Merge pull request #4183 from Infisical/fix/oracle-app-connection

fix: resolved oracle failing in app connection

README.md

@@ -149,11 +149,8 @@ Not sure where to get started? You can:
 
 - Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.
 
-## Resources
+## We are hiring!
 
-- [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
-- [Slack](https://infisical.com/slack) for discussion with the community and Infisical team.
-- [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
-- [Twitter](https://twitter.com/infisical) for fast news
-- [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
-- [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
+If you're reading this, there is a strong chance you like the products we created.
+
+You might also make a great addition to our team. We're growing fast and would love for you to [join us](https://infisical.com/careers).

backend/e2e-test/mocks/queue.ts

@@ -24,6 +24,7 @@ export const mockQueue = (): TQueueServiceFactory => {
       events[name] = event;
     },
     getRepeatableJobs: async () => [],
+    getDelayedJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
     stopJobByIdPg: async () => {},

backend/src/@types/fastify.d.ts

@@ -93,6 +93,7 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -285,6 +286,7 @@ declare module "fastify" {
       secretScanningV2: TSecretScanningV2ServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
       pkiTemplate: TPkiTemplatesServiceFactory;
+      reminder: TReminderServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -504,6 +504,12 @@ import {
   TProjectMicrosoftTeamsConfigsInsert,
   TProjectMicrosoftTeamsConfigsUpdate
 } from "@app/db/schemas/project-microsoft-teams-configs";
+import { TReminders, TRemindersInsert, TRemindersUpdate } from "@app/db/schemas/reminders";
+import {
+  TRemindersRecipients,
+  TRemindersRecipientsInsert,
+  TRemindersRecipientsUpdate
+} from "@app/db/schemas/reminders-recipients";
 import {
   TSecretReminderRecipients,
   TSecretReminderRecipientsInsert,
@@ -1211,5 +1217,11 @@ declare module "knex/types/tables" {
       TSecretScanningConfigsInsert,
       TSecretScanningConfigsUpdate
     >;
+    [TableName.Reminder]: KnexOriginal.CompositeTableType<TReminders, TRemindersInsert, TRemindersUpdate>;
+    [TableName.ReminderRecipient]: KnexOriginal.CompositeTableType<
+      TRemindersRecipients,
+      TRemindersRecipientsInsert,
+      TRemindersRecipientsUpdate
+    >;
   }
 }

backend/src/db/migrations/20250701202824_add-reminder-table.ts

@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.Reminder))) {
+    await knex.schema.createTable(TableName.Reminder, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("secretId").nullable();
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      t.string("message", 1024).nullable();
+      t.integer("repeatDays").checkPositive().nullable();
+      t.timestamp("nextReminderDate").notNullable();
+      t.timestamps(true, true, true);
+      t.unique("secretId");
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ReminderRecipient))) {
+    await knex.schema.createTable(TableName.ReminderRecipient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("reminderId").notNullable();
+      t.foreign("reminderId").references("id").inTable(TableName.Reminder).onDelete("CASCADE");
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.index("reminderId");
+      t.index("userId");
+      t.unique(["reminderId", "userId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.Reminder);
+  await createOnUpdateTrigger(knex, TableName.ReminderRecipient);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.Reminder);
+  await dropOnUpdateTrigger(knex, TableName.ReminderRecipient);
+  await knex.schema.dropTableIfExists(TableName.ReminderRecipient);
+  await knex.schema.dropTableIfExists(TableName.Reminder);
+}

backend/src/db/migrations/20250717195959_gatewayid-for-app-conn.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AppConnection, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.uuid("gatewayId").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AppConnection, "gatewayId")) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250718133527_project-unify-revert.ts

