improvement: used fix length mask for secrets when unfocused to prevent inference attacks

fix outdated cli instructions
Merge pull request #4424 from Infisical/fix-daily-invite-users
2025-08-28 18:55:53 +00:00 · 2025-08-27 18:20:01 -07:00 · 2025-08-27 17:02:52 -04:00 · 2025-08-27 15:10:37 -04:00 · 2025-08-27 09:38:06 -07:00 · 2025-08-27 17:51:14 +05:30
412 changed files with 16957 additions and 7477 deletions
--- a/.github/workflows/build-docker-image-to-prod.yml
+++ b/.github/workflows/build-docker-image-to-prod.yml
@@ -1,123 +0,0 @@
-name: Release production images (frontend, backend)
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
-      - "!infisical/v*.*.*-postgres"
-
-jobs:
-  backend-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: backend
-          tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
-      - name: ⏻ Spawn backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      - name: 🧪 Test backend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-backend-test
-      - name: ⏻ Shut down backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-
-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
-          context: frontend
-          tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
--- a/.github/workflows/nightly-tag-generation.yml
+++ b/.github/workflows/nightly-tag-generation.yml
@@ -0,0 +1,82 @@
+name: Generate Nightly Tag
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering for testing
+
+permissions:
+  contents: write
+
+jobs:
+  create-nightly-tag:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for tags
+          token: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+      
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      
+      - name: Generate nightly tag
+        run: |
+          # Get the latest infisical production tag
+          LATEST_STABLE_TAG=$(git tag --list | grep "^v[0-9].*$" | grep -v "nightly" | sort -V | tail -n1)
+          
+          if [ -z "$LATEST_STABLE_TAG" ]; then
+            echo "No infisical production tags found, using v0.1.0"
+            LATEST_STABLE_TAG="v0.1.0"
+          fi
+          
+          echo "Latest production tag: $LATEST_STABLE_TAG"
+          
+          # Get current date in YYYYMMDD format
+          DATE=$(date +%Y%m%d)
+          
+          # Base nightly tag name
+          BASE_TAG="${LATEST_STABLE_TAG}-nightly-${DATE}"
+          
+          # Check if this exact tag already exists
+          if git tag --list | grep -q "^${BASE_TAG}$"; then
+            echo "Base tag ${BASE_TAG} already exists, finding next increment"
+            
+            # Find existing tags for this date and get the highest increment
+            EXISTING_TAGS=$(git tag --list | grep "^${BASE_TAG}" | grep -E '\.[0-9]+$' || true)
+            
+            if [ -z "$EXISTING_TAGS" ]; then
+              # No incremental tags exist, create .1
+              NIGHTLY_TAG="${BASE_TAG}.1"
+            else
+              # Find the highest increment
+              HIGHEST_INCREMENT=$(echo "$EXISTING_TAGS" | sed "s|^${BASE_TAG}\.||" | sort -n | tail -n1)
+              NEXT_INCREMENT=$((HIGHEST_INCREMENT + 1))
+              NIGHTLY_TAG="${BASE_TAG}.${NEXT_INCREMENT}"
+            fi
+          else
+            # Base tag doesn't exist, use it
+            NIGHTLY_TAG="$BASE_TAG"
+          fi
+          
+          echo "Generated nightly tag: $NIGHTLY_TAG"
+          echo "NIGHTLY_TAG=$NIGHTLY_TAG" >> $GITHUB_ENV
+          echo "LATEST_PRODUCTION_TAG=$LATEST_STABLE_TAG" >> $GITHUB_ENV
+
+          git tag "$NIGHTLY_TAG"
+          git push origin "$NIGHTLY_TAG"
+          echo "✅ Created and pushed nightly tag: $NIGHTLY_TAG"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ env.NIGHTLY_TAG }}
+          name: ${{ env.NIGHTLY_TAG }}
+          draft: false
+          prerelease: true
+          generate_release_notes: true
+          make_latest: false
--- a/.github/workflows/release-standalone-docker-img-postgres-offical.yml
+++ b/.github/workflows/release-standalone-docker-img-postgres-offical.yml
@@ -2,7 +2,9 @@ name: Release standalone docker image
 on:
    push:
        tags:
-            - "infisical/v*.*.*-postgres"
+            - "v*.*.*"
+            - "v*.*.*-nightly-*"
+            - "v*.*.*-nightly-*.*"

 jobs:
    infisical-tests:
@@ -17,7 +19,7 @@ jobs:
        steps:
            - name: Extract version from tag
              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
@@ -53,7 +55,7 @@ jobs:
                  push: true
                  context: .
                  tags: |
-                      infisical/infisical:latest-postgres
+                      infisical/infisical:latest
                      infisical/infisical:${{ steps.commit.outputs.short }}
                      infisical/infisical:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
@@ -69,7 +71,7 @@ jobs:
        steps:
            - name: Extract version from tag
              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
            - name: ☁️ Checkout source
              uses: actions/checkout@v3
              with:
@@ -105,7 +107,7 @@ jobs:
                  push: true
                  context: .
                  tags: |
-                      infisical/infisical-fips:latest-postgres
+                      infisical/infisical-fips:latest
                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
                  platforms: linux/amd64,linux/arm64
--- a/.github/workflows/release_docker_k8_operator.yaml
+++ b/.github/workflows/release_docker_k8_operator.yaml
@@ -44,10 +44,7 @@ jobs:

            - name: Generate Helm Chart
              working-directory: k8-operator
-              run: make helm
-
-            - name: Update Helm Chart Version
-              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
+              run: make helm VERSION=${{ steps.extract_version.outputs.version }}

            - name: Debug - Check file changes
              run: |
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@@ -16,6 +16,16 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
+
+
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          docker system prune -af
+          
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - uses: KengoTODA/actions-setup-docker-compose@v1
@@ -34,6 +44,8 @@ jobs:
        working-directory: backend
      - name: Start postgres and redis
        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+      - name: Start Secret Rotation testing databases
+        run: docker compose -f docker-compose.e2e-dbs.yml up -d --wait --wait-timeout 300
      - name: Run unit test
        run: npm run test:unit
        working-directory: backend
@@ -41,6 +53,9 @@ jobs:
        run: npm run test:e2e
        working-directory: backend
        env:
+          E2E_TEST_ORACLE_DB_19_HOST: ${{ secrets.E2E_TEST_ORACLE_DB_19_HOST }}
+          E2E_TEST_ORACLE_DB_19_USERNAME: ${{ secrets.E2E_TEST_ORACLE_DB_19_USERNAME }}
+          E2E_TEST_ORACLE_DB_19_PASSWORD: ${{ secrets.E2E_TEST_ORACLE_DB_19_PASSWORD }}
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
          AUTH_SECRET: something-random
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -50,3 +50,4 @@ docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
 docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
 docs/integrations/app-connections/railway.mdx:generic-api-key:156
 .github/workflows/validate-db-schemas.yml:generic-api-key:21
+k8-operator/config/samples/universalAuthIdentitySecret.yaml:generic-api-key:8
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@@ -1,34 +0,0 @@
-import { TQueueServiceFactory } from "@app/queue";
-
-export const mockQueue = (): TQueueServiceFactory => {
-  const queues: Record<string, unknown> = {};
-  const workers: Record<string, unknown> = {};
-  const job: Record<string, unknown> = {};
-  const events: Record<string, unknown> = {};
-
-  return {
-    queue: async (name, jobData) => {
-      job[name] = jobData;
-    },
-    queuePg: async () => {},
-    schedulePg: async () => {},
-    initialize: async () => {},
-    shutdown: async () => undefined,
-    stopRepeatableJob: async () => true,
-    start: (name, jobFn) => {
-      queues[name] = jobFn;
-      workers[name] = jobFn;
-    },
-    startPg: async () => {},
-    listen: (name, event) => {
-      events[name] = event;
-    },
-    getRepeatableJobs: async () => [],
-    getDelayedJobs: async () => [],
-    clearQueue: async () => {},
-    stopJobById: async () => {},
-    stopJobByIdPg: async () => {},
-    stopRepeatableJobByJobId: async () => true,
-    stopRepeatableJobByKey: async () => true
-  };
-};
--- a/backend/e2e-test/routes/v3/secret-rotations.spec.ts
+++ b/backend/e2e-test/routes/v3/secret-rotations.spec.ts
@@ -0,0 +1,726 @@
+/* eslint-disable no-promise-executor-return */
+/* eslint-disable no-await-in-loop */
+import knex from "knex";
+import { v4 as uuidv4 } from "uuid";
+
+import { seedData1 } from "@app/db/seed-data";
+
+enum SecretRotationType {
+  OracleDb = "oracledb",
+  MySQL = "mysql",
+  Postgres = "postgres"
+}
+
+type TGenericSqlCredentials = {
+  host: string;
+  port: number;
+  username: string;
+  password: string;
+  database: string;
+};
+
+type TSecretMapping = {
+  username: string;
+  password: string;
+};
+
+type TDatabaseUserCredentials = {
+  username: string;
+};
+
+const formatSqlUsername = (username: string) => `${username}_${uuidv4().slice(0, 8).replace(/-/g, "").toUpperCase()}`;
+
+const getSecretValue = async (secretKey: string) => {
+  const passwordSecret = await testServer.inject({
+    url: `/api/v3/secrets/raw/${secretKey}`,
+    method: "GET",
+    query: {
+      workspaceId: seedData1.projectV3.id,
+      environment: seedData1.environment.slug
+    },
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(passwordSecret.statusCode).toBe(200);
+  expect(passwordSecret.json().secret).toBeDefined();
+
+  const passwordSecretJson = JSON.parse(passwordSecret.payload);
+
+  return passwordSecretJson.secret.secretValue as string;
+};
+
+const deleteSecretRotation = async (id: string, type: SecretRotationType) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    query: {
+      deleteSecrets: "true",
+      revokeGeneratedCredentials: "true"
+    },
+    url: `/api/v2/secret-rotations/${type}-credentials/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+};
+
+const deleteAppConnection = async (id: string, type: SecretRotationType) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    url: `/api/v1/app-connections/${type}/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+};
+
+const createOracleDBAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createOracleDBAppConnectionReqBody = {
+    credentials: {
+      database: credentials.database,
+      host: credentials.host,
+      username: credentials.username,
+      password: credentials.password,
+      port: credentials.port,
+      sslEnabled: true,
+      sslRejectUnauthorized: true
+    },
+    name: `oracle-db-${uuidv4()}`,
+    description: "Test OracleDB App Connection",
+    gatewayId: null,
+    isPlatformManagedCredentials: false,
+    method: "username-and-password"
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/oracledb`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createOracleDBAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createMySQLAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createMySQLAppConnectionReqBody = {
+    name: `mysql-test-${uuidv4()}`,
+    description: "test-mysql",
+    gatewayId: null,
+    method: "username-and-password",
+    credentials: {
+      host: credentials.host,
+      port: credentials.port,
+      database: credentials.database,
+      username: credentials.username,
+      password: credentials.password,
+      sslEnabled: false,
+      sslRejectUnauthorized: true
+    }
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/mysql`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createMySQLAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createPostgresAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createPostgresAppConnectionReqBody = {
+    credentials: {
+      host: credentials.host,
+      port: credentials.port,
+      database: credentials.database,
+      username: credentials.username,
+      password: credentials.password,
+      sslEnabled: false,
+      sslRejectUnauthorized: true
+    },
+    name: `postgres-test-${uuidv4()}`,
+    description: "test-postgres",
+    gatewayId: null,
+    method: "username-and-password"
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/postgres`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createPostgresAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createOracleInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "oracledb",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000,
+      ssl: {
+        // @ts-expect-error - this is a valid property for the ssl object
+        sslServerDNMatch: true
+      }
+    }
+  });
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, don't create it
+    const existingUser = await client.raw(`SELECT * FROM all_users WHERE username = '${username}'`);
+
+    if (!existingUser.length) {
+      await client.raw(`CREATE USER ${username} IDENTIFIED BY "temporary_password"`);
+    }
+    await client.raw(`GRANT ALL PRIVILEGES TO ${username} WITH ADMIN OPTION`);
+  }
+
+  await client.destroy();
+};
+
+const createMySQLInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "mysql2",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000
+    }
+  });
+
+  // Fix: Ensure root has GRANT OPTION privileges
+  try {
+    await client.raw("GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;");
+    await client.raw("FLUSH PRIVILEGES;");
+  } catch (error) {
+    // Ignore if already has privileges
+  }
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, dont create it
+
+    const existingUser = await client.raw(`SELECT * FROM mysql.user WHERE user = '${username}'`);
+
+    if (!existingUser[0].length) {
+      await client.raw(`CREATE USER '${username}'@'%' IDENTIFIED BY 'temporary_password';`);
+    }
+
+    await client.raw(`GRANT ALL PRIVILEGES ON \`${credentials.database}\`.* TO '${username}'@'%';`);
+    await client.raw("FLUSH PRIVILEGES;");
+  }
+
+  await client.destroy();
+};
+
+const createPostgresInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "pg",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000
+    }
+  });
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, don't create it
+    const existingUser = await client.raw("SELECT * FROM pg_catalog.pg_user WHERE usename = ?", [username]);
+
+    if (!existingUser.rows.length) {
+      await client.raw(`CREATE USER "${username}" WITH PASSWORD 'temporary_password'`);
+    }
+
+    await client.raw("GRANT ALL PRIVILEGES ON DATABASE ?? TO ??", [credentials.database, username]);
+  }
+
+  await client.destroy();
+};
+
+const createOracleDBSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createOracleInfisicalUsers(credentials, userCredentials);
+
+  const createOracleDBSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-oracle-${uuidv4()}`,
+    description: "Test OracleDB Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5, // 5 seconds for testing
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/oracledb-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createOracleDBSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+const createMySQLSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createMySQLInfisicalUsers(credentials, userCredentials);
+
+  const createMySQLSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-mysql-rotation-${uuidv4()}`,
+    description: "Test MySQL Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5,
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/mysql-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createMySQLSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+const createPostgresSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createPostgresInfisicalUsers(credentials, userCredentials);
+
+  const createPostgresSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-postgres-rotation-${uuidv4()}`,
+    description: "Test Postgres Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5,
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/postgres-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createPostgresSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+describe("Secret Rotations", async () => {
+  const testCases = [
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (8.4.6) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3306
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (8.0.29) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3307
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (5.7.31) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3308
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.OracleDb,
+      name: "OracleDB (23.8) Secret Rotation",
+      dbCredentials: {
+        database: "FREEPDB1",
+        host: "127.0.0.1",
+        username: "system",
+        password: "pdb-password",
+        port: 1521
+      },
+      secretMapping: {
+        username: formatSqlUsername("ORACLEDB_USERNAME"),
+        password: formatSqlUsername("ORACLEDB_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.OracleDb,
+      name: "OracleDB (19.3) Secret Rotation",
+      skippable: true,
+      dbCredentials: {
+        password: process.env.E2E_TEST_ORACLE_DB_19_PASSWORD!,
+        host: process.env.E2E_TEST_ORACLE_DB_19_HOST!,
+        username: process.env.E2E_TEST_ORACLE_DB_19_USERNAME!,
+        port: 1521,
+        database: "ORCLPDB1"
+      },
+      secretMapping: {
+        username: formatSqlUsername("ORACLEDB_USERNAME"),
+        password: formatSqlUsername("ORACLEDB_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (17) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5433
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (16) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5434
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (10.12) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5435
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    }
+  ] as {
+    skippable?: boolean;
+    type: SecretRotationType;
+    name: string;
+    dbCredentials: TGenericSqlCredentials;
+    secretMapping: TSecretMapping;
+    userCredentials: TDatabaseUserCredentials[];
+  }[];
+
+  const createAppConnectionMap = {
+    [SecretRotationType.OracleDb]: createOracleDBAppConnection,
+    [SecretRotationType.MySQL]: createMySQLAppConnection,
+    [SecretRotationType.Postgres]: createPostgresAppConnection
+  };
+
+  const createRotationMap = {
+    [SecretRotationType.OracleDb]: createOracleDBSecretRotation,
+    [SecretRotationType.MySQL]: createMySQLSecretRotation,
+    [SecretRotationType.Postgres]: createPostgresSecretRotation
+  };
+
+  const appConnectionIds: { id: string; type: SecretRotationType }[] = [];
+  const secretRotationIds: { id: string; type: SecretRotationType }[] = [];
+
+  afterAll(async () => {
+    for (const { id, type } of secretRotationIds) {
+      await deleteSecretRotation(id, type);
+    }
+
+    for (const { id, type } of appConnectionIds) {
+      await deleteAppConnection(id, type);
+    }
+  });
+
+  testCases.forEach(({ skippable, dbCredentials, secretMapping, userCredentials, type, name }) => {
+    const shouldSkip = () => {
+      if (skippable) {
+        if (type === SecretRotationType.OracleDb) {
+          if (!process.env.E2E_TEST_ORACLE_DB_19_HOST) {
+            return true;
+          }
+        }
+      }
+
+      return false;
+    };
+
+    if (shouldSkip()) {
+      test.skip(`Skipping Secret Rotation for ${type} (${name}) because E2E_TEST_ORACLE_DB_19_HOST is not set`);
+    } else {
+      test.concurrent(
+        `Create secret rotation for ${name}`,
+        async () => {
+          const appConnectionId = await createAppConnectionMap[type](dbCredentials);
+
+          if (appConnectionId) {
+            appConnectionIds.push({ id: appConnectionId, type });
+          }
+
+          const res = await createRotationMap[type](appConnectionId, dbCredentials, userCredentials, secretMapping);
+
+          const resJson = JSON.parse(res.payload);
+
+          if (resJson.secretRotation) {
+            secretRotationIds.push({ id: resJson.secretRotation.id, type });
+          }
+
+          const startSecretValue = await getSecretValue(secretMapping.password);
+          expect(startSecretValue).toBeDefined();
+
+          let attempts = 0;
+          while (attempts < 60) {
+            const currentSecretValue = await getSecretValue(secretMapping.password);
+
+            if (currentSecretValue !== startSecretValue) {
+              break;
+            }
+
+            attempts += 1;
+            await new Promise((resolve) => setTimeout(resolve, 2_500));
+          }
+
+          if (attempts >= 60) {
+            throw new Error("Secret rotation failed to rotate after 60 attempts");
+          }
+
+          const finalSecretValue = await getSecretValue(secretMapping.password);
+          expect(finalSecretValue).not.toBe(startSecretValue);
+        },
+        {
+          timeout: 300_000
+        }
+      );
+    }
+  });
+});
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@@ -18,6 +18,7 @@ import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+import { bootstrapCheck } from "@app/server/boot-strap-check";

 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -63,6 +64,8 @@ export default {
      const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
      const keyStore = keyStoreFactory(envCfg);

+      await queue.initialize();
+
      const hsmModule = initializeHsmModule(envCfg);
      hsmModule.initialize();

@@ -78,9 +81,13 @@ export default {
        envConfig: envCfg
      });

+      await bootstrapCheck({ db });
+
      // @ts-expect-error type
      globalThis.testServer = server;
      // @ts-expect-error type
+      globalThis.testQueue = queue;
+      // @ts-expect-error type
      globalThis.testSuperAdminDAL = superAdminDAL;
      // @ts-expect-error type
      globalThis.jwtAuthToken = crypto.jwt().sign(
@@ -105,6 +112,8 @@ export default {
    // custom setup
    return {
      async teardown() {
+        // @ts-expect-error type
+        await globalThis.testQueue.shutdown();
        // @ts-expect-error type
        await globalThis.testServer.close();
        // @ts-expect-error type
@@ -112,7 +121,9 @@ export default {
        // @ts-expect-error type
        delete globalThis.testSuperAdminDAL;
        // @ts-expect-error type
-        delete globalThis.jwtToken;
+        delete globalThis.jwtAuthToken;
+        // @ts-expect-error type
+        delete globalThis.testQueue;
        // called after all tests with this env have been run
        await db.migrate.rollback(
          {
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -148,6 +148,7 @@ declare module "fastify" {
  interface Session {
    callbackPort: string;
    isAdminLogin: boolean;
+    orgSlug?: string;
  }

  interface FastifyRequest {
--- a/backend/src/db/manual-migrations/partition-audit-logs.ts
+++ b/backend/src/db/manual-migrations/partition-audit-logs.ts
@@ -84,6 +84,9 @@ const up = async (knex: Knex): Promise<void> => {
      t.index("expiresAt");
      t.index("orgId");
      t.index("projectId");
+      t.index("eventType");
+      t.index("userAgentType");
+      t.index("actor");
    });

    console.log("Adding GIN indices...");
@@ -119,8 +122,8 @@ const up = async (knex: Knex): Promise<void> => {
    console.log("Creating audit log partitions ahead of time... next date:", nextDateStr);
    await createAuditLogPartition(knex, nextDate, new Date(nextDate.getFullYear(), nextDate.getMonth() + 1));

-    // create partitions 4 years ahead
-    const partitionMonths = 4 * 12;
+    // create partitions 20 years ahead
+    const partitionMonths = 20 * 12;
    const partitionPromises: Promise<void>[] = [];
    for (let x = 1; x <= partitionMonths; x += 1) {
      partitionPromises.push(
--- a/backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts
+++ b/backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts
@@ -2,7 +2,7 @@
 import { Knex } from "knex";

 import { chunkArray } from "@app/lib/fn";
-import { logger } from "@app/lib/logger";
+import { initLogger, logger } from "@app/lib/logger";

 import { TableName } from "../schemas";
 import { TReminders, TRemindersInsert } from "../schemas/reminders";
@@ -107,5 +107,6 @@ export async function up(knex: Knex): Promise<void> {
 }

 export async function down(): Promise<void> {
+  initLogger();
  logger.info("Rollback not implemented for secret reminders fix migration");
 }
--- a/backend/src/db/migrations/20250805151349_last-logged-auth-method.ts
+++ b/backend/src/db/migrations/20250805151349_last-logged-auth-method.ts
@@ -0,0 +1,65 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
+  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
+    TableName.IdentityOrgMembership,
+    "lastLoginAuthMethod"
+  );
+  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
+  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
+  if (!lastUserLoggedInAuthMethod || !lastUserLoggedInTime) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      if (!lastUserLoggedInAuthMethod) {
+        t.string("lastLoginAuthMethod").nullable();
+      }
+      if (!lastUserLoggedInTime) {
+        t.datetime("lastLoginTime").nullable();
+      }
+    });
+  }
+
+  if (!lastIdentityLoggedInAuthMethod || !lastIdentityLoggedInTime) {
+    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
+      if (!lastIdentityLoggedInAuthMethod) {
+        t.string("lastLoginAuthMethod").nullable();
+      }
+      if (!lastIdentityLoggedInTime) {
+        t.datetime("lastLoginTime").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
+  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
+    TableName.IdentityOrgMembership,
+    "lastLoginAuthMethod"
+  );
+  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
+  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
+  if (lastUserLoggedInAuthMethod || lastUserLoggedInTime) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      if (lastUserLoggedInAuthMethod) {
+        t.dropColumn("lastLoginAuthMethod");
+      }
+      if (lastUserLoggedInTime) {
+        t.dropColumn("lastLoginTime");
+      }
+    });
+  }
+
+  if (lastIdentityLoggedInAuthMethod || lastIdentityLoggedInTime) {
+    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
+      if (lastIdentityLoggedInAuthMethod) {
+        t.dropColumn("lastLoginAuthMethod");
+      }
+      if (lastIdentityLoggedInTime) {
+        t.dropColumn("lastLoginTime");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250808021941_access-policy-max-time-period.ts
+++ b/backend/src/db/migrations/20250808021941_access-policy-max-time-period.ts
@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod"))) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.string("maxTimePeriod").nullable(); // Ex: 1h - Null is permanent
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod")) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("maxTimePeriod");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250808174003_add-user-alias-is-email-verified.ts
+++ b/backend/src/db/migrations/20250808174003_add-user-alias-is-email-verified.ts
@@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 1000;
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.UserAliases, "isEmailVerified"))) {
+    // Add the column
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.boolean("isEmailVerified").defaultTo(false);
+    });
+
+    const aliasesToUpdate: { aliasId: string; isEmailVerified: boolean }[] = await knex(TableName.UserAliases)
+      .join(TableName.Users, `${TableName.UserAliases}.userId`, `${TableName.Users}.id`)
+      .select([`${TableName.UserAliases}.id as aliasId`, `${TableName.Users}.isEmailVerified`]);
+
+    for (let i = 0; i < aliasesToUpdate.length; i += BATCH_SIZE) {
+      const batch = aliasesToUpdate.slice(i, i + BATCH_SIZE);
+
+      const trueIds = batch.filter((row) => row.isEmailVerified).map((row) => row.aliasId);
+
+      if (trueIds.length > 0) {
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.UserAliases).whereIn("id", trueIds).update({ isEmailVerified: true });
+      }
+    }
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.AuthTokens, "aliasId"))) {
+    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
+      t.string("aliasId").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.UserAliases, "isEmailVerified")) {
+    await knex.schema.alterTable(TableName.UserAliases, (t) => {
+      t.dropColumn("isEmailVerified");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.AuthTokens, "aliasId")) {
+    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
+      t.dropColumn("aliasId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250813020335_access-request-edit-cols.ts
+++ b/backend/src/db/migrations/20250813020335_access-request-edit-cols.ts
@@ -0,0 +1,38 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
+  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
+
+  if (!hasEditNoteCol || !hasEditedByUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      if (!hasEditedByUserId) {
+        t.uuid("editedByUserId").nullable();
+        t.foreign("editedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+      }
+
+      if (!hasEditNoteCol) {
+        t.string("editNote").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
+  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
+
+  if (hasEditNoteCol || hasEditedByUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      if (hasEditedByUserId) {
+        t.dropColumn("editedByUserId");
+      }
+
+      if (hasEditNoteCol) {
+        t.dropColumn("editNote");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250813214709_enforce-google-sso.ts
+++ b/backend/src/db/migrations/20250813214709_enforce-google-sso.ts
@@ -0,0 +1,39 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME = "googleSsoAuthEnforced";
+const GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME = "googleSsoAuthLastUsed";
+export async function up(knex: Knex): Promise<void> {
+  const hasGoogleSsoAuthEnforcedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME
+  );
+  const hasGoogleSsoAuthLastUsedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME
+  );
+
+  await knex.schema.alterTable(TableName.Organization, (table) => {
+    if (!hasGoogleSsoAuthEnforcedColumn)
+      table.boolean(GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME).defaultTo(false).notNullable();
+    if (!hasGoogleSsoAuthLastUsedColumn) table.timestamp(GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME).nullable();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGoogleSsoAuthEnforcedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME
+  );
+
+  const hasGoogleSsoAuthLastUsedColumn = await knex.schema.hasColumn(
+    TableName.Organization,
+    GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME
+  );
+
+  await knex.schema.alterTable(TableName.Organization, (table) => {
+    if (hasGoogleSsoAuthEnforcedColumn) table.dropColumn(GOOGLE_SSO_AUTH_ENFORCED_COLUMN_NAME);
+    if (hasGoogleSsoAuthLastUsedColumn) table.dropColumn(GOOGLE_SSO_AUTH_LAST_USED_COLUMN_NAME);
+  });
+}
--- a/backend/src/db/migrations/20250824173438_add-approval-secret-read-compat.ts
+++ b/backend/src/db/migrations/20250824173438_add-approval-secret-read-compat.ts
@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.boolean("shouldCheckSecretPermission").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("shouldCheckSecretPermission");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts
+++ b/backend/src/db/migrations/20250824192801_backfill-secret-read-compat-flag.ts
@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { selectAllTableCols } from "@app/lib/knex";
+
+import { TableName } from "../schemas";
+
+const BATCH_SIZE = 100;
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "shouldCheckSecretPermission")) {
+    // find all existing SecretApprovalPolicy rows to backfill shouldCheckSecretPermission flag
+    const rows = await knex(TableName.SecretApprovalPolicy).select(selectAllTableCols(TableName.SecretApprovalPolicy));
+
+    if (rows.length > 0) {
+      for (let i = 0; i < rows.length; i += BATCH_SIZE) {
+        const batch = rows.slice(i, i + BATCH_SIZE);
+        // eslint-disable-next-line no-await-in-loop
+        await knex(TableName.SecretApprovalPolicy)
+          .whereIn(
+            "id",
+            batch.map((row) => row.id)
+          )
+          .update({ shouldCheckSecretPermission: true });
+      }
+    }
+  }
+}
+
+export async function down(): Promise<void> {}
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@@ -17,7 +17,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  updatedAt: z.date(),
  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true)
+  allowedSelfApprovals: z.boolean().default(true),
+  maxTimePeriod: z.string().nullable().optional()
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@@ -20,7 +20,9 @@ export const AccessApprovalRequestsSchema = z.object({
  requestedByUserId: z.string().uuid(),
  note: z.string().nullable().optional(),
  privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending")
+  status: z.string().default("pending"),
+  editedByUserId: z.string().uuid().nullable().optional(),
+  editNote: z.string().nullable().optional()
 });

 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
--- a/backend/src/db/schemas/auth-tokens.ts
+++ b/backend/src/db/schemas/auth-tokens.ts
@@ -17,7 +17,8 @@ export const AuthTokensSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  userId: z.string().uuid().nullable().optional(),
-  orgId: z.string().uuid().nullable().optional()
+  orgId: z.string().uuid().nullable().optional(),
+  aliasId: z.string().nullable().optional()
 });

 export type TAuthTokens = z.infer<typeof AuthTokensSchema>;
--- a/backend/src/db/schemas/identity-org-memberships.ts
+++ b/backend/src/db/schemas/identity-org-memberships.ts
@@ -14,7 +14,9 @@ export const IdentityOrgMembershipsSchema = z.object({
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  lastLoginAuthMethod: z.string().nullable().optional(),
+  lastLoginTime: z.date().nullable().optional()
 });

 export type TIdentityOrgMemberships = z.infer<typeof IdentityOrgMembershipsSchema>;
--- a/backend/src/db/schemas/org-memberships.ts
+++ b/backend/src/db/schemas/org-memberships.ts
@@ -19,7 +19,9 @@ export const OrgMembershipsSchema = z.object({
  roleId: z.string().uuid().nullable().optional(),
  projectFavorites: z.string().array().nullable().optional(),
  isActive: z.boolean().default(true),
-  lastInvitedAt: z.date().nullable().optional()
+  lastInvitedAt: z.date().nullable().optional(),
+  lastLoginAuthMethod: z.string().nullable().optional(),
+  lastLoginTime: z.date().nullable().optional()
 });

 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -36,7 +36,9 @@ export const OrganizationsSchema = z.object({
  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
-  maxSharedSecretViewLimit: z.number().nullable().optional()
+  maxSharedSecretViewLimit: z.number().nullable().optional(),
+  googleSsoAuthEnforced: z.boolean().default(false),
+  googleSsoAuthLastUsed: z.date().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@@ -17,7 +17,8 @@ export const SecretApprovalPoliciesSchema = z.object({
  updatedAt: z.date(),
  enforcementLevel: z.string().default("hard"),
  deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true)
+  allowedSelfApprovals: z.boolean().default(true),
+  shouldCheckSecretPermission: z.boolean().nullable().optional()
 });

 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/user-aliases.ts
+++ b/backend/src/db/schemas/user-aliases.ts
@@ -16,7 +16,8 @@ export const UserAliasesSchema = z.object({
  emails: z.string().array().nullable().optional(),
  orgId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });

 export type TUserAliases = z.infer<typeof UserAliasesSchema>;
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@@ -3,12 +3,32 @@ import { z } from "zod";

 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";

+const maxTimePeriodSchema = z
+  .string()
+  .trim()
+  .nullish()
+  .transform((val, ctx) => {
+    if (val === undefined) return undefined;
+    if (!val || val === "permanent") return null;
+    const parsedMs = ms(val);
+
+    if (typeof parsedMs !== "number" || parsedMs <= 0) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+      });
+      return z.NEVER;
+    }
+    return val;
+  });
+
 export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
  server.route({
    url: "/",
@@ -71,7 +91,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
            .optional(),
          approvals: z.number().min(1).default(1),
          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
+          allowedSelfApprovals: z.boolean().default(true),
+          maxTimePeriod: maxTimePeriodSchema
        })
        .refine(
          (val) => Boolean(val.environment) || Boolean(val.environments),
@@ -124,7 +145,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                .array()
                .nullable()
                .optional(),
-              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
+              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array(),
+              maxTimePeriod: z.string().nullable().optional()
            })
            .array()
            .nullable()
@@ -233,7 +255,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
            stepNumber: z.number().int()
          })
          .array()
-          .optional()
+          .optional(),
+        maxTimePeriod: maxTimePeriodSchema
      }),
      response: {
        200: z.object({
@@ -314,7 +337,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
              })
              .array()
              .nullable()
-              .optional()
+              .optional(),
+            maxTimePeriod: z.string().nullable().optional()
          })
        })
      }
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@@ -2,6 +2,7 @@ import { z } from "zod";

 import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
+import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -26,7 +27,23 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
      body: z.object({
        permissions: z.any().array(),
        isTemporary: z.boolean(),
-        temporaryRange: z.string().optional(),
+        temporaryRange: z
+          .string()
+          .optional()
+          .transform((val, ctx) => {
+            if (!val || val === "permanent") return undefined;
+
+            const parsedMs = ms(val);
+
+            if (typeof parsedMs !== "number" || parsedMs <= 0) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+              });
+              return z.NEVER;
+            }
+            return val;
+          }),
        note: z.string().max(255).optional()
      }),
      querystring: z.object({
@@ -116,6 +133,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              approvals: z.number(),
              approvers: z
                .object({
+                  isOrgMembershipActive: z.boolean().nullable().optional(),
                  userId: z.string().nullable().optional(),
                  sequence: z.number().nullable().optional(),
                  approvalsRequired: z.number().nullable().optional(),
@@ -128,10 +146,12 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
              envId: z.string(),
              enforcementLevel: z.string(),
              deletedAt: z.date().nullish(),
-              allowedSelfApprovals: z.boolean()
+              allowedSelfApprovals: z.boolean(),
+              maxTimePeriod: z.string().nullable().optional()
            }),
            reviewers: z
              .object({
+                isOrgMembershipActive: z.boolean().nullable().optional(),
                userId: z.string(),
                status: z.string()
              })
@@ -189,4 +209,47 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
      return { review };
    }
  });
+
+  server.route({
+    url: "/:requestId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        requestId: z.string().trim()
+      }),
+      body: z.object({
+        temporaryRange: z.string().transform((val, ctx) => {
+          const parsedMs = ms(val);
+
+          if (typeof parsedMs !== "number" || parsedMs <= 0) {
+            ctx.addIssue({
+              code: z.ZodIssueCode.custom,
+              message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+            });
+            return z.NEVER;
+          }
+          return val;
+        }),
+        editNote: z.string().max(255)
+      }),
+      response: {
+        200: z.object({
+          approval: AccessApprovalRequestsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { request } = await server.services.accessApprovalRequest.updateAccessApprovalRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        temporaryRange: req.body.temporaryRange,
+        editNote: req.body.editNote,
+        requestId: req.params.requestId
+      });
+      return { approval: request };
+    }
+  });
 };
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -379,14 +379,17 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {

  server.route({
    method: "POST",
-    url: "/config/:configId/test-connection",
+    url: "/config/test-connection",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    schema: {
-      params: z.object({
-        configId: z.string().trim()
+      body: z.object({
+        url: z.string().trim(),
+        bindDN: z.string().trim(),
+        bindPass: z.string().trim(),
+        caCert: z.string().trim()
      }),
      response: {
        200: z.boolean()
@@ -399,8 +402,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
        orgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        ldapConfigId: req.params.configId
+        ...req.body
      });
+
      return result;
    }
  });
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -294,22 +294,30 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
        200: z.object({
          approval: SecretApprovalRequestsSchema.merge(
            z.object({
-              // secretPath: z.string(),
              policy: z.object({
                id: z.string(),
                name: z.string(),
                approvals: z.number(),
-                approvers: approvalRequestUser.array(),
+                approvers: approvalRequestUser
+                  .extend({ isOrgMembershipActive: z.boolean().nullable().optional() })
+                  .array(),
                bypassers: approvalRequestUser.array(),
                secretPath: z.string().optional().nullable(),
                enforcementLevel: z.string(),
                deletedAt: z.date().nullish(),
-                allowedSelfApprovals: z.boolean()
+                allowedSelfApprovals: z.boolean(),
+                shouldCheckSecretPermission: z.boolean().nullable().optional()
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
              committerUser: approvalRequestUser.nullish(),
-              reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
+              reviewers: approvalRequestUser
+                .extend({
+                  status: z.string(),
+                  comment: z.string().optional(),
+                  isOrgMembershipActive: z.boolean().nullable().optional()
+                })
+                .array(),
              secretPath: z.string(),
              commits: secretRawSchema
                .omit({ _id: true, environment: true, workspace: true, type: true, version: true, secretValue: true })
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@@ -56,6 +56,7 @@ export interface TAccessApprovalPolicyDALFactory
      allowedSelfApprovals: boolean;
      secretPath: string;
      deletedAt?: Date | null | undefined;
+      maxTimePeriod?: string | null;
      projectId: string;
      bypassers: (
        | {
@@ -96,6 +97,7 @@ export interface TAccessApprovalPolicyDALFactory
        allowedSelfApprovals: boolean;
        secretPath: string;
        deletedAt?: Date | null | undefined;
+        maxTimePeriod?: string | null;
        environments: {
          id: string;
          name: string;
@@ -141,6 +143,7 @@ export interface TAccessApprovalPolicyDALFactory
        allowedSelfApprovals: boolean;
        secretPath: string;
        deletedAt?: Date | null | undefined;
+        maxTimePeriod?: string | null;
      }
    | undefined
  >;
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -100,7 +100,8 @@ export const accessApprovalPolicyServiceFactory = ({
    environments,
    enforcementLevel,
    allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    maxTimePeriod
  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -219,7 +220,8 @@ export const accessApprovalPolicyServiceFactory = ({
          secretPath,
          name,
          enforcementLevel,
-          allowedSelfApprovals
+          allowedSelfApprovals,
+          maxTimePeriod
        },
        tx
      );
@@ -318,7 +320,8 @@ export const accessApprovalPolicyServiceFactory = ({
    enforcementLevel,
    allowedSelfApprovals,
    approvalsRequired,
-    environments
+    environments,
+    maxTimePeriod
  }: TUpdateAccessApprovalPolicy) => {
    const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);

@@ -461,7 +464,8 @@ export const accessApprovalPolicyServiceFactory = ({
          secretPath,
          name,
          enforcementLevel,
-          allowedSelfApprovals
+          allowedSelfApprovals,
+          maxTimePeriod
        },
        tx
      );
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@@ -41,6 +41,7 @@ export type TCreateAccessApprovalPolicy = {
  enforcementLevel: EnforcementLevel;
  allowedSelfApprovals: boolean;
  approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
+  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateAccessApprovalPolicy = {
@@ -60,6 +61,7 @@ export type TUpdateAccessApprovalPolicy = {
  allowedSelfApprovals: boolean;
  approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
  environments?: string[];
+  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;

 export type TDeleteAccessApprovalPolicy = {
@@ -104,7 +106,8 @@ export interface TAccessApprovalPolicyServiceFactory {
    environment,
    enforcementLevel,
    allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    maxTimePeriod
  }: TCreateAccessApprovalPolicy) => Promise<{
    environment: {
      name: string;
@@ -135,6 +138,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath: string;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
  }>;
  deleteAccessApprovalPolicy: ({
    policyId,
@@ -159,6 +163,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath: string;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
    environment: {
      id: string;
      name: string;
@@ -185,7 +190,8 @@ export interface TAccessApprovalPolicyServiceFactory {
    enforcementLevel,
    allowedSelfApprovals,
    approvalsRequired,
-    environments
+    environments,
+    maxTimePeriod
  }: TUpdateAccessApprovalPolicy) => Promise<{
    environment: {
      id: string;
@@ -208,6 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath?: string | null | undefined;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
  }>;
  getAccessApprovalPolicyByProjectSlug: ({
    actorId,
@@ -242,6 +249,7 @@ export interface TAccessApprovalPolicyServiceFactory {
      allowedSelfApprovals: boolean;
      secretPath: string;
      deletedAt?: Date | null | undefined;
+      maxTimePeriod?: string | null;
      environment: {
        id: string;
        name: string;
@@ -298,6 +306,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    allowedSelfApprovals: boolean;
    secretPath: string;
    deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
    environment: {
      id: string;
      name: string;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@@ -5,6 +5,7 @@ import {
  AccessApprovalRequestsSchema,
  TableName,
  TAccessApprovalRequests,
+  TOrgMemberships,
  TUserGroupMembership,
  TUsers
 } from "@app/db/schemas";
@@ -63,6 +64,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
          enforcementLevel: string;
          allowedSelfApprovals: boolean;
          deletedAt: Date | null | undefined;
+          maxTimePeriod?: string | null;
        };
        projectId: string;
        environments: string[];
@@ -143,6 +145,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
          | {
              userId: string;
@@ -150,6 +153,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
        )[];
        bypassers: string[];
@@ -161,6 +165,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
        allowedSelfApprovals: boolean;
        envId: string;
        deletedAt: Date | null | undefined;
+        maxTimePeriod?: string | null;
      };
      projectId: string;
      environment: string;
@@ -200,6 +205,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
      reviewers: {
        userId: string;
        status: string;
+        isOrgMembershipActive: boolean;
      }[];
      approvers: (
        | {
@@ -208,6 +214,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
        | {
            userId: string;
@@ -215,6 +222,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
      )[];
      bypassers: string[];
@@ -286,6 +294,24 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            `requestedByUser.id`
          )

+          .leftJoin<TOrgMemberships>(
+            db(TableName.OrgMembership).as("approverOrgMembership"),
+            `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
+            `approverOrgMembership.userId`
+          )
+
+          .leftJoin<TOrgMemberships>(
+            db(TableName.OrgMembership).as("approverGroupOrgMembership"),
+            `${TableName.Users}.id`,
+            `approverGroupOrgMembership.userId`
+          )
+
+          .leftJoin<TOrgMemberships>(
+            db(TableName.OrgMembership).as("reviewerOrgMembership"),
+            `${TableName.AccessApprovalRequestReviewer}.reviewerUserId`,
+            `reviewerOrgMembership.userId`
+          )
+
          .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)

          .select(selectAllTableCols(TableName.AccessApprovalRequest))
@@ -297,7 +323,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
            db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
            db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
-            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
+
+            db.ref("isActive").withSchema("approverOrgMembership").as("approverIsOrgMembershipActive"),
+            db.ref("isActive").withSchema("approverGroupOrgMembership").as("approverGroupIsOrgMembershipActive"),
+            db.ref("isActive").withSchema("reviewerOrgMembership").as("reviewerIsOrgMembershipActive"),
+            db.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
          )
          .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
          .select(db.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"))
@@ -364,7 +395,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
              enforcementLevel: doc.policyEnforcementLevel,
              allowedSelfApprovals: doc.policyAllowedSelfApprovals,
              envId: doc.policyEnvId,
-              deletedAt: doc.policyDeletedAt
+              deletedAt: doc.policyDeletedAt,
+              maxTimePeriod: doc.policyMaxTimePeriod
            },
            requestedByUser: {
              userId: doc.requestedByUserId,
@@ -392,17 +424,26 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            {
              key: "reviewerUserId",
              label: "reviewers" as const,
-              mapper: ({ reviewerUserId: userId, reviewerStatus: status }) => (userId ? { userId, status } : undefined)
+              mapper: ({ reviewerUserId: userId, reviewerStatus: status, reviewerIsOrgMembershipActive }) =>
+                userId ? { userId, status, isOrgMembershipActive: reviewerIsOrgMembershipActive } : undefined
            },
            {
              key: "approverUserId",
              label: "approvers" as const,
-              mapper: ({ approverUserId, approverSequence, approvalsRequired, approverUsername, approverEmail }) => ({
+              mapper: ({
+                approverUserId,
+                approverSequence,
+                approvalsRequired,
+                approverUsername,
+                approverEmail,
+                approverIsOrgMembershipActive
+              }) => ({
                userId: approverUserId,
                sequence: approverSequence,
                approvalsRequired,
                email: approverEmail,
-                username: approverUsername
+                username: approverUsername,
+                isOrgMembershipActive: approverIsOrgMembershipActive
              })
            },
            {
@@ -413,13 +454,15 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
                approverSequence,
                approvalsRequired,
                approverGroupEmail,
-                approverGroupUsername
+                approverGroupUsername,
+                approverGroupIsOrgMembershipActive
              }) => ({
                userId: approverGroupUserId,
                sequence: approverSequence,
                approvalsRequired,
                email: approverGroupEmail,
-                username: approverGroupUsername
+                username: approverGroupUsername,
+                isOrgMembershipActive: approverGroupIsOrgMembershipActive
              })
            },
            { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
@@ -574,7 +617,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
        tx.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
+        tx.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
      );

  const findById: TAccessApprovalRequestDALFactory["findById"] = async (id, tx) => {
@@ -595,7 +639,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
            secretPath: el.policySecretPath,
            enforcementLevel: el.policyEnforcementLevel,
            allowedSelfApprovals: el.policyAllowedSelfApprovals,
-            deletedAt: el.policyDeletedAt
+            deletedAt: el.policyDeletedAt,
+            maxTimePeriod: el.policyMaxTimePeriod
          },
          requestedByUser: {
            userId: el.requestedByUserId,
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -54,7 +54,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
  accessApprovalRequestReviewerDAL: Pick<
    TAccessApprovalRequestReviewerDALFactory,
-    "create" | "find" | "findOne" | "transaction"
+    "create" | "find" | "findOne" | "transaction" | "delete"
  >;
  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
@@ -156,6 +156,15 @@ export const accessApprovalRequestServiceFactory = ({
      throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
    }

+    // Check if the requested time falls under policy.maxTimePeriod
+    if (policy.maxTimePeriod) {
+      if (!temporaryRange || ms(temporaryRange) > ms(policy.maxTimePeriod)) {
+        throw new BadRequestError({
+          message: `Requested access time range is limited to ${policy.maxTimePeriod} by policy`
+        });
+      }
+    }
+
    const approverIds: string[] = [];
    const approverGroupIds: string[] = [];

@@ -292,6 +301,155 @@ export const accessApprovalRequestServiceFactory = ({
    return { request: approval };
  };

+  const updateAccessApprovalRequest: TAccessApprovalRequestServiceFactory["updateAccessApprovalRequest"] = async ({
+    temporaryRange,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    editNote,
+    requestId
+  }) => {
+    const cfg = getConfig();
+
+    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
+    if (!accessApprovalRequest) {
+      throw new NotFoundError({ message: `Access request with ID '${requestId}' not found` });
+    }
+
+    const { policy, requestedByUser } = accessApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this access request has been deleted."
+      });
+    }
+
+    const { membership, hasRole } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: accessApprovalRequest.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
+
+    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
+
+    if (!hasRole(ProjectMembershipRole.Admin) && !isApprover) {
+      throw new ForbiddenRequestError({ message: "You are not authorized to modify this request" });
+    }
+
+    const project = await projectDAL.findById(accessApprovalRequest.projectId);
+
+    if (!project) {
+      throw new NotFoundError({
+        message: `The project associated with this access request was not found. [projectId=${accessApprovalRequest.projectId}]`
+      });
+    }
+
+    if (accessApprovalRequest.status !== ApprovalStatus.PENDING) {
+      throw new BadRequestError({ message: "The request has been closed" });
+    }
+
+    const editedByUser = await userDAL.findById(actorId);
+
+    if (!editedByUser) throw new NotFoundError({ message: "Editing user not found" });
+
+    if (accessApprovalRequest.isTemporary && accessApprovalRequest.temporaryRange) {
+      if (ms(temporaryRange) > ms(accessApprovalRequest.temporaryRange)) {
+        throw new BadRequestError({ message: "Updated access duration must be less than current access duration" });
+      }
+    }
+
+    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({
+      permissions: accessApprovalRequest.permissions
+    });
+
+    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
+      const approvalRequest = await accessApprovalRequestDAL.updateById(
+        requestId,
+        {
+          temporaryRange,
+          isTemporary: true,
+          editNote,
+          editedByUserId: actorId
+        },
+        tx
+      );
+
+      // reset review progress
+      await accessApprovalRequestReviewerDAL.delete(
+        {
+          requestId
+        },
+        tx
+      );
+
+      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
+      const editorFullName = `${editedByUser.firstName} ${editedByUser.lastName}`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
+
+      await triggerWorkflowIntegrationNotification({
+        input: {
+          notification: {
+            type: TriggerFeature.ACCESS_REQUEST_UPDATED,
+            payload: {
+              projectName: project.name,
+              requesterFullName,
+              isTemporary: true,
+              requesterEmail: requestedByUser.email as string,
+              secretPath,
+              environment: envSlug,
+              permissions: accessTypes,
+              approvalUrl,
+              editNote,
+              editorEmail: editedByUser.email as string,
+              editorFullName
+            }
+          },
+          projectId: project.id
+        },
+        dependencies: {
+          projectDAL,
+          projectSlackConfigDAL,
+          kmsService,
+          microsoftTeamsService,
+          projectMicrosoftTeamsConfigDAL
+        }
+      });
+
+      await smtpService.sendMail({
+        recipients: policy.approvers
+          .filter((approver) => Boolean(approver.email) && approver.userId !== editedByUser.id)
+          .map((approver) => approver.email!),
+        subjectLine: "Access Approval Request Updated",
+        substitutions: {
+          projectName: project.name,
+          requesterFullName,
+          requesterEmail: requestedByUser.email,
+          isTemporary: true,
+          expiresIn: msFn(ms(temporaryRange || ""), { long: true }),
+          secretPath,
+          environment: envSlug,
+          permissions: accessTypes,
+          approvalUrl,
+          editNote,
+          editorFullName,
+          editorEmail: editedByUser.email
+        },
+        template: SmtpTemplates.AccessApprovalRequestUpdated
+      });
+
+      return approvalRequest;
+    });
+
+    return { request: approval };
+  };
+
  const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
    projectSlug,
    authorUserId,
@@ -641,6 +799,7 @@ export const accessApprovalRequestServiceFactory = ({

  return {
    createAccessApprovalRequest,
+    updateAccessApprovalRequest,
    listApprovalRequests,
    reviewAccessRequest,
    getCount
--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@@ -30,6 +30,12 @@ export type TCreateAccessApprovalRequestDTO = {
  note?: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TUpdateAccessApprovalRequestDTO = {
+  requestId: string;
+  temporaryRange: string;
+  editNote: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TListApprovalRequestsDTO = {
  projectSlug: string;
  authorUserId?: string;
@@ -54,6 +60,23 @@ export interface TAccessApprovalRequestServiceFactory {
      privilegeDeletedAt?: Date | null | undefined;
    };
  }>;
+  updateAccessApprovalRequest: (arg: TUpdateAccessApprovalRequestDTO) => Promise<{
+    request: {
+      status: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      policyId: string;
+      isTemporary: boolean;
+      requestedByUserId: string;
+      privilegeId?: string | null | undefined;
+      requestedBy?: string | null | undefined;
+      temporaryRange?: string | null | undefined;
+      permissions?: unknown;
+      note?: string | null | undefined;
+      privilegeDeletedAt?: Date | null | undefined;
+    };
+  }>;
  listApprovalRequests: (arg: TListApprovalRequestsDTO) => Promise<{
    requests: {
      policy: {
@@ -64,6 +87,7 @@ export interface TAccessApprovalRequestServiceFactory {
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
          | {
              userId: string;
@@ -71,6 +95,7 @@ export interface TAccessApprovalRequestServiceFactory {
              approvalsRequired: number | null | undefined;
              email: string | null | undefined;
              username: string;
+              isOrgMembershipActive: boolean;
            }
        )[];
        bypassers: string[];
@@ -82,6 +107,7 @@ export interface TAccessApprovalRequestServiceFactory {
        allowedSelfApprovals: boolean;
        envId: string;
        deletedAt: Date | null | undefined;
+        maxTimePeriod?: string | null;
      };
      projectId: string;
      environment: string;
@@ -121,6 +147,7 @@ export interface TAccessApprovalRequestServiceFactory {
      reviewers: {
        userId: string;
        status: string;
+        isOrgMembershipActive: boolean;
      }[];
      approvers: (
        | {
@@ -129,6 +156,7 @@ export interface TAccessApprovalRequestServiceFactory {
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
        | {
            userId: string;
@@ -136,6 +164,7 @@ export interface TAccessApprovalRequestServiceFactory {
            approvalsRequired: number | null | undefined;
            email: string | null | undefined;
            username: string;
+            isOrgMembershipActive: boolean;
          }
      )[];
      bypassers: string[];
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@@ -14,7 +14,7 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { EventType, filterableSecretEvents } from "./audit-log-types";

 export interface TAuditLogDALFactory extends Omit<TOrmify<TableName.AuditLog>, "find"> {
-  pruneAuditLog: (tx?: knex.Knex) => Promise<void>;
+  pruneAuditLog: () => Promise<void>;
  find: (
    arg: Omit<TFindQuery, "actor" | "eventType"> & {
      actorId?: string | undefined;
@@ -41,6 +41,10 @@ type TFindQuery = {
  offset?: number;
 };

+const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
+const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
+const MAX_RETRY_ON_FAILURE = 3;
+
 export const auditLogDALFactory = (db: TDbClient) => {
  const auditLogOrm = ormify(db, TableName.AuditLog);

@@ -151,20 +155,20 @@ export const auditLogDALFactory = (db: TDbClient) => {
  };

  // delete all audit log that have expired
-  const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async (tx) => {
-    const runPrune = async (dbClient: knex.Knex) => {
-      const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
-      const MAX_RETRY_ON_FAILURE = 3;
+  const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async () => {
+    const today = new Date();
+    let deletedAuditLogIds: { id: string }[] = [];
+    let numberOfRetryOnFailure = 0;
+    let isRetrying = false;

-      const today = new Date();
-      let deletedAuditLogIds: { id: string }[] = [];
-      let numberOfRetryOnFailure = 0;
-      let isRetrying = false;
+    logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
+    do {
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        deletedAuditLogIds = await db.transaction(async (trx) => {
+          await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);

-      logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
-      do {
-        try {
-          const findExpiredLogSubQuery = dbClient(TableName.AuditLog)
+          const findExpiredLogSubQuery = trx(TableName.AuditLog)
            .where("expiresAt", "<", today)
            .where("createdAt", "<", today) // to use audit log partition
            .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
@@ -172,34 +176,25 @@ export const auditLogDALFactory = (db: TDbClient) => {
            .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);

          // eslint-disable-next-line no-await-in-loop
-          deletedAuditLogIds = await dbClient(TableName.AuditLog)
-            .whereIn("id", findExpiredLogSubQuery)
-            .del()
-            .returning("id");
-          numberOfRetryOnFailure = 0; // reset
-        } catch (error) {
-          numberOfRetryOnFailure += 1;
-          logger.error(error, "Failed to delete audit log on pruning");
-        } finally {
-          // eslint-disable-next-line no-await-in-loop
-          await new Promise((resolve) => {
-            setTimeout(resolve, 10); // time to breathe for db
-          });
-        }
-        isRetrying = numberOfRetryOnFailure > 0;
-      } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
-      logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
-    };
+          const results = await trx(TableName.AuditLog).whereIn("id", findExpiredLogSubQuery).del().returning("id");

-    if (tx) {
-      await runPrune(tx);
-    } else {
-      const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
-      await db.transaction(async (trx) => {
-        await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);
-        await runPrune(trx);
-      });
-    }
+          return results;
+        });
+
+        numberOfRetryOnFailure = 0; // reset
+      } catch (error) {
+        numberOfRetryOnFailure += 1;
+        deletedAuditLogIds = [];
+        logger.error(error, "Failed to delete audit log on pruning");
+      } finally {
+        // eslint-disable-next-line no-await-in-loop
+        await new Promise((resolve) => {
+          setTimeout(resolve, 10); // time to breathe for db
+        });
+      }
+      isRetrying = numberOfRetryOnFailure > 0;
+    } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
+    logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
  };

  const create: TAuditLogDALFactory["create"] = async (tx) => {
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@@ -1,8 +1,6 @@
 import { AxiosError, RawAxiosRequestHeaders } from "axios";

-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
-import { TEventBusService } from "@app/ee/services/event/event-bus-service";
-import { TopicName, toPublishableEvent } from "@app/ee/services/event/types";
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
@@ -22,7 +20,6 @@ type TAuditLogQueueServiceFactoryDep = {
  queueService: TQueueServiceFactory;
  projectDAL: Pick<TProjectDALFactory, "findById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  eventBusService: TEventBusService;
 };

 export type TAuditLogQueueServiceFactory = {
@@ -38,8 +35,7 @@ export const auditLogQueueServiceFactory = async ({
  queueService,
  projectDAL,
  licenseService,
-  auditLogStreamDAL,
-  eventBusService
+  auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
  const pushToLog = async (data: TCreateAuditLogDTO) => {
    await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
@@ -145,16 +141,6 @@ export const auditLogQueueServiceFactory = async ({
        )
      );
    }
-
-    const publishable = toPublishableEvent(event);
-
-    if (publishable) {
-      await eventBusService.publish(TopicName.CoreServers, {
-        type: ProjectType.SecretManager,
-        source: "infiscal",
-        data: publishable.data
-      });
-    }
  });

  return {
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts
@@ -9,7 +9,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
  const appCfg = getConfig();

-  if (appCfg.isDevelopmentMode) return [host];
+  if (appCfg.isDevelopmentMode || appCfg.isTestMode) return [host];

  if (isGateway) return [host];

--- a/backend/src/ee/services/dynamic-secret/providers/couchbase.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/couchbase.ts
@@ -0,0 +1,289 @@
+import crypto from "node:crypto";
+
+import axios from "axios";
+import RE2 from "re2";
+
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator/validate-url";
+
+import { DynamicSecretCouchbaseSchema, PasswordRequirements, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
+
+type TCreateCouchbaseUser = {
+  name: string;
+  password: string;
+  access: {
+    privileges: string[];
+    resources: {
+      buckets: {
+        name: string;
+        scopes?: {
+          name: string;
+          collections?: string[];
+        }[];
+      }[];
+    };
+  }[];
+};
+
+type CouchbaseUserResponse = {
+  id: string;
+  uuid?: string;
+};
+
+const sanitizeCouchbaseUsername = (username: string): string => {
+  // Couchbase username restrictions:
+  // - Cannot contain: ) ( > < , ; : " \ / ] [ ? = } {
+  // - Cannot begin with @ character
+
+  const forbiddenCharsPattern = new RE2('[\\)\\(><,;:"\\\\\\[\\]\\?=\\}\\{]', "g");
+  let sanitized = forbiddenCharsPattern.replace(username, "-");
+
+  const leadingAtPattern = new RE2("^@+");
+  sanitized = leadingAtPattern.replace(sanitized, "");
+
+  if (!sanitized || sanitized.length === 0) {
+    return alphaNumericNanoId(12);
+  }
+
+  return sanitized;
+};
+
+/**
+ * Normalizes bucket configuration to handle wildcard (*) access consistently.
+ *
+ * Key behaviors:
+ * - If "*" appears anywhere (string or array), grants access to ALL buckets, scopes, and collections
+ *
+ * @param buckets - Either a string or array of bucket configurations
+ * @returns Normalized bucket resources for Couchbase API
+ */
+const normalizeBucketConfiguration = (
+  buckets:
+    | string
+    | Array<{
+        name: string;
+        scopes?: Array<{
+          name: string;
+          collections?: string[];
+        }>;
+      }>
+) => {
+  if (typeof buckets === "string") {
+    // Simple string format - either "*" or comma-separated bucket names
+    const bucketNames = buckets
+      .split(",")
+      .map((bucket) => bucket.trim())
+      .filter((bucket) => bucket.length > 0);
+
+    // If "*" is present anywhere, grant access to all buckets, scopes, and collections
+    if (bucketNames.includes("*") || buckets === "*") {
+      return [{ name: "*" }];
+    }
+    return bucketNames.map((bucketName) => ({ name: bucketName }));
+  }
+
+  // Array of bucket objects with scopes and collections
+  // Check if any bucket is "*" - if so, grant access to all buckets, scopes, and collections
+  const hasWildcardBucket = buckets.some((bucket) => bucket.name === "*");
+
+  if (hasWildcardBucket) {
+    return [{ name: "*" }];
+  }
+
+  return buckets.map((bucket) => ({
+    name: bucket.name,
+    scopes: bucket.scopes?.map((scope) => ({
+      name: scope.name,
+      collections: scope.collections || []
+    }))
+  }));
+};
+
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
+  const randomUsername = alphaNumericNanoId(12);
+  if (!usernameTemplate) return sanitizeCouchbaseUsername(randomUsername);
+
+  const compiledUsername = compileUsernameTemplate({
+    usernameTemplate,
+    randomUsername,
+    identity
+  });
+
+  return sanitizeCouchbaseUsername(compiledUsername);
+};
+
+const generatePassword = (requirements?: PasswordRequirements): string => {
+  const {
+    length = 12,
+    required = { lowercase: 1, uppercase: 1, digits: 1, symbols: 1 },
+    allowedSymbols = "!@#$%^()_+-=[]{}:,?/~`"
+  } = requirements || {};
+
+  const lowercase = "abcdefghijklmnopqrstuvwxyz";
+  const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const digits = "0123456789";
+  const symbols = allowedSymbols;
+
+  let password = "";
+  let remaining = length;
+
+  // Add required characters
+  for (let i = 0; i < required.lowercase; i += 1) {
+    password += lowercase[crypto.randomInt(lowercase.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.uppercase; i += 1) {
+    password += uppercase[crypto.randomInt(uppercase.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.digits; i += 1) {
+    password += digits[crypto.randomInt(digits.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.symbols; i += 1) {
+    password += symbols[crypto.randomInt(symbols.length)];
+    remaining -= 1;
+  }
+
+  // Fill remaining with random characters from all sets
+  const allChars = lowercase + uppercase + digits + symbols;
+  for (let i = 0; i < remaining; i += 1) {
+    password += allChars[crypto.randomInt(allChars.length)];
+  }
+
+  // Shuffle the password
+  return password
+    .split("")
+    .sort(() => crypto.randomInt(3) - 1)
+    .join("");
+};
+
+const couchbaseApiRequest = async (
+  method: string,
+  url: string,
+  apiKey: string,
+  data?: unknown
+): Promise<CouchbaseUserResponse> => {
+  await blockLocalAndPrivateIpAddresses(url);
+
+  try {
+    const response = await axios({
+      method: method.toLowerCase() as "get" | "post" | "put" | "delete",
+      url,
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      data: data || undefined,
+      timeout: 30000
+    });
+
+    return response.data as CouchbaseUserResponse;
+  } catch (err) {
+    const sanitizedErrorMessage = sanitizeString({
+      unsanitizedString: (err as Error)?.message,
+      tokens: [apiKey]
+    });
+    throw new BadRequestError({
+      message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+    });
+  }
+};
+
+export const CouchbaseProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: object) => {
+    const providerInputs = DynamicSecretCouchbaseSchema.parse(inputs);
+
+    await blockLocalAndPrivateIpAddresses(providerInputs.url);
+
+    return providerInputs;
+  };
+
+  const validateConnection = async (inputs: unknown): Promise<boolean> => {
+    try {
+      const providerInputs = await validateProviderInputs(inputs as object);
+
+      // Test connection by trying to get organization info
+      const url = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}`;
+      await couchbaseApiRequest("GET", url, providerInputs.auth.apiKey);
+
+      return true;
+    } catch (error) {
+      throw new BadRequestError({
+        message: `Failed to connect to Couchbase: ${error instanceof Error ? error.message : "Unknown error"}`
+      });
+    }
+  };
+
+  const create = async ({
+    inputs,
+    usernameTemplate,
+    identity
+  }: {
+    inputs: unknown;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const providerInputs = await validateProviderInputs(inputs as object);
+
+    const username = generateUsername(usernameTemplate, identity);
+
+    const password = generatePassword(providerInputs.passwordRequirements);
+
+    const createUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users`;
+
+    const bucketResources = normalizeBucketConfiguration(providerInputs.buckets);
+
+    const userData: TCreateCouchbaseUser = {
+      name: username,
+      password,
+      access: [
+        {
+          privileges: providerInputs.roles,
+          resources: {
+            buckets: bucketResources
+          }
+        }
+      ]
+    };
+
+    const response = await couchbaseApiRequest("POST", createUserUrl, providerInputs.auth.apiKey, userData);
+
+    const userUuid = response?.id || response?.uuid || username;
+
+    return {
+      entityId: userUuid,
+      data: {
+        username,
+        password
+      }
+    };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs as object);
+
+    const deleteUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users/${encodeURIComponent(entityId)}`;
+
+    await couchbaseApiRequest("DELETE", deleteUserUrl, providerInputs.auth.apiKey);
+
+    return { entityId };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // Couchbase Cloud API doesn't support renewing user credentials
+    // The user remains valid until explicitly deleted
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@@ -5,6 +5,7 @@ import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
+import { CouchbaseProvider } from "./couchbase";
 import { ElasticSearchProvider } from "./elastic-search";
 import { GcpIamProvider } from "./gcp-iam";
 import { GithubProvider } from "./github";
@@ -46,5 +47,6 @@ export const buildDynamicSecretProviders = ({
  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
  [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
  [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
-  [DynamicSecretProviders.Github]: GithubProvider()
+  [DynamicSecretProviders.Github]: GithubProvider(),
+  [DynamicSecretProviders.Couchbase]: CouchbaseProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -505,6 +505,91 @@ export const DynamicSecretGithubSchema = z.object({
    .describe("The private key generated for your GitHub App.")
 });

+export const DynamicSecretCouchbaseSchema = z.object({
+  url: z.string().url().trim().min(1).describe("Couchbase Cloud API URL"),
+  orgId: z.string().trim().min(1).describe("Organization ID"),
+  projectId: z.string().trim().min(1).describe("Project ID"),
+  clusterId: z.string().trim().min(1).describe("Cluster ID"),
+  roles: z.array(z.string().trim().min(1)).min(1).describe("Roles to assign to the user"),
+  buckets: z
+    .union([
+      z
+        .string()
+        .trim()
+        .min(1)
+        .default("*")
+        .refine((val) => {
+          if (val.includes(",")) {
+            const buckets = val
+              .split(",")
+              .map((b) => b.trim())
+              .filter((b) => b.length > 0);
+            if (buckets.includes("*") && buckets.length > 1) {
+              return false;
+            }
+          }
+          return true;
+        }, "Cannot combine '*' with other bucket names"),
+      z
+        .array(
+          z.object({
+            name: z.string().trim().min(1).describe("Bucket name"),
+            scopes: z
+              .array(
+                z.object({
+                  name: z.string().trim().min(1).describe("Scope name"),
+                  collections: z.array(z.string().trim().min(1)).optional().describe("Collection names")
+                })
+              )
+              .optional()
+              .describe("Scopes within the bucket")
+          })
+        )
+        .refine((buckets) => {
+          const hasWildcard = buckets.some((bucket) => bucket.name === "*");
+          if (hasWildcard && buckets.length > 1) {
+            return false;
+          }
+          return true;
+        }, "Cannot combine '*' bucket with other buckets")
+    ])
+    .default("*")
+    .describe(
+      "Bucket configuration: '*' for all buckets, scopes, and collections or array of bucket objects with specific scopes and collections"
+    ),
+  passwordRequirements: z
+    .object({
+      length: z.number().min(8, "Password must be at least 8 characters").max(128),
+      required: z
+        .object({
+          lowercase: z.number().min(1, "At least 1 lowercase character required"),
+          uppercase: z.number().min(1, "At least 1 uppercase character required"),
+          digits: z.number().min(1, "At least 1 digit required"),
+          symbols: z.number().min(1, "At least 1 special character required")
+        })
+        .refine((data) => {
+          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
+          return total <= 128;
+        }, "Sum of required characters cannot exceed 128"),
+      allowedSymbols: z
+        .string()
+        .refine((symbols) => {
+          const forbiddenChars = ["<", ">", ";", ".", "*", "&", "|", "£"];
+          return !forbiddenChars.some((char) => symbols?.includes(char));
+        }, "Cannot contain: < > ; . * & | £")
+        .optional()
+    })
+    .refine((data) => {
+      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
+      return total <= data.length;
+    }, "Sum of required characters cannot exceed the total length")
+    .optional()
+    .describe("Password generation requirements for Couchbase"),
+  auth: z.object({
+    apiKey: z.string().trim().min(1).describe("Couchbase Cloud API Key")
+  })
+});
+
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@@ -524,7 +609,8 @@ export enum DynamicSecretProviders {
  Kubernetes = "kubernetes",
  Vertica = "vertica",
  GcpIam = "gcp-iam",
-  Github = "github"
+  Github = "github",
+  Couchbase = "couchbase"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -546,7 +632,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Couchbase), inputs: DynamicSecretCouchbaseSchema })
 ]);

 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/event/event-bus-service.ts
+++ b/backend/src/ee/services/event/event-bus-service.ts
@@ -3,7 +3,7 @@ import { z } from "zod";

 import { logger } from "@app/lib/logger";

-import { EventSchema, TopicName } from "./types";
+import { BusEventSchema, TopicName } from "./types";

 export const eventBusFactory = (redis: Redis) => {
  const publisher = redis.duplicate();
@@ -28,7 +28,7 @@ export const eventBusFactory = (redis: Redis) => {
   * @param topic - The topic to publish the event to.
   * @param event - The event data to publish.
   */
-  const publish = async <T extends z.input<typeof EventSchema>>(topic: TopicName, event: T) => {
+  const publish = async <T extends z.input<typeof BusEventSchema>>(topic: TopicName, event: T) => {
    const json = JSON.stringify(event);

    return publisher.publish(topic, json, (err) => {
@@ -44,7 +44,7 @@ export const eventBusFactory = (redis: Redis) => {
   * @template T - The type of the event data, which should match the schema defined in EventSchema.
   * @returns A function that can be called to unsubscribe from the event bus.
   */
-  const subscribe = <T extends z.infer<typeof EventSchema>>(fn: (data: T) => Promise<void> | void) => {
+  const subscribe = <T extends z.infer<typeof BusEventSchema>>(fn: (data: T) => Promise<void> | void) => {
    // Not using async await cause redis client's `on` method does not expect async listeners.
    const listener = (channel: string, message: string) => {
      try {
--- a/backend/src/ee/services/event/event-sse-service.ts
+++ b/backend/src/ee/services/event/event-sse-service.ts
@@ -7,7 +7,7 @@ import { logger } from "@app/lib/logger";

 import { TEventBusService } from "./event-bus-service";
 import { createEventStreamClient, EventStreamClient, IEventStreamClientOpts } from "./event-sse-stream";
-import { EventData, RegisteredEvent, toBusEventName } from "./types";
+import { BusEvent, RegisteredEvent } from "./types";

 const AUTH_REFRESH_INTERVAL = 60 * 1000;
 const HEART_BEAT_INTERVAL = 15 * 1000;
@@ -69,8 +69,8 @@ export const sseServiceFactory = (bus: TEventBusService, redis: Redis) => {
    }
  };

-  function filterEventsForClient(client: EventStreamClient, event: EventData, registered: RegisteredEvent[]) {
-    const eventType = toBusEventName(event.data.eventType);
+  function filterEventsForClient(client: EventStreamClient, event: BusEvent, registered: RegisteredEvent[]) {
+    const eventType = event.data.event;
    const match = registered.find((r) => r.event === eventType);
    if (!match) return;

--- a/backend/src/ee/services/event/event-sse-stream.ts
+++ b/backend/src/ee/services/event/event-sse-stream.ts
@@ -12,7 +12,7 @@ import { KeyStorePrefixes } from "@app/keystore/keystore";
 import { conditionsMatcher } from "@app/lib/casl";
 import { logger } from "@app/lib/logger";

-import { EventData, RegisteredEvent } from "./types";
+import { BusEvent, RegisteredEvent } from "./types";

 export const getServerSentEventsHeaders = () =>
  ({
@@ -55,7 +55,7 @@ export type EventStreamClient = {
  id: string;
  stream: Readable;
  open: () => Promise<void>;
-  send: (data: EventMessage | EventData) => void;
+  send: (data: EventMessage | BusEvent) => void;
  ping: () => Promise<void>;
  refresh: () => Promise<void>;
  close: () => void;
@@ -73,15 +73,12 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien
    return {
      subject: options.type,
      action: "subscribe",
-      conditions: {
-        eventType: r.event,
-        ...(hasConditions
-          ? {
-              environment: r.conditions?.environmentSlug ?? "",
-              secretPath: { $glob: secretPath }
-            }
-          : {})
-      }
+      conditions: hasConditions
+        ? {
+            environment: r.conditions?.environmentSlug ?? "",
+            secretPath: { $glob: secretPath }
+          }
+        : undefined
    };
  });

@@ -98,7 +95,7 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien
  // We will manually push data to the stream
  stream._read = () => {};

-  const send = (data: EventMessage | EventData) => {
+  const send = (data: EventMessage | BusEvent) => {
    const chunk = serializeSseEvent(data);
    if (!stream.push(chunk)) {
      logger.debug("Backpressure detected: dropped manual event");
@@ -126,7 +123,7 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien

    await redis.set(key, "1", "EX", 60);

-    stream.push("1");
+    send({ type: "ping" });
  };

  const close = () => {
--- a/backend/src/ee/services/event/types.ts
+++ b/backend/src/ee/services/event/types.ts
@@ -1,7 +1,8 @@
 import { z } from "zod";

 import { ProjectType } from "@app/db/schemas";
-import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
+
+import { ProjectPermissionSecretEventActions } from "../permission/project-permission";

 export enum TopicName {
  CoreServers = "infisical::core-servers"
@@ -10,84 +11,44 @@ export enum TopicName {
 export enum BusEventName {
  CreateSecret = "secret:create",
  UpdateSecret = "secret:update",
-  DeleteSecret = "secret:delete"
+  DeleteSecret = "secret:delete",
+  ImportMutation = "secret:import-mutation"
 }

-type PublisableEventTypes =
-  | EventType.CREATE_SECRET
-  | EventType.CREATE_SECRETS
-  | EventType.DELETE_SECRET
-  | EventType.DELETE_SECRETS
-  | EventType.UPDATE_SECRETS
-  | EventType.UPDATE_SECRET;
-
-export function toBusEventName(input: EventType) {
-  switch (input) {
-    case EventType.CREATE_SECRET:
-    case EventType.CREATE_SECRETS:
-      return BusEventName.CreateSecret;
-    case EventType.UPDATE_SECRET:
-    case EventType.UPDATE_SECRETS:
-      return BusEventName.UpdateSecret;
-    case EventType.DELETE_SECRET:
-    case EventType.DELETE_SECRETS:
-      return BusEventName.DeleteSecret;
-    default:
-      return null;
-  }
-}
-
-const isBulkEvent = (event: Event): event is Extract<Event, { metadata: { secrets: Array<unknown> } }> => {
-  return event.type.endsWith("-secrets"); // Feels so wrong
-};
-
-export const toPublishableEvent = (event: Event) => {
-  const name = toBusEventName(event.type);
-
-  if (!name) return null;
-
-  const e = event as Extract<Event, { type: PublisableEventTypes }>;
-
-  if (isBulkEvent(e)) {
-    return {
-      name,
-      isBulk: true,
-      data: {
-        eventType: e.type,
-        payload: e.metadata.secrets.map((s) => ({
-          environment: e.metadata.environment,
-          secretPath: e.metadata.secretPath,
-          ...s
-        }))
-      }
-    } as const;
-  }
-
-  return {
-    name,
-    isBulk: false,
-    data: {
-      eventType: e.type,
-      payload: {
-        ...e.metadata,
-        environment: e.metadata.environment
-      }
+export const Mappings = {
+  BusEventToAction(input: BusEventName) {
+    switch (input) {
+      case BusEventName.CreateSecret:
+        return ProjectPermissionSecretEventActions.SubscribeCreated;
+      case BusEventName.DeleteSecret:
+        return ProjectPermissionSecretEventActions.SubscribeDeleted;
+      case BusEventName.ImportMutation:
+        return ProjectPermissionSecretEventActions.SubscribeImportMutations;
+      case BusEventName.UpdateSecret:
+        return ProjectPermissionSecretEventActions.SubscribeUpdated;
+      default:
+        throw new Error("Unknown bus event name");
    }
-  } as const;
+  }
 };

 export const EventName = z.nativeEnum(BusEventName);

 const EventSecretPayload = z.object({
-  secretPath: z.string().optional(),
  secretId: z.string(),
+  secretPath: z.string().optional(),
  secretKey: z.string(),
  environment: z.string()
 });

+const EventImportMutationPayload = z.object({
+  secretPath: z.string(),
+  environment: z.string()
+});
+
 export type EventSecret = z.infer<typeof EventSecretPayload>;

-export const EventSchema = z.object({
+export const BusEventSchema = z.object({
  datacontenttype: z.literal("application/json").optional().default("application/json"),
  type: z.nativeEnum(ProjectType),
  source: z.string(),
@@ -95,25 +56,38 @@ export const EventSchema = z.object({
    .string()
    .optional()
    .default(() => new Date().toISOString()),
-  data: z.discriminatedUnion("eventType", [
+  data: z.discriminatedUnion("event", [
    z.object({
      specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRET, EventType.UPDATE_SECRET, EventType.DELETE_SECRET]),
-      payload: EventSecretPayload
+      event: z.enum([BusEventName.CreateSecret, BusEventName.DeleteSecret, BusEventName.UpdateSecret]),
+      payload: z.union([EventSecretPayload, EventSecretPayload.array()])
    }),
    z.object({
      specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRETS, EventType.UPDATE_SECRETS, EventType.DELETE_SECRETS]),
-      payload: EventSecretPayload.array()
+      event: z.enum([BusEventName.ImportMutation]),
+      payload: z.union([EventImportMutationPayload, EventImportMutationPayload.array()])
    })
    // Add more event types as needed
  ])
 });

-export type EventData = z.infer<typeof EventSchema>;
+export type BusEvent = z.infer<typeof BusEventSchema>;
+
+type PublishableEventPayload = z.input<typeof BusEventSchema>["data"];
+type PublishableSecretEvent = Extract<
+  PublishableEventPayload,
+  { event: Exclude<BusEventName, BusEventName.ImportMutation> }
+>["payload"];
+
+export type PublishableEvent = {
+  created?: PublishableSecretEvent;
+  updated?: PublishableSecretEvent;
+  deleted?: PublishableSecretEvent;
+  importMutation?: Extract<PublishableEventPayload, { event: BusEventName.ImportMutation }>["payload"];
+};

 export const EventRegisterSchema = z.object({
-  event: EventName,
+  event: z.nativeEnum(BusEventName),
  conditions: z
    .object({
      secretPath: z.string().optional().default("/"),
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -1,4 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
+import { Knex } from "knex";

 import { OrgMembershipStatus, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
@@ -45,7 +46,7 @@ import { searchGroups, testLDAPConfig } from "./ldap-fns";
 import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";

 type TLdapConfigServiceFactoryDep = {
-  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
+  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne" | "transaction">;
  ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
  orgDAL: Pick<
@@ -131,6 +132,19 @@ export const ldapConfigServiceFactory = ({
      orgId
    });

+    const isConnected = await testLDAPConfig({
+      bindDN,
+      bindPass,
+      caCert,
+      url
+    });
+
+    if (!isConnected) {
+      throw new BadRequestError({
+        message: "Failed to establish connection to LDAP directory. Please verify that your credentials are correct."
+      });
+    }
+
    const ldapConfig = await ldapConfigDAL.create({
      orgId,
      isActive,
@@ -148,6 +162,50 @@ export const ldapConfigServiceFactory = ({
    return ldapConfig;
  };

+  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }, tx?: Knex) => {
+    const ldapConfig = await ldapConfigDAL.findOne(filter, tx);
+    if (!ldapConfig) {
+      throw new NotFoundError({
+        message: `Failed to find organization LDAP data in organization with ID '${filter.orgId}'`
+      });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: ldapConfig.orgId
+    });
+
+    let bindDN = "";
+    if (ldapConfig.encryptedLdapBindDN) {
+      bindDN = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindDN }).toString();
+    }
+
+    let bindPass = "";
+    if (ldapConfig.encryptedLdapBindPass) {
+      bindPass = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindPass }).toString();
+    }
+
+    let caCert = "";
+    if (ldapConfig.encryptedLdapCaCertificate) {
+      caCert = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapCaCertificate }).toString();
+    }
+
+    return {
+      id: ldapConfig.id,
+      organization: ldapConfig.orgId,
+      isActive: ldapConfig.isActive,
+      url: ldapConfig.url,
+      bindDN,
+      bindPass,
+      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
+      searchBase: ldapConfig.searchBase,
+      searchFilter: ldapConfig.searchFilter,
+      groupSearchBase: ldapConfig.groupSearchBase,
+      groupSearchFilter: ldapConfig.groupSearchFilter,
+      caCert
+    };
+  };
+
  const updateLdapCfg = async ({
    actor,
    actorId,
@@ -202,53 +260,25 @@ export const ldapConfigServiceFactory = ({
      updateQuery.encryptedLdapCaCertificate = encryptor({ plainText: Buffer.from(caCert) }).cipherTextBlob;
    }

-    const [ldapConfig] = await ldapConfigDAL.update({ orgId }, updateQuery);
+    const config = await ldapConfigDAL.transaction(async (tx) => {
+      const [updatedLdapCfg] = await ldapConfigDAL.update({ orgId }, updateQuery, tx);
+      const decryptedLdapCfg = await getLdapCfg({ orgId }, tx);

-    return ldapConfig;
-  };
+      const isSoftDeletion = !decryptedLdapCfg.url && !decryptedLdapCfg.bindDN && !decryptedLdapCfg.bindPass;
+      if (!isSoftDeletion) {
+        const isConnected = await testLDAPConfig(decryptedLdapCfg);
+        if (!isConnected) {
+          throw new BadRequestError({
+            message:
+              "Failed to establish connection to LDAP directory. Please verify that your credentials are correct."
+          });
+        }
+      }

-  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }) => {
-    const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) {
-      throw new NotFoundError({
-        message: `Failed to find organization LDAP data in organization with ID '${filter.orgId}'`
-      });
-    }
-
-    const { decryptor } = await kmsService.createCipherPairWithDataKey({
-      type: KmsDataKey.Organization,
-      orgId: ldapConfig.orgId
+      return updatedLdapCfg;
    });

-    let bindDN = "";
-    if (ldapConfig.encryptedLdapBindDN) {
-      bindDN = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindDN }).toString();
-    }
-
-    let bindPass = "";
-    if (ldapConfig.encryptedLdapBindPass) {
-      bindPass = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapBindPass }).toString();
-    }
-
-    let caCert = "";
-    if (ldapConfig.encryptedLdapCaCertificate) {
-      caCert = decryptor({ cipherTextBlob: ldapConfig.encryptedLdapCaCertificate }).toString();
-    }
-
-    return {
-      id: ldapConfig.id,
-      organization: ldapConfig.orgId,
-      isActive: ldapConfig.isActive,
-      url: ldapConfig.url,
-      bindDN,
-      bindPass,
-      uniqueUserAttribute: ldapConfig.uniqueUserAttribute,
-      searchBase: ldapConfig.searchBase,
-      searchFilter: ldapConfig.searchFilter,
-      groupSearchBase: ldapConfig.groupSearchBase,
-      groupSearchFilter: ldapConfig.groupSearchFilter,
-      caCert
-    };
+    return config;
  };

  const getLdapCfgWithPermissionCheck = async ({
@@ -370,15 +400,13 @@ export const ldapConfigServiceFactory = ({

      userAlias = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
-        if (serverCfg.trustLdapEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email: email.toLowerCase(),
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
+        newUser = await userDAL.findOne(
+          {
+            email: email.toLowerCase(),
+            isEmailVerified: true
+          },
+          tx
+        );

        if (!newUser) {
          const uniqueUsername = await normalizeUsername(username, userDAL);
@@ -403,7 +431,8 @@ export const ldapConfigServiceFactory = ({
            aliasType: UserAliasType.LDAP,
            externalId,
            emails: [email],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustLdapEmails
          },
          tx
        );
@@ -526,16 +555,14 @@ export const ldapConfigServiceFactory = ({
      return newUser;
    });

-    const isUserCompleted = Boolean(user.isAccepted);
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-
+    const isUserCompleted = Boolean(user.isAccepted) && userAlias.isEmailVerified;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        hasExchangedPrivateKey: true,
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
@@ -543,6 +570,7 @@ export const ldapConfigServiceFactory = ({
        organizationSlug: organization.slug,
        authMethod: AuthMethod.LDAP,
        authType: UserAliasType.LDAP,
+        aliasId: userAlias.id,
        isUserCompleted,
        ...(relayState
          ? {
@@ -556,10 +584,11 @@ export const ldapConfigServiceFactory = ({
      }
    );

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService.sendMail({
@@ -694,7 +723,17 @@ export const ldapConfigServiceFactory = ({
    return deletedGroupMap;
  };

-  const testLDAPConnection = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TTestLdapConnectionDTO) => {
+  const testLDAPConnection = async ({
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId,
+    bindDN,
+    bindPass,
+    caCert,
+    url
+  }: TTestLdapConnectionDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);

@@ -704,11 +743,12 @@ export const ldapConfigServiceFactory = ({
        message: "Failed to test LDAP connection due to plan restriction. Upgrade plan to test the LDAP connection."
      });

-    const ldapConfig = await getLdapCfg({
-      orgId
+    return testLDAPConfig({
+      bindDN,
+      bindPass,
+      caCert,
+      url
    });
-
-    return testLDAPConfig(ldapConfig);
  };

  return {
--- a/backend/src/ee/services/ldap-config/ldap-config-types.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-types.ts
@@ -83,6 +83,4 @@ export type TDeleteLdapGroupMapDTO = {
  ldapGroupMapId: string;
 } & TOrgPermission;

-export type TTestLdapConnectionDTO = {
-  ldapConfigId: string;
-} & TOrgPermission;
+export type TTestLdapConnectionDTO = TOrgPermission & TTestLDAPConfigDTO;
--- a/backend/src/ee/services/license/mocks/license-fns.ts
+++ b/backend/src/ee/services/license/mocks/license-fns.ts
@@ -31,7 +31,7 @@ export const getDefaultOnPremFeatures = () => {
    caCrl: false,
    sshHostGroups: false,
    enterpriseSecretSyncs: false,
-    enterpriseAppConnections: false,
+    enterpriseAppConnections: true,
    machineIdentityAuthTemplates: false
  };
 };
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@@ -32,6 +32,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  auditLogStreams: false,
  auditLogStreamLimit: 3,
  samlSSO: false,
+  enforceGoogleSSO: false,
  hsm: false,
  oidcSSO: false,
  scim: false,
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@@ -47,6 +47,7 @@ export type TFeatureSet = {
  auditLogStreamLimit: 3;
  githubOrgSync: false;
  samlSSO: false;
+  enforceGoogleSSO: false;
  hsm: false;
  oidcSSO: false;
  secretAccessInsights: false;
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -180,7 +180,7 @@ export const oidcConfigServiceFactory = ({
    }

    const appCfg = getConfig();
-    const userAlias = await userAliasDAL.findOne({
+    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
      aliasType: UserAliasType.OIDC
@@ -231,32 +231,29 @@ export const oidcConfigServiceFactory = ({
    } else {
      user = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
+        // we prioritize getting the most complete user to create the new alias under
+        newUser = await userDAL.findOne(
+          {
+            email,
+            isEmailVerified: true
+          },
+          tx
+        );

-        if (serverCfg.trustOidcEmails) {
-          // we prioritize getting the most complete user to create the new alias under
+        if (!newUser) {
+          // this fetches user entries created via invites
          newUser = await userDAL.findOne(
            {
-              email,
-              isEmailVerified: true
+              username: email
            },
            tx
          );

-          if (!newUser) {
-            // this fetches user entries created via invites
-            newUser = await userDAL.findOne(
-              {
-                username: email
-              },
-              tx
-            );
-
-            if (newUser && !newUser.isEmailVerified) {
-              // we automatically mark it as email-verified because we've configured trust for OIDC emails
-              newUser = await userDAL.updateById(newUser.id, {
-                isEmailVerified: true
-              });
-            }
+          if (newUser && !newUser.isEmailVerified) {
+            // we automatically mark it as email-verified because we've configured trust for OIDC emails
+            newUser = await userDAL.updateById(newUser.id, {
+              isEmailVerified: serverCfg.trustOidcEmails
+            });
          }
        }

@@ -276,13 +273,14 @@ export const oidcConfigServiceFactory = ({
          );
        }

-        await userAliasDAL.create(
+        userAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            aliasType: UserAliasType.OIDC,
            externalId,
            emails: email ? [email] : [],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustOidcEmails
          },
          tx
        );
@@ -404,20 +402,20 @@ export const oidcConfigServiceFactory = ({

    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-    const isUserCompleted = Boolean(user.isAccepted);
+    const isUserCompleted = Boolean(user.isAccepted) && userAlias.isEmailVerified;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
        organizationSlug: organization.slug,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
+        aliasId: userAlias.id,
        authMethod: AuthMethod.OIDC,
        authType: UserAliasType.OIDC,
        isUserCompleted,
@@ -431,10 +429,11 @@ export const oidcConfigServiceFactory = ({

    await oidcConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService
--- a/backend/src/ee/services/permission/default-roles.ts
+++ b/backend/src/ee/services/permission/default-roles.ts
@@ -13,6 +13,7 @@ import {
  ProjectPermissionPkiSubscriberActions,
  ProjectPermissionPkiTemplateActions,
  ProjectPermissionSecretActions,
+  ProjectPermissionSecretEventActions,
  ProjectPermissionSecretRotationActions,
  ProjectPermissionSecretScanningConfigActions,
  ProjectPermissionSecretScanningDataSourceActions,
@@ -161,8 +162,7 @@ const buildAdminPermissionRules = () => {
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Create,
      ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
@@ -253,6 +253,16 @@ const buildAdminPermissionRules = () => {
    ProjectPermissionSub.SecretScanningConfigs
  );

+  can(
+    [
+      ProjectPermissionSecretEventActions.SubscribeCreated,
+      ProjectPermissionSecretEventActions.SubscribeDeleted,
+      ProjectPermissionSecretEventActions.SubscribeUpdated,
+      ProjectPermissionSecretEventActions.SubscribeImportMutations
+    ],
+    ProjectPermissionSub.SecretEvents
+  );
+
  return rules;
 };

@@ -266,8 +276,7 @@ const buildMemberPermissionRules = () => {
      ProjectPermissionSecretActions.ReadValue,
      ProjectPermissionSecretActions.Edit,
      ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
@@ -457,6 +466,16 @@ const buildMemberPermissionRules = () => {

  can([ProjectPermissionSecretScanningConfigActions.Read], ProjectPermissionSub.SecretScanningConfigs);

+  can(
+    [
+      ProjectPermissionSecretEventActions.SubscribeCreated,
+      ProjectPermissionSecretEventActions.SubscribeDeleted,
+      ProjectPermissionSecretEventActions.SubscribeUpdated,
+      ProjectPermissionSecretEventActions.SubscribeImportMutations
+    ],
+    ProjectPermissionSub.SecretEvents
+  );
+
  return rules;
 };

@@ -507,6 +526,16 @@ const buildViewerPermissionRules = () => {

  can([ProjectPermissionSecretScanningConfigActions.Read], ProjectPermissionSub.SecretScanningConfigs);

+  can(
+    [
+      ProjectPermissionSecretEventActions.SubscribeCreated,
+      ProjectPermissionSecretEventActions.SubscribeDeleted,
+      ProjectPermissionSecretEventActions.SubscribeUpdated,
+      ProjectPermissionSecretEventActions.SubscribeImportMutations
+    ],
+    ProjectPermissionSub.SecretEvents
+  );
+
  return rules;
 };

--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -35,6 +35,7 @@ export interface TPermissionDALFactory {
      projectFavorites?: string[] | null | undefined;
      customRoleSlug?: string | null | undefined;
      orgAuthEnforced?: boolean | null | undefined;
+      orgGoogleSsoAuthEnforced: boolean;
    } & {
      groups: {
        id: string;
@@ -87,6 +88,7 @@ export interface TPermissionDALFactory {
        }[];
        orgId: string;
        orgAuthEnforced: boolean | null | undefined;
+        orgGoogleSsoAuthEnforced: boolean;
        orgRole: OrgMembershipRole;
        userId: string;
        projectId: string;
@@ -350,6 +352,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
          db.ref("permissions").withSchema(TableName.OrgRoles),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("googleSsoAuthEnforced").withSchema(TableName.Organization).as("orgGoogleSsoAuthEnforced"),
          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
          db.ref("groupId").withSchema("userGroups"),
          db.ref("groupOrgId").withSchema("userGroups"),
@@ -369,6 +372,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          OrgMembershipsSchema.extend({
            permissions: z.unknown(),
            orgAuthEnforced: z.boolean().optional().nullable(),
+            orgGoogleSsoAuthEnforced: z.boolean(),
            bypassOrgAuthEnabled: z.boolean(),
            customRoleSlug: z.string().optional().nullable(),
            shouldUseNewPrivilegeSystem: z.boolean()
@@ -988,6 +992,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("googleSsoAuthEnforced").withSchema(TableName.Organization).as("orgGoogleSsoAuthEnforced"),
          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
          db.ref("role").withSchema(TableName.OrgMembership).as("orgRole"),
          db.ref("orgId").withSchema(TableName.Project),
@@ -1003,6 +1008,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
          orgId,
          username,
          orgAuthEnforced,
+          orgGoogleSsoAuthEnforced,
          orgRole,
          membershipId,
          groupMembershipId,
@@ -1016,6 +1022,7 @@ export const permissionDALFactory = (db: TDbClient): TPermissionDALFactory => {
        }) => ({
          orgId,
          orgAuthEnforced,
+          orgGoogleSsoAuthEnforced,
          orgRole: orgRole as OrgMembershipRole,
          userId,
          projectId,
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -121,6 +121,7 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
 function validateOrgSSO(
  actorAuthMethod: ActorAuthMethod,
  isOrgSsoEnforced: TOrganizations["authEnforced"],
+  isOrgGoogleSsoEnforced: TOrganizations["googleSsoAuthEnforced"],
  isOrgSsoBypassEnabled: TOrganizations["bypassOrgAuthEnabled"],
  orgRole: OrgMembershipRole
 ) {
@@ -128,10 +129,16 @@ function validateOrgSSO(
    throw new UnauthorizedError({ name: "No auth method defined" });
  }

-  if (isOrgSsoEnforced && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
+  if ((isOrgSsoEnforced || isOrgGoogleSsoEnforced) && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
    return;
  }

+  // case: google sso is enforced, but the actor is not using google sso
+  if (isOrgGoogleSsoEnforced && actorAuthMethod !== null && actorAuthMethod !== AuthMethod.GOOGLE) {
+    throw new ForbiddenRequestError({ name: "Org auth enforced. Cannot access org-scoped resource" });
+  }
+
+  // case: SAML SSO is enforced, but the actor is not using SAML SSO
  if (
    isOrgSsoEnforced &&
    actorAuthMethod !== null &&
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -146,6 +146,7 @@ export const permissionServiceFactory = ({
    validateOrgSSO(
      authMethod,
      membership.orgAuthEnforced,
+      membership.orgGoogleSsoAuthEnforced,
      membership.bypassOrgAuthEnabled,
      membership.role as OrgMembershipRole
    );
@@ -238,6 +239,7 @@ export const permissionServiceFactory = ({
    validateOrgSSO(
      authMethod,
      userProjectPermission.orgAuthEnforced,
+      userProjectPermission.orgGoogleSsoAuthEnforced,
      userProjectPermission.bypassOrgAuthEnabled,
      userProjectPermission.orgRole
    );
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -36,8 +36,7 @@ export enum ProjectPermissionSecretActions {
  ReadValue = "readValue",
  Create = "create",
  Edit = "edit",
-  Delete = "delete",
-  Subscribe = "subscribe"
+  Delete = "delete"
 }

 export enum ProjectPermissionCmekActions {
@@ -158,6 +157,13 @@ export enum ProjectPermissionSecretScanningConfigActions {
  Update = "update-configs"
 }

+export enum ProjectPermissionSecretEventActions {
+  SubscribeCreated = "subscribe-on-created",
+  SubscribeUpdated = "subscribe-on-updated",
+  SubscribeDeleted = "subscribe-on-deleted",
+  SubscribeImportMutations = "subscribe-on-import-mutations"
+}
+
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@@ -197,7 +203,8 @@ export enum ProjectPermissionSub {
  Kmip = "kmip",
  SecretScanningDataSources = "secret-scanning-data-sources",
  SecretScanningFindings = "secret-scanning-findings",
-  SecretScanningConfigs = "secret-scanning-configs"
+  SecretScanningConfigs = "secret-scanning-configs",
+  SecretEvents = "secret-events"
 }

 export type SecretSubjectFields = {
@@ -205,7 +212,13 @@ export type SecretSubjectFields = {
  secretPath: string;
  secretName?: string;
  secretTags?: string[];
-  eventType?: string;
+};
+
+export type SecretEventSubjectFields = {
+  environment: string;
+  secretPath: string;
+  secretName?: string;
+  secretTags?: string[];
 };

 export type SecretFolderSubjectFields = {
@@ -344,7 +357,11 @@ export type ProjectPermissionSet =
  | [ProjectPermissionCommitsActions, ProjectPermissionSub.Commits]
  | [ProjectPermissionSecretScanningDataSourceActions, ProjectPermissionSub.SecretScanningDataSources]
  | [ProjectPermissionSecretScanningFindingActions, ProjectPermissionSub.SecretScanningFindings]
-  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs];
+  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs]
+  | [
+      ProjectPermissionSecretEventActions,
+      ProjectPermissionSub.SecretEvents | (ForcedSubject<ProjectPermissionSub.SecretEvents> & SecretEventSubjectFields)
+    ];

 const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
 const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
@@ -877,7 +894,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
-
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretEvents).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretEventActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: SecretSyncConditionV2Schema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
  ...GeneralPermissionSchema
 ]);

--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -246,7 +246,7 @@ export const samlConfigServiceFactory = ({
      });
    }

-    const userAlias = await userAliasDAL.findOne({
+    let userAlias = await userAliasDAL.findOne({
      externalId,
      orgId,
      aliasType: UserAliasType.SAML
@@ -320,15 +320,13 @@ export const samlConfigServiceFactory = ({

      user = await userDAL.transaction(async (tx) => {
        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
+        newUser = await userDAL.findOne(
+          {
+            email,
+            isEmailVerified: true
+          },
+          tx
+        );

        if (!newUser) {
          const uniqueUsername = await normalizeUsername(`${firstName ?? ""}-${lastName ?? ""}`, userDAL);
@@ -346,13 +344,14 @@ export const samlConfigServiceFactory = ({
          );
        }

-        await userAliasDAL.create(
+        userAlias = await userAliasDAL.create(
          {
            userId: newUser.id,
            aliasType: UserAliasType.SAML,
            externalId,
            emails: email ? [email] : [],
-            orgId
+            orgId,
+            isEmailVerified: serverCfg.trustSamlEmails
          },
          tx
        );
@@ -410,21 +409,21 @@ export const samlConfigServiceFactory = ({
    }
    await licenseService.updateSubscriptionOrgMemberCount(organization.id);

-    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified);
-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
+    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified && userAlias.isEmailVerified);
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
        username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
+        ...(user.email && { email: user.email, isEmailVerified: userAlias.isEmailVerified }),
        firstName,
        lastName,
        organizationName: organization.name,
        organizationId: organization.id,
        organizationSlug: organization.slug,
        authMethod: authProvider,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
+        aliasId: userAlias.id,
        authType: UserAliasType.SAML,
        isUserCompleted,
        ...(relayState
@@ -441,10 +440,11 @@ export const samlConfigServiceFactory = ({

    await samlConfigDAL.update({ orgId }, { lastUsed: new Date() });

-    if (user.email && !user.isEmailVerified) {
+    if (user.email && !userAlias.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
+        userId: user.id,
+        aliasId: userAlias.id
      });

      await smtpService.sendMail({
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -4,6 +4,7 @@ import { TDbClient } from "@app/db";
 import {
  SecretApprovalRequestsSchema,
  TableName,
+  TOrgMemberships,
  TSecretApprovalRequests,
  TSecretApprovalRequestsSecrets,
  TUserGroupMembership,
@@ -107,11 +108,32 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalRequestReviewer}.reviewerUserId`,
        `secretApprovalReviewerUser.id`
      )
+
+      .leftJoin<TOrgMemberships>(
+        db(TableName.OrgMembership).as("approverOrgMembership"),
+        `${TableName.SecretApprovalPolicyApprover}.approverUserId`,
+        `approverOrgMembership.userId`
+      )
+
+      .leftJoin<TOrgMemberships>(
+        db(TableName.OrgMembership).as("approverGroupOrgMembership"),
+        `secretApprovalPolicyGroupApproverUser.id`,
+        `approverGroupOrgMembership.userId`
+      )
+
+      .leftJoin<TOrgMemberships>(
+        db(TableName.OrgMembership).as("reviewerOrgMembership"),
+        `${TableName.SecretApprovalRequestReviewer}.reviewerUserId`,
+        `reviewerOrgMembership.userId`
+      )
+
      .select(selectAllTableCols(TableName.SecretApprovalRequest))
      .select(
        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
        tx.ref("userId").withSchema("approverUserGroupMembership").as("approverGroupUserId"),
        tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
+        tx.ref("isActive").withSchema("approverOrgMembership").as("approverIsOrgMembershipActive"),
+        tx.ref("isActive").withSchema("approverGroupOrgMembership").as("approverGroupIsOrgMembershipActive"),
        tx.ref("email").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupEmail"),
        tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
        tx.ref("username").withSchema("secretApprovalPolicyGroupApproverUser").as("approverGroupUsername"),
@@ -148,6 +170,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("username").withSchema("secretApprovalReviewerUser").as("reviewerUsername"),
        tx.ref("firstName").withSchema("secretApprovalReviewerUser").as("reviewerFirstName"),
        tx.ref("lastName").withSchema("secretApprovalReviewerUser").as("reviewerLastName"),
+        tx.ref("isActive").withSchema("reviewerOrgMembership").as("reviewerIsOrgMembershipActive"),
        tx.ref("id").withSchema(TableName.SecretApprovalPolicy).as("policyId"),
        tx.ref("name").withSchema(TableName.SecretApprovalPolicy).as("policyName"),
        tx.ref("projectId").withSchema(TableName.Environment),
@@ -157,7 +180,11 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
        tx.ref("allowedSelfApprovals").withSchema(TableName.SecretApprovalPolicy).as("policyAllowedSelfApprovals"),
        tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt")
+        tx.ref("deletedAt").withSchema(TableName.SecretApprovalPolicy).as("policyDeletedAt"),
+        tx
+          .ref("shouldCheckSecretPermission")
+          .withSchema(TableName.SecretApprovalPolicy)
+          .as("policySecretReadAccessCompat")
      );

  const findById = async (id: string, tx?: Knex) => {
@@ -197,7 +224,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            enforcementLevel: el.policyEnforcementLevel,
            envId: el.policyEnvId,
            deletedAt: el.policyDeletedAt,
-            allowedSelfApprovals: el.policyAllowedSelfApprovals
+            allowedSelfApprovals: el.policyAllowedSelfApprovals,
+            shouldCheckSecretPermission: el.policySecretReadAccessCompat
          }
        }),
        childrenMapper: [
@@ -211,9 +239,21 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              reviewerLastName: lastName,
              reviewerUsername: username,
              reviewerFirstName: firstName,
-              reviewerComment: comment
+              reviewerComment: comment,
+              reviewerIsOrgMembershipActive: isOrgMembershipActive
            }) =>
-              userId ? { userId, status, email, firstName, lastName, username, comment: comment ?? "" } : undefined
+              userId
+                ? {
+                    userId,
+                    status,
+                    email,
+                    firstName,
+                    lastName,
+                    username,
+                    comment: comment ?? "",
+                    isOrgMembershipActive
+                  }
+                : undefined
          },
          {
            key: "approverUserId",
@@ -223,13 +263,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              approverEmail: email,
              approverUsername: username,
              approverLastName: lastName,
-              approverFirstName: firstName
+              approverFirstName: firstName,
+              approverIsOrgMembershipActive: isOrgMembershipActive
            }) => ({
              userId,
              email,
              firstName,
              lastName,
-              username
+              username,
+              isOrgMembershipActive
            })
          },
          {
@@ -240,13 +282,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              approverGroupEmail: email,
              approverGroupUsername: username,
              approverGroupLastName: lastName,
-              approverGroupFirstName: firstName
+              approverGroupFirstName: firstName,
+              approverGroupIsOrgMembershipActive: isOrgMembershipActive
            }) => ({
              userId,
              email,
              firstName,
              lastName,
-              username
+              username,
+              isOrgMembershipActive
            })
          },
          {
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -258,6 +258,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
+
    if (!secretApprovalRequest)
      throw new NotFoundError({ message: `Secret approval request with ID '${id}' not found` });

@@ -280,13 +281,22 @@ export const secretApprovalRequestServiceFactory = ({
    ) {
      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
-    const getHasSecretReadAccess = (environment: string, tags: { slug: string }[], secretPath?: string) => {
-      const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
-        environment,
-        secretPath: secretPath || "/",
-        secretTags: tags.map((i) => i.slug)
-      });
-      return canRead;
+    const getHasSecretReadAccess = (
+      shouldCheckSecretPermission: boolean | null | undefined,
+      environment: string,
+      tags: { slug: string }[],
+      secretPath?: string
+    ) => {
+      if (shouldCheckSecretPermission) {
+        const canRead = hasSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
+          environment,
+          secretPath: secretPath || "/",
+          secretTags: tags.map((i) => i.slug)
+        });
+        return canRead;
+      }
+
+      return true;
    };

    let secrets;
@@ -308,8 +318,18 @@ export const secretApprovalRequestServiceFactory = ({
        version: el.version,
        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
        isRotatedSecret: el.secret?.isRotatedSecret ?? false,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
-        secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+        secretValueHidden: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        ),
+        secretValue: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        )
          ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
          : el.secret && el.secret.isRotatedSecret
            ? undefined
@@ -325,11 +345,17 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secret.id,
              version: el.secret.version,
              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValue: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              )
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secret.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secret.encryptedValue }).toString()
@@ -345,11 +371,17 @@ export const secretApprovalRequestServiceFactory = ({
              id: el.secretVersion.id,
              version: el.secretVersion.version,
              secretValueHidden: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
                secretApprovalRequest.environment,
                el.tags,
                secretPath?.[0]?.path
              ),
-              secretValue: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path)
+              secretValue: !getHasSecretReadAccess(
+                secretApprovalRequest.policy.shouldCheckSecretPermission,
+                secretApprovalRequest.environment,
+                el.tags,
+                secretPath?.[0]?.path
+              )
                ? INFISICAL_SECRET_VALUE_HIDDEN_MASK
                : el.secretVersion.encryptedValue
                  ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedValue }).toString()
@@ -367,7 +399,12 @@ export const secretApprovalRequestServiceFactory = ({
      const encryptedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
      secrets = encryptedSecrets.map((el) => ({
        ...el,
-        secretValueHidden: !getHasSecretReadAccess(secretApprovalRequest.environment, el.tags, secretPath?.[0]?.path),
+        secretValueHidden: !getHasSecretReadAccess(
+          secretApprovalRequest.policy.shouldCheckSecretPermission,
+          secretApprovalRequest.environment,
+          el.tags,
+          secretPath?.[0]?.path
+        ),
        ...decryptSecretWithBot(el, botKey),
        secret: el.secret
          ? {
@@ -952,13 +989,39 @@ export const secretApprovalRequestServiceFactory = ({
    if (!folder) {
      throw new NotFoundError({ message: `Folder with ID '${folderId}' not found in project with ID '${projectId}'` });
    }
+
+    const { secrets } = mergeStatus;
+
    await secretQueueService.syncSecrets({
      projectId,
      orgId: actorOrgId,
      secretPath: folder.path,
      environmentSlug: folder.environmentSlug,
      actorId,
-      actor
+      actor,
+      event: {
+        created: secrets.created.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        })),
+        updated: secrets.updated.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        })),
+        deleted: secrets.deleted.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        }))
+      }
    });

    if (isSoftEnforcement) {
@@ -1421,6 +1484,7 @@ export const secretApprovalRequestServiceFactory = ({

    const commits: Omit<TSecretApprovalRequestsSecretsV2Insert, "requestId">[] = [];
    const commitTagIds: Record<string, string[]> = {};
+    const existingTagIds: Record<string, string[]> = {};

    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
@@ -1486,6 +1550,11 @@ export const secretApprovalRequestServiceFactory = ({
          type: SecretType.Shared
        }))
      );
+
+      secretsToUpdateStoredInDB.forEach((el) => {
+        if (el.tags?.length) existingTagIds[el.key] = el.tags.map((i) => i.id);
+      });
+
      if (secretsToUpdateStoredInDB.length !== secretsToUpdate.length)
        throw new NotFoundError({
          message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
@@ -1529,7 +1598,10 @@ export const secretApprovalRequestServiceFactory = ({
            secretMetadata
          }) => {
            const secretId = updatingSecretsGroupByKey[secretKey][0].id;
-            if (tagIds?.length) commitTagIds[newSecretName ?? secretKey] = tagIds;
+            if (tagIds?.length || existingTagIds[secretKey]?.length) {
+              commitTagIds[newSecretName ?? secretKey] = tagIds || existingTagIds[secretKey];
+            }
+
            return {
              ...latestSecretVersions[secretId],
              secretMetadata,
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
@@ -2,6 +2,7 @@ import { AxiosError } from "axios";

 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";

 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
@@ -13,9 +14,11 @@ import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
 import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
+import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
-import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
+import { TSecretRotationV2ServiceFactory, TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
 import {
+  TSecretRotationRotateSecretsJobPayload,
  TSecretRotationV2,
  TSecretRotationV2GeneratedCredentials,
  TSecretRotationV2ListItem,
@@ -74,6 +77,10 @@ export const getNextUtcRotationInterval = (rotateAtUtc?: TSecretRotationV2["rota
  const appCfg = getConfig();

  if (appCfg.isRotationDevelopmentMode) {
+    if (appCfg.isTestMode) {
+      // if its test mode, it should always rotate
+      return new Date(Date.now() + 365 * 24 * 60 * 60 * 1000); // Current time + 1 year
+    }
    return getNextUTCMinuteInterval(rotateAtUtc);
  }

@@ -263,3 +270,51 @@ export const throwOnImmutableParameterUpdate = (
    // do nothing
  }
 };
+
+export const rotateSecretsFns = async ({
+  job,
+  secretRotationV2DAL,
+  secretRotationV2Service
+}: {
+  job: {
+    data: TSecretRotationRotateSecretsJobPayload;
+    id: string;
+    retryCount: number;
+    retryLimit: number;
+  };
+  secretRotationV2DAL: Pick<TSecretRotationV2DALFactory, "findById">;
+  secretRotationV2Service: Pick<TSecretRotationV2ServiceFactory, "rotateGeneratedCredentials">;
+}) => {
+  const { rotationId, queuedAt, isManualRotation } = job.data;
+  const { retryCount, retryLimit } = job;
+
+  const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
+
+  try {
+    const secretRotation = await secretRotationV2DAL.findById(rotationId);
+
+    if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
+
+    if (!secretRotation.isAutoRotationEnabled) {
+      logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
+    }
+
+    if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
+      // rotated since being queued, skip rotation
+      logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
+      return;
+    }
+
+    await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
+      jobId: job.id,
+      shouldSendNotification: true,
+      isFinalAttempt: retryCount === retryLimit,
+      isManualRotation
+    });
+
+    logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
+  } catch (error) {
+    logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
+    throw error;
+  }
+};
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
@@ -1,9 +1,12 @@
+import { v4 as uuidv4 } from "uuid";
+
 import { ProjectMembershipRole } from "@app/db/schemas";
 import { TSecretRotationV2DALFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-dal";
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
  getNextUtcRotationInterval,
-  getSecretRotationRotateSecretJobOptions
+  getSecretRotationRotateSecretJobOptions,
+  rotateSecretsFns
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-fns";
 import { SECRET_ROTATION_NAME_MAP } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
@@ -63,14 +66,34 @@ export const secretRotationV2QueueServiceFactory = async ({
              rotation.lastRotatedAt
            ).toISOString()}] [rotateAt=${new Date(rotation.nextRotationAt!).toISOString()}]`
          );
-          await queueService.queuePg(
-            QueueJobs.SecretRotationV2RotateSecrets,
-            {
-              rotationId: rotation.id,
-              queuedAt: currentTime
-            },
-            getSecretRotationRotateSecretJobOptions(rotation)
-          );
+
+          const data = {
+            rotationId: rotation.id,
+            queuedAt: currentTime
+          } as TSecretRotationRotateSecretsJobPayload;
+
+          if (appCfg.isTestMode) {
+            logger.warn("secretRotationV2Queue: Manually rotating secrets for test mode");
+            await rotateSecretsFns({
+              job: {
+                id: uuidv4(),
+                data,
+                retryCount: 0,
+                retryLimit: 0
+              },
+              secretRotationV2DAL,
+              secretRotationV2Service
+            });
+          } else {
+            await queueService.queuePg(
+              QueueJobs.SecretRotationV2RotateSecrets,
+              {
+                rotationId: rotation.id,
+                queuedAt: currentTime
+              },
+              getSecretRotationRotateSecretJobOptions(rotation)
+            );
+          }
        }
      } catch (error) {
        logger.error(error, "secretRotationV2Queue: Queue Rotations Error:");
@@ -87,38 +110,14 @@ export const secretRotationV2QueueServiceFactory = async ({
  await queueService.startPg<QueueName.SecretRotationV2>(
    QueueJobs.SecretRotationV2RotateSecrets,
    async ([job]) => {
-      const { rotationId, queuedAt, isManualRotation } = job.data as TSecretRotationRotateSecretsJobPayload;
-      const { retryCount, retryLimit } = job;
-
-      const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
-
-      try {
-        const secretRotation = await secretRotationV2DAL.findById(rotationId);
-
-        if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
-
-        if (!secretRotation.isAutoRotationEnabled) {
-          logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
-        }
-
-        if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
-          // rotated since being queued, skip rotation
-          logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
-          return;
-        }
-
-        await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
-          jobId: job.id,
-          shouldSendNotification: true,
-          isFinalAttempt: retryCount === retryLimit,
-          isManualRotation
-        });
-
-        logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
-      } catch (error) {
-        logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
-        throw error;
-      }
+      await rotateSecretsFns({
+        job: {
+          ...job,
+          data: job.data as TSecretRotationRotateSecretsJobPayload
+        },
+        secretRotationV2DAL,
+        secretRotationV2Service
+      });
    },
    {
      batchSize: 1,
--- a/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts
+++ b/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts
@@ -58,9 +58,9 @@ export function scanDirectory(inputPath: string, outputPath: string, configPath?
  });
 }

-export function scanFile(inputPath: string): Promise<void> {
+export function scanFile(inputPath: string, configPath?: string): Promise<void> {
  return new Promise((resolve, reject) => {
-    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git`;
+    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git ${configPath ? `-c ${configPath}` : ""}`;
    exec(command, (error) => {
      if (error && error.code === 77) {
        reject(error);
@@ -166,6 +166,20 @@ export const parseScanErrorMessage = (err: unknown): string => {
    : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };

+const generateSecretValuePolicyConfiguration = (entropy: number): string => `
+# Extend default configuration to preserve existing rules
+[extend]
+useDefault = true
+
+# Add custom high-entropy rule
+[[rules]]
+id = "high-entropy"
+description = "Will scan for high entropy secrets"
+regex = '''.*'''
+entropy = ${entropy}
+keywords = []
+`;
+
 export const scanSecretPolicyViolations = async (
  projectId: string,
  secretPath: string,
@@ -188,14 +202,25 @@ export const scanSecretPolicyViolations = async (

  const tempFolder = await createTempFolder();
  try {
+    const configPath = join(tempFolder, "infisical-scan.toml");
+
+    const secretPolicyConfiguration = generateSecretValuePolicyConfiguration(
+      appCfg.PARAMS_FOLDER_SECRET_DETECTION_ENTROPY
+    );
+
+    await writeTextToFile(configPath, secretPolicyConfiguration);
+
    const scanPromises = secrets
      .filter((secret) => !ignoreValues.includes(secret.secretValue))
      .map(async (secret) => {
-        const secretFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
-        await writeTextToFile(secretFilePath, `${secret.secretKey}=${secret.secretValue}`);
+        const secretKeyValueFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        const secretValueOnlyFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        await writeTextToFile(secretKeyValueFilePath, `${secret.secretKey}=${secret.secretValue}`);
+        await writeTextToFile(secretValueOnlyFilePath, secret.secretValue);

        try {
-          await scanFile(secretFilePath);
+          await scanFile(secretKeyValueFilePath);
+          await scanFile(secretValueOnlyFilePath, configPath);
        } catch (error) {
          throw new BadRequestError({
            message: `Secret value detected in ${secret.secretKey}. Please add this instead to the designated secrets path in the project.`,
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -2491,6 +2491,7 @@ export const SecretSyncs = {
    },
    RENDER: {
      serviceId: "The ID of the Render service to sync secrets to.",
+      environmentGroupId: "The ID of the Render environment group to sync secrets to.",
      scope: "The Render scope that secrets should be synced to.",
      type: "The Render resource type to sync secrets to."
    },
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -79,6 +79,7 @@ const envSchema = z
    QUEUE_WORKER_PROFILE: z.nativeEnum(QueueWorkerProfile).default(QueueWorkerProfile.All),
    HTTPS_ENABLED: zodStrBool,
    ROTATION_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
+    DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
    // smtp options
    SMTP_HOST: zpStr(z.string().optional()),
    SMTP_IGNORE_TLS: zodStrBool.default("false"),
@@ -215,6 +216,7 @@ const envSchema = z
          return JSON.parse(val) as { secretPath: string; projectId: string }[];
        })
    ),
+    PARAMS_FOLDER_SECRET_DETECTION_ENTROPY: z.coerce.number().optional().default(3.7),

    // HSM
    HSM_LIB_PATH: zpStr(z.string().optional()),
@@ -346,7 +348,11 @@ const envSchema = z
    isSmtpConfigured: Boolean(data.SMTP_HOST),
    isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
    isDevelopmentMode: data.NODE_ENV === "development",
-    isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
+    isTestMode: data.NODE_ENV === "test",
+    isRotationDevelopmentMode:
+      (data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE) || data.NODE_ENV === "test",
+    isDailyResourceCleanUpDevelopmentMode:
+      data.NODE_ENV === "development" && data.DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE,
    isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
    isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
    REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()
--- a/backend/src/lib/template/dot-access.ts
+++ b/backend/src/lib/template/dot-access.ts
@@ -1,11 +1,11 @@
 /**
 * Safely retrieves a value from a nested object using dot notation path
 */
-export const getStringValueByDot = (
+export const getValueByDot = (
  obj: Record<string, unknown> | null | undefined,
  path: string,
-  defaultValue?: string
-): string | undefined => {
+  defaultValue?: string | number | boolean
+): string | number | boolean | undefined => {
  // Handle null or undefined input
  if (!obj) {
    return defaultValue;
@@ -26,7 +26,7 @@ export const getStringValueByDot = (
    current = (current as Record<string, unknown>)[part];
  }

-  if (typeof current !== "string") {
+  if (typeof current !== "string" && typeof current !== "number" && typeof current !== "boolean") {
    return defaultValue;
  }

--- a/backend/src/lib/workflow-integrations/trigger-notification.ts
+++ b/backend/src/lib/workflow-integrations/trigger-notification.ts
@@ -20,7 +20,10 @@ export const triggerWorkflowIntegrationNotification = async (dto: TTriggerWorkfl
    const slackConfig = await projectSlackConfigDAL.getIntegrationDetailsByProject(projectId);

    if (slackConfig) {
-      if (notification.type === TriggerFeature.ACCESS_REQUEST) {
+      if (
+        notification.type === TriggerFeature.ACCESS_REQUEST ||
+        notification.type === TriggerFeature.ACCESS_REQUEST_UPDATED
+      ) {
        const targetChannelIds = slackConfig.accessRequestChannels?.split(", ") || [];
        if (targetChannelIds.length && slackConfig.isAccessRequestNotificationEnabled) {
          await sendSlackNotification({
@@ -50,7 +53,10 @@ export const triggerWorkflowIntegrationNotification = async (dto: TTriggerWorkfl
    }

    if (microsoftTeamsConfig) {
-      if (notification.type === TriggerFeature.ACCESS_REQUEST) {
+      if (
+        notification.type === TriggerFeature.ACCESS_REQUEST ||
+        notification.type === TriggerFeature.ACCESS_REQUEST_UPDATED
+      ) {
        if (microsoftTeamsConfig.isAccessRequestNotificationEnabled && microsoftTeamsConfig.accessRequestChannels) {
          const { success, data } = validateMicrosoftTeamsChannelsSchema.safeParse(
            microsoftTeamsConfig.accessRequestChannels
--- a/backend/src/lib/workflow-integrations/types.ts
+++ b/backend/src/lib/workflow-integrations/types.ts
@@ -6,7 +6,8 @@ import { TProjectSlackConfigDALFactory } from "@app/services/slack/project-slack

 export enum TriggerFeature {
  SECRET_APPROVAL = "secret-approval",
-  ACCESS_REQUEST = "access-request"
+  ACCESS_REQUEST = "access-request",
+  ACCESS_REQUEST_UPDATED = "access-request-updated"
 }

 export type TNotification =
@@ -34,6 +35,22 @@ export type TNotification =
        approvalUrl: string;
        note?: string;
      };
+    }
+  | {
+      type: TriggerFeature.ACCESS_REQUEST_UPDATED;
+      payload: {
+        requesterFullName: string;
+        requesterEmail: string;
+        isTemporary: boolean;
+        secretPath: string;
+        environment: string;
+        projectName: string;
+        permissions: string[];
+        approvalUrl: string;
+        editNote?: string;
+        editorFullName?: string;
+        editorEmail?: string;
+      };
    };

 export type TTriggerWorkflowNotificationDTO = {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -45,6 +45,8 @@ import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { HsmModule } from "@app/ee/services/hsm/hsm-types";
+import { identityAuthTemplateDALFactory } from "@app/ee/services/identity-auth-template/identity-auth-template-dal";
+import { identityAuthTemplateServiceFactory } from "@app/ee/services/identity-auth-template/identity-auth-template-service";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
@@ -179,8 +181,6 @@ import { identityAccessTokenDALFactory } from "@app/services/identity-access-tok
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { identityAliCloudAuthDALFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-dal";
 import { identityAliCloudAuthServiceFactory } from "@app/services/identity-alicloud-auth/identity-alicloud-auth-service";
-import { identityAuthTemplateDALFactory } from "@app/ee/services/identity-auth-template/identity-auth-template-dal";
-import { identityAuthTemplateServiceFactory } from "@app/ee/services/identity-auth-template/identity-auth-template-service";
 import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
 import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { identityAzureAuthDALFactory } from "@app/services/identity-azure-auth/identity-azure-auth-dal";
@@ -560,8 +560,7 @@ export const registerRoutes = async (
    queueService,
    projectDAL,
    licenseService,
-    auditLogStreamDAL,
-    eventBusService
+    auditLogStreamDAL
  });

  const auditLogService = auditLogServiceFactory({ auditLogDAL, permissionService, auditLogQueue });
@@ -727,7 +726,8 @@ export const registerRoutes = async (
    permissionService,
    groupProjectDAL,
    smtpService,
-    projectMembershipDAL
+    projectMembershipDAL,
+    userAliasDAL
  });

  const totpService = totpServiceFactory({
@@ -849,8 +849,6 @@ export const registerRoutes = async (
    projectDAL,
    permissionService,
    projectUserMembershipRoleDAL,
-    projectBotDAL,
-    projectKeyDAL,
    projectMembershipDAL
  });

@@ -1123,7 +1121,9 @@ export const registerRoutes = async (
    resourceMetadataDAL,
    folderCommitService,
    secretSyncQueue,
-    reminderService
+    reminderService,
+    eventBusService,
+    licenseService
  });

  const projectService = projectServiceFactory({
@@ -1974,7 +1974,7 @@ export const registerRoutes = async (

  await telemetryQueue.startTelemetryCheck();
  await telemetryQueue.startAggregatedEventsJob();
-  await dailyResourceCleanUp.startCleanUp();
+  await dailyResourceCleanUp.init();
  await dailyReminderQueueService.startDailyRemindersJob();
  await dailyReminderQueueService.startSecretReminderMigrationJob();
  await dailyExpiringPkiItemAlert.startSendingAlerts();
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@@ -583,16 +583,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
        email: z.string().email().trim(),
        password: z.string().trim(),
        firstName: z.string().trim(),
-        lastName: z.string().trim().optional(),
-        protectedKey: z.string().trim(),
-        protectedKeyIV: z.string().trim(),
-        protectedKeyTag: z.string().trim(),
-        publicKey: z.string().trim(),
-        encryptedPrivateKey: z.string().trim(),
-        encryptedPrivateKeyIV: z.string().trim(),
-        encryptedPrivateKeyTag: z.string().trim(),
-        salt: z.string().trim(),
-        verifier: z.string().trim()
+        lastName: z.string().trim().optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/app-connection-routers/render-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/render-connection-router.ts
@@ -49,4 +49,32 @@ export const registerRenderConnectionRouter = async (server: FastifyZodProvider)
      return services;
    }
  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/environment-groups`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const groups = await server.services.appConnection.render.listEnvironmentGroups(connectionId, req.permission);
+
+      return groups;
+    }
+  });
 };
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@@ -67,7 +67,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
        })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT], { requireOrg: false }),
    handler: () => ({ message: "Authenticated" as const })
  });

--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import { z } from "zod";

 import { SecretFoldersSchema, SecretImportsSchema, UsersSchema } from "@app/db/schemas";
+import { RemindersSchema } from "@app/db/schemas/reminders";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionSecretActions } from "@app/ee/services/permission/project-permission";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -628,7 +629,10 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
              secretValueHidden: z.boolean(),
              secretPath: z.string().optional(),
              secretMetadata: ResourceMetadataSchema.optional(),
-              tags: SanitizedTagSchema.array().optional()
+              tags: SanitizedTagSchema.array().optional(),
+              reminder: RemindersSchema.extend({
+                recipients: z.string().array().optional()
+              }).nullish()
            })
            .array()
            .optional(),
@@ -706,7 +710,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {

      let imports: Awaited<ReturnType<typeof server.services.secretImport.getImports>> | undefined;
      let folders: Awaited<ReturnType<typeof server.services.folder.getFolders>> | undefined;
-      let secrets: Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"] | undefined;
+      let secrets:
+        | (Awaited<ReturnType<typeof server.services.secret.getSecretsRaw>>["secrets"][number] & {
+            reminder: Awaited<ReturnType<typeof server.services.reminder.getRemindersForDashboard>>[string] | null;
+          })[]
+        | undefined;
      let dynamicSecrets: Awaited<ReturnType<typeof server.services.dynamicSecret.listDynamicSecretsByEnv>> | undefined;
      let secretRotations:
        | Awaited<ReturnType<typeof server.services.secretRotationV2.getDashboardSecretRotations>>
@@ -904,7 +912,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          });

          if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
-            secrets = (
+            const rawSecrets = (
              await server.services.secret.getSecretsRaw({
                actorId: req.permission.id,
                actor: req.permission.type,
@@ -925,6 +933,15 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
                includeMetadataInSearch: true
              })
            ).secrets;
+
+            const reminders = await server.services.reminder.getRemindersForDashboard(
+              rawSecrets.map((secret) => secret.id)
+            );
+
+            secrets = rawSecrets.map((secret) => ({
+              ...secret,
+              reminder: reminders[secret.id] ?? null
+            }));
          }
        }
      } catch (error) {
--- a/backend/src/server/routes/v1/event-router.ts
+++ b/backend/src/server/routes/v1/event-router.ts
@@ -5,8 +5,8 @@ import { z } from "zod";

 import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { getServerSentEventsHeaders } from "@app/ee/services/event/event-sse-stream";
-import { EventRegisterSchema } from "@app/ee/services/event/types";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { EventRegisterSchema, Mappings } from "@app/ee/services/event/types";
+import { ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { ApiDocsTags, EventSubscriptions } from "@app/lib/api-docs";
 import { BadRequestError, ForbiddenRequestError, RateLimitError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -82,21 +82,19 @@ export const registerEventRouter = async (server: FastifyZodProvider) => {
            req.body.register.forEach((r) => {
              const fields = {
                environment: r.conditions?.environmentSlug ?? "",
-                secretPath: r.conditions?.secretPath ?? "/",
-                eventType: r.event
+                secretPath: r.conditions?.secretPath ?? "/"
              };

-              const allowed = info.permission.can(
-                ProjectPermissionSecretActions.Subscribe,
-                subject(ProjectPermissionSub.Secrets, fields)
-              );
+              const action = Mappings.BusEventToAction(r.event);
+
+              const allowed = info.permission.can(action, subject(ProjectPermissionSub.SecretEvents, fields));

              if (!allowed) {
                throw new ForbiddenRequestError({
                  name: "PermissionDenied",
-                  message: `You are not allowed to subscribe on secrets`,
+                  message: `You are not allowed to subscribe on ${ProjectPermissionSub.SecretEvents}`,
                  details: {
-                    event: fields.eventType,
+                    action,
                    environmentSlug: fields.environment,
                    secretPath: fields.secretPath
                  }
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -478,4 +478,30 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      return { identityMemberships };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/details",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          identityDetails: z.object({
+            organization: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            })
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN], { requireOrg: false }),
+    handler: async (req) => {
+      const organization = await server.services.org.findIdentityOrganization(req.permission.id);
+      return { identityDetails: { organization } };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -279,6 +279,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        name: GenericResourceNameSchema.optional(),
        slug: slugSchema({ max: 64 }).optional(),
        authEnforced: z.boolean().optional(),
+        googleSsoAuthEnforced: z.boolean().optional(),
        scimEnabled: z.boolean().optional(),
        defaultMembershipRoleSlug: slugSchema({ max: 64, field: "Default Membership Role" }).optional(),
        enforceMfa: z.boolean().optional(),
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@@ -108,7 +108,11 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
              firstName: true,
              lastName: true,
              id: true
-            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            })
+              .merge(UserEncryptionKeysSchema.pick({ publicKey: true }))
+              .extend({
+                isOrgMembershipActive: z.boolean()
+              }),
            project: SanitizedProjectSchema.pick({ name: true, id: true }),
            roles: z.array(
              z.object({
--- a/backend/src/server/routes/v1/secret-folder-router.ts
+++ b/backend/src/server/routes/v1/secret-folder-router.ts
@@ -45,7 +45,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
          .transform(removeTrailingSlash)
          .describe(FOLDERS.CREATE.path)
          .optional(),
-        // backward compatiability with cli
+        // backward compatibility with cli
        directory: z
          .string()
          .trim()
@@ -58,7 +58,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      }),
      response: {
        200: z.object({
-          folder: SecretFoldersSchema
+          folder: SecretFoldersSchema.extend({
+            path: z.string()
+          })
        })
      }
    },
@@ -130,7 +132,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
          .transform(removeTrailingSlash)
          .describe(FOLDERS.UPDATE.path)
          .optional(),
-        // backward compatiability with cli
+        // backward compatibility with cli
        directory: z
          .string()
          .trim()
@@ -143,7 +145,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
      }),
      response: {
        200: z.object({
-          folder: SecretFoldersSchema
+          folder: SecretFoldersSchema.extend({
+            path: z.string()
+          })
        })
      }
    },
@@ -359,7 +363,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
          .transform(removeTrailingSlash)
          .describe(FOLDERS.LIST.path)
          .optional(),
-        // backward compatiability with cli
+        // backward compatibility with cli
        directory: z
          .string()
          .trim()
--- a/backend/src/server/routes/v1/sso-router.ts
+++ b/backend/src/server/routes/v1/sso-router.ts
@@ -54,6 +54,8 @@ export const registerOauthMiddlewares = (server: FastifyZodProvider) => {
          try {
            // @ts-expect-error this is because this is express type and not fastify
            const callbackPort = req.session.get("callbackPort");
+            // @ts-expect-error this is because this is express type and not fastify
+            const orgSlug = req.session.get("orgSlug");

            const email = profile?.emails?.[0]?.value;
            if (!email)
@@ -67,7 +69,8 @@ export const registerOauthMiddlewares = (server: FastifyZodProvider) => {
              firstName: profile?.name?.givenName || "",
              lastName: profile?.name?.familyName || "",
              authMethod: AuthMethod.GOOGLE,
-              callbackPort
+              callbackPort,
+              orgSlug
            });
            cb(null, { isUserCompleted, providerAuthToken });
          } catch (error) {
@@ -215,6 +218,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
    schema: {
      querystring: z.object({
        callback_port: z.string().optional(),
+        org_slug: z.string().optional(),
        is_admin_login: z
          .string()
          .optional()
@@ -223,12 +227,15 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
    },
    preValidation: [
      async (req, res) => {
-        const { callback_port: callbackPort, is_admin_login: isAdminLogin } = req.query;
+        const { callback_port: callbackPort, is_admin_login: isAdminLogin, org_slug: orgSlug } = req.query;
        // ensure fresh session state per login attempt
        await req.session.regenerate();
        if (callbackPort) {
          req.session.set("callbackPort", callbackPort);
        }
+        if (orgSlug) {
+          req.session.set("orgSlug", orgSlug);
+        }
        if (isAdminLogin) {
          req.session.set("isAdminLogin", isAdminLogin);
        }
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@@ -283,6 +283,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
+      description: "Get project details by slug",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      params: z.object({
        slug: slugSchema({ max: 36 }).describe("The slug of the project to get.")
      }),
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -18,14 +18,14 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        username: z.string().trim()
+        token: z.string().trim()
      }),
      response: {
        200: z.object({})
      }
    },
    handler: async (req) => {
-      await server.services.user.sendEmailVerificationCode(req.body.username);
+      await server.services.user.sendEmailVerificationCode(req.body.token);
      return {};
    }
  });
--- a/backend/src/server/routes/v3/external-migration-router.ts
+++ b/backend/src/server/routes/v3/external-migration-router.ts
@@ -19,7 +19,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const data = await req.file({
        limits: {
@@ -69,7 +69,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
        mappingType: z.nativeEnum(VaultMappingType)
      })
    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      await server.services.migration.importVaultData({
        actorId: req.permission.id,
--- a/backend/src/services/app-connection/github/github-connection-fns.ts
+++ b/backend/src/services/app-connection/github/github-connection-fns.ts
@@ -1,5 +1,3 @@
-import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
 import { AxiosError, AxiosRequestConfig, AxiosResponse } from "axios";
 import https from "https";
 import RE2 from "re2";
@@ -8,6 +6,7 @@ import { verifyHostInputValidity } from "@app/ee/services/dynamic-secret/dynamic
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { getConfig } from "@app/lib/config/env";
 import { request as httpRequest } from "@app/lib/config/request";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, InternalServerError } from "@app/lib/errors";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
@@ -114,10 +113,13 @@ export const requestWithGitHubGateway = async <T>(
  );
 };

-export const getGitHubAppAuthToken = async (appConnection: TGitHubConnection) => {
+export const getGitHubAppAuthToken = async (
+  appConnection: TGitHubConnection,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
  const appCfg = getConfig();
  const appId = appCfg.INF_APP_CONNECTION_GITHUB_APP_ID;
-  const appPrivateKey = appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;
+  let appPrivateKey = appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY;

  if (!appId || !appPrivateKey) {
    throw new InternalServerError({
@@ -125,33 +127,65 @@ export const getGitHubAppAuthToken = async (appConnection: TGitHubConnection) =>
    });
  }

+  appPrivateKey = appPrivateKey
+    .split("\n")
+    .map((line) => line.trim())
+    .join("\n");
+
  if (appConnection.method !== GitHubConnectionMethod.App) {
    throw new InternalServerError({ message: "Cannot generate GitHub App token for non-app connection" });
  }

-  const appAuth = createAppAuth({
-    appId,
-    privateKey: appPrivateKey,
-    installationId: appConnection.credentials.installationId,
-    request: request.defaults({
-      baseUrl: `https://${await getGitHubInstanceApiUrl(appConnection)}`
-    })
-  });
+  const now = Math.floor(Date.now() / 1000);
+  const payload = {
+    iat: now,
+    exp: now + 5 * 60,
+    iss: appId
+  };

-  const { token } = await appAuth({ type: "installation" });
-  return token;
+  const appJwt = crypto.jwt().sign(payload, appPrivateKey, { algorithm: "RS256" });
+
+  const apiBaseUrl = await getGitHubInstanceApiUrl(appConnection);
+  const { installationId } = appConnection.credentials;
+
+  const response = await requestWithGitHubGateway<{ token: string; expires_at: string }>(
+    appConnection,
+    gatewayService,
+    {
+      url: `https://${apiBaseUrl}/app/installations/${installationId}/access_tokens`,
+      method: "POST",
+      headers: {
+        Accept: "application/vnd.github+json",
+        Authorization: `Bearer ${appJwt}`,
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    }
+  );
+
+  return response.data.token;
+};
+
+const parseGitHubLinkHeader = (linkHeader: string | undefined): Record<string, string> => {
+  if (!linkHeader) return {};
+
+  const links: Record<string, string> = {};
+  const segments = linkHeader.split(",");
+  const re = new RE2(/<([^>]+)>;\s*rel="([^"]+)"/);
+
+  for (const segment of segments) {
+    const match = re.exec(segment.trim());
+    if (match) {
+      const url = match[1];
+      const rel = match[2];
+      links[rel] = url;
+    }
+  }
+  return links;
 };

 function extractNextPageUrl(linkHeader: string | undefined): string | null {
-  if (!linkHeader) return null;
-
-  const links = linkHeader.split(",");
-  const nextLink = links.find((link) => link.includes('rel="next"'));
-
-  if (!nextLink) return null;
-
-  const match = new RE2(/<([^>]+)>/).exec(nextLink);
-  return match ? match[1] : null;
+  const links = parseGitHubLinkHeader(linkHeader);
+  return links.next || null;
 }

 export const makePaginatedGitHubRequest = async <T, R = T[]>(
@@ -163,28 +197,86 @@ export const makePaginatedGitHubRequest = async <T, R = T[]>(
  const { credentials, method } = appConnection;

  const token =
-    method === GitHubConnectionMethod.OAuth ? credentials.accessToken : await getGitHubAppAuthToken(appConnection);
-  let url: string | null = `https://${await getGitHubInstanceApiUrl(appConnection)}${path}`;
+    method === GitHubConnectionMethod.OAuth
+      ? credentials.accessToken
+      : await getGitHubAppAuthToken(appConnection, gatewayService);
+
+  const baseUrl = `https://${await getGitHubInstanceApiUrl(appConnection)}${path}`;
+  const initialUrlObj = new URL(baseUrl);
+  initialUrlObj.searchParams.set("per_page", "100");
+
  let results: T[] = [];
-  let i = 0;
+  const maxIterations = 1000;

-  while (url && i < 1000) {
-    // eslint-disable-next-line no-await-in-loop
-    const response: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
-      url,
-      method: "GET",
-      headers: {
-        Accept: "application/vnd.github+json",
-        Authorization: `Bearer ${token}`,
-        "X-GitHub-Api-Version": "2022-11-28"
-      }
-    });
+  // Make initial request to get link header
+  const firstResponse: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
+    url: initialUrlObj.toString(),
+    method: "GET",
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${token}`,
+      "X-GitHub-Api-Version": "2022-11-28"
+    }
+  });

-    const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
-    results = results.concat(items);
+  const firstPageItems = dataMapper ? dataMapper(firstResponse.data) : (firstResponse.data as unknown as T[]);
+  results = results.concat(firstPageItems);

-    url = extractNextPageUrl(response.headers.link as string | undefined);
-    i += 1;
+  const linkHeader = parseGitHubLinkHeader(firstResponse.headers.link as string | undefined);
+  const lastPageUrl = linkHeader.last;
+
+  // If there's a last page URL, get its page number and concurrently fetch every page starting from 2 to last
+  if (lastPageUrl) {
+    const lastPageParam = new URL(lastPageUrl).searchParams.get("page");
+    const totalPages = lastPageParam ? parseInt(lastPageParam, 10) : 1;
+
+    const pageRequests: Promise<AxiosResponse<R>>[] = [];
+
+    for (let pageNum = 2; pageNum <= totalPages && pageNum - 1 < maxIterations; pageNum += 1) {
+      const pageUrlObj = new URL(initialUrlObj.toString());
+      pageUrlObj.searchParams.set("page", pageNum.toString());
+
+      pageRequests.push(
+        requestWithGitHubGateway<R>(appConnection, gatewayService, {
+          url: pageUrlObj.toString(),
+          method: "GET",
+          headers: {
+            Accept: "application/vnd.github+json",
+            Authorization: `Bearer ${token}`,
+            "X-GitHub-Api-Version": "2022-11-28"
+          }
+        })
+      );
+    }
+    const responses = await Promise.all(pageRequests);
+
+    for (const response of responses) {
+      const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
+      results = results.concat(items);
+    }
+  } else {
+    // Fallback in case last link isn't present
+    let url: string | null = extractNextPageUrl(firstResponse.headers.link as string | undefined);
+    let i = 1;
+
+    while (url && i < maxIterations) {
+      // eslint-disable-next-line no-await-in-loop
+      const response: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
+        url,
+        method: "GET",
+        headers: {
+          Accept: "application/vnd.github+json",
+          Authorization: `Bearer ${token}`,
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      });
+
+      const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
+      results = results.concat(items);
+
+      url = extractNextPageUrl(response.headers.link as string | undefined);
+      i += 1;
+    }
  }

  return results;
--- a/backend/src/services/app-connection/render/render-connection-fns.ts
+++ b/backend/src/services/app-connection/render/render-connection-fns.ts
@@ -8,9 +8,11 @@ import { IntegrationUrls } from "@app/services/integration-auth/integration-list
 import { AppConnection } from "../app-connection-enums";
 import { RenderConnectionMethod } from "./render-connection-enums";
 import {
+  TRawRenderEnvironmentGroup,
  TRawRenderService,
  TRenderConnection,
  TRenderConnectionConfig,
+  TRenderEnvironmentGroup,
  TRenderService
 } from "./render-connection-types";

@@ -32,7 +34,11 @@ export const listRenderServices = async (appConnection: TRenderConnection): Prom
  const perPage = 100;
  let cursor;

+  let maxIterations = 10;
+
  while (hasMorePages) {
+    if (maxIterations <= 0) break;
+
    const res: TRawRenderService[] = (
      await request.get<TRawRenderService[]>(`${IntegrationUrls.RENDER_API_URL}/v1/services`, {
        params: new URLSearchParams({
@@ -59,6 +65,8 @@ export const listRenderServices = async (appConnection: TRenderConnection): Prom
    } else {
      cursor = res[res.length - 1].cursor;
    }
+
+    maxIterations -= 1;
  }

  return services;
@@ -86,3 +94,52 @@ export const validateRenderConnectionCredentials = async (config: TRenderConnect

  return inputCredentials;
 };
+
+export const listRenderEnvironmentGroups = async (
+  appConnection: TRenderConnection
+): Promise<TRenderEnvironmentGroup[]> => {
+  const {
+    credentials: { apiKey }
+  } = appConnection;
+
+  const groups: TRenderEnvironmentGroup[] = [];
+  let hasMorePages = true;
+  const perPage = 100;
+  let cursor;
+  let maxIterations = 10;
+
+  while (hasMorePages) {
+    if (maxIterations <= 0) break;
+
+    const res: TRawRenderEnvironmentGroup[] = (
+      await request.get<TRawRenderEnvironmentGroup[]>(`${IntegrationUrls.RENDER_API_URL}/v1/env-groups`, {
+        params: new URLSearchParams({
+          ...(cursor ? { cursor: String(cursor) } : {}),
+          limit: String(perPage)
+        }),
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          Accept: "application/json",
+          "Accept-Encoding": "application/json"
+        }
+      })
+    ).data;
+
+    res.forEach((item) => {
+      groups.push({
+        name: item.envGroup.name,
+        id: item.envGroup.id
+      });
+    });
+
+    if (res.length < perPage) {
+      hasMorePages = false;
+    } else {
+      cursor = res[res.length - 1].cursor;
+    }
+
+    maxIterations -= 1;
+  }
+
+  return groups;
+};
--- a/backend/src/services/app-connection/render/render-connection-service.ts
+++ b/backend/src/services/app-connection/render/render-connection-service.ts
@@ -2,7 +2,7 @@ import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";

 import { AppConnection } from "../app-connection-enums";
-import { listRenderServices } from "./render-connection-fns";
+import { listRenderEnvironmentGroups, listRenderServices } from "./render-connection-fns";
 import { TRenderConnection } from "./render-connection-types";

 type TGetAppConnectionFunc = (
@@ -24,7 +24,20 @@ export const renderConnectionService = (getAppConnection: TGetAppConnectionFunc)
    }
  };

+  const listEnvironmentGroups = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Render, connectionId, actor);
+    try {
+      const groups = await listRenderEnvironmentGroups(appConnection);
+
+      return groups;
+    } catch (error) {
+      logger.error(error, "Failed to list environment groups for Render connection");
+      return [];
+    }
+  };
+
  return {
-    listServices
+    listServices,
+    listEnvironmentGroups
  };
 };
--- a/backend/src/services/app-connection/render/render-connection-types.ts
+++ b/backend/src/services/app-connection/render/render-connection-types.ts
@@ -33,3 +33,16 @@ export type TRawRenderService = {
    name: string;
  };
 };
+
+export type TRenderEnvironmentGroup = {
+  name: string;
+  id: string;
+};
+
+export type TRawRenderEnvironmentGroup = {
+  cursor: string;
+  envGroup: {
+    id: string;
+    name: string;
+  };
+};
--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@@ -75,7 +75,7 @@ export const getTokenConfig = (tokenType: TokenType) => {
 };

 export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAuthTokenServiceFactoryDep) => {
-  const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
+  const createTokenForUser = async ({ type, userId, orgId, aliasId }: TCreateTokenForUserDTO) => {
    const { token, ...tkCfg } = getTokenConfig(type);
    const appCfg = getConfig();
    const tokenHash = await crypto.hashing().createHash(token, appCfg.SALT_ROUNDS);
@@ -88,7 +88,8 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
          type,
          userId,
          orgId,
-          triesLeft: tkCfg?.triesLeft
+          triesLeft: tkCfg?.triesLeft,
+          aliasId
        },
        tx
      );
--- a/backend/src/services/auth-token/auth-token-types.ts
+++ b/backend/src/services/auth-token/auth-token-types.ts
@@ -14,6 +14,7 @@ export type TCreateTokenForUserDTO = {
  type: TokenType;
  userId: string;
  orgId?: string;
+  aliasId?: string;
 };

 export type TCreateOrgInviteTokenDTO = {
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -148,9 +148,15 @@ export const authLoginServiceFactory = ({

    if (organizationId) {
      const org = await orgDAL.findById(organizationId);
-      if (org && org.userTokenExpiration) {
-        tokenSessionExpiresIn = getMinExpiresIn(cfg.JWT_AUTH_LIFETIME, org.userTokenExpiration);
-        refreshTokenExpiresIn = org.userTokenExpiration;
+      if (org) {
+        await orgMembershipDAL.update(
+          { userId: user.id, orgId: org.id },
+          { lastLoginAuthMethod: authMethod, lastLoginTime: new Date() }
+        );
+        if (org.userTokenExpiration) {
+          tokenSessionExpiresIn = getMinExpiresIn(cfg.JWT_AUTH_LIFETIME, org.userTokenExpiration);
+          refreshTokenExpiresIn = org.userTokenExpiration;
+        }
      }
    }

@@ -442,15 +448,41 @@ export const authLoginServiceFactory = ({

    // Check if the user actually has access to the specified organization.
    const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
-    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId && org.userStatus !== "invited");
+
+    const selectedOrgMembership = userOrgs.find((org) => org.id === organizationId && org.userStatus !== "invited");
+
    const selectedOrg = await orgDAL.findById(organizationId);

-    if (!hasOrganizationMembership) {
+    // Check if authEnforced is true, if that's the case, throw an error
+    if (selectedOrg.authEnforced) {
+      throw new BadRequestError({
+        message: "Authentication is required by your organization before you can log in."
+      });
+    }
+
+    if (!selectedOrgMembership) {
      throw new ForbiddenRequestError({
        message: `User does not have access to the organization named ${selectedOrg?.name}`
      });
    }

+    if (selectedOrg.googleSsoAuthEnforced && decodedToken.authMethod !== AuthMethod.GOOGLE) {
+      const canBypass = selectedOrg.bypassOrgAuthEnabled && selectedOrgMembership.userRole === OrgMembershipRole.Admin;
+
+      if (!canBypass) {
+        throw new ForbiddenRequestError({
+          message: "Google SSO is enforced for this organization. Please use Google SSO to login.",
+          error: "GoogleSsoEnforced"
+        });
+      }
+    }
+
+    if (decodedToken.authMethod === AuthMethod.GOOGLE) {
+      await orgDAL.updateById(selectedOrg.id, {
+        googleSsoAuthLastUsed: new Date()
+      });
+    }
+
    const shouldCheckMfa = selectedOrg.enforceMfa || user.isMfaEnabled;
    const orgMfaMethod = selectedOrg.enforceMfa ? (selectedOrg.selectedMfaMethod ?? MfaMethod.EMAIL) : undefined;
    const userMfaMethod = user.isMfaEnabled ? (user.selectedMfaMethod ?? MfaMethod.EMAIL) : undefined;
@@ -496,7 +528,8 @@ export const authLoginServiceFactory = ({
      selectedOrg.authEnforced &&
      selectedOrg.bypassOrgAuthEnabled &&
      !isAuthMethodSaml(decodedToken.authMethod) &&
-      decodedToken.authMethod !== AuthMethod.OIDC
+      decodedToken.authMethod !== AuthMethod.OIDC &&
+      decodedToken.authMethod !== AuthMethod.GOOGLE
    ) {
      await auditLogService.createAuditLog({
        orgId: organizationId,
@@ -699,7 +732,7 @@ export const authLoginServiceFactory = ({
  /*
   * OAuth2 login for google,github, and other oauth2 provider
   * */
-  const oauth2Login = async ({ email, firstName, lastName, authMethod, callbackPort }: TOauthLoginDTO) => {
+  const oauth2Login = async ({ email, firstName, lastName, authMethod, callbackPort, orgSlug }: TOauthLoginDTO) => {
    // akhilmhdh: case sensitive email resolution
    const usersByUsername = await userDAL.findUserByUsername(email);
    let user = usersByUsername?.length > 1 ? usersByUsername.find((el) => el.username === email) : usersByUsername?.[0];
@@ -753,6 +786,8 @@ export const authLoginServiceFactory = ({

    const appCfg = getConfig();

+    let orgId = "";
+    let orgName: undefined | string;
    if (!user) {
      // Create a new user based on oAuth
      if (!serverCfg?.allowSignUp) throw new BadRequestError({ message: "Sign up disabled", name: "Oauth 2 login" });
@@ -778,7 +813,6 @@ export const authLoginServiceFactory = ({
      });

      if (authMethod === AuthMethod.GITHUB && serverCfg.defaultAuthOrgId && !appCfg.isCloud) {
-        let orgId = "";
        const defaultOrg = await orgDAL.findOrgById(serverCfg.defaultAuthOrgId);
        if (!defaultOrg) {
          throw new BadRequestError({
@@ -818,18 +852,45 @@ export const authLoginServiceFactory = ({
      }
    }

-    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
+    if (!orgId && orgSlug) {
+      const org = await orgDAL.findOrgBySlug(orgSlug);
+
+      if (org) {
+        // checks for the membership and only sets the orgId / orgName if the user is a member of the specified org
+        const orgMembership = await orgDAL.findMembership({
+          [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
+          [`${TableName.OrgMembership}.orgId` as "orgId"]: org.id,
+          [`${TableName.OrgMembership}.isActive` as "isActive"]: true,
+          [`${TableName.OrgMembership}.status` as "status"]: OrgMembershipStatus.Accepted
+        });
+
+        if (orgMembership) {
+          orgId = org.id;
+          orgName = org.name;
+        }
+      }
+    }
+
    const isUserCompleted = user.isAccepted;
    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
+
+        ...(orgId && orgSlug && orgName !== undefined
+          ? {
+              organizationId: orgId,
+              organizationName: orgName,
+              organizationSlug: orgSlug
+            }
+          : {}),
+
        username: user.username,
        email: user.email,
        isEmailVerified: user.isEmailVerified,
        firstName: user.firstName,
        lastName: user.lastName,
-        hasExchangedPrivateKey: Boolean(userEnc?.serverEncryptedPrivateKey),
+        hasExchangedPrivateKey: true,
        authMethod,
        isUserCompleted,
        ...(callbackPort
@@ -874,8 +935,7 @@ export const authLoginServiceFactory = ({
    const userEnc =
      usersByUsername?.length > 1 ? usersByUsername.find((el) => el.username === email) : usersByUsername?.[0];

-    if (!userEnc?.serverEncryptedPrivateKey)
-      throw new BadRequestError({ message: "Key handoff incomplete. Please try logging in again." });
+    if (!userEnc) throw new BadRequestError({ message: "User encryption not found" });

    const token = await generateUserTokens({
      user: { ...userEnc, id: userEnc.userId },
--- a/backend/src/services/auth/auth-login-type.ts
+++ b/backend/src/services/auth/auth-login-type.ts
@@ -32,6 +32,7 @@ export type TOauthLoginDTO = {
  lastName?: string;
  authMethod: AuthMethod;
  callbackPort?: string;
+  orgSlug?: string;
 };

 export type TOauthTokenExchangeDTO = {
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
@@ -32,8 +32,8 @@ import {
  keyAlgorithmToAlgCfg
 } from "../certificate-authority-fns";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
-import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";
 import { validateAndMapAltNameType } from "../certificate-authority-validators";
+import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";

 type TInternalCertificateAuthorityFnsDeps = {
  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa" | "findById">;
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
@@ -52,6 +52,7 @@ import {
 } from "../certificate-authority-fns";
 import { TCertificateAuthorityQueueFactory } from "../certificate-authority-queue";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";
 import { TInternalCertificateAuthorityDALFactory } from "./internal-certificate-authority-dal";
 import {
  TCreateCaDTO,
@@ -68,7 +69,6 @@ import {
  TSignIntermediateDTO,
  TUpdateCaDTO
 } from "./internal-certificate-authority-types";
-import { validateAndMapAltNameType } from "../certificate-authority-validators";

 type TInternalCertificateAuthorityServiceFactoryDep = {
  certificateAuthorityDAL: Pick<
--- a/backend/src/services/external-migration/external-migration-fns/vault.ts
+++ b/backend/src/services/external-migration/external-migration-fns/vault.ts
@@ -254,29 +254,26 @@ export const transformToInfisicalFormatNamespaceToProjects = (
    let currentFolderId: string | undefined;
    let currentPath = "";

-    if (path.includes("/")) {
-      const pathParts = path.split("/").filter(Boolean);
+    const pathParts = path.split("/").filter(Boolean);
+    const folderParts = pathParts;

-      const folderParts = pathParts;
+    // create nested folder structure for the entire path
+    for (const folderName of folderParts) {
+      currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
+      const folderKey = `${namespace}:${mount}:${currentPath}`;

-      // create nested folder structure for the entire path
-      for (const folderName of folderParts) {
-        currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
-        const folderKey = `${namespace}:${mount}:${currentPath}`;
-
-        if (!folderMap.has(folderKey)) {
-          const folderId = uuidv4();
-          folderMap.set(folderKey, folderId);
-          folders.push({
-            id: folderId,
-            name: folderName,
-            environmentId,
-            parentFolderId: currentFolderId || environmentId
-          });
-          currentFolderId = folderId;
-        } else {
-          currentFolderId = folderMap.get(folderKey)!;
-        }
+      if (!folderMap.has(folderKey)) {
+        const folderId = uuidv4();
+        folderMap.set(folderKey, folderId);
+        folders.push({
+          id: folderId,
+          name: folderName,
+          environmentId,
+          parentFolderId: currentFolderId || environmentId
+        });
+        currentFolderId = folderId;
+      } else {
+        currentFolderId = folderMap.get(folderKey)!;
      }
    }

--- a/backend/src/services/group-project/group-project-dal.ts
+++ b/backend/src/services/group-project/group-project-dal.ts
@@ -156,6 +156,7 @@ export const groupProjectDALFactory = (db: TDbClient) => {
        `${TableName.GroupProjectMembershipRole}.customRoleId`,
        `${TableName.ProjectRoles}.id`
      )
+      .join(TableName.OrgMembership, `${TableName.Users}.id`, `${TableName.OrgMembership}.userId`)
      .select(
        db.ref("id").withSchema(TableName.UserGroupMembership),
        db.ref("createdAt").withSchema(TableName.UserGroupMembership),
@@ -176,7 +177,8 @@ export const groupProjectDALFactory = (db: TDbClient) => {
        db.ref("temporaryRange").withSchema(TableName.GroupProjectMembershipRole),
        db.ref("temporaryAccessStartTime").withSchema(TableName.GroupProjectMembershipRole),
        db.ref("temporaryAccessEndTime").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("name").as("projectName").withSchema(TableName.Project)
+        db.ref("name").as("projectName").withSchema(TableName.Project),
+        db.ref("isActive").withSchema(TableName.OrgMembership)
      )
      .where({ isGhost: false });

@@ -192,7 +194,8 @@ export const groupProjectDALFactory = (db: TDbClient) => {
        id,
        userId,
        projectName,
-        createdAt
+        createdAt,
+        isActive
      }) => ({
        isGroupMember: true,
        id,
@@ -202,7 +205,7 @@ export const groupProjectDALFactory = (db: TDbClient) => {
          id: projectId,
          name: projectName
        },
-        user: { email, username, firstName, lastName, id: userId, publicKey, isGhost },
+        user: { email, username, firstName, lastName, id: userId, publicKey, isGhost, isOrgMembershipActive: isActive },
        createdAt
      }),
      key: "id",
--- a/backend/src/services/identity-alicloud-auth/identity-alicloud-auth-service.ts
+++ b/backend/src/services/identity-alicloud-auth/identity-alicloud-auth-service.ts
@@ -38,7 +38,7 @@ type TIdentityAliCloudAuthServiceFactoryDep = {
    TIdentityAliCloudAuthDALFactory,
    "findOne" | "transaction" | "create" | "updateById" | "delete"
  >;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
@@ -64,6 +64,8 @@ export const identityAliCloudAuthServiceFactory = ({
      identityId: identityAliCloudAuth.identityId
    });

+    if (!identityMembershipOrg) throw new UnauthorizedError({ message: "Identity not attached to a organization" });
+
    const requestUrl = new URL("https://sts.aliyuncs.com");

    for (const key of Object.keys(params)) {
@@ -87,6 +89,14 @@ export const identityAliCloudAuthServiceFactory = ({

    // Generate the token
    const identityAccessToken = await identityAliCloudAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.ALICLOUD_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityAliCloudAuth.identityId,
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -36,7 +36,7 @@ import {
 type TIdentityAwsAuthServiceFactoryDep = {
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
@@ -91,6 +91,7 @@ export const identityAwsAuthServiceFactory = ({
    }

    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
+    if (!identityMembershipOrg) throw new UnauthorizedError({ message: "Identity not attached to a organization" });

    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
    const body: string = Buffer.from(iamRequestBody, "base64").toString();
@@ -152,6 +153,14 @@ export const identityAwsAuthServiceFactory = ({
    }

    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.AWS_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityAwsAuth.identityId,
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -33,7 +33,7 @@ type TIdentityAzureAuthServiceFactoryDep = {
    TIdentityAzureAuthDALFactory,
    "findOne" | "transaction" | "create" | "updateById" | "delete"
  >;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -80,6 +80,14 @@ export const identityAzureAuthServiceFactory = ({
    }

    const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.AZURE_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityAzureAuth.identityId,
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -31,7 +31,7 @@ import {

 type TIdentityGcpAuthServiceFactoryDep = {
  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -119,6 +119,14 @@ export const identityGcpAuthServiceFactory = ({
    }

    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.GCP_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityGcpAuth.identityId,
--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
@@ -21,7 +21,7 @@ import {
  UnauthorizedError
 } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-import { getStringValueByDot } from "@app/lib/template/dot-access";
+import { getValueByDot } from "@app/lib/template/dot-access";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
@@ -43,7 +43,7 @@ import {

 type TIdentityJwtAuthServiceFactoryDep = {
  identityJwtAuthDAL: TIdentityJwtAuthDALFactory;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "updateById">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -189,7 +189,7 @@ export const identityJwtAuthServiceFactory = ({
    if (identityJwtAuth.boundClaims) {
      Object.keys(identityJwtAuth.boundClaims).forEach((claimKey) => {
        const claimValue = (identityJwtAuth.boundClaims as Record<string, string>)[claimKey];
-        const value = getStringValueByDot(tokenData, claimKey) || "";
+        const value = getValueByDot(tokenData, claimKey);

        if (!value) {
          throw new UnauthorizedError({
@@ -198,9 +198,7 @@ export const identityJwtAuthServiceFactory = ({
        }

        // handle both single and multi-valued claims
-        if (
-          !claimValue.split(", ").some((claimEntry) => doesFieldValueMatchJwtPolicy(tokenData[claimKey], claimEntry))
-        ) {
+        if (!claimValue.split(", ").some((claimEntry) => doesFieldValueMatchJwtPolicy(value, claimEntry))) {
          throw new UnauthorizedError({
            message: `Access denied: claim mismatch for field ${claimKey}`
          });
@@ -209,6 +207,14 @@ export const identityJwtAuthServiceFactory = ({
    }

    const identityAccessToken = await identityJwtAuthDAL.transaction(async (tx) => {
+      await identityOrgMembershipDAL.updateById(
+        identityMembershipOrg.id,
+        {
+          lastLoginAuthMethod: IdentityAuthMethod.JWT_AUTH,
+          lastLoginTime: new Date()
+        },
+        tx
+      );
      const newToken = await identityAccessTokenDAL.create(
        {
          identityId: identityJwtAuth.identityId,
--- a/Show More
+++ b/Show More