Update secret-approval-request-service.ts

Feat: Scoped JWT tokens

.env.example

@@ -3,6 +3,9 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
+# Required
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
@@ -13,9 +16,6 @@ POSTGRES_PASSWORD=infisical
 POSTGRES_USER=infisical
 POSTGRES_DB=infisical
 
-# Required
-DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
-
 # Redis
 REDIS_URL=redis://redis:6379
 
@@ -63,10 +63,3 @@ CLIENT_SECRET_GITHUB_LOGIN=
 
 CLIENT_ID_GITLAB_LOGIN=
 CLIENT_SECRET_GITLAB_LOGIN=
-
-CAPTCHA_SECRET=
-
-NEXT_PUBLIC_CAPTCHA_SITE_KEY=
-
-PLAIN_API_KEY=
-PLAIN_WISH_LABEL_IDS=

.github/resources/rename_migration_files.py

@@ -1,26 +0,0 @@
-import os
-from datetime import datetime, timedelta
-
-def rename_migrations():
-    migration_folder = "./backend/src/db/migrations"
-    with open("added_files.txt", "r") as file:
-        changed_files = file.readlines()
-    
-    # Find the latest file among the changed files
-    latest_timestamp = datetime.now() # utc time
-    for file_path in changed_files:
-        file_path = file_path.strip()
-        # each new file bump by 1s
-        latest_timestamp = latest_timestamp + timedelta(seconds=1)
-
-        new_filename = os.path.join(migration_folder, latest_timestamp.strftime("%Y%m%d%H%M%S") + f"_{file_path.split('_')[1]}")
-        old_filename = os.path.join(migration_folder, file_path)
-        os.rename(old_filename, new_filename)
-        print(f"Renamed {old_filename} to {new_filename}")
-
-    if len(changed_files) == 0:
-        print("No new files added to migration folder")
-
-if __name__ == "__main__":
-    rename_migrations()
-

.github/workflows/build-binaries.yml

@@ -1,99 +0,0 @@
-name: Build Binaries and Deploy
-
-on:
-    workflow_dispatch:
-        inputs:
-            version:
-                description: "Version number"
-                required: true
-                type: string
-
-defaults:
-    run:
-        working-directory: ./backend
-
-jobs:
-    build-and-deploy:
-        runs-on: ubuntu-20.04
-        strategy:
-            matrix:
-                arch: [x64, arm64]
-                os: [linux, win]
-                include:
-                    - os: linux
-                      target: node20-linux
-                    - os: win
-                      target: node20-win
-
-        steps:
-            - name: Checkout code
-              uses: actions/checkout@v3
-
-            - name: Set up Node.js
-              uses: actions/setup-node@v3
-              with:
-                  node-version: 20
-
-            - name: Install pkg
-              run: npm install -g @yao-pkg/pkg
-
-            - name: Install dependencies (backend)
-              run: npm install
-
-            - name: Install dependencies (frontend)
-              run: npm install --prefix ../frontend
-
-            - name: Prerequisites for pkg
-              run: npm run binary:build
-
-            - name: Package into node binary
-              run: |
-                  if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
-                  else
-                    pkg --no-bytecode --public-packages "*" --public --compress Brotli --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
-                  fi
-
-            # Set up .deb package structure (Debian/Ubuntu only)
-            - name: Set up .deb package structure
-              if: matrix.os == 'linux'
-              run: |
-                  mkdir -p infisical-core/DEBIAN
-                  mkdir -p infisical-core/usr/local/bin
-                  cp ./binary/infisical-core infisical-core/usr/local/bin/
-                  chmod +x infisical-core/usr/local/bin/infisical-core
-
-            - name: Create control file
-              if: matrix.os == 'linux'
-              run: |
-                  cat <<EOF > infisical-core/DEBIAN/control
-                  Package: infisical-core
-                  Version: ${{ github.event.inputs.version }}
-                  Section: base
-                  Priority: optional
-                  Architecture: ${{ matrix.arch == 'x64' && 'amd64' || matrix.arch }}
-                  Maintainer: Infisical <daniel@infisical.com>
-                  Description: Infisical Core standalone executable (app.infisical.com)
-                  EOF
-
-            # Build .deb file (Debian/Ubunutu only)
-            - name: Build .deb package
-              if: matrix.os == 'linux'
-              run: |
-                  dpkg-deb --build infisical-core
-                  mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb
-
-            - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
-
-            # Publish .deb file to Cloudsmith (Debian/Ubuntu only)
-            - name: Publish to Cloudsmith (Debian/Ubuntu)
-              if: matrix.os == 'linux'
-              working-directory: ./backend
-              run: cloudsmith push deb --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.deb
-
-            # Publish .exe file to Cloudsmith (Windows only)
-            - name: Publish to Cloudsmith (Windows)
-              if: matrix.os == 'win'
-              working-directory: ./backend
-              run: cloudsmith push raw infisical/infisical-core ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }}.exe --republish --no-wait-for-sync --version ${{ github.event.inputs.version }} --api-key ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/build-docker-image-to-prod.yml

@@ -41,7 +41,6 @@ jobs:
           load: true
           context: backend
           tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
       - name: ⏻ Spawn backend container and dependencies
         run: |
           docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
@@ -93,7 +92,6 @@ jobs:
           project: 64mmf0n610
           context: frontend
           tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
             NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/build-patroni-docker-img.yml

@@ -1,38 +0,0 @@
-name: Build patroni 
-on: [workflow_dispatch]
-
-jobs:
-  patroni-image:
-    name: Build patroni
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-        with:
-          repository: 'zalando/patroni'
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build backend and push to docker hub
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile
-          tags: |
-            infisical/patroni:${{ steps.commit.outputs.short }}
-            infisical/patroni:latest
-          platforms: linux/amd64,linux/arm64
-    
-  

.github/workflows/build-staging-and-deploy-aws.yml

@@ -1,154 +0,0 @@
-name: Deployment pipeline
-on: [workflow_dispatch]
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-  infisical-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build backend and push to docker hub
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
-    
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    environment:
-      name: Gamma
-    steps:
-      - uses: twingate/github-action@v1
-        with:
-          # The Twingate Service Key used to connect Twingate to the proper service
-          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
-          #
-          # Required
-          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-core
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-gamma-stage
-          cluster: infisical-gamma-stage
-          wait-for-service-stability: true
-
-  production-postgres-deployment:
-    name: Deploy to production
-    runs-on: ubuntu-latest
-    needs: [gamma-deployment]
-    environment:
-      name: Production
-    steps:
-      - uses: twingate/github-action@v1
-        with:
-        # The Twingate Service Key used to connect Twingate to the proper service
-        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
-        #
-        # Required
-          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-core-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
-          wait-for-service-stability: true

.github/workflows/build-staging-and-deploy.yml

@@ -0,0 +1,120 @@
+name: Build, Publish and Deploy to Gamma
+on: [workflow_dispatch]
+
+jobs:
+  infisical-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: infisical/infisical:test
+      # - name: ⏻ Spawn backend container and dependencies
+      #   run: |
+      #     docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      # - name: 🧪 Test backend image
+      #   run: |
+      #     ./.github/resources/healthcheck.sh infisical-backend-test
+      # - name: ⏻ Shut down backend container and dependencies
+      #   run: |
+      #     docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile.standalone-infisical
+          tags: |
+            infisical/staging_infisical:${{ steps.commit.outputs.short }}
+            infisical/staging_infisical:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+  postgres-migration:
+    name: Run latest migration files
+    runs-on: ubuntu-latest
+    needs: [infisical-image]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2
+        with:
+          node-version: "20"
+      - name: Change directory to backend and install dependencies
+        env:
+          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+        run: |
+          cd backend
+          npm install
+          npm run migration:latest
+      # - name: Run postgres DB migration files
+      #   env:
+      #     DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
+      #   run: npm run migration:latest
+  gamma-deployment:
+    name: Deploy to gamma
+    runs-on: ubuntu-latest
+    needs: [postgres-migration]
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install infisical helm chart
+        run: |
+          helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+          helm repo update
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Save DigitalOcean kubeconfig with short-lived credentials
+        run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 infisical-gamma-postgres
+      - name: switch to gamma namespace
+        run: kubectl config set-context --current --namespace=gamma
+      - name: test kubectl
+        run: kubectl get ingress
+      - name: Download helm values to file and upgrade gamma deploy
+        run: |
+          wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
+          helm upgrade infisical infisical-helm-charts/infisical-standalone  --values values.yaml --wait --install
+          if [[ $(helm status infisical) == *"FAILED"* ]]; then
+            echo "Helm upgrade failed"
+            exit 1
+          else
+            echo "Helm upgrade was successful"
+          fi

.github/workflows/check-api-for-breaking-changes.yml

@@ -5,7 +5,6 @@ on:
     types: [opened, synchronize]
     paths:
       - "backend/src/server/routes/**"
-      - "backend/src/ee/routes/**"
 
 jobs:
   check-be-api-changes:
@@ -35,12 +34,11 @@ jobs:
             echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
             echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
             echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
+            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
         env:
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
           JWT_AUTH_SECRET: something-random
-          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - uses: actions/setup-go@v5
         with:
           go-version: '1.21.5'
@@ -74,4 +72,4 @@ jobs:
         run: |
           docker-compose -f "docker-compose.dev.yml" down
           docker stop infisical-api
-          docker remove infisical-api
+          docker remove infisical-api

.github/workflows/check-migration-file-edited.yml

@@ -1,25 +0,0 @@
-name: Check migration file edited
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-    paths:
-      - 'backend/src/db/migrations/**'
-
-jobs:
-  rename:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Check any migration files are modified, renamed or duplicated.
-        run: |
-          git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^M\|^R\|^C' || true | cut -f2 | xargs -r -n1 basename > edited_files.txt
-          if [ -s edited_files.txt ]; then
-            echo "Exiting migration files cannot be modified."
-            cat edited_files.txt
-            exit 1
-          fi

.github/workflows/release_build_infisical_cli.yml

@@ -1,75 +1,60 @@
 name: Build and release CLI
 
 on:
-    workflow_dispatch:
-
-    push:
-        # run only against tags
-        tags:
-            - "infisical-cli/v*.*.*"
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
 
 permissions:
-    contents: write
-    # packages: write
-    # issues: write
-jobs:
-    cli-integration-tests:
-        name: Run tests before deployment
-        uses: ./.github/workflows/run-cli-tests.yml
-        secrets:
-            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+  contents: write
+  # packages: write
+  # issues: write
 
-    goreleaser:
-        runs-on: ubuntu-20.04
-        needs: [cli-integration-tests]
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v2
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - run: git fetch --force --tags
-            - run: echo "Ref name ${{github.ref_name}}"
-            - uses: actions/setup-go@v3
-              with:
-                  go-version: ">=1.19.3"
-                  cache: true
-                  cache-dependency-path: cli/go.sum
-            - name: libssl1.1 => libssl1.0-dev for OSXCross
-              run: |
-                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt update && apt-cache policy libssl1.0-dev
-                  sudo apt-get install libssl1.0-dev
-            - name: OSXCross for CGO Support
-              run: |
-                  mkdir ../../osxcross
-                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-            - uses: goreleaser/goreleaser-action@v4
-              with:
-                  distribution: goreleaser-pro
-                  version: v1.26.2-pro
-                  args: release --clean
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-                  AUR_KEY: ${{ secrets.AUR_KEY }}
-                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-            - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
-            - name: Publish to CloudSmith
-              run: sh cli/upload_to_cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+jobs:
+  goreleaser:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: libssl1.1 => libssl1.0-dev for OSXCross
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt update && apt-cache policy libssl1.0-dev
+          sudo apt-get install libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/run-cli-tests.yml

@@ -1,55 +0,0 @@
-name: Go CLI Tests
-
-on:
-    pull_request:
-        types: [opened, synchronize]
-        paths:
-            - "cli/**"
-
-    workflow_dispatch:
-
-    workflow_call:
-        secrets:
-            CLI_TESTS_UA_CLIENT_ID:
-                required: true
-            CLI_TESTS_UA_CLIENT_SECRET:
-                required: true
-            CLI_TESTS_SERVICE_TOKEN:
-                required: true
-            CLI_TESTS_PROJECT_ID:
-                required: true
-            CLI_TESTS_ENV_SLUG:
-                required: true
-            CLI_TESTS_USER_EMAIL:
-                required: true
-            CLI_TESTS_USER_PASSWORD:
-                required: true
-            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
-                required: true
-jobs:
-    test:
-        defaults:
-            run:
-                working-directory: ./cli
-        runs-on: ubuntu-latest
-
-        steps:
-            - uses: actions/checkout@v4
-            - name: Setup Go
-              uses: actions/setup-go@v4
-              with:
-                  go-version: "1.21.x"
-            - name: Install dependencies
-              run: go get .
-            - name: Test with the Go CLI
-              env:
-                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-                  INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
-
-              run: go test -v -count=1 ./test

.gitignore

@@ -59,14 +59,9 @@ yarn-error.log*
 # Infisical init
 .infisical.json
 
-.infisicalignore
-
 # Editor specific
 .vscode/*
 
 frontend-build
 
 *.tgz
-cli/infisical-merge
-cli/test/infisical-merge
-/backend/binary

.infisicalignore

@@ -1,8 +1 @@
 .github/resources/docker-compose.be-test.yml:generic-api-key:16
-frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/IdentityRbacSection.tsx:generic-api-key:206
-frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
-docs/self-hosting/configuration/envars.mdx:generic-api-key:106
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
-docs/mint.json:generic-api-key:651

Dockerfile.standalone-infisical

@@ -1,7 +1,6 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
-ARG CAPTCHA_SITE_KEY=captcha-site-key
 
 FROM  node:20-alpine AS base
 
@@ -36,8 +35,6 @@ ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
-ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 
 # Build
 RUN npm run build
@@ -55,7 +52,6 @@ VOLUME /app/.next/cache/images
 COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
 RUN chown non-root-user:nodejs ./public/data
-
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 
@@ -94,18 +90,9 @@ RUN mkdir frontend-build
 
 # Production stage
 FROM base AS production
-RUN apk add --upgrade --no-cache ca-certificates
 RUN addgroup --system --gid 1001 nodejs \
   && adduser --system --uid 1001 non-root-user
 
-# Give non-root-user permission to update SSL certs
-RUN chown -R non-root-user /etc/ssl/certs
-RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
-RUN chmod -R u+rwx /etc/ssl/certs
-RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
-RUN chown non-root-user /usr/sbin/update-ca-certificates
-RUN chmod u+rx /usr/sbin/update-ca-certificates
-
 ## set pre baked keys
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
@@ -113,9 +100,6 @@ ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
 ARG INTERCOM_ID=intercom-id
 ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
   BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
-ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
 WORKDIR / 
 
@@ -134,6 +118,9 @@ WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true
 
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
+
 EXPOSE 8080
 EXPOSE 443
 

README.md

@@ -10,8 +10,7 @@
   <a href="https://infisical.com/">Infisical Cloud</a> |
   <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
   <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
-  <a href="https://www.infisical.com">Website</a> |
-  <a href="https://infisical.com/careers">Hiring (Remote/SF)</a>
+  <a href="https://www.infisical.com">Website</a>
 </h4>
 
 <p align="center">
@@ -48,26 +47,25 @@
 
 ## Introduction
 
-**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their application configuration and secrets like API keys and database credentials as well as manage their internal PKI.
+**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.
 
-We're on a mission to make security tooling more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.
+We're on a mission to make secret management more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.
 
 ## Features
 
-- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.).
-- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand.
-- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD.
-- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical.
-- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
+- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.). 
+- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand. 
+- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD. 
+- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical. 
+- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more. 
 - **[Infisical Kubernetes operator](https://infisical.com/docs/documentation/getting-started/kubernetes)** to managed secrets in k8s, automatically reload deployments, and more.
-- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic.
+- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic. 
 - **[Self-hosting and on-prem](https://infisical.com/docs/self-hosting/overview)** to get complete control over your data.
-- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state.
-- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project.
-- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities.
+- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state. 
+- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project. 
+- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities. 
 - **[Simple on-premise deployments](https://infisical.com/docs/self-hosting/overview)** to AWS, Digital Ocean, and more.
-- **[Internal PKI](https://infisical.com/docs/documentation/platform/pki/private-ca)** to create Private CA hierarchies and start issuing and managing X.509 digital certificates.
-- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git.
+- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git. 
 
 And much more.
 
@@ -75,9 +73,9 @@ And much more.
 
 Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/introduction)
 
-| Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                          |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+| Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
 
 ### Run Infisical locally
 
@@ -86,13 +84,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
 Linux/macOS:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.prod.yml up
 ```
 
 Windows Command Prompt:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.prod.yml up
 ```
 
 Create an account at `http://localhost:80`

backend/.eslintrc.js

@@ -23,17 +23,16 @@ module.exports = {
   root: true,
   overrides: [
     {
-      files: ["./e2e-test/**/*", "./src/db/migrations/**/*"],
+      files: ["./e2e-test/**/*"],
       rules: {
         "@typescript-eslint/no-unsafe-member-access": "off",
         "@typescript-eslint/no-unsafe-assignment": "off",
         "@typescript-eslint/no-unsafe-argument": "off",
         "@typescript-eslint/no-unsafe-return": "off",
-        "@typescript-eslint/no-unsafe-call": "off"
+        "@typescript-eslint/no-unsafe-call": "off",
       }
     }
   ],
-
   rules: {
     "@typescript-eslint/no-empty-function": "off",
     "@typescript-eslint/no-unsafe-enum-comparison": "off",

backend/babel.config.json

@@ -1,4 +0,0 @@
-{
-  "presets": ["@babel/preset-env", "@babel/preset-react"],
-  "plugins": ["@babel/plugin-syntax-import-attributes", "babel-plugin-transform-import-meta"]
-}

backend/e2e-test/mocks/keystore.ts

@@ -1,5 +1,4 @@
 import { TKeyStoreFactory } from "@app/keystore/keystore";
-import { Lock } from "@app/lib/red-lock";
 
 export const mockKeyStore = (): TKeyStoreFactory => {
   const store: Record<string, string | number | Buffer> = {};
@@ -26,12 +25,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
     },
     incrementBy: async () => {
       return 1;
-    },
-    acquireLock: () => {
-      return Promise.resolve({
-        release: () => {}
-      }) as Promise<Lock>;
-    },
-    waitTillReady: async () => {}
+    }
   };
 };

backend/e2e-test/routes/v1/secret-import.spec.ts

@@ -46,7 +46,7 @@ const deleteSecretImport = async (id: string) => {
 
 describe("Secret Import Router", async () => {
   test.each([
-    { importEnv: "prod", importPath: "/" }, // one in root
+    { importEnv: "dev", importPath: "/" }, // one in root
     { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
   ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
     // check for default environments
@@ -66,7 +66,7 @@ describe("Secret Import Router", async () => {
   });
 
   test("Get secret imports", async () => {
-    const createdImport1 = await createSecretImport("/", "prod");
+    const createdImport1 = await createSecretImport("/", "dev");
     const createdImport2 = await createSecretImport("/", "staging");
     const res = await testServer.inject({
       method: "GET",
@@ -103,10 +103,10 @@ describe("Secret Import Router", async () => {
   });
 
   test("Update secret import position", async () => {
-    const prodImportDetails = { path: "/", envSlug: "prod" };
+    const devImportDetails = { path: "/", envSlug: "dev" };
     const stagingImportDetails = { path: "/", envSlug: "staging" };
 
-    const createdImport1 = await createSecretImport(prodImportDetails.path, prodImportDetails.envSlug);
+    const createdImport1 = await createSecretImport(devImportDetails.path, devImportDetails.envSlug);
     const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);
 
     const updateImportRes = await testServer.inject({
@@ -136,7 +136,7 @@ describe("Secret Import Router", async () => {
         position: 2,
         importEnv: expect.objectContaining({
           name: expect.any(String),
-          slug: expect.stringMatching(prodImportDetails.envSlug),
+          slug: expect.stringMatching(devImportDetails.envSlug),
           id: expect.any(String)
         })
       })
@@ -166,7 +166,7 @@ describe("Secret Import Router", async () => {
   });
 
   test("Delete secret import position", async () => {
-    const createdImport1 = await createSecretImport("/", "prod");
+    const createdImport1 = await createSecretImport("/", "dev");
     const createdImport2 = await createSecretImport("/", "staging");
     const deletedImport = await deleteSecretImport(createdImport1.id);
     // check for default environments

backend/e2e-test/routes/v3/secrets.spec.ts

@@ -942,113 +942,6 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       const secrets = await getSecrets(seedData1.environment.slug, path);
       expect(secrets).toEqual([]);
     });
-
-    test.each(testRawSecrets)("Bulk create secret raw in path $path", async ({ path, secret }) => {
-      const createSecretReqBody = {
-        projectSlug: seedData1.project.slug,
-        environment: seedData1.environment.slug,
-        secretPath: path,
-        secrets: [
-          {
-            secretKey: secret.key,
-            secretValue: secret.value,
-            secretComment: secret.comment
-          }
-        ]
-      };
-      const createSecRes = await testServer.inject({
-        method: "POST",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: createSecretReqBody
-      });
-      expect(createSecRes.statusCode).toBe(200);
-      const createdSecretPayload = JSON.parse(createSecRes.payload);
-      expect(createdSecretPayload).toHaveProperty("secrets");
-
-      // fetch secrets
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            key: secret.key,
-            value: secret.value,
-            type: SecretType.Shared
-          })
-        ])
-      );
-
-      await deleteRawSecret({ path, key: secret.key });
-    });
-
-    test.each(testRawSecrets)("Bulk update secret raw in path $path", async ({ secret, path }) => {
-      await createRawSecret({ path, ...secret });
-      const updateSecretReqBody = {
-        projectSlug: seedData1.project.slug,
-        environment: seedData1.environment.slug,
-        secretPath: path,
-        secrets: [
-          {
-            secretValue: "new-value",
-            secretKey: secret.key
-          }
-        ]
-      };
-      const updateSecRes = await testServer.inject({
-        method: "PATCH",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: updateSecretReqBody
-      });
-      expect(updateSecRes.statusCode).toBe(200);
-      const updatedSecretPayload = JSON.parse(updateSecRes.payload);
-      expect(updatedSecretPayload).toHaveProperty("secrets");
-
-      // fetch secrets
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            key: secret.key,
-            value: "new-value",
-            version: 2,
-            type: SecretType.Shared
-          })
-        ])
-      );
-
-      await deleteRawSecret({ path, key: secret.key });
-    });
-
-    test.each(testRawSecrets)("Bulk delete secret raw in path $path", async ({ path, secret }) => {
-      await createRawSecret({ path, ...secret });
-
-      const deletedSecretReqBody = {
-        projectSlug: seedData1.project.slug,
-        environment: seedData1.environment.slug,
-        secretPath: path,
-        secrets: [{ secretKey: secret.key }]
-      };
-      const deletedSecRes = await testServer.inject({
-        method: "DELETE",
-        url: `/api/v3/secrets/batch/raw`,
-        headers: {
-          authorization: `Bearer ${authToken}`
-        },
-        body: deletedSecretReqBody
-      });
-      expect(deletedSecRes.statusCode).toBe(200);
-      const deletedSecretPayload = JSON.parse(deletedSecRes.payload);
-      expect(deletedSecretPayload).toHaveProperty("secrets");
-
-      // fetch secrets
-      const secrets = await getSecrets(seedData1.environment.slug, path);
-      expect(secrets).toEqual([]);
-    });
   }
 );
 

backend/e2e-test/vitest-environment-knex.ts

@@ -3,6 +3,7 @@ import "ts-node/register";
 
 import dotenv from "dotenv";
 import jwt from "jsonwebtoken";
+import knex from "knex";
 import path from "path";
 
 import { seedData1 } from "@app/db/seed-data";
@@ -14,7 +15,6 @@ import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
 import { mockKeyStore } from "./mocks/keystore";
-import { initDbConnection } from "@app/db";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -23,21 +23,23 @@ export default {
   async setup() {
     const logger = await initLogger();
     const cfg = initEnvConfig(logger);
-    const db = initDbConnection({
-      dbConnectionUri: cfg.DB_CONNECTION_URI,
-      dbRootCert: cfg.DB_ROOT_CERT
-    });
-
-    try {
-      await db.migrate.latest({
+    const db = knex({
+      client: "pg",
+      connection: cfg.DB_CONNECTION_URI,
+      migrations: {
         directory: path.join(__dirname, "../src/db/migrations"),
         extension: "ts",
         tableName: "infisical_migrations"
-      });
-      await db.seed.run({
+      },
+      seeds: {
         directory: path.join(__dirname, "../src/db/seeds"),
         extension: "ts"
-      });
+      }
+    });
+
+    try {
+      await db.migrate.latest();
+      await db.seed.run();
       const smtp = mockSmtpServer();
       const queue = mockQueue();
       const keyStore = mockKeyStore();
@@ -72,14 +74,7 @@ export default {
         // @ts-expect-error type
         delete globalThis.jwtToken;
         // called after all tests with this env have been run
-        await db.migrate.rollback(
-          {
-            directory: path.join(__dirname, "../src/db/migrations"),
-            extension: "ts",
-            tableName: "infisical_migrations"
-          },
-          true
-        );
+        await db.migrate.rollback({}, true);
         await db.destroy();
       }
     };

backend/package.json

@@ -3,39 +3,11 @@
   "version": "1.0.0",
   "description": "",
   "main": "./dist/main.mjs",
-  "bin": "dist/main.js",
-  "pkg": {
-    "scripts": [
-      "dist/**/*.js",
-      "../frontend/node_modules/next/**/*.js",
-      "../frontend/.next/*/**/*.js",
-      "../frontend/node_modules/next/dist/server/**/*.js",
-      "../frontend/node_modules/@fortawesome/fontawesome-svg-core/**/*.js"
-    ],
-    "assets": [
-      "dist/**",
-      "!dist/**/*.js",
-      "node_modules/**",
-      "../frontend/node_modules/**",
-      "../frontend/.next/**",
-      "!../frontend/node_modules/next/dist/server/**/*.js",
-      "../frontend/node_modules/@fortawesome/fontawesome-svg-core/**/*",
-      "../frontend/public/**"
-    ],
-    "outputPath": "binary"
-  },
   "scripts": {
-    "binary:build": "npm run binary:clean && npm run build:frontend && npm run build && npm run binary:babel-frontend && npm run binary:babel-backend && npm run binary:rename-imports",
-    "binary:package": "pkg --no-bytecode --public-packages \"*\" --public --target host .",
-    "binary:babel-backend": " babel ./dist -d ./dist",
-    "binary:babel-frontend": "babel --copy-files ../frontend/.next/server -d ../frontend/.next/server",
-    "binary:clean": "rm -rf ./dist && rm -rf ./binary",
-    "binary:rename-imports": "ts-node ./scripts/rename-mjs.ts",
     "test": "echo \"Error: no test specified\" && exit 1",
     "dev": "tsx watch --clear-screen=false ./src/main.ts  | pino-pretty --colorize --colorizeObjects --singleLine",
     "dev:docker": "nodemon",
     "build": "tsup",
-    "build:frontend": "npm run build --prefix ../frontend",
     "start": "node dist/main.mjs",
     "type:check": "tsc --noEmit",
     "lint:fix": "eslint --fix --ext js,ts ./src",
@@ -59,11 +31,6 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "@babel/cli": "^7.18.10",
-    "@babel/core": "^7.18.10",
-    "@babel/plugin-syntax-import-attributes": "^7.24.7",
-    "@babel/preset-env": "^7.18.10",
-    "@babel/preset-react": "^7.24.7",
     "@types/bcrypt": "^5.0.2",
     "@types/jmespath": "^0.15.2",
     "@types/jsonwebtoken": "^9.0.5",
@@ -81,8 +48,6 @@
     "@types/uuid": "^9.0.7",
     "@typescript-eslint/eslint-plugin": "^6.20.0",
     "@typescript-eslint/parser": "^6.20.0",
-    "@yao-pkg/pkg": "^5.12.0",
-    "babel-plugin-transform-import-meta": "^2.2.1",
     "eslint": "^8.56.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-airbnb-typescript": "^17.1.0",
@@ -95,7 +60,7 @@
     "pino-pretty": "^10.2.3",
     "prompt-sync": "^4.2.0",
     "rimraf": "^5.0.5",
-    "ts-node": "^10.9.2",
+    "ts-node": "^10.9.1",
     "tsc-alias": "^1.8.8",
     "tsconfig-paths": "^4.2.0",
     "tsup": "^8.0.1",
@@ -106,9 +71,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-iam": "^3.525.0",
-    "@aws-sdk/client-kms": "^3.609.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
-    "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
     "@fastify/cookie": "^9.3.1",
     "@fastify/cors": "^8.5.0",
@@ -123,11 +86,8 @@
     "@node-saml/passport-saml": "^4.0.4",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
-    "@peculiar/asn1-schema": "^2.3.8",
-    "@peculiar/x509": "^1.10.0",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
-    "@sindresorhus/slugify": "1.1.0",
-    "@team-plain/typescript-sdk": "^4.6.1",
+    "@sindresorhus/slugify": "^2.2.1",
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
@@ -135,32 +95,23 @@
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.4.2",
-    "cassandra-driver": "^4.7.2",
-    "connect-redis": "^7.1.1",
-    "cron": "^3.1.7",
+    "bullmq": "^5.3.3",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
-    "google-auth-library": "^9.9.0",
-    "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",
-    "jwks-rsa": "^3.1.0",
     "knex": "^3.0.1",
-    "ldapjs": "^3.0.7",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "ms": "^2.1.3",
-    "mysql2": "^3.9.8",
-    "nanoid": "^3.3.4",
+    "mysql2": "^3.9.1",
+    "nanoid": "^5.0.4",
     "nodemailer": "^6.9.9",
-    "openid-client": "^5.6.5",
     "ora": "^7.0.1",
-    "oracledb": "^6.4.0",
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
@@ -172,7 +123,6 @@
     "posthog-node": "^3.6.2",
     "probot": "^13.0.0",
     "smee-client": "^2.0.0",
-    "tedious": "^18.2.1",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
     "uuid": "^9.0.1",

backend/scripts/create-backend-file.ts

@@ -103,15 +103,11 @@ export const ${dalName} = (db: TDbClient) => {
     `import { z } from "zod";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { readLimit } from "@app/server/config/rateLimiter";
 
 export const register${pascalCase}Router = async (server: FastifyZodProvider) => {
   server.route({
-    method: "GET",
     url: "/",
-    config: {
-      rateLimit: readLimit
-    },
+    method: "GET",
     schema: {
       params: z.object({}),
       response: {

backend/scripts/create-migration.ts

@@ -2,16 +2,15 @@
 import { execSync } from "child_process";
 import path from "path";
 import promptSync from "prompt-sync";
-import slugify from "@sindresorhus/slugify"
 
 const prompt = promptSync({ sigint: true });
 
 const migrationName = prompt("Enter name for migration: ");
 
-// Remove spaces from migration name and replace with hyphens
-const formattedMigrationName = slugify(migrationName);
-
 execSync(
-  `npx knex migrate:make --knexfile ${path.join(__dirname, "../src/db/knexfile.ts")} -x ts ${formattedMigrationName}`,
+  `npx knex migrate:make --knexfile ${path.join(
+    __dirname,
+    "../src/db/knexfile.ts"
+  )} -x ts ${migrationName}`,
   { stdio: "inherit" }
 );

backend/scripts/generate-schema-types.ts

@@ -35,8 +35,6 @@ const getZodPrimitiveType = (type: string) => {
       return "z.coerce.number()";
     case "text":
       return "z.string()";
-    case "bytea":
-      return "zodBuffer";
     default:
       throw new Error(`Invalid type: ${type}`);
   }
@@ -98,15 +96,10 @@ const main = async () => {
     const columnNames = Object.keys(columns);
 
     let schema = "";
-    const zodImportSet = new Set<string>();
     for (let colNum = 0; colNum < columnNames.length; colNum++) {
       const columnName = columnNames[colNum];
       const colInfo = columns[columnName];
       let ztype = getZodPrimitiveType(colInfo.type);
-      if (["zodBuffer"].includes(ztype)) {
-        zodImportSet.add(ztype);
-      }
-
       // don't put optional on id
       if (colInfo.defaultValue && columnName !== "id") {
         const { defaultValue } = colInfo;
@@ -128,8 +121,6 @@ const main = async () => {
       .split("_")
       .reduce((prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`, "");
 
-    const zodImports = Array.from(zodImportSet);
-
     // the insert and update are changed to zod input type to use default cases
     writeFileSync(
       path.join(__dirname, "../src/db/schemas", `${dashcase}.ts`),
@@ -140,8 +131,6 @@ const main = async () => {
 
 import { z } from "zod";
 