@@ -0,0 +1,432 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+import { v4 as uuidV4 } from "uuid";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { ProjectType, TableName } from "../schemas";
+
+/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
+
+// Single query to get all projects that need any kind of kickout
+const getProjectsNeedingKickouts = async (
+  knex: Knex
+): Promise<
+  Array<{
+    id: string;
+    defaultProduct: string;
+    needsSecretManager: boolean;
+    needsCertManager: boolean;
+    needsSecretScanning: boolean;
+    needsKms: boolean;
+    needsSsh: boolean;
+  }>
+> => {
+  const result = await knex.raw(
+    `
+SELECT DISTINCT
+  p.id,
+  p."defaultProduct",
+  
+  -- Use CASE with direct joins instead of EXISTS subqueries
+  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
+  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
+  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
+  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
+  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
+
+FROM projects p
+LEFT JOIN (
+  SELECT DISTINCT e."projectId", 1 as secret_exists
+  FROM secrets_v2 s
+  JOIN secret_folders sf ON sf.id = s."folderId"
+  JOIN project_environments e ON e.id = sf."envId"
+) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ca_exists
+  FROM certificate_authorities
+) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as ssds_exists
+  FROM secret_scanning_data_sources
+) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
+
+LEFT JOIN (
+  SELECT DISTINCT "projectId", 1 as kms_exists
+  FROM kms_keys
+  WHERE "isReserved" = false
+) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
+
+LEFT JOIN (
+  SELECT DISTINCT sca."projectId", 1 as ssh_exists
+  FROM ssh_certificates sc
+  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
+) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
+
+WHERE p."defaultProduct" IS NOT NULL
+  AND (
+    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
+    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
+  )
+    `
+  );
+
+  return result.rows;
+};
+
+const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
+  const newProjectId = uuidV4();
+  const project = await knex(TableName.Project).where("id", projectId).first();
+  await knex(TableName.Project).insert({
+    ...project,
+    type: projectType,
+    defaultProduct: null,
+    // @ts-ignore id is required
+    id: newProjectId,
+    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
+  });
+
+  const customRoleMapping: Record<string, string> = {};
+  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
+  if (projectCustomRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectRoles,
+      projectCustomRoles.map((el) => {
+        const id = uuidV4();
+        customRoleMapping[el.id] = id;
+        return {
+          ...el,
+          id,
+          projectId: newProjectId,
+          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
+        };
+      })
+    );
+  }
+  const groupMembershipMapping: Record<string, string> = {};
+  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
+  if (groupMemberships.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembership,
+      groupMemberships.map((el) => {
+        const id = uuidV4();
+        groupMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    groupMemberships.map((el) => el.id)
+  );
+  if (groupMembershipRoles.length) {
+    await knex.batchInsert(
+      TableName.GroupProjectMembershipRole,
+      groupMembershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const identityProjectMembershipMapping: Record<string, string> = {};
+  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
+  if (identities.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembership,
+      identities.map((el) => {
+        const id = uuidV4();
+        identityProjectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
+    "projectMembershipId",
+    identities.map((el) => el.id)
+  );
+  if (identitiesRoles.length) {
+    await knex.batchInsert(
+      TableName.IdentityProjectMembershipRole,
+      identitiesRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const projectMembershipMapping: Record<string, string> = {};
+  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
+  if (projectUserMembers.length) {
+    await knex.batchInsert(
+      TableName.ProjectMembership,
+      projectUserMembers.map((el) => {
+        const id = uuidV4();
+        projectMembershipMapping[el.id] = id;
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
+    "projectMembershipId",
+    projectUserMembers.map((el) => el.id)
+  );
+  if (membershipRoles.length) {
+    await knex.batchInsert(
+      TableName.ProjectUserMembershipRole,
+      membershipRoles.map((el) => {
+        const id = uuidV4();
+        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
+        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
+        return { ...el, id, projectMembershipId, customRoleId };
+      })
+    );
+  }
+
+  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
+  if (kmsKeys.length) {
+    await knex.batchInsert(
+      TableName.KmsKey,
+      kmsKeys.map((el) => {
+        const id = uuidV4();
+        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
+        return { ...el, id, slug, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
+  if (projectBot) {
+    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
+    await knex(TableName.ProjectBot).insert(newProjectBot);
+  }
+
+  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
+  if (projectKeys.length) {
+    await knex.batchInsert(
+      TableName.ProjectKeys,
+      projectKeys.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
+  if (projectGateways.length) {
+    await knex.batchInsert(
+      TableName.ProjectGateway,
+      projectGateways.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
+  if (projectSlackConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectSlackConfigs,
+      projectSlackConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
+  if (projectMicrosoftTeamsConfigs.length) {
+    await knex.batchInsert(
+      TableName.ProjectMicrosoftTeamsConfigs,
+      projectMicrosoftTeamsConfigs.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
+  if (trustedIps.length) {
+    await knex.batchInsert(
+      TableName.TrustedIps,
+      trustedIps.map((el) => {
+        const id = uuidV4();
+        return { ...el, id, projectId: newProjectId };
+      })
+    );
+  }
+
+  return newProjectId;
+};
+
+const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
+  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
+  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
+  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
+  await knex(TableName.KmsKey)
+    .where("projectId", oldProjectId)
+    .andWhere("isReserved", false)
+    .update("projectId", newProjectId);
+  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
+  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
+  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
+  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
+};
+
+const BATCH_SIZE = 1000;
+const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
+
+export async function up(knex: Knex): Promise<void> {
+  const result = await knex.raw("SHOW statement_timeout");
+  const originalTimeout = result.rows[0].statement_timeout;
+
+  try {
+    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
+
+    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+    if (hasTemplateTypeColumn) {
+      await knex(TableName.ProjectTemplates).whereNull("type").update({
+        type: ProjectType.SecretManager
+      });
+      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
+      });
+    }
+
+    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+    if (hasTypeColumn && hasDefaultTypeColumn) {
+      await knex(TableName.Project).update({
+        // eslint-disable-next-line
+        // @ts-ignore this is because this field is created later
+        type: knex.raw(`"defaultProduct"`)
+      });
+
+      await knex.schema.alterTable(TableName.Project, (t) => {
+        t.string("type").notNullable().alter();
+        t.string("defaultProduct").nullable().alter();
+      });
+
+      // Get all projects that need kickouts in a single query
+      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
+
+      // Process projects in batches to avoid overwhelming the database
+      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
+        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
+        const processedIds: string[] = [];
+
+        for (const project of batch) {
+          const kickoutPromises: Promise<void>[] = [];
+
+          // Only add kickouts that are actually needed (flags are pre-computed)
+          if (project.needsSecretManager) {
+            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
+          }
+          if (project.needsCertManager) {
+            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
+          }
+          if (project.needsKms) {
+            kickoutPromises.push(kickOutKmsProject(knex, project.id));
+          }
+          if (project.needsSsh) {
+            kickoutPromises.push(kickOutSshProject(knex, project.id));
+          }
+          if (project.needsSecretScanning) {
+            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
+          }
+
+          // Execute all kickouts in parallel and handle any failures gracefully
+          if (kickoutPromises.length > 0) {
+            const results = await Promise.allSettled(kickoutPromises);
+
+            // Log any failures for debugging
+            results.forEach((res) => {
+              if (res.status === "rejected") {
+                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
+              }
+            });
+          }
+
+          processedIds.push(project.id);
+        }
+
+        // Clear defaultProduct for the processed batch
+        if (processedIds.length > 0) {
+          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
+        }
+      }
+    }
+  } finally {
+    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+  if (hasTypeColumn && hasDefaultTypeColumn) {
+    await knex(TableName.Project).update({
+      // eslint-disable-next-line
+      // @ts-ignore this is because this field is created later
+      defaultProduct: knex.raw(`
+    CASE 
+      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
+      ELSE "type" 
+    END
+  `)
+    });
+
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type").nullable().alter();
+      t.string("defaultProduct").notNullable().alter();
+    });
+  }
+
+  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+  if (hasTemplateTypeColumn) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      t.string("type").nullable().alter();
+    });
+  }
+}

backend/src/db/migrations/20250721101756_bump-aws-arn-field-size.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 4096).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 2048).notNullable().alter();
+    });
+  }
+}

backend/src/db/schemas/app-connections.ts

@@ -20,7 +20,8 @@ export const AppConnectionsSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/db/schemas/models.ts

@@ -160,7 +160,7 @@ export enum TableName {
   SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
-  SecretReminderRecipients = "secret_reminder_recipients",
+  SecretReminderRecipients = "secret_reminder_recipients", // TODO(Carlos): Remove this in the future after migrating to the new reminder recipients table
   GithubOrgSyncConfig = "github_org_sync_configs",
   FolderCommit = "folder_commits",
   FolderCommitChanges = "folder_commit_changes",
@@ -172,7 +172,10 @@ export enum TableName {
   SecretScanningResource = "secret_scanning_resources",
   SecretScanningScan = "secret_scanning_scans",
   SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs"
+  SecretScanningConfig = "secret_scanning_configs",
+  // reminders
+  Reminder = "reminders",
+  ReminderRecipient = "reminders_recipients"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -267,6 +270,16 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
+export enum ActionProjectType {
+  SecretManager = ProjectType.SecretManager,
+  CertificateManager = ProjectType.CertificateManager,
+  KMS = ProjectType.KMS,
+  SSH = ProjectType.SSH,
+  SecretScanning = ProjectType.SecretScanning,
+  // project operations that happen on all types
+  Any = "any"
+}
+
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().nullable().optional()
+  type: z.string().default("secret-manager")
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,12 +25,12 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string().nullable().optional(),
+  type: z.string(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().default("secret-manager")
+  defaultProduct: z.string().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/reminders-recipients.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RemindersRecipientsSchema = z.object({
+  id: z.string().uuid(),
+  reminderId: z.string().uuid(),
+  userId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TRemindersRecipients = z.infer<typeof RemindersRecipientsSchema>;
+export type TRemindersRecipientsInsert = Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>;
+export type TRemindersRecipientsUpdate = Partial<Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/reminders.ts

@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const RemindersSchema = z.object({
+  id: z.string().uuid(),
+  secretId: z.string().uuid().nullable().optional(),
+  message: z.string().nullable().optional(),
+  repeatDays: z.number().nullable().optional(),
+  nextReminderDate: z.date(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TReminders = z.infer<typeof RemindersSchema>;
+export type TRemindersInsert = Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>;
+export type TRemindersUpdate = Partial<Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/v1/pit-router.ts

@@ -3,11 +3,14 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { isValidFolderName } from "@app/lib/validator";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
+import { SecretNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const commitHistoryItemSchema = z.object({
   id: z.string(),
@@ -413,4 +416,166 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
       return result;
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/batch/commit",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      hide: true,
+      description: "Commit changes",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        message: z
+          .string()
+          .trim()
+          .min(1)
+          .max(255)
+          .refine((message) => message.trim() !== "", {
+            message: "Commit message cannot be empty"
+          }),
+        changes: z.object({
+          secrets: z.object({
+            create: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema,
+                  secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+                  secretComment: z.string().trim().optional().default(""),
+                  skipMultilineEncoding: z.boolean().optional(),
+                  metadata: z.record(z.string()).optional(),
+                  secretMetadata: ResourceMetadataSchema.optional(),
+                  tagIds: z.string().array().optional()
+                })
+              )
+              .optional(),
+            update: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema,
+                  newSecretName: SecretNameSchema.optional(),
+                  secretValue: z
+                    .string()
+                    .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+                    .optional(),
+                  secretComment: z.string().trim().optional().default(""),
+                  skipMultilineEncoding: z.boolean().optional(),
+                  metadata: z.record(z.string()).optional(),
+                  secretMetadata: ResourceMetadataSchema.optional(),
+                  tagIds: z.string().array().optional()
+                })
+              )
+              .optional(),
+            delete: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema
+                })
+              )
+              .optional()
+          }),
+          folders: z.object({
+            create: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  description: z.string().optional()
+                })
+              )
+              .optional(),
+            update: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  description: z.string().nullable().optional(),
+                  id: z.string()
+                })
+              )
+              .optional(),
+            delete: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  id: z.string()
+                })
+              )
+              .optional()
+          })
+        })
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.processNewCommitRaw({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        projectId: req.body.projectId,
+        environment: req.body.environment,
+        secretPath: req.body.secretPath,
+        message: req.body.message,
+        changes: {
+          secrets: req.body.changes.secrets,
+          folders: req.body.changes.folders
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_PROCESS_NEW_COMMIT_RAW,
+          metadata: {
+            commitId: result.commitId,
+            approvalId: result.approvalId,
+            projectId: req.body.projectId,
+            environment: req.body.environment,
+            secretPath: req.body.secretPath,
+            message: req.body.message
+          }
+        }
+      });
+
+      for await (const event of result.secretMutationEvents) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          orgId: req.permission.orgId,
+          projectId: req.body.projectId,
+          event
+        });
+      }
+
+      return { message: "success" };
+    }
+  });
 };

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,6 +104,9 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
+      querystring: z.object({
+        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
+      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -112,7 +115,10 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
+        req.permission,
+        req.query.type
+      );
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -191,6 +197,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
+        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -6,6 +6,7 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
+import { registerOktaClientSecretRotationRouter } from "./okta-client-secret-rotation-router";
 import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -22,5 +23,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
-  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter
+  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
+  [SecretRotation.OktaClientSecret]: registerOktaClientSecretRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/okta-client-secret-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateOktaClientSecretRotationSchema,
+  OktaClientSecretRotationGeneratedCredentialsSchema,
+  OktaClientSecretRotationSchema,
+  UpdateOktaClientSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/okta-client-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerOktaClientSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.OktaClientSecret,
+    server,
+    responseSchema: OktaClientSecretRotationSchema,
+    createSchema: CreateOktaClientSecretRotationSchema,
+    updateSchema: UpdateOktaClientSecretRotationSchema,
+    generatedCredentialsSchema: OktaClientSecretRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -315,10 +315,12 @@ export const registerSecretRotationEndpoints = <
       querystring: z.object({
         deleteSecrets: z
           .enum(["true", "false"])
+          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).deleteSecrets),
         revokeGeneratedCredentials: z
           .enum(["true", "false"])
+          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
       }),

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -7,6 +7,7 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OktaClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -23,7 +24,8 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,
-  LdapPasswordRotationListItemSchema
+  LdapPasswordRotationListItemSchema,
+  OktaClientSecretRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -116,7 +117,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -272,7 +274,8 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
@@ -337,7 +340,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -533,7 +537,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -583,7 +588,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -622,7 +628,8 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -107,7 +107,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -216,7 +217,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -289,7 +290,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -335,7 +337,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (!membership) {
@@ -551,7 +554,7 @@ export const accessApprovalRequestServiceFactory = ({
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
                   environment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
+                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -582,7 +585,8 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -45,7 +45,10 @@ export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion(
 ]);
 
 export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, {
+    supportsPlatformManagedCredentials: true,
+    supportsGateways: true
+  })
 );
 
 export const UpdateOracleDBConnectionSchema = z
@@ -54,7 +57,12 @@ export const UpdateOracleDBConnectionSchema = z
       AppConnections.UPDATE(AppConnection.OracleDB).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, {
+      supportsPlatformManagedCredentials: true,
+      supportsGateways: true
+    })
+  );
 
 export const OracleDBConnectionListItemSchema = z.object({
   name: z.literal("OracleDB"),

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -37,7 +38,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     if (targetActorType === ActorType.USER) {
@@ -58,7 +60,8 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId
+      actorOrgId: actorPermissionDetails.orgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     const appCfg = getConfig();

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -37,7 +38,8 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.Any
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -449,6 +449,7 @@ export enum EventType {
   PIT_REVERT_COMMIT = "pit-revert-commit",
   PIT_GET_FOLDER_STATE = "pit-get-folder-state",
   PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
+  PIT_PROCESS_NEW_COMMIT_RAW = "pit-process-new-commit-raw",
   SECRET_SCANNING_DATA_SOURCE_LIST = "secret-scanning-data-source-list",
   SECRET_SCANNING_DATA_SOURCE_CREATE = "secret-scanning-data-source-create",
   SECRET_SCANNING_DATA_SOURCE_UPDATE = "secret-scanning-data-source-update",
@@ -467,7 +468,11 @@ export enum EventType {
 
   CREATE_PROJECT = "create-project",
   UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project"
+  DELETE_PROJECT = "delete-project",
+
+  CREATE_SECRET_REMINDER = "create-secret-reminder",
+  GET_SECRET_REMINDER = "get-secret-reminder",
+  DELETE_SECRET_REMINDER = "delete-secret-reminder"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1546,8 +1551,9 @@ interface UpdateFolderEvent {
   metadata: {
     environment: string;
     folderId: string;
-    oldFolderName: string;
+    oldFolderName?: string;
     newFolderName: string;
+    newFolderDescription?: string;
     folderPath: string;
   };
 }
@@ -3222,6 +3228,18 @@ interface PitCompareFolderStatesEvent {
   };
 }
 
+interface PitProcessNewCommitRawEvent {
+  type: EventType.PIT_PROCESS_NEW_COMMIT_RAW;
+  metadata: {
+    projectId: string;
+    environment: string;
+    secretPath: string;
+    message: string;
+    approvalId?: string;
+    commitId?: string;
+  };
+}
+
 interface SecretScanningDataSourceListEvent {
   type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST;
   metadata: {
@@ -3312,6 +3330,31 @@ interface SecretScanningConfigUpdateEvent {
   };
 }
 
+interface SecretReminderCreateEvent {
+  type: EventType.CREATE_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+    message?: string | null;
+    repeatDays?: number | null;
+    nextReminderDate?: string | null;
+    recipients?: string[] | null;
+  };
+}
+
+interface SecretReminderGetEvent {
+  type: EventType.GET_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+  };
+}
+
+interface SecretReminderDeleteEvent {
+  type: EventType.DELETE_SECRET_REMINDER;
+  metadata: {
+    secretId: string;
+  };
+}
+
 interface SecretScanningConfigReadEvent {
   type: EventType.SECRET_SCANNING_CONFIG_GET;
   metadata?: Record<string, never>; // not needed, based off projectId
@@ -3658,6 +3701,7 @@ export type Event =
   | PitRevertCommitEvent
   | PitCompareFolderStatesEvent
   | PitGetFolderStateEvent
+  | PitProcessNewCommitRawEvent
   | SecretScanningDataSourceListEvent
   | SecretScanningDataSourceGetEvent
   | SecretScanningDataSourceCreateEvent
@@ -3674,4 +3718,7 @@ export type Event =
   | OrgUpdateEvent
   | ProjectCreateEvent
   | ProjectUpdateEvent
-  | ProjectDeleteEvent;
+  | ProjectDeleteEvent
+  | SecretReminderCreateEvent
+  | SecretReminderGetEvent
+  | SecretReminderDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -77,7 +78,8 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -84,7 +85,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -200,7 +202,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -297,7 +300,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -385,7 +389,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -432,7 +437,8 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -78,7 +79,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -207,7 +209,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -358,7 +361,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -423,7 +427,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -487,7 +492,8 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId
+        actorOrgId,
+        actionProjectType: ActionProjectType.SecretManager
       });
 
       // verify user has access to each env in request
@@ -530,7 +536,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -578,7 +585,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -615,7 +623,8 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -659,7 +668,8 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/gateway/gateway-service.ts

@@ -566,6 +566,14 @@ export const gatewayServiceFactory = ({
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
     const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
+
+    const orgLicensePlan = await licenseService.getPlan(orgGatewayConfig.orgId);
+    if (!orgLicensePlan.gateway) {
+      throw new BadRequestError({
+        message: "Please upgrade your instance to Infisical's Enterprise plan to use gateways."
+      });
+    }
+
     const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: orgGatewayConfig.orgId

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -158,7 +160,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -169,7 +172,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -256,7 +260,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -267,7 +272,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -315,7 +321,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -349,7 +356,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -384,7 +392,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -72,7 +73,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -85,7 +87,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -172,7 +175,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -185,7 +189,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -288,7 +293,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -300,7 +306,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -359,7 +366,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -401,7 +409,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
@@ -78,7 +79,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -131,7 +133,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -162,7 +165,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -195,7 +199,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -216,7 +221,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -252,7 +258,8 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.KMS
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,6 +1,7 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 
 import { OrgPermissionSet } from "./org-permission";
@@ -20,6 +21,7 @@ export type TGetUserProjectPermissionArg = {
   userId: string;
   projectId: string;
   authMethod: ActorAuthMethod;
+  actionProjectType: ActionProjectType;
   userOrgId?: string;
 };
 
@@ -27,12 +29,14 @@ export type TGetIdentityProjectPermissionArg = {
   identityId: string;
   projectId: string;
   identityOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetServiceTokenProjectPermissionArg = {
   serviceTokenId: string;
   projectId: string;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TGetProjectPermissionArg = {
@@ -41,6 +45,7 @@ export type TGetProjectPermissionArg = {
   projectId: string;
   actorAuthMethod: ActorAuthMethod;
   actorOrgId?: string;
+  actionProjectType: ActionProjectType;
 };
 
 export type TPermissionServiceFactory = {
@@ -138,7 +143,13 @@ export type TPermissionServiceFactory = {
         };
       }
   >;
-  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({
+    userId,
+    projectId,
+    authMethod,
+    userOrgId,
+    actionProjectType
+  }: TGetUserProjectPermissionArg) => