApprovalPolicyEnvironmentDAL,
-    secretApprovalPolicyEnvironmentDAL: sapEnvironmentDAL
+    folderDAL
   });
 
   const projectRoleService = projectRoleServiceFactory({
@@ -1238,7 +1216,6 @@ export const registerRoutes = async (
 
   const secretV2BridgeService = secretV2BridgeServiceFactory({
     folderDAL,
-    projectDAL,
     secretVersionDAL: secretVersionV2BridgeDAL,
     folderCommitService,
     secretQueueService,
@@ -1254,7 +1231,6 @@ export const registerRoutes = async (
     kmsService,
     snapshotService,
     resourceMetadataDAL,
-    reminderService,
     keyStore
   });
 
@@ -1308,8 +1284,7 @@ export const registerRoutes = async (
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
     secretApprovalRequestService,
-    licenseService,
-    reminderService
+    licenseService
   });
 
   const secretSharingService = secretSharingServiceFactory({
@@ -1325,7 +1300,6 @@ export const registerRoutes = async (
     accessApprovalPolicyDAL,
     accessApprovalPolicyApproverDAL,
     accessApprovalPolicyBypasserDAL,
-    accessApprovalPolicyEnvironmentDAL,
     groupDAL,
     permissionService,
     projectEnvDAL,
@@ -1564,12 +1538,7 @@ export const registerRoutes = async (
     folderService,
     permissionService,
     folderDAL,
-    projectEnvDAL,
-    secretApprovalRequestService,
-    secretApprovalPolicyService,
-    projectDAL,
-    secretV2BridgeService,
-    folderCommitDAL
+    projectEnvDAL
   });
 
   const identityOidcAuthService = identityOidcAuthServiceFactory({
@@ -1642,6 +1611,7 @@ export const registerRoutes = async (
     auditLogDAL,
     queueService,
     secretVersionDAL,
+    secretDAL,
     secretFolderVersionDAL: folderVersionDAL,
     snapshotDAL,
     identityAccessTokenDAL,
@@ -1652,13 +1622,6 @@ export const registerRoutes = async (
     orgService
   });
 
-  const dailyReminderQueueService = dailyReminderQueueServiceFactory({
-    reminderService,
-    queueService,
-    secretDAL: secretV2BridgeDAL,
-    secretReminderRecipientsDAL
-  });
-
   const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
     queueService,
     pkiAlertService
@@ -1958,8 +1921,6 @@ export const registerRoutes = async (
   await telemetryQueue.startTelemetryCheck();
   await telemetryQueue.startAggregatedEventsJob();
   await dailyResourceCleanUp.startCleanUp();
-  await dailyReminderQueueService.startDailyRemindersJob();
-  await dailyReminderQueueService.startSecretReminderMigrationJob();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
   await pkiSubscriberQueue.startDailyAutoRenewalJob();
   await kmsService.startService();
@@ -2070,8 +2031,7 @@ export const registerRoutes = async (
     assumePrivileges: assumePrivilegeService,
     githubOrgSync: githubOrgSyncConfigService,
     folderCommit: folderCommitService,
-    secretScanningV2: secretScanningV2Service,
-    reminder: reminderService
+    secretScanningV2: secretScanningV2Service
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/sanitizedSchemas.ts

@@ -93,13 +93,6 @@ export const sapPubSchema = SecretApprovalPoliciesSchema.merge(
       name: z.string(),
       slug: z.string()
     }),
-    environments: z.array(
-      z.object({
-        id: z.string(),
-        name: z.string(),
-        slug: z.string()
-      })
-    ),
     projectId: z.string()
   })
 );
@@ -271,8 +264,7 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
   auditLogsRetentionDays: true,
   hasDeleteProtection: true,
   secretSharing: true,
-  showSnapshotsLegacy: true,
-  secretDetectionIgnoreValues: true
+  showSnapshotsLegacy: true
 });
 