-${zodImports.length ? `import { ${zodImports.join(",")} } from \"@app/lib/zod\";` : ""}
-
 import { TImmutableDBKeys } from "./models";
 
 export const ${pascalCase}Schema = z.object({${schema}});

backend/scripts/rename-mjs.ts

@@ -1,27 +0,0 @@
-/* eslint-disable @typescript-eslint/no-shadow */
-import fs from "node:fs";
-import path from "node:path";
-
-function replaceMjsOccurrences(directory: string) {
-  fs.readdir(directory, (err, files) => {
-    if (err) throw err;
-    files.forEach((file) => {
-      const filePath = path.join(directory, file);
-      if (fs.statSync(filePath).isDirectory()) {
-        replaceMjsOccurrences(filePath);
-      } else {
-        fs.readFile(filePath, "utf8", (err, data) => {
-          if (err) throw err;
-          const result = data.replace(/\.mjs/g, ".js");
-          fs.writeFile(filePath, result, "utf8", (err) => {
-            if (err) throw err;
-            // eslint-disable-next-line no-console
-            console.log(`Updated: ${filePath}`);
-          });
-        });
-      }
-    });
-  });
-}
-
-replaceMjsOccurrences("dist");

backend/src/@types/fastify.d.ts

@@ -1,23 +1,11 @@
 import "fastify";
 
 import { TUsers } from "@app/db/schemas";
-import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
-import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
-import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
-import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
-import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
-import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
-import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
-import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
-import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -33,18 +21,9 @@ import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
-import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
-import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
-import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
-import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
-import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
@@ -60,15 +39,12 @@ import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
-import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
-import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
-import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 
 declare module "fastify" {
@@ -86,7 +62,7 @@ declare module "fastify" {
       authMethod: ActorAuthMethod;
       type: ActorType;
       id: string;
-      orgId: string;
+      orgId?: string;
     };
     // passport data
     passportUser: {
@@ -107,11 +83,8 @@ declare module "fastify" {
       permission: TPermissionServiceFactory;
       org: TOrgServiceFactory;
       orgRole: TOrgRoleServiceFactory;
-      oidc: TOidcConfigServiceFactory;
       superAdmin: TSuperAdminServiceFactory;
       user: TUserServiceFactory;
-      group: TGroupServiceFactory;
-      groupProject: TGroupProjectServiceFactory;
       apiKey: TApiKeyServiceFactory;
       project: TProjectServiceFactory;
       projectMembership: TProjectMembershipServiceFactory;
@@ -119,7 +92,6 @@ declare module "fastify" {
       projectKey: TProjectKeyServiceFactory;
       projectRole: TProjectRoleServiceFactory;
       secret: TSecretServiceFactory;
-      secretReplication: TSecretReplicationServiceFactory;
       secretTag: TSecretTagServiceFactory;
       secretImport: TSecretImportServiceFactory;
       projectBot: TProjectBotServiceFactory;
@@ -131,15 +103,7 @@ declare module "fastify" {
       identity: TIdentityServiceFactory;
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
-      identityTokenAuth: TIdentityTokenAuthServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
-      identityGcpAuth: TIdentityGcpAuthServiceFactory;
-      identityAwsAuth: TIdentityAwsAuthServiceFactory;
-      identityAzureAuth: TIdentityAzureAuthServiceFactory;
-      identityOidcAuth: TIdentityOidcAuthServiceFactory;
-      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
-      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
       secretApprovalRequest: TSecretApprovalRequestServiceFactory;
       secretRotation: TSecretRotationServiceFactory;
@@ -148,23 +112,11 @@ declare module "fastify" {
       scim: TScimServiceFactory;
       ldap: TLdapConfigServiceFactory;
       auditLog: TAuditLogServiceFactory;
-      auditLogStream: TAuditLogStreamServiceFactory;
-      certificate: TCertificateServiceFactory;
-      certificateAuthority: TCertificateAuthorityServiceFactory;
-      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
       secretScanning: TSecretScanningServiceFactory;
       license: TLicenseServiceFactory;
       trustedIp: TTrustedIpServiceFactory;
       secretBlindIndex: TSecretBlindIndexServiceFactory;
       telemetry: TTelemetryServiceFactory;
-      dynamicSecret: TDynamicSecretServiceFactory;
-      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
-      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
-      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
-      secretSharing: TSecretSharingServiceFactory;
-      rateLimit: TRateLimitServiceFactory;
-      userEngagement: TUserEngagementServiceFactory;
-      externalKms: TExternalKmsServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -1,27 +1,12 @@
-import { Knex as KnexOriginal } from "knex";
+import { Knex } from "knex";
 
 import {
   TableName,
-  TAccessApprovalPolicies,
-  TAccessApprovalPoliciesApprovers,
-  TAccessApprovalPoliciesApproversInsert,
-  TAccessApprovalPoliciesApproversUpdate,
-  TAccessApprovalPoliciesInsert,
-  TAccessApprovalPoliciesUpdate,
-  TAccessApprovalRequests,
-  TAccessApprovalRequestsInsert,
-  TAccessApprovalRequestsReviewers,
-  TAccessApprovalRequestsReviewersInsert,
-  TAccessApprovalRequestsReviewersUpdate,
-  TAccessApprovalRequestsUpdate,
   TApiKeys,
   TApiKeysInsert,
   TApiKeysUpdate,
   TAuditLogs,
   TAuditLogsInsert,
-  TAuditLogStreams,
-  TAuditLogStreamsInsert,
-  TAuditLogStreamsUpdate,
   TAuditLogsUpdate,
   TAuthTokens,
   TAuthTokenSessions,
@@ -32,87 +17,27 @@ import {
   TBackupPrivateKey,
   TBackupPrivateKeyInsert,
   TBackupPrivateKeyUpdate,
-  TCertificateAuthorities,
-  TCertificateAuthoritiesInsert,
-  TCertificateAuthoritiesUpdate,
-  TCertificateAuthorityCerts,
-  TCertificateAuthorityCertsInsert,
-  TCertificateAuthorityCertsUpdate,
-  TCertificateAuthorityCrl,
-  TCertificateAuthorityCrlInsert,
-  TCertificateAuthorityCrlUpdate,
-  TCertificateAuthoritySecret,
-  TCertificateAuthoritySecretInsert,
-  TCertificateAuthoritySecretUpdate,
-  TCertificateBodies,
-  TCertificateBodiesInsert,
-  TCertificateBodiesUpdate,
-  TCertificates,
-  TCertificateSecrets,
-  TCertificateSecretsInsert,
-  TCertificateSecretsUpdate,
-  TCertificatesInsert,
-  TCertificatesUpdate,
-  TDynamicSecretLeases,
-  TDynamicSecretLeasesInsert,
-  TDynamicSecretLeasesUpdate,
-  TDynamicSecrets,
-  TDynamicSecretsInsert,
-  TDynamicSecretsUpdate,
-  TExternalKms,
-  TExternalKmsInsert,
-  TExternalKmsUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
   TGitAppOrg,
   TGitAppOrgInsert,
   TGitAppOrgUpdate,
-  TGroupProjectMembershipRoles,
-  TGroupProjectMembershipRolesInsert,
-  TGroupProjectMembershipRolesUpdate,
-  TGroupProjectMemberships,
-  TGroupProjectMembershipsInsert,
-  TGroupProjectMembershipsUpdate,
-  TGroups,
-  TGroupsInsert,
-  TGroupsUpdate,
   TIdentities,
   TIdentitiesInsert,
   TIdentitiesUpdate,
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAwsAuths,
-  TIdentityAwsAuthsInsert,
-  TIdentityAwsAuthsUpdate,
-  TIdentityAzureAuths,
-  TIdentityAzureAuthsInsert,
-  TIdentityAzureAuthsUpdate,
-  TIdentityGcpAuths,
-  TIdentityGcpAuthsInsert,
-  TIdentityGcpAuthsUpdate,
-  TIdentityKubernetesAuths,
-  TIdentityKubernetesAuthsInsert,
-  TIdentityKubernetesAuthsUpdate,
-  TIdentityOidcAuths,
-  TIdentityOidcAuthsInsert,
-  TIdentityOidcAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
-  TIdentityProjectAdditionalPrivilege,
-  TIdentityProjectAdditionalPrivilegeInsert,
-  TIdentityProjectAdditionalPrivilegeUpdate,
   TIdentityProjectMembershipRole,
   TIdentityProjectMembershipRoleInsert,
   TIdentityProjectMembershipRoleUpdate,
   TIdentityProjectMemberships,
   TIdentityProjectMembershipsInsert,
   TIdentityProjectMembershipsUpdate,
-  TIdentityTokenAuths,
-  TIdentityTokenAuthsInsert,
-  TIdentityTokenAuthsUpdate,
   TIdentityUaClientSecrets,
   TIdentityUaClientSecretsInsert,
   TIdentityUaClientSecretsUpdate,
@@ -128,27 +53,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
-  TInternalKms,
-  TInternalKmsInsert,
-  TInternalKmsUpdate,
-  TKmsKeys,
-  TKmsKeysInsert,
-  TKmsKeysUpdate,
-  TKmsKeyVersions,
-  TKmsKeyVersionsInsert,
-  TKmsKeyVersionsUpdate,
-  TKmsRootConfig,
-  TKmsRootConfigInsert,
-  TKmsRootConfigUpdate,
   TLdapConfigs,
   TLdapConfigsInsert,
   TLdapConfigsUpdate,
-  TLdapGroupMaps,
-  TLdapGroupMapsInsert,
-  TLdapGroupMapsUpdate,
-  TOidcConfigs,
-  TOidcConfigsInsert,
-  TOidcConfigsUpdate,
   TOrganizations,
   TOrganizationsInsert,
   TOrganizationsUpdate,
@@ -179,15 +86,9 @@ import {
   TProjects,
   TProjectsInsert,
   TProjectsUpdate,
-  TProjectUserAdditionalPrivilege,
-  TProjectUserAdditionalPrivilegeInsert,
-  TProjectUserAdditionalPrivilegeUpdate,
   TProjectUserMembershipRoles,
   TProjectUserMembershipRolesInsert,
   TProjectUserMembershipRolesUpdate,
-  TRateLimit,
-  TRateLimitInsert,
-  TRateLimitUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -224,9 +125,6 @@ import {
   TSecretImports,
   TSecretImportsInsert,
   TSecretImportsUpdate,
-  TSecretReferences,
-  TSecretReferencesInsert,
-  TSecretReferencesUpdate,
   TSecretRotationOutputs,
   TSecretRotationOutputsInsert,
   TSecretRotationOutputsUpdate,
@@ -237,9 +135,6 @@ import {
   TSecretScanningGitRisks,
   TSecretScanningGitRisksInsert,
   TSecretScanningGitRisksUpdate,
-  TSecretSharing,
-  TSecretSharingInsert,
-  TSecretSharingUpdate,
   TSecretsInsert,
   TSecretSnapshotFolders,
   TSecretSnapshotFoldersInsert,
@@ -281,9 +176,6 @@ import {
   TUserEncryptionKeys,
   TUserEncryptionKeysInsert,
   TUserEncryptionKeysUpdate,
-  TUserGroupMembership,
-  TUserGroupMembershipInsert,
-  TUserGroupMembershipUpdate,
   TUsers,
   TUsersInsert,
   TUsersUpdate,
@@ -292,383 +184,188 @@ import {
   TWebhooksUpdate
 } from "@app/db/schemas";
 
-declare module "knex" {
-  namespace Knex {
-    interface QueryInterface {
-      primaryNode(): KnexOriginal;
-      replicaNode(): KnexOriginal;
-    }
-  }
-}
-
 declare module "knex/types/tables" {
   interface Tables {
-    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
-    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
-    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
-      TCertificateAuthorities,
-      TCertificateAuthoritiesInsert,
-      TCertificateAuthoritiesUpdate
-    >;
-    [TableName.CertificateAuthorityCert]: KnexOriginal.CompositeTableType<
-      TCertificateAuthorityCerts,
-      TCertificateAuthorityCertsInsert,
-      TCertificateAuthorityCertsUpdate
-    >;
-    [TableName.CertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
-      TCertificateAuthoritySecret,
-      TCertificateAuthoritySecretInsert,
-      TCertificateAuthoritySecretUpdate
-    >;
-    [TableName.CertificateAuthorityCrl]: KnexOriginal.CompositeTableType<
-      TCertificateAuthorityCrl,
-      TCertificateAuthorityCrlInsert,
-      TCertificateAuthorityCrlUpdate
-    >;
-    [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
-    [TableName.CertificateBody]: KnexOriginal.CompositeTableType<
-      TCertificateBodies,
-      TCertificateBodiesInsert,
-      TCertificateBodiesUpdate
-    >;
-    [TableName.CertificateSecret]: KnexOriginal.CompositeTableType<
-      TCertificateSecrets,
-      TCertificateSecretsInsert,
-      TCertificateSecretsUpdate
-    >;
-    [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
-      TUserGroupMembership,
-      TUserGroupMembershipInsert,
-      TUserGroupMembershipUpdate
-    >;
-    [TableName.GroupProjectMembership]: KnexOriginal.CompositeTableType<
-      TGroupProjectMemberships,
-      TGroupProjectMembershipsInsert,
-      TGroupProjectMembershipsUpdate
-    >;
-    [TableName.GroupProjectMembershipRole]: KnexOriginal.CompositeTableType<
-      TGroupProjectMembershipRoles,
-      TGroupProjectMembershipRolesInsert,
-      TGroupProjectMembershipRolesUpdate
-    >;
-    [TableName.UserAliases]: KnexOriginal.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
-    [TableName.UserEncryptionKey]: KnexOriginal.CompositeTableType<
+    [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
+    [TableName.UserAliases]: Knex.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
+    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
       TUserEncryptionKeys,
       TUserEncryptionKeysInsert,
       TUserEncryptionKeysUpdate
     >;
-    [TableName.AuthTokens]: KnexOriginal.CompositeTableType<TAuthTokens, TAuthTokensInsert, TAuthTokensUpdate>;
-    [TableName.AuthTokenSession]: KnexOriginal.CompositeTableType<
+    [TableName.AuthTokens]: Knex.CompositeTableType<TAuthTokens, TAuthTokensInsert, TAuthTokensUpdate>;
+    [TableName.AuthTokenSession]: Knex.CompositeTableType<
       TAuthTokenSessions,
       TAuthTokenSessionsInsert,
       TAuthTokenSessionsUpdate
     >;
-    [TableName.BackupPrivateKey]: KnexOriginal.CompositeTableType<
+    [TableName.BackupPrivateKey]: Knex.CompositeTableType<
       TBackupPrivateKey,
       TBackupPrivateKeyInsert,
       TBackupPrivateKeyUpdate
     >;
-    [TableName.Organization]: KnexOriginal.CompositeTableType<
-      TOrganizations,
-      TOrganizationsInsert,
-      TOrganizationsUpdate
-    >;
-    [TableName.OrgMembership]: KnexOriginal.CompositeTableType<
-      TOrgMemberships,
-      TOrgMembershipsInsert,
-      TOrgMembershipsUpdate
-    >;
-    [TableName.OrgRoles]: KnexOriginal.CompositeTableType<TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate>;
-    [TableName.IncidentContact]: KnexOriginal.CompositeTableType<
+    [TableName.Organization]: Knex.CompositeTableType<TOrganizations, TOrganizationsInsert, TOrganizationsUpdate>;
+    [TableName.OrgMembership]: Knex.CompositeTableType<TOrgMemberships, TOrgMembershipsInsert, TOrgMembershipsUpdate>;
+    [TableName.OrgRoles]: Knex.CompositeTableType<TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate>;
+    [TableName.IncidentContact]: Knex.CompositeTableType<
       TIncidentContacts,
       TIncidentContactsInsert,
       TIncidentContactsUpdate
     >;
-    [TableName.UserAction]: KnexOriginal.CompositeTableType<TUserActions, TUserActionsInsert, TUserActionsUpdate>;
-    [TableName.SuperAdmin]: KnexOriginal.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
-    [TableName.ApiKey]: KnexOriginal.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
-    [TableName.Project]: KnexOriginal.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
-    [TableName.ProjectMembership]: KnexOriginal.CompositeTableType<
+    [TableName.UserAction]: Knex.CompositeTableType<TUserActions, TUserActionsInsert, TUserActionsUpdate>;
+    [TableName.SuperAdmin]: Knex.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
+    [TableName.ApiKey]: Knex.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
+    [TableName.Project]: Knex.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
+    [TableName.ProjectMembership]: Knex.CompositeTableType<
       TProjectMemberships,
       TProjectMembershipsInsert,
       TProjectMembershipsUpdate
     >;
-    [TableName.Environment]: KnexOriginal.CompositeTableType<
+    [TableName.Environment]: Knex.CompositeTableType<
       TProjectEnvironments,
       TProjectEnvironmentsInsert,
       TProjectEnvironmentsUpdate
     >;
-    [TableName.ProjectBot]: KnexOriginal.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
-    [TableName.ProjectUserMembershipRole]: KnexOriginal.CompositeTableType<
+    [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
+    [TableName.ProjectUserMembershipRole]: Knex.CompositeTableType<
       TProjectUserMembershipRoles,
       TProjectUserMembershipRolesInsert,
       TProjectUserMembershipRolesUpdate
     >;
-    [TableName.ProjectRoles]: KnexOriginal.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
-    [TableName.ProjectUserAdditionalPrivilege]: KnexOriginal.CompositeTableType<
-      TProjectUserAdditionalPrivilege,
-      TProjectUserAdditionalPrivilegeInsert,
-      TProjectUserAdditionalPrivilegeUpdate
-    >;
-    [TableName.ProjectKeys]: KnexOriginal.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
-    [TableName.Secret]: KnexOriginal.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
-    [TableName.SecretReference]: KnexOriginal.CompositeTableType<
-      TSecretReferences,
-      TSecretReferencesInsert,
-      TSecretReferencesUpdate
-    >;
-    [TableName.SecretBlindIndex]: KnexOriginal.CompositeTableType<
+    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
+    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
+    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
+    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
       TSecretBlindIndexes,
       TSecretBlindIndexesInsert,
       TSecretBlindIndexesUpdate
     >;
-    [TableName.SecretVersion]: KnexOriginal.CompositeTableType<
-      TSecretVersions,
-      TSecretVersionsInsert,
-      TSecretVersionsUpdate
-    >;
-    [TableName.SecretFolder]: KnexOriginal.CompositeTableType<
-      TSecretFolders,
-      TSecretFoldersInsert,
-      TSecretFoldersUpdate
-    >;
-    [TableName.SecretFolderVersion]: KnexOriginal.CompositeTableType<
+    [TableName.SecretVersion]: Knex.CompositeTableType<TSecretVersions, TSecretVersionsInsert, TSecretVersionsUpdate>;
+    [TableName.SecretFolder]: Knex.CompositeTableType<TSecretFolders, TSecretFoldersInsert, TSecretFoldersUpdate>;
+    [TableName.SecretFolderVersion]: Knex.CompositeTableType<
       TSecretFolderVersions,
       TSecretFolderVersionsInsert,
       TSecretFolderVersionsUpdate
     >;
-    [TableName.SecretSharing]: KnexOriginal.CompositeTableType<
-      TSecretSharing,
-      TSecretSharingInsert,
-      TSecretSharingUpdate
-    >;
-    [TableName.RateLimit]: KnexOriginal.CompositeTableType<TRateLimit, TRateLimitInsert, TRateLimitUpdate>;
-    [TableName.SecretTag]: KnexOriginal.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
-    [TableName.SecretImport]: KnexOriginal.CompositeTableType<
-      TSecretImports,
-      TSecretImportsInsert,
-      TSecretImportsUpdate
-    >;
-    [TableName.Integration]: KnexOriginal.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
-    [TableName.Webhook]: KnexOriginal.CompositeTableType<TWebhooks, TWebhooksInsert, TWebhooksUpdate>;
-    [TableName.ServiceToken]: KnexOriginal.CompositeTableType<
-      TServiceTokens,
-      TServiceTokensInsert,
-      TServiceTokensUpdate
-    >;
-    [TableName.IntegrationAuth]: KnexOriginal.CompositeTableType<
+    [TableName.SecretTag]: Knex.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
+    [TableName.SecretImport]: Knex.CompositeTableType<TSecretImports, TSecretImportsInsert, TSecretImportsUpdate>;
+    [TableName.Integration]: Knex.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
+    [TableName.Webhook]: Knex.CompositeTableType<TWebhooks, TWebhooksInsert, TWebhooksUpdate>;
+    [TableName.ServiceToken]: Knex.CompositeTableType<TServiceTokens, TServiceTokensInsert, TServiceTokensUpdate>;
+    [TableName.IntegrationAuth]: Knex.CompositeTableType<
       TIntegrationAuths,
       TIntegrationAuthsInsert,
       TIntegrationAuthsUpdate
     >;
-    [TableName.Identity]: KnexOriginal.CompositeTableType<TIdentities, TIdentitiesInsert, TIdentitiesUpdate>;
-    [TableName.IdentityTokenAuth]: KnexOriginal.CompositeTableType<
-      TIdentityTokenAuths,
-      TIdentityTokenAuthsInsert,
-      TIdentityTokenAuthsUpdate
-    >;
-    [TableName.IdentityUniversalAuth]: KnexOriginal.CompositeTableType<
+    [TableName.Identity]: Knex.CompositeTableType<TIdentities, TIdentitiesInsert, TIdentitiesUpdate>;
+    [TableName.IdentityUniversalAuth]: Knex.CompositeTableType<
       TIdentityUniversalAuths,
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
-    [TableName.IdentityKubernetesAuth]: KnexOriginal.CompositeTableType<
-      TIdentityKubernetesAuths,
-      TIdentityKubernetesAuthsInsert,
-      TIdentityKubernetesAuthsUpdate
-    >;
-    [TableName.IdentityGcpAuth]: KnexOriginal.CompositeTableType<
-      TIdentityGcpAuths,
-      TIdentityGcpAuthsInsert,
-      TIdentityGcpAuthsUpdate
-    >;
-    [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
-      TIdentityAwsAuths,
-      TIdentityAwsAuthsInsert,
-      TIdentityAwsAuthsUpdate
-    >;
-    [TableName.IdentityAzureAuth]: KnexOriginal.CompositeTableType<
-      TIdentityAzureAuths,
-      TIdentityAzureAuthsInsert,
-      TIdentityAzureAuthsUpdate
-    >;
-    [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
-      TIdentityOidcAuths,
-      TIdentityOidcAuthsInsert,
-      TIdentityOidcAuthsUpdate
-    >;
-    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
+    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,
       TIdentityUaClientSecretsUpdate
     >;
-    [TableName.IdentityAccessToken]: KnexOriginal.CompositeTableType<
+    [TableName.IdentityAccessToken]: Knex.CompositeTableType<
       TIdentityAccessTokens,
       TIdentityAccessTokensInsert,
       TIdentityAccessTokensUpdate
     >;
-    [TableName.IdentityOrgMembership]: KnexOriginal.CompositeTableType<
+    [TableName.IdentityOrgMembership]: Knex.CompositeTableType<
       TIdentityOrgMemberships,
       TIdentityOrgMembershipsInsert,
       TIdentityOrgMembershipsUpdate
     >;
-    [TableName.IdentityProjectMembership]: KnexOriginal.CompositeTableType<
+    [TableName.IdentityProjectMembership]: Knex.CompositeTableType<
       TIdentityProjectMemberships,
       TIdentityProjectMembershipsInsert,
       TIdentityProjectMembershipsUpdate
     >;
-    [TableName.IdentityProjectMembershipRole]: KnexOriginal.CompositeTableType<
+    [TableName.IdentityProjectMembershipRole]: Knex.CompositeTableType<
       TIdentityProjectMembershipRole,
       TIdentityProjectMembershipRoleInsert,
       TIdentityProjectMembershipRoleUpdate
     >;
-    [TableName.IdentityProjectAdditionalPrivilege]: KnexOriginal.CompositeTableType<
-      TIdentityProjectAdditionalPrivilege,
-      TIdentityProjectAdditionalPrivilegeInsert,
-      TIdentityProjectAdditionalPrivilegeUpdate
-    >;
-
-    [TableName.AccessApprovalPolicy]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPolicies,
-      TAccessApprovalPoliciesInsert,
-      TAccessApprovalPoliciesUpdate
-    >;
-
-    [TableName.AccessApprovalPolicyApprover]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesApprovers,
-      TAccessApprovalPoliciesApproversInsert,
-      TAccessApprovalPoliciesApproversUpdate
-    >;
-
-    [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
-      TAccessApprovalRequests,
-      TAccessApprovalRequestsInsert,
-      TAccessApprovalRequestsUpdate
-    >;
-
-    [TableName.AccessApprovalRequestReviewer]: KnexOriginal.CompositeTableType<
-      TAccessApprovalRequestsReviewers,
-      TAccessApprovalRequestsReviewersInsert,
-      TAccessApprovalRequestsReviewersUpdate
-    >;
-
-    [TableName.ScimToken]: KnexOriginal.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
-    [TableName.SecretApprovalPolicy]: KnexOriginal.CompositeTableType<
+    [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
+    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
       TSecretApprovalPolicies,
       TSecretApprovalPoliciesInsert,
       TSecretApprovalPoliciesUpdate
     >;
-    [TableName.SecretApprovalPolicyApprover]: KnexOriginal.CompositeTableType<
+    [TableName.SecretApprovalPolicyApprover]: Knex.CompositeTableType<
       TSecretApprovalPoliciesApprovers,
       TSecretApprovalPoliciesApproversInsert,
       TSecretApprovalPoliciesApproversUpdate
     >;
-    [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
+    [TableName.SecretApprovalRequest]: Knex.CompositeTableType<
       TSecretApprovalRequests,
       TSecretApprovalRequestsInsert,
       TSecretApprovalRequestsUpdate
     >;
-    [TableName.SecretApprovalRequestReviewer]: KnexOriginal.CompositeTableType<
+    [TableName.SecretApprovalRequestReviewer]: Knex.CompositeTableType<
       TSecretApprovalRequestsReviewers,
       TSecretApprovalRequestsReviewersInsert,
       TSecretApprovalRequestsReviewersUpdate
     >;
-    [TableName.SecretApprovalRequestSecret]: KnexOriginal.CompositeTableType<
+    [TableName.SecretApprovalRequestSecret]: Knex.CompositeTableType<
       TSecretApprovalRequestsSecrets,
       TSecretApprovalRequestsSecretsInsert,
       TSecretApprovalRequestsSecretsUpdate
     >;
-    [TableName.SecretApprovalRequestSecretTag]: KnexOriginal.CompositeTableType<
+    [TableName.SecretApprovalRequestSecretTag]: Knex.CompositeTableType<
       TSecretApprovalRequestSecretTags,
       TSecretApprovalRequestSecretTagsInsert,
       TSecretApprovalRequestSecretTagsUpdate
     >;
-    [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
+    [TableName.SecretRotation]: Knex.CompositeTableType<
       TSecretRotations,
       TSecretRotationsInsert,
       TSecretRotationsUpdate
     >;
-    [TableName.SecretRotationOutput]: KnexOriginal.CompositeTableType<
+    [TableName.SecretRotationOutput]: Knex.CompositeTableType<
       TSecretRotationOutputs,
       TSecretRotationOutputsInsert,
       TSecretRotationOutputsUpdate
     >;
-    [TableName.Snapshot]: KnexOriginal.CompositeTableType<
-      TSecretSnapshots,
-      TSecretSnapshotsInsert,
-      TSecretSnapshotsUpdate
-    >;
-    [TableName.SnapshotSecret]: KnexOriginal.CompositeTableType<
+    [TableName.Snapshot]: Knex.CompositeTableType<TSecretSnapshots, TSecretSnapshotsInsert, TSecretSnapshotsUpdate>;
+    [TableName.SnapshotSecret]: Knex.CompositeTableType<
       TSecretSnapshotSecrets,
       TSecretSnapshotSecretsInsert,
       TSecretSnapshotSecretsUpdate
     >;
-    [TableName.SnapshotFolder]: KnexOriginal.CompositeTableType<
+    [TableName.SnapshotFolder]: Knex.CompositeTableType<
       TSecretSnapshotFolders,
       TSecretSnapshotFoldersInsert,
       TSecretSnapshotFoldersUpdate
     >;
-    [TableName.DynamicSecret]: KnexOriginal.CompositeTableType<
-      TDynamicSecrets,
-      TDynamicSecretsInsert,
-      TDynamicSecretsUpdate
-    >;
-    [TableName.DynamicSecretLease]: KnexOriginal.CompositeTableType<
-      TDynamicSecretLeases,
-      TDynamicSecretLeasesInsert,
-      TDynamicSecretLeasesUpdate
-    >;
-    [TableName.SamlConfig]: KnexOriginal.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
-    [TableName.OidcConfig]: KnexOriginal.CompositeTableType<TOidcConfigs, TOidcConfigsInsert, TOidcConfigsUpdate>;
-    [TableName.LdapConfig]: KnexOriginal.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
-    [TableName.LdapGroupMap]: KnexOriginal.CompositeTableType<
-      TLdapGroupMaps,
-      TLdapGroupMapsInsert,
-      TLdapGroupMapsUpdate
-    >;
-    [TableName.OrgBot]: KnexOriginal.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
-    [TableName.AuditLog]: KnexOriginal.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
-    [TableName.AuditLogStream]: KnexOriginal.CompositeTableType<
-      TAuditLogStreams,
-      TAuditLogStreamsInsert,
-      TAuditLogStreamsUpdate
-    >;
-    [TableName.GitAppInstallSession]: KnexOriginal.CompositeTableType<
+    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
+    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
+    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
+    [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
+    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
       TGitAppInstallSessions,
       TGitAppInstallSessionsInsert,
       TGitAppInstallSessionsUpdate
     >;
-    [TableName.GitAppOrg]: KnexOriginal.CompositeTableType<TGitAppOrg, TGitAppOrgInsert, TGitAppOrgUpdate>;
-    [TableName.SecretScanningGitRisk]: KnexOriginal.CompositeTableType<
+    [TableName.GitAppOrg]: Knex.CompositeTableType<TGitAppOrg, TGitAppOrgInsert, TGitAppOrgUpdate>;
+    [TableName.SecretScanningGitRisk]: Knex.CompositeTableType<
       TSecretScanningGitRisks,
       TSecretScanningGitRisksInsert,
       TSecretScanningGitRisksUpdate
     >;
-    [TableName.TrustedIps]: KnexOriginal.CompositeTableType<TTrustedIps, TTrustedIpsInsert, TTrustedIpsUpdate>;
+    [TableName.TrustedIps]: Knex.CompositeTableType<TTrustedIps, TTrustedIpsInsert, TTrustedIpsUpdate>;
     // Junction tables
-    [TableName.JnSecretTag]: KnexOriginal.CompositeTableType<
+    [TableName.JnSecretTag]: Knex.CompositeTableType<
       TSecretTagJunction,
       TSecretTagJunctionInsert,
       TSecretTagJunctionUpdate
     >;
-    [TableName.SecretVersionTag]: KnexOriginal.CompositeTableType<
+    [TableName.SecretVersionTag]: Knex.CompositeTableType<
       TSecretVersionTagJunction,
       TSecretVersionTagJunctionInsert,
       TSecretVersionTagJunctionUpdate
     >;
-    // KMS service
-    [TableName.KmsServerRootConfig]: KnexOriginal.CompositeTableType<
-      TKmsRootConfig,
-      TKmsRootConfigInsert,
-      TKmsRootConfigUpdate
-    >;
-    [TableName.InternalKms]: KnexOriginal.CompositeTableType<TInternalKms, TInternalKmsInsert, TInternalKmsUpdate>;
-    [TableName.ExternalKms]: KnexOriginal.CompositeTableType<TExternalKms, TExternalKmsInsert, TExternalKmsUpdate>;
-    [TableName.KmsKey]: KnexOriginal.CompositeTableType<TKmsKeys, TKmsKeysInsert, TKmsKeysUpdate>;
-    [TableName.KmsKeyVersion]: KnexOriginal.CompositeTableType<
-      TKmsKeyVersions,
-      TKmsKeyVersionsInsert,
-      TKmsKeyVersionsUpdate
-    >;
   }
 }

backend/src/db/instance.ts

@@ -1,38 +1,8 @@
-import knex, { Knex } from "knex";
+import knex from "knex";
 
 export type TDbClient = ReturnType<typeof initDbConnection>;
-export const initDbConnection = ({
-  dbConnectionUri,
-  dbRootCert,
-  readReplicas = []
-}: {
-  dbConnectionUri: string;
-  dbRootCert?: string;
-  readReplicas?: {
-    dbConnectionUri: string;
-    dbRootCert?: string;
-  }[];
-}) => {
-  // akhilmhdh: the default Knex is knex.Knex<any, any[]>. but when assigned with knex({<config>}) the value is knex.Knex<any, unknown[]>
-  // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[]
-  // eslint-disable-next-line
-  let db: Knex<any, unknown[]>;
-  // eslint-disable-next-line
-  let readReplicaDbs: Knex<any, unknown[]>[];
-  // @ts-expect-error the querybuilder type is expected but our intension is to return  a knex instance
-  knex.QueryBuilder.extend("primaryNode", () => {
-    return db;
-  });
-
-  // @ts-expect-error the querybuilder type is expected but our intension is to return  a knex instance
-  knex.QueryBuilder.extend("replicaNode", () => {
-    if (!readReplicaDbs.length) return db;
-
-    const selectedReplica = readReplicaDbs[Math.floor(Math.random() * readReplicaDbs.length)];
-    return selectedReplica;
-  });
-
-  db = knex({
+export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnectionUri: string; dbRootCert?: string }) => {
+  const db = knex({
     client: "pg",
     connection: {
       connectionString: dbConnectionUri,
@@ -52,21 +22,5 @@ export const initDbConnection = ({
     }
   });
 
-  readReplicaDbs = readReplicas.map((el) => {
-    const replicaDbCertificate = el.dbRootCert || dbRootCert;
-    return knex({
-      client: "pg",
-      connection: {
-        connectionString: el.dbConnectionUri,
-        ssl: replicaDbCertificate
-          ? {
-              rejectUnauthorized: true,
-              ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii")
-            }
-          : false
-      }
-    });
-  });
-
   return db;
 };

backend/src/db/migrations/20240318164718_dynamic-secret.ts

@@ -1,58 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.DynamicSecret);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.DynamicSecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").notNullable();
-      t.string("type").notNullable();
-      t.string("defaultTTL").notNullable();
-      t.string("maxTTL");
-      t.string("inputIV").notNullable();
-      t.text("inputCiphertext").notNullable();
-      t.string("inputTag").notNullable();
-      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.uuid("folderId").notNullable();
-      // for background process communication
-      t.string("status");
-      t.string("statusDetails");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.unique(["name", "folderId"]);
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.DynamicSecret);
-
-  const doesTableDynamicSecretLease = await knex.schema.hasTable(TableName.DynamicSecretLease);
-  if (!doesTableDynamicSecretLease) {
-    await knex.schema.createTable(TableName.DynamicSecretLease, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").notNullable();
-      t.string("externalEntityId").notNullable();
-      t.datetime("expireAt").notNullable();
-      // for background process communication
-      t.string("status");
-      t.string("statusDetails");
-      t.uuid("dynamicSecretId").notNullable();
-      t.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.DynamicSecretLease);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.DynamicSecretLease);
-  await knex.schema.dropTableIfExists(TableName.DynamicSecretLease);
-
-  await dropOnUpdateTrigger(knex, TableName.DynamicSecret);
-  await knex.schema.dropTableIfExists(TableName.DynamicSecret);
-}

backend/src/db/migrations/20240326172010_project-user-additional-privilege.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ProjectUserAdditionalPrivilege))) {
-    await knex.schema.createTable(TableName.ProjectUserAdditionalPrivilege, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("slug", 60).notNullable();
-      t.uuid("projectMembershipId").notNullable();
-      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      t.boolean("isTemporary").notNullable().defaultTo(false);
-      t.string("temporaryMode");
-      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
-      t.datetime("temporaryAccessStartTime");
-      t.datetime("temporaryAccessEndTime");
-      t.jsonb("permissions").notNullable();
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.ProjectUserAdditionalPrivilege);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.ProjectUserAdditionalPrivilege);
-  await knex.schema.dropTableIfExists(TableName.ProjectUserAdditionalPrivilege);
-}

backend/src/db/migrations/20240326172011_machine-identity-additional-privilege.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityProjectAdditionalPrivilege))) {
-    await knex.schema.createTable(TableName.IdentityProjectAdditionalPrivilege, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("slug", 60).notNullable();
-      t.uuid("projectMembershipId").notNullable();
-      t.foreign("projectMembershipId")
-        .references("id")
-        .inTable(TableName.IdentityProjectMembership)
-        .onDelete("CASCADE");
-      t.boolean("isTemporary").notNullable().defaultTo(false);
-      t.string("temporaryMode");
-      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
-      t.datetime("temporaryAccessStartTime");
-      t.datetime("temporaryAccessEndTime");
-      t.jsonb("permissions").notNullable();
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityProjectAdditionalPrivilege);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.IdentityProjectAdditionalPrivilege);
-  await knex.schema.dropTableIfExists(TableName.IdentityProjectAdditionalPrivilege);
-}

backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts

@@ -1,112 +0,0 @@
-import { Knex } from "knex";
-import { z } from "zod";
-
-import { TableName, TOrgMemberships } from "../schemas";
-
-const validateOrgMembership = (membershipToValidate: TOrgMemberships, firstMembership: TOrgMemberships) => {
-  const firstOrgId = firstMembership.orgId;
-  const firstUserId = firstMembership.userId;
-
-  if (membershipToValidate.id === firstMembership.id) {
-    return;
-  }
-
-  if (membershipToValidate.inviteEmail !== firstMembership.inviteEmail) {
-    throw new Error(`Invite emails are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
-  }
-  if (membershipToValidate.orgId !== firstMembership.orgId) {
-    throw new Error(`OrgIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
-  }
-  if (membershipToValidate.role !== firstMembership.role) {
-    throw new Error(`Roles are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
-  }
-  if (membershipToValidate.roleId !== firstMembership.roleId) {
-    throw new Error(`RoleIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
-  }
-  if (membershipToValidate.status !== firstMembership.status) {
-    throw new Error(`Statuses are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
-  }
-  if (membershipToValidate.userId !== firstMembership.userId) {
-    throw new Error(`UserIds are different for the same userId and orgId: ${firstUserId}, ${firstOrgId}`);
-  }
-};
-
-export async function up(knex: Knex): Promise<void> {
-  const RowSchema = z.object({
-    userId: z.string(),
-    orgId: z.string(),
-    cnt: z.string()
-  });
-
-  // Transactional find and delete duplicate rows
-  await knex.transaction(async (tx) => {
-    const duplicateRows = await tx(TableName.OrgMembership)
-      .select("userId", "orgId") // Select the userId and orgId so we can group by them
-      .whereNotNull("userId") // Ensure that the userId is not null
-      .count("* as cnt") // Count the number of rows for each userId and orgId, so we can make sure there are more than 1 row (a duplicate)
-      .groupBy("userId", "orgId")
-      .havingRaw("count(*) > ?", [1]); // Using havingRaw for direct SQL expressions
-
-    // Parse the rows to ensure they are in the correct format, and for type safety
-    const parsedRows = RowSchema.array().parse(duplicateRows);
-
-    // For each of the duplicate rows, loop through and find the actual memberships to delete
-    for (const row of parsedRows) {
-      const count = Number(row.cnt);
-
-      // An extra check to ensure that the count is actually a number, and the number is greater than 2
-      if (typeof count !== "number" || count < 2) {
-        // eslint-disable-next-line no-continue
-        continue;
-      }
-
-      // Find all the organization memberships that have the same userId and orgId
-      // eslint-disable-next-line no-await-in-loop
-      const rowsToDelete = await tx(TableName.OrgMembership).where({
-        userId: row.userId,
-        orgId: row.orgId
-      });
-
-      // Ensure that all the rows have exactly the same value, except id, createdAt, updatedAt
-      for (const rowToDelete of rowsToDelete) {
-        validateOrgMembership(rowToDelete, rowsToDelete[0]);
-      }
-
-      // Find the row with the latest createdAt, which we will keep
-
-      let lowestCreatedAt: number | null = null;
-      let latestCreatedRow: TOrgMemberships | null = null;
-
-      for (const rowToDelete of rowsToDelete) {
-        if (lowestCreatedAt === null || rowToDelete.createdAt.getTime() < lowestCreatedAt) {
-          lowestCreatedAt = rowToDelete.createdAt.getTime();
-          latestCreatedRow = rowToDelete;
-        }
-      }
-      if (!latestCreatedRow) {
-        throw new Error("Failed to find last created membership");
-      }
-
-      // Filter out the latest row from the rows to delete
-      const membershipIdsToDelete = rowsToDelete.map((r) => r.id).filter((id) => id !== latestCreatedRow!.id);
-
-      // eslint-disable-next-line no-await-in-loop
-      const numberOfRowsDeleted = await tx(TableName.OrgMembership).whereIn("id", membershipIdsToDelete).delete();
-
-      // eslint-disable-next-line no-console
-      console.log(
-        `Deleted ${numberOfRowsDeleted} duplicate organization memberships for ${row.userId} and ${row.orgId}`
-      );
-    }
-  });
-
-  await knex.schema.alterTable(TableName.OrgMembership, (table) => {
-    table.unique(["userId", "orgId"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.OrgMembership, (table) => {
-    table.dropUnique(["userId", "orgId"]);
-  });
-}

backend/src/db/migrations/20240412174842_group.ts

@@ -1,82 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Groups))) {
-    await knex.schema.createTable(TableName.Groups, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.unique(["orgId", "slug"]);
-      t.string("role").notNullable();
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.Groups);
-
-  if (!(await knex.schema.hasTable(TableName.UserGroupMembership))) {
-    await knex.schema.createTable(TableName.UserGroupMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid()); // link to user and link to groups cascade on groups
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("groupId").notNullable();
-      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.UserGroupMembership);
-
-  if (!(await knex.schema.hasTable(TableName.GroupProjectMembership))) {
-    await knex.schema.createTable(TableName.GroupProjectMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("groupId").notNullable();
-      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.GroupProjectMembership);
-
-  if (!(await knex.schema.hasTable(TableName.GroupProjectMembershipRole))) {
-    await knex.schema.createTable(TableName.GroupProjectMembershipRole, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.uuid("projectMembershipId").notNullable();
-      t.foreign("projectMembershipId").references("id").inTable(TableName.GroupProjectMembership).onDelete("CASCADE");
-      // until role is changed/removed the role should not deleted
-      t.uuid("customRoleId");
-      t.foreign("customRoleId").references("id").inTable(TableName.ProjectRoles);
-      t.boolean("isTemporary").notNullable().defaultTo(false);
-      t.string("temporaryMode");
-      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
-      t.datetime("temporaryAccessStartTime");
-      t.datetime("temporaryAccessEndTime");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.GroupProjectMembershipRole);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.GroupProjectMembershipRole);
-  await dropOnUpdateTrigger(knex, TableName.GroupProjectMembershipRole);
-
-  await knex.schema.dropTableIfExists(TableName.UserGroupMembership);
-  await dropOnUpdateTrigger(knex, TableName.UserGroupMembership);
-
-  await knex.schema.dropTableIfExists(TableName.GroupProjectMembership);
-  await dropOnUpdateTrigger(knex, TableName.GroupProjectMembership);
-
-  await knex.schema.dropTableIfExists(TableName.Groups);
-  await dropOnUpdateTrigger(knex, TableName.Groups);
-}

backend/src/db/migrations/20240414192520_drop-role-roleid-project-membership.ts

@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { ProjectMembershipRole, TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
-  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
-  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
-    if (doesProjectRoleFieldExist) t.dropColumn("roleId");
-    if (doesProjectRoleIdFieldExist) t.dropColumn("role");
-  });
-
-  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
-  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
-    TableName.IdentityProjectMembership,
-    "roleId"
-  );
-  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
-    if (doesIdentityProjectRoleFieldExist) t.dropColumn("roleId");
-    if (doesIdentityProjectRoleIdFieldExist) t.dropColumn("role");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesProjectRoleFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "role");
-  const doesProjectRoleIdFieldExist = await knex.schema.hasColumn(TableName.ProjectMembership, "roleId");
-  await knex.schema.alterTable(TableName.ProjectMembership, (t) => {
-    if (!doesProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
-    if (!doesProjectRoleIdFieldExist) {
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-    }
-  });
-
-  const doesIdentityProjectRoleFieldExist = await knex.schema.hasColumn(TableName.IdentityProjectMembership, "role");
-  const doesIdentityProjectRoleIdFieldExist = await knex.schema.hasColumn(
-    TableName.IdentityProjectMembership,
-    "roleId"
-  );
-  await knex.schema.alterTable(TableName.IdentityProjectMembership, (t) => {
-    if (!doesIdentityProjectRoleFieldExist) t.string("role").defaultTo(ProjectMembershipRole.Member);
-    if (!doesIdentityProjectRoleIdFieldExist) {
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-    }
-  });
-}

backend/src/db/migrations/20240417032913_pending-group-addition.ts

@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.UserGroupMembership, (t) => {
-    t.boolean("isPending").notNullable().defaultTo(false);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.UserGroupMembership, (t) => {
-    t.dropColumn("isPending");
-  });
-}

backend/src/db/migrations/20240423023203_ldap-config-groups.ts

@@ -1,34 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.LdapGroupMap))) {
-    await knex.schema.createTable(TableName.LdapGroupMap, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("ldapConfigId").notNullable();
-      t.foreign("ldapConfigId").references("id").inTable(TableName.LdapConfig).onDelete("CASCADE");
-      t.string("ldapGroupCN").notNullable();
-      t.uuid("groupId").notNullable();
-      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      t.unique(["ldapGroupCN", "groupId", "ldapConfigId"]);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.LdapGroupMap);
-
-  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-    t.string("groupSearchBase").notNullable().defaultTo("");
-    t.string("groupSearchFilter").notNullable().defaultTo("");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.LdapGroupMap);
-  await dropOnUpdateTrigger(knex, TableName.LdapGroupMap);
-  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-    t.dropColumn("groupSearchBase");
-    t.dropColumn("groupSearchFilter");
-  });
-}

backend/src/db/migrations/20240424235842_user-search-filter.ts

@@ -1,15 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-    t.string("searchFilter").notNullable().defaultTo("");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-    t.dropColumn("searchFilter");
-  });
-}

backend/src/db/migrations/20240429154610_audit-log-index.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist && doesCreatedAtExist) t.index(["projectId", "createdAt"]);
-      if (doesOrgIdExist && doesCreatedAtExist) t.index(["orgId", "createdAt"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist && doesCreatedAtExist) t.dropIndex(["projectId", "createdAt"]);
-      if (doesOrgIdExist && doesCreatedAtExist) t.dropIndex(["orgId", "createdAt"]);
-    });
-  }
-}

backend/src/db/migrations/20240503101144_audit-log-stream.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AuditLogStream))) {
-    await knex.schema.createTable(TableName.AuditLogStream, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("url").notNullable();
-      t.text("encryptedHeadersCiphertext");
-      t.text("encryptedHeadersIV");
-      t.text("encryptedHeadersTag");
-      t.string("encryptedHeadersAlgorithm");
-      t.string("encryptedHeadersKeyEncoding");
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.AuditLogStream);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.AuditLogStream);
-  await knex.schema.dropTableIfExists(TableName.AuditLogStream);
-}

backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts

@@ -1,54 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isUsersTablePresent = await knex.schema.hasTable(TableName.Users);
-  if (isUsersTablePresent) {
-    const hasIsEmailVerifiedColumn = await knex.schema.hasColumn(TableName.Users, "isEmailVerified");
-
-    if (!hasIsEmailVerifiedColumn) {
-      await knex.schema.alterTable(TableName.Users, (t) => {
-        t.boolean("isEmailVerified").defaultTo(false);
-      });
-    }
-
-    // Backfilling the isEmailVerified to true where isAccepted is true
-    await knex(TableName.Users).update({ isEmailVerified: true }).where("isAccepted", true);
-  }
-
-  const isUserAliasTablePresent = await knex.schema.hasTable(TableName.UserAliases);
-  if (isUserAliasTablePresent) {
-    await knex.schema.alterTable(TableName.UserAliases, (t) => {
-      t.string("username").nullable().alter();
-    });
-  }
-
-  const isSuperAdminTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
-  if (isSuperAdminTablePresent) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.boolean("trustSamlEmails").defaultTo(false);
-      t.boolean("trustLdapEmails").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Users, "isEmailVerified")) {
-    await knex.schema.alterTable(TableName.Users, (t) => {
-      t.dropColumn("isEmailVerified");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustSamlEmails")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("trustSamlEmails");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustLdapEmails")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("trustLdapEmails");
-    });
-  }
-}

backend/src/db/migrations/20240507162140_access-approval-policy.ts

@@ -1,41 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicy))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicy, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("approvals").defaultTo(1).notNullable();
-      t.string("secretPath");
-
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyApprover, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("approverId").notNullable();
-      t.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyApprover);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicy);
-
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
-}

backend/src/db/migrations/20240507162141_access.ts

@@ -1,51 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequest))) {
-    await knex.schema.createTable(TableName.AccessApprovalRequest, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-
-      t.uuid("privilegeId").nullable();
-      t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
-
-      t.uuid("requestedBy").notNullable();
-      t.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-
-      // We use these values to create the actual privilege at a later point in time.
-      t.boolean("isTemporary").notNullable();
-      t.string("temporaryRange").nullable();
-
-      t.jsonb("permissions").notNullable();
-
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
-
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequestReviewer))) {
-    await knex.schema.createTable(TableName.AccessApprovalRequestReviewer, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("member").notNullable();
-      t.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      t.string("status").notNullable();
-      t.uuid("requestId").notNullable();
-      t.foreign("requestId").references("id").inTable(TableName.AccessApprovalRequest).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequestReviewer);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequest);
-
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
-}

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("stsEndpoint").notNullable();
-      t.string("allowedPrincipalArns").notNullable();
-      t.string("allowedAccountIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}

backend/src/db/migrations/20240514041650_identity-gcp-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
-    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("allowedServiceAccounts").notNullable();
-      t.string("allowedProjects").notNullable();
-      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}

backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
-    await knex.schema.createTable(TableName.SecretReference, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("environment").notNullable();
-      t.string("secretPath").notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretReference);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretReference);
-  await dropOnUpdateTrigger(knex, TableName.SecretReference);
-}

backend/src/db/migrations/20240518142614_kubernetes-auth.ts

@@ -1,36 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
-    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("kubernetesHost").notNullable();
-      t.text("encryptedCaCert").notNullable();
-      t.string("caCertIV").notNullable();
-      t.string("caCertTag").notNullable();
-      t.text("encryptedTokenReviewerJwt").notNullable();
-      t.string("tokenReviewerJwtIV").notNullable();
-      t.string("tokenReviewerJwtTag").notNullable();
-      t.string("allowedNamespaces").notNullable();
-      t.string("allowedNames").notNullable();
-      t.string("allowedAudience").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}

backend/src/db/migrations/20240520064127_add-integration-sync-status.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (!hasIsSyncedColumn) {
-      t.boolean("isSynced").nullable();
-    }
-
-    if (!hasSyncMessageColumn) {
-      t.text("syncMessage").nullable();
-    }
-
-    if (!hasLastSyncJobId) {
-      t.string("lastSyncJobId").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (hasIsSyncedColumn) {
-      t.dropColumn("isSynced");
-    }
-
-    if (hasSyncMessageColumn) {
-      t.dropColumn("syncMessage");
-    }
-
-    if (hasLastSyncJobId) {
-      t.dropColumn("lastSyncJobId");
-    }
-  });
-}

backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.index("projectId");
-      if (doesOrgIdExist) t.index("orgId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.dropIndex("projectId");
-      if (doesOrgIdExist) t.dropIndex("orgId");
-    });
-  }
-}

backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}

backend/src/db/migrations/20240522204414_index-secret-version-envId.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}

backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}

backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}

backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
-    });
-  }
-}

backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.index("expiresAt");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.dropIndex("expiresAt");
-    });
-  }
-}

backend/src/db/migrations/20240527073740_identity-azure-auth.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
-    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("tenantId").notNullable();
-      t.string("resource").notNullable();
-      t.string("allowedServicePrincipalIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
-}

backend/src/db/migrations/20240528153905_add-user-account-mfa-locking.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasConsecutiveFailedMfaAttempts = await knex.schema.hasColumn(TableName.Users, "consecutiveFailedMfaAttempts");
-  const hasIsLocked = await knex.schema.hasColumn(TableName.Users, "isLocked");
-  const hasTemporaryLockDateEnd = await knex.schema.hasColumn(TableName.Users, "temporaryLockDateEnd");
-
-  await knex.schema.alterTable(TableName.Users, (t) => {
-    if (!hasConsecutiveFailedMfaAttempts) {
-      t.integer("consecutiveFailedMfaAttempts").defaultTo(0);
-    }
-
-    if (!hasIsLocked) {
-      t.boolean("isLocked").defaultTo(false);
-    }
-
-    if (!hasTemporaryLockDateEnd) {
-      t.dateTime("temporaryLockDateEnd").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasConsecutiveFailedMfaAttempts = await knex.schema.hasColumn(TableName.Users, "consecutiveFailedMfaAttempts");
-  const hasIsLocked = await knex.schema.hasColumn(TableName.Users, "isLocked");
-  const hasTemporaryLockDateEnd = await knex.schema.hasColumn(TableName.Users, "temporaryLockDateEnd");
-
-  await knex.schema.alterTable(TableName.Users, (t) => {
-    if (hasConsecutiveFailedMfaAttempts) {
-      t.dropColumn("consecutiveFailedMfaAttempts");
-    }
-
-    if (hasIsLocked) {
-      t.dropColumn("isLocked");
-    }
-
-    if (hasTemporaryLockDateEnd) {
-      t.dropColumn("temporaryLockDateEnd");
-    }
-  });
-}

backend/src/db/migrations/20240528190137_secret_sharing.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSharing))) {
-    await knex.schema.createTable(TableName.SecretSharing, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.text("encryptedValue").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.text("hashedHex").notNullable();
-      t.timestamp("expiresAt").notNullable();
-      t.uuid("userId").notNullable();
-      t.uuid("orgId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSharing);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSharing);
-}

backend/src/db/migrations/20240529060752_snap-shot-secret-index-secretversionid.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSecretVersionIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "secretVersionId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSecretVersionIdExist) t.index("secretVersionId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSecretVersionIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "secretVersionId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSecretVersionIdExist) t.dropIndex("secretVersionId");
-    });
-  }
-}

backend/src/db/migrations/20240529203152_secret_sharing.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretSharing))) {
-    await knex.schema.createTable(TableName.SecretSharing, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.text("encryptedValue").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.text("hashedHex").notNullable();
-      t.timestamp("expiresAt").notNullable();
-      t.uuid("userId").notNullable();
-      t.uuid("orgId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretSharing);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretSharing);
-}

backend/src/db/migrations/20240530044702_universal-text-in-secret-sharing.ts

@@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasExpiresAfterViewsColumn = await knex.schema.hasColumn(TableName.SecretSharing, "expiresAfterViews");
-  const hasSecretNameColumn = await knex.schema.hasColumn(TableName.SecretSharing, "name");
-
-  await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-    if (!hasExpiresAfterViewsColumn) {
-      t.integer("expiresAfterViews");
-    }
-
-    if (hasSecretNameColumn) {
-      t.dropColumn("name");
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasExpiresAfterViewsColumn = await knex.schema.hasColumn(TableName.SecretSharing, "expiresAfterViews");
-  const hasSecretNameColumn = await knex.schema.hasColumn(TableName.SecretSharing, "name");
-
-  await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-    if (hasExpiresAfterViewsColumn) {
-      t.dropColumn("expiresAfterViews");
-    }
-
-    if (!hasSecretNameColumn) {
-      t.string("name").notNullable();
-    }
-  });
-}

backend/src/db/migrations/20240531220007_secret-replication.ts

@@ -1,85 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSecretImportIsReplicationExist = await knex.schema.hasColumn(TableName.SecretImport, "isReplication");
-  const doesSecretImportIsReplicationSuccessExist = await knex.schema.hasColumn(
-    TableName.SecretImport,
-    "isReplicationSuccess"
-  );
-  const doesSecretImportReplicationStatusExist = await knex.schema.hasColumn(
-    TableName.SecretImport,
-    "replicationStatus"
-  );
-  const doesSecretImportLastReplicatedExist = await knex.schema.hasColumn(TableName.SecretImport, "lastReplicated");
-  const doesSecretImportIsReservedExist = await knex.schema.hasColumn(TableName.SecretImport, "isReserved");
-
-  if (await knex.schema.hasTable(TableName.SecretImport)) {
-    await knex.schema.alterTable(TableName.SecretImport, (t) => {
-      if (!doesSecretImportIsReplicationExist) t.boolean("isReplication").defaultTo(false);
-      if (!doesSecretImportIsReplicationSuccessExist) t.boolean("isReplicationSuccess").nullable();
-      if (!doesSecretImportReplicationStatusExist) t.text("replicationStatus").nullable();
-      if (!doesSecretImportLastReplicatedExist) t.datetime("lastReplicated").nullable();
-      if (!doesSecretImportIsReservedExist) t.boolean("isReserved").defaultTo(false);
-    });
-  }
-
-  const doesSecretFolderReservedExist = await knex.schema.hasColumn(TableName.SecretFolder, "isReserved");
-  if (await knex.schema.hasTable(TableName.SecretFolder)) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      if (!doesSecretFolderReservedExist) t.boolean("isReserved").defaultTo(false);
-    });
-  }
-
-  const doesSecretApprovalRequestIsReplicatedExist = await knex.schema.hasColumn(
-    TableName.SecretApprovalRequest,
-    "isReplicated"
-  );
-  if (await knex.schema.hasTable(TableName.SecretApprovalRequest)) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
-      if (!doesSecretApprovalRequestIsReplicatedExist) t.boolean("isReplicated");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSecretImportIsReplicationExist = await knex.schema.hasColumn(TableName.SecretImport, "isReplication");
-  const doesSecretImportIsReplicationSuccessExist = await knex.schema.hasColumn(
-    TableName.SecretImport,
-    "isReplicationSuccess"
-  );
-  const doesSecretImportReplicationStatusExist = await knex.schema.hasColumn(
-    TableName.SecretImport,
-    "replicationStatus"
-  );
-  const doesSecretImportLastReplicatedExist = await knex.schema.hasColumn(TableName.SecretImport, "lastReplicated");
-  const doesSecretImportIsReservedExist = await knex.schema.hasColumn(TableName.SecretImport, "isReserved");
-
-  if (await knex.schema.hasTable(TableName.SecretImport)) {
-    await knex.schema.alterTable(TableName.SecretImport, (t) => {
-      if (doesSecretImportIsReplicationExist) t.dropColumn("isReplication");
-      if (doesSecretImportIsReplicationSuccessExist) t.dropColumn("isReplicationSuccess");
-      if (doesSecretImportReplicationStatusExist) t.dropColumn("replicationStatus");
-      if (doesSecretImportLastReplicatedExist) t.dropColumn("lastReplicated");
-      if (doesSecretImportIsReservedExist) t.dropColumn("isReserved");
-    });
-  }
-
-  const doesSecretFolderReservedExist = await knex.schema.hasColumn(TableName.SecretFolder, "isReserved");
-  if (await knex.schema.hasTable(TableName.SecretFolder)) {
-    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
-      if (doesSecretFolderReservedExist) t.dropColumn("isReserved");
-    });
-  }
-
-  const doesSecretApprovalRequestIsReplicatedExist = await knex.schema.hasColumn(
-    TableName.SecretApprovalRequest,
-    "isReplicated"
-  );
-  if (await knex.schema.hasTable(TableName.SecretApprovalRequest)) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
-      if (doesSecretApprovalRequestIsReplicatedExist) t.dropColumn("isReplicated");
-    });
-  }
-}

backend/src/db/migrations/20240603075514_kms.ts

@@ -1,56 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.KmsServerRootConfig))) {
-    await knex.schema.createTable(TableName.KmsServerRootConfig, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.binary("encryptedRootKey").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.KmsServerRootConfig);
-
-  if (!(await knex.schema.hasTable(TableName.KmsKey))) {
-    await knex.schema.createTable(TableName.KmsKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.binary("encryptedKey").notNullable();
-      t.string("encryptionAlgorithm").notNullable();
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("description");
-      t.boolean("isDisabled").defaultTo(false);
-      t.boolean("isReserved").defaultTo(true);
-      t.string("projectId");
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("orgId");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.KmsKey);
-
-  if (!(await knex.schema.hasTable(TableName.KmsKeyVersion))) {
-    await knex.schema.createTable(TableName.KmsKeyVersion, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.binary("encryptedKey").notNullable();
-      t.integer("version").notNullable();
-      t.uuid("kmsKeyId").notNullable();
-      t.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.KmsKeyVersion);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.KmsServerRootConfig);
-  await dropOnUpdateTrigger(knex, TableName.KmsServerRootConfig);
-
-  await knex.schema.dropTableIfExists(TableName.KmsKeyVersion);
-  await dropOnUpdateTrigger(knex, TableName.KmsKeyVersion);
-
-  await knex.schema.dropTableIfExists(TableName.KmsKey);
-  await dropOnUpdateTrigger(knex, TableName.KmsKey);
-}

backend/src/db/migrations/20240609133400_private-key-handoff.ts

@@ -1,61 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesPasswordFieldExist = await knex.schema.hasColumn(TableName.UserEncryptionKey, "hashedPassword");
-  const doesPrivateKeyFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKey"
-  );
-  const doesPrivateKeyIVFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKeyIV"
-  );
-  const doesPrivateKeyTagFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKeyTag"
-  );
-  const doesPrivateKeyEncodingFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKeyEncoding"
-  );
-  if (await knex.schema.hasTable(TableName.UserEncryptionKey)) {
-    await knex.schema.alterTable(TableName.UserEncryptionKey, (t) => {
-      if (!doesPasswordFieldExist) t.string("hashedPassword");
-      if (!doesPrivateKeyFieldExist) t.text("serverEncryptedPrivateKey");
-      if (!doesPrivateKeyIVFieldExist) t.text("serverEncryptedPrivateKeyIV");
-      if (!doesPrivateKeyTagFieldExist) t.text("serverEncryptedPrivateKeyTag");
-      if (!doesPrivateKeyEncodingFieldExist) t.text("serverEncryptedPrivateKeyEncoding");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesPasswordFieldExist = await knex.schema.hasColumn(TableName.UserEncryptionKey, "hashedPassword");
-  const doesPrivateKeyFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKey"
-  );
-  const doesPrivateKeyIVFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKeyIV"
-  );
-  const doesPrivateKeyTagFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKeyTag"
-  );
-  const doesPrivateKeyEncodingFieldExist = await knex.schema.hasColumn(
-    TableName.UserEncryptionKey,
-    "serverEncryptedPrivateKeyEncoding"
-  );
-  if (await knex.schema.hasTable(TableName.UserEncryptionKey)) {
-    await knex.schema.alterTable(TableName.UserEncryptionKey, (t) => {
-      if (doesPasswordFieldExist) t.dropColumn("hashedPassword");
-      if (doesPrivateKeyFieldExist) t.dropColumn("serverEncryptedPrivateKey");
-      if (doesPrivateKeyIVFieldExist) t.dropColumn("serverEncryptedPrivateKeyIV");
-      if (doesPrivateKeyTagFieldExist) t.dropColumn("serverEncryptedPrivateKeyTag");
-      if (doesPrivateKeyEncodingFieldExist) t.dropColumn("serverEncryptedPrivateKeyEncoding");
-    });
-  }
-}

backend/src/db/migrations/20240610181521_add-consecutive-failed-password-attempts-user.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasConsecutiveFailedPasswordAttempts = await knex.schema.hasColumn(
-    TableName.Users,
-    "consecutiveFailedPasswordAttempts"
-  );
-
-  await knex.schema.alterTable(TableName.Users, (tb) => {
-    if (!hasConsecutiveFailedPasswordAttempts) {
-      tb.integer("consecutiveFailedPasswordAttempts").defaultTo(0);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasConsecutiveFailedPasswordAttempts = await knex.schema.hasColumn(
-    TableName.Users,
-    "consecutiveFailedPasswordAttempts"
-  );
-
-  await knex.schema.alterTable(TableName.Users, (tb) => {
-    if (hasConsecutiveFailedPasswordAttempts) {
-      tb.dropColumn("consecutiveFailedPasswordAttempts");
-    }
-  });
-}

backend/src/db/migrations/20240612200518_add-pit-version-limit.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasPitVersionLimitColumn = await knex.schema.hasColumn(TableName.Project, "pitVersionLimit");
-  await knex.schema.alterTable(TableName.Project, (tb) => {
-    if (!hasPitVersionLimitColumn) {
-      tb.integer("pitVersionLimit").notNullable().defaultTo(10);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasPitVersionLimitColumn = await knex.schema.hasColumn(TableName.Project, "pitVersionLimit");
-  await knex.schema.alterTable(TableName.Project, (tb) => {
-    if (hasPitVersionLimitColumn) {
-      tb.dropColumn("pitVersionLimit");
-    }
-  });
-}

backend/src/db/migrations/20240614010847_custom-rate-limits-for-self-hosting.ts

@@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.RateLimit))) {
-    await knex.schema.createTable(TableName.RateLimit, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("readRateLimit").defaultTo(600).notNullable();
-      t.integer("writeRateLimit").defaultTo(200).notNullable();
-      t.integer("secretsRateLimit").defaultTo(60).notNullable();
-      t.integer("authRateLimit").defaultTo(60).notNullable();
-      t.integer("inviteUserRateLimit").defaultTo(30).notNullable();
-      t.integer("mfaRateLimit").defaultTo(20).notNullable();
-      t.integer("creationLimit").defaultTo(30).notNullable();
-      t.integer("publicEndpointLimit").defaultTo(30).notNullable();
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.RateLimit);
-
-    // create init rate limit entry with defaults
-    await knex(TableName.RateLimit).insert({});
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.RateLimit);
-  await dropOnUpdateTrigger(knex, TableName.RateLimit);
-}

backend/src/db/migrations/20240614115952_tag-machine-identity.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { ActorType } from "@app/services/auth/auth-type";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCreatedByActorType = await knex.schema.hasColumn(TableName.SecretTag, "createdByActorType");
-  await knex.schema.alterTable(TableName.SecretTag, (tb) => {
-    if (!hasCreatedByActorType) {
-      tb.string("createdByActorType").notNullable().defaultTo(ActorType.USER);
-      tb.dropForeign("createdBy");
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCreatedByActorType = await knex.schema.hasColumn(TableName.SecretTag, "createdByActorType");
-  await knex.schema.alterTable(TableName.SecretTag, (tb) => {
-    if (hasCreatedByActorType) {
-      tb.dropColumn("createdByActorType");
-      tb.foreign("createdBy").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    }
-  });
-}

backend/src/db/migrations/20240614154212_certificate-mgmt.ts

@@ -1,137 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Project)) {
-    const doesProjectCertificateKeyIdExist = await knex.schema.hasColumn(TableName.Project, "kmsCertificateKeyId");
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      if (!doesProjectCertificateKeyIdExist) {
-        t.uuid("kmsCertificateKeyId").nullable();
-        t.foreign("kmsCertificateKeyId").references("id").inTable(TableName.KmsKey);
-      }
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.CertificateAuthority))) {
-    await knex.schema.createTable(TableName.CertificateAuthority, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("parentCaId").nullable();
-      t.foreign("parentCaId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.string("type").notNullable(); // root / intermediate
-      t.string("status").notNullable(); // active / pending-certificate
-      t.string("friendlyName").notNullable();
-      t.string("organization").notNullable();
-      t.string("ou").notNullable();
-      t.string("country").notNullable();
-      t.string("province").notNullable();
-      t.string("locality").notNullable();
-      t.string("commonName").notNullable();
-      t.string("dn").notNullable();
-      t.string("serialNumber").nullable().unique();
-      t.integer("maxPathLength").nullable();
-      t.string("keyAlgorithm").notNullable();
-      t.datetime("notBefore").nullable();
-      t.datetime("notAfter").nullable();
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.CertificateAuthorityCert))) {
-    // table to keep track of certificates belonging to CA
-    await knex.schema.createTable(TableName.CertificateAuthorityCert, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("caId").notNullable().unique();
-      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.binary("encryptedCertificate").notNullable();
-      t.binary("encryptedCertificateChain").notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.CertificateAuthoritySecret))) {
-    await knex.schema.createTable(TableName.CertificateAuthoritySecret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("caId").notNullable().unique();
-      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.binary("encryptedPrivateKey").notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.CertificateAuthorityCrl))) {
-    await knex.schema.createTable(TableName.CertificateAuthorityCrl, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("caId").notNullable().unique();
-      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.binary("encryptedCrl").notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.Certificate))) {
-    await knex.schema.createTable(TableName.Certificate, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("caId").notNullable();
-      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.string("status").notNullable(); // active / pending-certificate
-      t.string("serialNumber").notNullable().unique();
-      t.string("friendlyName").notNullable();
-      t.string("commonName").notNullable();
-      t.datetime("notBefore").notNullable();
-      t.datetime("notAfter").notNullable();
-      t.datetime("revokedAt").nullable();
-      t.integer("revocationReason").nullable(); // integer based on crl reason in RFC 5280
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.CertificateBody))) {
-    await knex.schema.createTable(TableName.CertificateBody, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.uuid("certId").notNullable().unique();
-      t.foreign("certId").references("id").inTable(TableName.Certificate).onDelete("CASCADE");
-      t.binary("encryptedCertificate").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.CertificateAuthority);
-  await createOnUpdateTrigger(knex, TableName.CertificateAuthorityCert);
-  await createOnUpdateTrigger(knex, TableName.CertificateAuthoritySecret);
-  await createOnUpdateTrigger(knex, TableName.Certificate);
-  await createOnUpdateTrigger(knex, TableName.CertificateBody);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // project
-  if (await knex.schema.hasTable(TableName.Project)) {
-    const doesProjectCertificateKeyIdExist = await knex.schema.hasColumn(TableName.Project, "kmsCertificateKeyId");
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      if (doesProjectCertificateKeyIdExist) t.dropColumn("kmsCertificateKeyId");
-    });
-  }
-
-  // certificates
-  await knex.schema.dropTableIfExists(TableName.CertificateBody);
-  await dropOnUpdateTrigger(knex, TableName.CertificateBody);
-
-  await knex.schema.dropTableIfExists(TableName.Certificate);
-  await dropOnUpdateTrigger(knex, TableName.Certificate);
-
-  // certificate authorities
-  await knex.schema.dropTableIfExists(TableName.CertificateAuthoritySecret);
-  await dropOnUpdateTrigger(knex, TableName.CertificateAuthoritySecret);
-
-  await knex.schema.dropTableIfExists(TableName.CertificateAuthorityCrl);
-  await dropOnUpdateTrigger(knex, TableName.CertificateAuthorityCrl);
-
-  await knex.schema.dropTableIfExists(TableName.CertificateAuthorityCert);
-  await dropOnUpdateTrigger(knex, TableName.CertificateAuthorityCert);
-
-  await knex.schema.dropTableIfExists(TableName.CertificateAuthority);
-  await dropOnUpdateTrigger(knex, TableName.CertificateAuthority);
-}

backend/src/db/migrations/20240614184133_make-secret-sharing-public.ts

@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasOrgIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "orgId");
-  const hasUserIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "userId");
-
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-      if (hasOrgIdColumn) t.uuid("orgId").nullable().alter();
-      if (hasUserIdColumn) t.uuid("userId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasOrgIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "orgId");
-  const hasUserIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "userId");
-
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-      if (hasOrgIdColumn) t.uuid("orgId").notNullable().alter();
-      if (hasUserIdColumn) t.uuid("userId").notNullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20240624161942_add-oidc-auth.ts

@@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.OidcConfig))) {
-    await knex.schema.createTable(TableName.OidcConfig, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("discoveryURL");
-      tb.string("issuer");
-      tb.string("authorizationEndpoint");
-      tb.string("jwksUri");
-      tb.string("tokenEndpoint");
-      tb.string("userinfoEndpoint");
-      tb.text("encryptedClientId").notNullable();
-      tb.string("configurationType").notNullable();
-      tb.string("clientIdIV").notNullable();
-      tb.string("clientIdTag").notNullable();
-      tb.text("encryptedClientSecret").notNullable();
-      tb.string("clientSecretIV").notNullable();
-      tb.string("clientSecretTag").notNullable();
-      tb.string("allowedEmailDomains").nullable();
-      tb.boolean("isActive").notNullable();
-      tb.timestamps(true, true, true);
-      tb.uuid("orgId").notNullable().unique();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization);
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
-    if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails"))) {
-      await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
-        tb.boolean("trustOidcEmails").defaultTo(false);
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.OidcConfig);
-
-  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
-    if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails")) {
-      await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-        t.dropColumn("trustOidcEmails");
-      });
-    }
-  }
-}

backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts

@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-const DEFAULT_AUTH_ORG_ID_FIELD = "defaultAuthOrgId";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
-
-  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-    if (!hasDefaultOrgColumn) {
-      t.uuid(DEFAULT_AUTH_ORG_ID_FIELD).nullable();
-      t.foreign(DEFAULT_AUTH_ORG_ID_FIELD).references("id").inTable(TableName.Organization).onDelete("SET NULL");
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
-
-  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-    if (hasDefaultOrgColumn) {
-      t.dropForeign([DEFAULT_AUTH_ORG_ID_FIELD]);
-      t.dropColumn(DEFAULT_AUTH_ORG_ID_FIELD);
-    }
-  });
-}

backend/src/db/migrations/20240624221840_certificate-alt-names.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    const hasAltNamesColumn = await knex.schema.hasColumn(TableName.Certificate, "altNames");
-    if (!hasAltNamesColumn) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("altNames").defaultTo("");
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    if (await knex.schema.hasColumn(TableName.Certificate, "altNames")) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.dropColumn("altNames");
-      });
-    }
-  }
-}

backend/src/db/migrations/20240626111536_integration-auth-aws-assume-role.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasAwsAssumeRoleCipherText = await knex.schema.hasColumn(
-    TableName.IntegrationAuth,
-    "awsAssumeIamRoleArnCipherText"
-  );
-  const hasAwsAssumeRoleIV = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnIV");
-  const hasAwsAssumeRoleTag = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnTag");
-  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
-    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
-      if (!hasAwsAssumeRoleCipherText) t.text("awsAssumeIamRoleArnCipherText");
-      if (!hasAwsAssumeRoleIV) t.text("awsAssumeIamRoleArnIV");
-      if (!hasAwsAssumeRoleTag) t.text("awsAssumeIamRoleArnTag");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasAwsAssumeRoleCipherText = await knex.schema.hasColumn(
-    TableName.IntegrationAuth,
-    "awsAssumeIamRoleArnCipherText"
-  );
-  const hasAwsAssumeRoleIV = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnIV");
-  const hasAwsAssumeRoleTag = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnTag");
-  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
-    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
-      if (hasAwsAssumeRoleCipherText) t.dropColumn("awsAssumeIamRoleArnCipherText");
-      if (hasAwsAssumeRoleIV) t.dropColumn("awsAssumeIamRoleArnIV");
-      if (hasAwsAssumeRoleTag) t.dropColumn("awsAssumeIamRoleArnTag");
-    });
-  }
-}

backend/src/db/migrations/20240626115035_admin-login-method-config.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "enabledLoginMethods"))) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
-      tb.specificType("enabledLoginMethods", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "enabledLoginMethods")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("enabledLoginMethods");
-    });
-  }
-}

backend/src/db/migrations/20240626171758_add-ldap-unique-user-attribute.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute"))) {
-    await knex.schema.alterTable(TableName.LdapConfig, (tb) => {
-      tb.string("uniqueUserAttribute").notNullable().defaultTo("");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute")) {
-    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
-      t.dropColumn("uniqueUserAttribute");
-    });
-  }
-}

backend/src/db/migrations/20240626171943_configurable-audit-log-retention.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays"))) {
-    await knex.schema.alterTable(TableName.Project, (tb) => {
-      tb.integer("auditLogsRetentionDays").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays")) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("auditLogsRetentionDays");
-    });
-  }
-}

backend/src/db/migrations/20240627173239_add-oidc-updated-at-trigger.ts

@@ -1,12 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  await createOnUpdateTrigger(knex, TableName.OidcConfig);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.OidcConfig);
-}

backend/src/db/migrations/20240701143900_member-project-favorite.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.OrgMembership, "projectFavorites"))) {
-    await knex.schema.alterTable(TableName.OrgMembership, (tb) => {
-      tb.specificType("projectFavorites", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.OrgMembership, "projectFavorites")) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      t.dropColumn("projectFavorites");
-    });
-  }
-}

backend/src/db/migrations/20240702055253_add-encrypted-webhook-url.ts

@@ -1,53 +0,0 @@
-import { Knex } from "knex";
-
-import { WebhookType } from "@app/services/webhook/webhook-types";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasUrlCipherText = await knex.schema.hasColumn(TableName.Webhook, "urlCipherText");
-  const hasUrlIV = await knex.schema.hasColumn(TableName.Webhook, "urlIV");
-  const hasUrlTag = await knex.schema.hasColumn(TableName.Webhook, "urlTag");
-  const hasType = await knex.schema.hasColumn(TableName.Webhook, "type");
-
-  if (await knex.schema.hasTable(TableName.Webhook)) {
-    await knex.schema.alterTable(TableName.Webhook, (tb) => {
-      if (!hasUrlCipherText) {
-        tb.text("urlCipherText");
-      }
-      if (!hasUrlIV) {
-        tb.string("urlIV");
-      }
-      if (!hasUrlTag) {
-        tb.string("urlTag");
-      }
-      if (!hasType) {
-        tb.string("type").defaultTo(WebhookType.GENERAL);
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasUrlCipherText = await knex.schema.hasColumn(TableName.Webhook, "urlCipherText");
-  const hasUrlIV = await knex.schema.hasColumn(TableName.Webhook, "urlIV");
-  const hasUrlTag = await knex.schema.hasColumn(TableName.Webhook, "urlTag");
-  const hasType = await knex.schema.hasColumn(TableName.Webhook, "type");
-
-  if (await knex.schema.hasTable(TableName.Webhook)) {
-    await knex.schema.alterTable(TableName.Webhook, (t) => {
-      if (hasUrlCipherText) {
-        t.dropColumn("urlCipherText");
-      }
-      if (hasUrlIV) {
-        t.dropColumn("urlIV");
-      }
-      if (hasUrlTag) {
-        t.dropColumn("urlTag");
-      }
-      if (hasType) {
-        t.dropColumn("type");
-      }
-    });
-  }
-}

backend/src/db/migrations/20240702131735_secret-approval-groups.ts

@@ -1,188 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // migrate secret approval policy approvers to user id
-  const hasApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
-  const hasApproverId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverId");
-  if (!hasApproverUserId) {
-    // add the new fields
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
-      // if (hasApproverId) tb.setNullable("approverId");
-      tb.uuid("approverUserId");
-      tb.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-
-    // convert project membership id => user id
-    await knex(TableName.SecretApprovalPolicyApprover).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      approverUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.SecretApprovalPolicyApprover}.approverId`]))
-    });
-    // drop the old field
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
-      if (hasApproverId) tb.dropColumn("approverId");
-      tb.uuid("approverUserId").notNullable().alter();
-    });
-  }
-
-  // migrate secret approval request committer and statusChangeBy to user id
-  const hasSecretApprovalRequestTable = await knex.schema.hasTable(TableName.SecretApprovalRequest);
-  const hasCommitterUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
-  const hasCommitterId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerId");
-  const hasStatusChangeBy = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeBy");
-  const hasStatusChangedByUserId = await knex.schema.hasColumn(
-    TableName.SecretApprovalRequest,
-    "statusChangedByUserId"
-  );
-  if (hasSecretApprovalRequestTable) {
-    // new fields
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      // if (hasCommitterId) tb.setNullable("committerId");
-      if (!hasCommitterUserId) {
-        tb.uuid("committerUserId");
-        tb.foreign("committerUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      }
-      if (!hasStatusChangedByUserId) {
-        tb.uuid("statusChangedByUserId");
-        tb.foreign("statusChangedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      }
-    });
-
-    // copy the assigned project membership => user id to new fields
-    await knex(TableName.SecretApprovalRequest).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      committerUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.SecretApprovalRequest}.committerId`])),
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      statusChangedByUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.SecretApprovalRequest}.statusChangeBy`]))
-    });
-    // drop old fields
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      if (hasStatusChangeBy) tb.dropColumn("statusChangeBy");
-      if (hasCommitterId) tb.dropColumn("committerId");
-      tb.uuid("committerUserId").notNullable().alter();
-    });
-  }
-
-  // migrate secret approval request reviewer to user id
-  const hasMemberId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "member");
-  const hasReviewerUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "reviewerUserId");
-  if (!hasReviewerUserId) {
-    // new fields
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
-      // if (hasMemberId) tb.setNullable("member");
-      tb.uuid("reviewerUserId");
-      tb.foreign("reviewerUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    });
-    // copy project membership => user id to new fields
-    await knex(TableName.SecretApprovalRequestReviewer).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      reviewerUserId: knex(TableName.ProjectMembership)
-        .select("userId")
-        .where("id", knex.raw("??", [`${TableName.SecretApprovalRequestReviewer}.member`]))
-    });
-    // drop table
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
-      if (hasMemberId) tb.dropColumn("member");
-      tb.uuid("reviewerUserId").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
-  const hasApproverId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverId");
-  if (hasApproverUserId) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
-      if (!hasApproverId) {
-        tb.uuid("approverId");
-        tb.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      }
-    });
-
-    if (!hasApproverId) {
-      await knex(TableName.SecretApprovalPolicyApprover).update({
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        approverId: knex(TableName.ProjectMembership)
-          .select("id")
-          .where("userId", knex.raw("??", [`${TableName.SecretApprovalPolicyApprover}.approverUserId`]))
-      });
-      await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
-        tb.dropColumn("approverUserId");
-        tb.uuid("approverId").notNullable().alter();
-      });
-    }
-  }
-
-  const hasSecretApprovalRequestTable = await knex.schema.hasTable(TableName.SecretApprovalRequest);
-  const hasCommitterUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
-  const hasCommitterId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerId");
-  const hasStatusChangeBy = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeBy");
-  const hasStatusChangedByUser = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangedByUserId");
-  if (hasSecretApprovalRequestTable) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      // if (hasCommitterId) tb.uuid("committerId").notNullable().alter();
-      if (!hasCommitterId) {
-        tb.uuid("committerId");
-        tb.foreign("committerId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      }
-      if (!hasStatusChangeBy) {
-        tb.uuid("statusChangeBy");
-        tb.foreign("statusChangeBy").references("id").inTable(TableName.ProjectMembership).onDelete("SET NULL");
-      }
-    });
-
-    await knex(TableName.SecretApprovalRequest).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      committerId: knex(TableName.ProjectMembership)
-        .select("id")
-        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.committerUserId`])),
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      statusChangeBy: knex(TableName.ProjectMembership)
-        .select("id")
-        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.statusChangedByUserId`]))
-    });
-
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      if (hasCommitterUserId) tb.dropColumn("committerUserId");
-      if (hasStatusChangedByUser) tb.dropColumn("statusChangedByUserId");
-      if (hasCommitterId) tb.uuid("committerId").notNullable().alter();
-    });
-  }
-
-  const hasMemberId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "member");
-  const hasReviewerUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "reviewerUserId");
-  if (hasReviewerUserId) {
-    if (!hasMemberId) {
-      await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
-        // if (hasMemberId) tb.uuid("member").notNullable().alter();
-        tb.uuid("member");
-        tb.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      });
-    }
-    await knex(TableName.SecretApprovalRequestReviewer).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      member: knex(TableName.ProjectMembership)
-        .select("id")
-        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequestReviewer}.reviewerUserId`]))
-    });
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
-      tb.uuid("member").notNullable().alter();
-      tb.dropColumn("reviewerUserId");
-    });
-  }
-}

backend/src/db/migrations/20240702175124_identity-token-auth.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.createTable(TableName.IdentityTokenAuth, (t) => {
-    t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-    t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-    t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-    t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-    t.jsonb("accessTokenTrustedIps").notNullable();
-    t.timestamps(true, true, true);
-    t.uuid("identityId").notNullable().unique();
-    t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-  });
-
-  await createOnUpdateTrigger(knex, TableName.IdentityTokenAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityTokenAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityTokenAuth);
-}

backend/src/db/migrations/20240704161322_identity-access-token-name.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.IdentityAccessToken)) {
-    const hasNameColumn = await knex.schema.hasColumn(TableName.IdentityAccessToken, "name");
-    if (!hasNameColumn) {
-      await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-        t.string("name").nullable();
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.IdentityAccessToken)) {
-    if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "name")) {
-      await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-        t.dropColumn("name");
-      });
-    }
-  }
-}

backend/src/db/migrations/20240708100026_external-kms.ts

@@ -1,256 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { TableName } from "../schemas";
-
-const createInternalKmsTableAndBackfillData = async (knex: Knex) => {
-  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
-  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
-
-  // building the internal kms table by filling from old kms table
-  if (doesOldKmsKeyTableExist && !doesInternalKmsTableExist) {
-    await knex.schema.createTable(TableName.InternalKms, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.binary("encryptedKey").notNullable();
-      tb.string("encryptionAlgorithm").notNullable();
-      tb.integer("version").defaultTo(1).notNullable();
-      tb.uuid("kmsKeyId").unique().notNullable();
-      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
-    });
-
-    // copy the old kms and backfill
-    const oldKmsKey = await knex(TableName.KmsKey).select("version", "encryptedKey", "encryptionAlgorithm", "id");
-    if (oldKmsKey.length) {
-      await knex(TableName.InternalKms).insert(
-        oldKmsKey.map((el) => ({
-          encryptionAlgorithm: el.encryptionAlgorithm,
-          encryptedKey: el.encryptedKey,
-          kmsKeyId: el.id,
-          version: el.version
-        }))
-      );
-    }
-  }
-};
-
-const renameKmsKeyVersionTableAsInternalKmsKeyVersion = async (knex: Knex) => {
-  const doesOldKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
-  const doesNewKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
-
-  if (doesOldKmsKeyVersionTableExist && !doesNewKmsKeyVersionTableExist) {
-    // because we haven't started using versioning for kms thus no data exist
-    await knex.schema.renameTable(TableName.KmsKeyVersion, TableName.InternalKmsKeyVersion);
-    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "kmsKeyId");
-    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "internalKmsId");
-
-    await knex.schema.alterTable(TableName.InternalKmsKeyVersion, (tb) => {
-      if (hasKmsKeyIdColumn) tb.dropColumn("kmsKeyId");
-      if (!hasInternalKmsIdColumn) {
-        tb.uuid("internalKmsId").notNullable();
-        tb.foreign("internalKmsId").references("id").inTable(TableName.InternalKms).onDelete("CASCADE");
-      }
-    });
-  }
-};
-
-const createExternalKmsKeyTable = async (knex: Knex) => {
-  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
-  if (!doesExternalKmsServiceExist) {
-    await knex.schema.createTable(TableName.ExternalKms, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("provider").notNullable();
-      tb.binary("encryptedProviderInputs").notNullable();
-      tb.string("status");
-      tb.string("statusDetails");
-      tb.uuid("kmsKeyId").unique().notNullable();
-      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
-    });
-  }
-};
-
-const removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData = async (knex: Knex) => {
-  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
-
-  // building the internal kms table by filling from old kms table
-  if (doesOldKmsKeyTableExist) {
-    const hasSlugColumn = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
-    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
-    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
-    const hasTimestamps = await knex.schema.hasColumn(TableName.KmsKey, "createdAt");
-    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
-    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
-
-    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
-      if (!hasSlugColumn) tb.string("slug", 32);
-      if (hasEncryptedKeyColumn) tb.dropColumn("encryptedKey");
-      if (hasEncryptionAlgorithmColumn) tb.dropColumn("encryptionAlgorithm");
-      if (hasVersionColumn) tb.dropColumn("version");
-      if (!hasTimestamps) tb.timestamps(true, true, true);
-    });
-
-    // backfill all org id in kms key because its gonna be changed to non nullable
-    if (hasProjectId && hasOrgId) {
-      await knex(TableName.KmsKey)
-        .whereNull("orgId")
-        .update({
-          // eslint-disable-next-line
-          // @ts-ignore because generate schema happens after this
-          orgId: knex(TableName.Project)
-            .select("orgId")
-            .where("id", knex.raw("??", [`${TableName.KmsKey}.projectId`]))
-        });
-    }
-
-    // backfill slugs in kms
-    const missingSlugs = await knex(TableName.KmsKey).whereNull("slug").select("id");
-    if (missingSlugs.length) {
-      await knex(TableName.KmsKey)
-        // eslint-disable-next-line
-        // @ts-ignore because generate schema happens after this
-        .insert(missingSlugs.map(({ id }) => ({ id, slug: slugify(alphaNumericNanoId(8).toLowerCase()) })))
-        .onConflict("id")
-        .merge();
-    }
-
-    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
-      if (hasOrgId) tb.uuid("orgId").notNullable().alter();
-      tb.string("slug", 32).notNullable().alter();
-      if (hasProjectId) tb.dropColumn("projectId");
-      if (hasOrgId) tb.unique(["orgId", "slug"]);
-    });
-  }
-};
-
-/*
- * The goal for this migration is split the existing kms key into three table
- * the kms-key table would be a container table that contains
- * the internal kms key table and external kms table
- */
-export async function up(knex: Knex): Promise<void> {
-  await createInternalKmsTableAndBackfillData(knex);
-  await renameKmsKeyVersionTableAsInternalKmsKeyVersion(knex);
-  await removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData(knex);
-  await createExternalKmsKeyTable(knex);
-
-  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
-  if (!doesOrgKmsKeyExist) {
-    await knex.schema.alterTable(TableName.Organization, (tb) => {
-      tb.uuid("kmsDefaultKeyId").nullable();
-      tb.foreign("kmsDefaultKeyId").references("id").inTable(TableName.KmsKey);
-    });
-  }
-
-  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
-  if (!doesProjectKmsSecretManagerKeyExist) {
-    await knex.schema.alterTable(TableName.Project, (tb) => {
-      tb.uuid("kmsSecretManagerKeyId").nullable();
-      tb.foreign("kmsSecretManagerKeyId").references("id").inTable(TableName.KmsKey);
-    });
-  }
-}
-
-const renameInternalKmsKeyVersionBackToKmsKeyVersion = async (knex: Knex) => {
-  const doesInternalKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
-  const doesKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
-  if (doesInternalKmsKeyVersionTableExist && !doesKmsKeyVersionTableExist) {
-    // because we haven't started using versioning for kms thus no data exist
-    await knex.schema.renameTable(TableName.InternalKmsKeyVersion, TableName.KmsKeyVersion);
-    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "internalKmsId");
-    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "kmsKeyId");
-
-    await knex.schema.alterTable(TableName.KmsKeyVersion, (tb) => {
-      if (hasInternalKmsIdColumn) tb.dropColumn("internalKmsId");
-      if (!hasKmsKeyIdColumn) {
-        tb.uuid("kmsKeyId").notNullable();
-        tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
-      }
-    });
-  }
-};
-
-const bringBackKmsKeyFields = async (knex: Knex) => {
-  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
-  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
-  if (doesOldKmsKeyTableExist && doesInternalKmsTableExist) {
-    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
-    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
-    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
-    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
-    const hasNullableOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
-    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
-
-    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
-      if (!hasEncryptedKeyColumn) tb.binary("encryptedKey");
-      if (!hasEncryptionAlgorithmColumn) tb.string("encryptionAlgorithm");
-      if (!hasVersionColumn) tb.integer("version").defaultTo(1);
-      if (hasNullableOrgId) tb.uuid("orgId").nullable().alter();
-      if (!hasProjectIdColumn) {
-        tb.string("projectId");
-        tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      }
-      if (hasSlug) tb.dropColumn("slug");
-    });
-  }
-};
-
-const backfillKmsKeyFromInternalKmsTable = async (knex: Knex) => {
-  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
-  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
-  if (doesInternalKmsTableExist && doesOldKmsKeyTableExist) {
-    // backfill kms key with internal kms data
-    await knex(TableName.KmsKey).update({
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      encryptedKey: knex(TableName.InternalKms)
-        .select("encryptedKey")
-        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      encryptionAlgorithm: knex(TableName.InternalKms)
-        .select("encryptionAlgorithm")
-        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
-      // eslint-disable-next-line
-      // @ts-ignore because generate schema happens after this
-      projectId: knex(TableName.Project)
-        .select("id")
-        .where("kmsCertificateKeyId", knex.raw("??", [`${TableName.KmsKey}.id`]))
-    });
-  }
-};
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
-  if (doesOrgKmsKeyExist) {
-    await knex.schema.alterTable(TableName.Organization, (tb) => {
-      tb.dropColumn("kmsDefaultKeyId");
-    });
-  }
-
-  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
-  if (doesProjectKmsSecretManagerKeyExist) {
-    await knex.schema.alterTable(TableName.Project, (tb) => {
-      tb.dropColumn("kmsSecretManagerKeyId");
-    });
-  }
-
-  await renameInternalKmsKeyVersionBackToKmsKeyVersion(knex);
-  await bringBackKmsKeyFields(knex);
-  await backfillKmsKeyFromInternalKmsTable(knex);
-
-  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
-  if (doesOldKmsKeyTableExist) {
-    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
-      tb.binary("encryptedKey").notNullable().alter();
-      tb.string("encryptionAlgorithm").notNullable().alter();
-    });
-  }
-
-  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
-  if (doesInternalKmsTableExist) await knex.schema.dropTable(TableName.InternalKms);
-
-  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
-  if (doesExternalKmsServiceExist) await knex.schema.dropTable(TableName.ExternalKms);
-}

backend/src/db/migrations/20240710045107_identity-oidc-auth.ts

@@ -1,34 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityOidcAuth))) {
-    await knex.schema.createTable(TableName.IdentityOidcAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("oidcDiscoveryUrl").notNullable();
-      t.text("encryptedCaCert").notNullable();
-      t.string("caCertIV").notNullable();
-      t.string("caCertTag").notNullable();
-      t.string("boundIssuer").notNullable();
-      t.string("boundAudiences").notNullable();
-      t.jsonb("boundClaims").notNullable();
-      t.string("boundSubject");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.IdentityOidcAuth);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityOidcAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityOidcAuth);
-}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesApproversSchema = z.object({
-  id: z.string().uuid(),
-  approverId: z.string().uuid(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
-export type TAccessApprovalPoliciesApproversInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesApproversSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesApproversUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesApproversSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests-reviewers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalRequestsReviewersSchema = z.object({
-  id: z.string().uuid(),
-  member: z.string().uuid(),
-  status: z.string(),
-  requestId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
-export type TAccessApprovalRequestsReviewersInsert = Omit<
-  z.input<typeof AccessApprovalRequestsReviewersSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalRequestsReviewersUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalRequestsReviewersSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalRequestsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  privilegeId: z.string().uuid().nullable().optional(),
-  requestedBy: z.string().uuid(),
-  isTemporary: z.boolean(),
-  temporaryRange: z.string().nullable().optional(),
-  permissions: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
-export type TAccessApprovalRequestsInsert = Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>;
-export type TAccessApprovalRequestsUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/audit-log-streams.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AuditLogStreamsSchema = z.object({
-  id: z.string().uuid(),
-  url: z.string(),
-  encryptedHeadersCiphertext: z.string().nullable().optional(),
-  encryptedHeadersIV: z.string().nullable().optional(),
-  encryptedHeadersTag: z.string().nullable().optional(),
-  encryptedHeadersAlgorithm: z.string().nullable().optional(),
-  encryptedHeadersKeyEncoding: z.string().nullable().optional(),
-  orgId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAuditLogStreams = z.infer<typeof AuditLogStreamsSchema>;
-export type TAuditLogStreamsInsert = Omit<z.input<typeof AuditLogStreamsSchema>, TImmutableDBKeys>;
-export type TAuditLogStreamsUpdate = Partial<Omit<z.input<typeof AuditLogStreamsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/certificate-authorities.ts

@@ -1,37 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateAuthoritiesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  parentCaId: z.string().uuid().nullable().optional(),
-  projectId: z.string(),
-  type: z.string(),
-  status: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional()
-});
-
-export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;
-export type TCertificateAuthoritiesInsert = Omit<z.input<typeof CertificateAuthoritiesSchema>, TImmutableDBKeys>;
-export type TCertificateAuthoritiesUpdate = Partial<
-  Omit<z.input<typeof CertificateAuthoritiesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/certificate-authority-certs.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateAuthorityCertsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  caId: z.string().uuid(),
-  encryptedCertificate: zodBuffer,
-  encryptedCertificateChain: zodBuffer
-});
-
-export type TCertificateAuthorityCerts = z.infer<typeof CertificateAuthorityCertsSchema>;
-export type TCertificateAuthorityCertsInsert = Omit<z.input<typeof CertificateAuthorityCertsSchema>, TImmutableDBKeys>;
-export type TCertificateAuthorityCertsUpdate = Partial<
-  Omit<z.input<typeof CertificateAuthorityCertsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/certificate-authority-crl.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateAuthorityCrlSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  caId: z.string().uuid(),
-  encryptedCrl: zodBuffer
-});
-
-export type TCertificateAuthorityCrl = z.infer<typeof CertificateAuthorityCrlSchema>;
-export type TCertificateAuthorityCrlInsert = Omit<z.input<typeof CertificateAuthorityCrlSchema>, TImmutableDBKeys>;
-export type TCertificateAuthorityCrlUpdate = Partial<
-  Omit<z.input<typeof CertificateAuthorityCrlSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/certificate-authority-secret.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateAuthoritySecretSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  caId: z.string().uuid(),
-  encryptedPrivateKey: zodBuffer
-});
-
-export type TCertificateAuthoritySecret = z.infer<typeof CertificateAuthoritySecretSchema>;
-export type TCertificateAuthoritySecretInsert = Omit<
-  z.input<typeof CertificateAuthoritySecretSchema>,
-  TImmutableDBKeys
->;
-export type TCertificateAuthoritySecretUpdate = Partial<
-  Omit<z.input<typeof CertificateAuthoritySecretSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/certificate-bodies.ts

@@ -1,22 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateBodiesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  certId: z.string().uuid(),
-  encryptedCertificate: zodBuffer
-});
-
-export type TCertificateBodies = z.infer<typeof CertificateBodiesSchema>;
-export type TCertificateBodiesInsert = Omit<z.input<typeof CertificateBodiesSchema>, TImmutableDBKeys>;
-export type TCertificateBodiesUpdate = Partial<Omit<z.input<typeof CertificateBodiesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/certificate-secrets.ts

@@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificateSecretsSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  certId: z.string().uuid(),
-  pk: z.string(),
-  sk: z.string()
-});
-
-export type TCertificateSecrets = z.infer<typeof CertificateSecretsSchema>;
-export type TCertificateSecretsInsert = Omit<z.input<typeof CertificateSecretsSchema>, TImmutableDBKeys>;
-export type TCertificateSecretsUpdate = Partial<Omit<z.input<typeof CertificateSecretsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/certificates.ts

@@ -1,28 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const CertificatesSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  caId: z.string().uuid(),
-  status: z.string(),
-  serialNumber: z.string(),
-  friendlyName: z.string(),
-  commonName: z.string(),
-  notBefore: z.date(),
-  notAfter: z.date(),
-  revokedAt: z.date().nullable().optional(),
-  revocationReason: z.number().nullable().optional(),
-  altNames: z.string().default("").nullable().optional()
-});
-
-export type TCertificates = z.infer<typeof CertificatesSchema>;
-export type TCertificatesInsert = Omit<z.input<typeof CertificatesSchema>, TImmutableDBKeys>;
-export type TCertificatesUpdate = Partial<Omit<z.input<typeof CertificatesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/dynamic-secret-leases.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const DynamicSecretLeasesSchema = z.object({
-  id: z.string().uuid(),
-  version: z.number(),
-  externalEntityId: z.string(),
-  expireAt: z.date(),
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  dynamicSecretId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TDynamicSecretLeases = z.infer<typeof DynamicSecretLeasesSchema>;
-export type TDynamicSecretLeasesInsert = Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>;
-export type TDynamicSecretLeasesUpdate = Partial<Omit<z.input<typeof DynamicSecretLeasesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -1,31 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const DynamicSecretsSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  version: z.number(),
-  type: z.string(),
-  defaultTTL: z.string(),
-  maxTTL: z.string().nullable().optional(),
-  inputIV: z.string(),
-  inputCiphertext: z.string(),
-  inputTag: z.string(),
-  algorithm: z.string().default("aes-256-gcm"),
-  keyEncoding: z.string().default("utf8"),
-  folderId: z.string().uuid(),
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
-export type TDynamicSecretsInsert = Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>;
-export type TDynamicSecretsUpdate = Partial<Omit<z.input<typeof DynamicSecretsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/external-kms.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ExternalKmsSchema = z.object({
-  id: z.string().uuid(),
-  provider: z.string(),
-  encryptedProviderInputs: zodBuffer,
-  status: z.string().nullable().optional(),
-  statusDetails: z.string().nullable().optional(),
-  kmsKeyId: z.string().uuid()
-});
-
-export type TExternalKms = z.infer<typeof ExternalKmsSchema>;
-export type TExternalKmsInsert = Omit<z.input<typeof ExternalKmsSchema>, TImmutableDBKeys>;
-export type TExternalKmsUpdate = Partial<Omit<z.input<typeof ExternalKmsSchema>, TImmutableDBKeys>>;