 export const SanitizedTagSchema = SecretTagsSchema.pick({

backend/src/server/routes/v1/admin-router.ts

@@ -52,8 +52,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             defaultAuthOrgAuthEnforced: z.boolean().nullish(),
             defaultAuthOrgAuthMethod: z.string().nullish(),
             isSecretScanningDisabled: z.boolean(),
-            kubernetesAutoFetchServiceAccountToken: z.boolean(),
-            paramsFolderSecretDetectionEnabled: z.boolean()
+            kubernetesAutoFetchServiceAccountToken: z.boolean()
           })
         })
       }
@@ -68,8 +67,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
           fipsEnabled: crypto.isFipsModeEnabled(),
           isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
           isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
-          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN,
-          paramsFolderSecretDetectionEnabled: serverEnvs.PARAMS_FOLDER_SECRET_DETECTION_ENABLED
+          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN
         }
       };
     }
@@ -687,7 +685,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
       body: z.object({
         email: z.string().email().trim().min(1),
         password: z.string().trim().min(1),

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -51,10 +51,6 @@ import {
   DatabricksConnectionListItemSchema,
   SanitizedDatabricksConnectionSchema
 } from "@app/services/app-connection/databricks";
-import {
-  DigitalOceanConnectionListItemSchema,
-  SanitizedDigitalOceanConnectionSchema
-} from "@app/services/app-connection/digital-ocean";
 import { FlyioConnectionListItemSchema, SanitizedFlyioConnectionSchema } from "@app/services/app-connection/flyio";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
@@ -144,7 +140,6 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedRailwayConnectionSchema.options,
   ...SanitizedChecklyConnectionSchema.options,
   ...SanitizedSupabaseConnectionSchema.options,
-  ...SanitizedDigitalOceanConnectionSchema.options,
   ...SanitizedOktaConnectionSchema.options
 ]);
 
@@ -183,7 +178,6 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   RailwayConnectionListItemSchema,
   ChecklyConnectionListItemSchema,
   SupabaseConnectionListItemSchema,
-  DigitalOceanConnectionListItemSchema,
   OktaConnectionListItemSchema
 ]);
 

backend/src/server/routes/v1/app-connection-routers/bitbucket-connection-router.ts

@@ -85,40 +85,4 @@ export const registerBitbucketConnectionRouter = async (server: FastifyZodProvid
       return { repositories };
     }
   });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/environments`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      querystring: z.object({
-        workspaceSlug: z.string().min(1).max(255),
-        repositorySlug: z.string().min(1).max(255)
-      }),
-      response: {
-        200: z.object({
-          environments: z.object({ slug: z.string(), name: z.string(), uuid: z.string() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const {
-        params: { connectionId },
-        query: { workspaceSlug, repositorySlug }
-      } = req;
-
-      const environments = await server.services.appConnection.bitbucket.listEnvironments(
-        { connectionId, workspaceSlug, repositorySlug },
-        req.permission
-      );
-
-      return { environments };
-    }
-  });
 };

backend/src/server/routes/v1/app-connection-routers/digital-ocean-connection-router.ts

@@ -1,57 +0,0 @@
-import { z } from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  CreateDigitalOceanConnectionSchema,
-  SanitizedDigitalOceanConnectionSchema,
-  UpdateDigitalOceanConnectionSchema
-} from "@app/services/app-connection/digital-ocean";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
-
-export const registerDigitalOceanConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.DigitalOcean,
-    server,
-    createSchema: CreateDigitalOceanConnectionSchema,
-    updateSchema: UpdateDigitalOceanConnectionSchema,
-    sanitizedResponseSchema: SanitizedDigitalOceanConnectionSchema
-  });
-
-  // The below endpoints are not exposed and for Infisical App use
-  server.route({
-    method: "GET",
-    url: `/:connectionId/apps`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          apps: z
-            .object({
-              id: z.string(),
-              spec: z.object({
-                name: z.string()
-              })
-            })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const apps = await server.services.appConnection.digitalOcean.listApps(connectionId, req.permission);
-
-      return { apps };
-    }
-  });
-};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -14,7 +14,6 @@ import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerChecklyConnectionRouter } from "./checkly-connection-router";
 import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
-import { registerDigitalOceanConnectionRouter } from "./digital-ocean-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
@@ -75,6 +74,5 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Railway]: registerRailwayConnectionRouter,
     [AppConnection.Checkly]: registerChecklyConnectionRouter,
     [AppConnection.Supabase]: registerSupabaseConnectionRouter,
-    [AppConnection.DigitalOcean]: registerDigitalOceanConnectionRouter,
     [AppConnection.Okta]: registerOktaConnectionRouter
   };

backend/src/server/routes/v1/dashboard-router.ts

@@ -270,6 +270,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
               }
             }
           });
+
+          remainingLimit -= imports.length;
+          adjustedOffset = 0;
+        } else {
+          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
         }
       }
 
@@ -312,7 +317,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!includeDynamicSecrets && !includeSecrets && !includeSecretRotations)
+      if (!includeDynamicSecrets && !includeSecrets)
         return {
           folders,
           totalFolderCount,
@@ -542,6 +547,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           (totalFolderCount ?? 0) +
           (totalDynamicSecretCount ?? 0) +
           (totalSecretCount ?? 0) +
+          (totalImportCount ?? 0) +
           (totalSecretRotationCount ?? 0)
       };
     }
@@ -898,9 +904,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
             projectId,
             path: secretPath,
             search,
-            tagSlugs: tags,
-            includeTagsInSearch: true,
-            includeMetadataInSearch: true
+            tagSlugs: tags
           });
 
           if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
@@ -920,9 +924,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
                 search,
                 limit: remainingLimit,
                 offset: adjustedOffset,
-                tagSlugs: tags,
-                includeTagsInSearch: true,
-                includeMetadataInSearch: true
+                tagSlugs: tags
               })
             ).secrets;
           }
@@ -1095,8 +1097,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           filters: {
             ...sharedFilters,
             tagSlugs: tags,
-            includeTagsInSearch: true,
-            includeMetadataInSearch: true
+            includeTagsInSearch: true
           }
         },
         req.permission

backend/src/server/routes/v1/index.ts

@@ -42,7 +42,6 @@ import { registerProjectEnvRouter } from "./project-env-router";
 import { registerProjectKeyRouter } from "./project-key-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
-import { SECRET_REMINDER_REGISTER_ROUTER_MAP } from "./reminder-routers";
 import { registerSecretFolderRouter } from "./secret-folder-router";
 import { registerSecretImportRouter } from "./secret-import-router";
 import { registerSecretRequestsRouter } from "./secret-requests-router";
@@ -173,14 +172,4 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     },
     { prefix: "/secret-syncs" }
   );
-
-  await server.register(
-    async (reminderRouter) => {
-      // register service specific reminder endpoints (reminders/secret)
-      for await (const [reminderType, router] of Object.entries(SECRET_REMINDER_REGISTER_ROUTER_MAP)) {
-        await reminderRouter.register(router, { prefix: `/${reminderType}` });
-      }
-    },
-    { prefix: "/reminders" }
-  );
 };

backend/src/server/routes/v1/project-router.ts

@@ -158,8 +158,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         includeRoles: z
           .enum(["true", "false"])
           .default("false")
-          .transform((value) => value === "true"),
-        type: z.nativeEnum(ProjectType).optional()
+          .transform((value) => value === "true")
       }),
       response: {
         200: z.object({
@@ -178,8 +177,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        type: req.query.type
+        actorOrgId: req.permission.orgId
       });
       return { workspaces };
     }
@@ -369,11 +367,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           .describe(PROJECTS.UPDATE.slug),
         secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing),
         showSnapshotsLegacy: z.boolean().optional().describe(PROJECTS.UPDATE.showSnapshotsLegacy),
-        defaultProduct: z.nativeEnum(ProjectType).optional().describe(PROJECTS.UPDATE.defaultProduct),
-        secretDetectionIgnoreValues: z
-          .array(z.string())
-          .optional()
-          .describe(PROJECTS.UPDATE.secretDetectionIgnoreValues)
+        defaultProduct: z.nativeEnum(ProjectType).optional().describe(PROJECTS.UPDATE.defaultProduct)
       }),
       response: {
         200: z.object({
@@ -396,8 +390,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           hasDeleteProtection: req.body.hasDeleteProtection,
           slug: req.body.slug,
           secretSharing: req.body.secretSharing,
-          showSnapshotsLegacy: req.body.showSnapshotsLegacy,
-          secretDetectionIgnoreValues: req.body.secretDetectionIgnoreValues
+          showSnapshotsLegacy: req.body.showSnapshotsLegacy
         },
         actorAuthMethod: req.permission.authMethod,
         actorId: req.permission.id,
@@ -1057,7 +1050,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         limit: z.number().default(100),
         offset: z.number().default(0),
-        type: z.nativeEnum(ProjectType).optional(),
         orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
         orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
         name: z

backend/src/server/routes/v1/reminder-routers/index.ts

@@ -1,8 +0,0 @@
-import { ReminderType } from "@app/services/reminder/reminder-enums";
-
-import { registerSecretReminderRouter } from "./secret-reminder-router";
-
-export const SECRET_REMINDER_REGISTER_ROUTER_MAP: Record<ReminderType, (server: FastifyZodProvider) => Promise<void>> =
-  {
-    [ReminderType.SECRETS]: registerSecretReminderRouter
-  };

backend/src/server/routes/v1/reminder-routers/secret-reminder-router.ts

@@ -1,154 +0,0 @@
-import { z } from "zod";
-
-import { RemindersSchema } from "@app/db/schemas/reminders";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerSecretReminderRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/:secretId",
-    method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        secretId: z.string().uuid()
-      }),
-      body: z
-        .object({
-          message: z.string().trim().max(1024).optional(),
-          repeatDays: z.number().min(1).nullable().optional(),
-          nextReminderDate: z.string().datetime().nullable().optional(),
-          recipients: z.string().array().optional()
-        })
-        .refine((data) => {
-          return data.repeatDays || data.nextReminderDate;
-        }, "At least one of repeatDays or nextReminderDate is required"),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      await server.services.reminder.createReminder({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        reminder: {
-          secretId: req.params.secretId,
-          message: req.body.message,
-          repeatDays: req.body.repeatDays,
-          nextReminderDate: req.body.nextReminderDate,
-          recipients: req.body.recipients
-        }
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.CREATE_SECRET_REMINDER,
-          metadata: {
-            secretId: req.params.secretId,
-            message: req.body.message,
-            repeatDays: req.body.repeatDays,
-            nextReminderDate: req.body.nextReminderDate,
-            recipients: req.body.recipients
-          }
-        }
-      });
-
-      return { message: "Successfully created reminder" };
-    }
-  });
-
-  server.route({
-    url: "/:secretId",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        secretId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          reminder: RemindersSchema.extend({
-            recipients: z.string().array().optional()
-          })
-            .optional()
-            .nullable()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const reminder = await server.services.reminder.getReminder({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        secretId: req.params.secretId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.GET_SECRET_REMINDER,
-          metadata: {
-            secretId: req.params.secretId
-          }
-        }
-      });
-      return { reminder };
-    }
-  });
-
-  server.route({
-    url: "/:secretId",
-    method: "DELETE",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      params: z.object({
-        secretId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      await server.services.reminder.deleteReminder({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        secretId: req.params.secretId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.DELETE_SECRET_REMINDER,
-          metadata: {
-            secretId: req.params.secretId
-          }
-        }
-      });
-      return { message: "Successfully deleted reminder" };
-    }
-  });
-};

backend/src/server/routes/v1/secret-sync-routers/bitbucket-sync-router.ts

@@ -1,17 +0,0 @@
-import {
-  BitbucketSyncSchema,
-  CreateBitbucketSyncSchema,
-  UpdateBitbucketSyncSchema
-} from "@app/services/secret-sync/bitbucket";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
-export const registerBitbucketSyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.Bitbucket,
-    server,
-    responseSchema: BitbucketSyncSchema,
-    createSchema: CreateBitbucketSyncSchema,
-    updateSchema: UpdateBitbucketSyncSchema
-  });

backend/src/server/routes/v1/secret-sync-routers/digital-ocean-app-platform-sync-router.ts

@@ -1,17 +0,0 @@
-import {
-  CreateDigitalOceanAppPlatformSyncSchema,
-  DigitalOceanAppPlatformSyncSchema,
-  UpdateDigitalOceanAppPlatformSyncSchema
-} from "@app/services/secret-sync/digital-ocean-app-platform";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
-export const registerDigitalOceanAppPlatformSyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.DigitalOceanAppPlatform,
-    server,
-    responseSchema: DigitalOceanAppPlatformSyncSchema,
-    createSchema: CreateDigitalOceanAppPlatformSyncSchema,
-    updateSchema: UpdateDigitalOceanAppPlatformSyncSchema
-  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -7,13 +7,11 @@ import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-
 import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
-import { registerBitbucketSyncRouter } from "./bitbucket-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerChecklySyncRouter } from "./checkly-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
-import { registerDigitalOceanAppPlatformSyncRouter } from "./digital-ocean-app-platform-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
@@ -59,7 +57,5 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Supabase]: registerSupabaseSyncRouter,
   [SecretSync.Zabbix]: registerZabbixSyncRouter,
   [SecretSync.Railway]: registerRailwaySyncRouter,
-  [SecretSync.Checkly]: registerChecklySyncRouter,
-  [SecretSync.DigitalOceanAppPlatform]: registerDigitalOceanAppPlatformSyncRouter,
-  [SecretSync.Bitbucket]: registerBitbucketSyncRouter
+  [SecretSync.Checkly]: registerChecklySyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -21,7 +21,6 @@ import {
 } from "@app/services/secret-sync/azure-app-configuration";
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
-import { BitbucketSyncListItemSchema, BitbucketSyncSchema } from "@app/services/secret-sync/bitbucket";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import { ChecklySyncListItemSchema, ChecklySyncSchema } from "@app/services/secret-sync/checkly/checkly-sync-schemas";
 import {
@@ -33,10 +32,6 @@ import {
   CloudflareWorkersSyncSchema
 } from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
-import {
-  DigitalOceanAppPlatformSyncListItemSchema,
-  DigitalOceanAppPlatformSyncSchema
-} from "@app/services/secret-sync/digital-ocean-app-platform";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
@@ -80,9 +75,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   SupabaseSyncSchema,
   ZabbixSyncSchema,
   RailwaySyncSchema,
-  ChecklySyncSchema,
-  DigitalOceanAppPlatformSyncSchema,
-  BitbucketSyncSchema
+  ChecklySyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -109,12 +102,11 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   GitLabSyncListItemSchema,
   CloudflarePagesSyncListItemSchema,
   CloudflareWorkersSyncListItemSchema,
-  DigitalOceanAppPlatformSyncListItemSchema,
+
   ZabbixSyncListItemSchema,
   RailwaySyncListItemSchema,
   ChecklySyncListItemSchema,
-  SupabaseSyncListItemSchema,
-  BitbucketSyncListItemSchema
+  SupabaseSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v3/external-migration-router.ts

@@ -1,11 +1,9 @@
 import fastifyMultipart from "@fastify/multipart";
-import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
-import { writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { VaultMappingType } from "@app/services/external-migration/external-migration-types";
 
 const MB25_IN_BYTES = 26214400;
 
@@ -17,7 +15,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
     bodyLimit: MB25_IN_BYTES,
     url: "/env-key",
     config: {
-      rateLimit: writeLimit
+      rateLimit: readLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
@@ -54,30 +52,4 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
       });
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/vault",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        vaultAccessToken: z.string(),
-        vaultNamespace: z.string().trim().optional(),
-        vaultUrl: z.string(),
-        mappingType: z.nativeEnum(VaultMappingType)
-      })
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      await server.services.migration.importVaultData({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body
-      });
-    }
-  });
 };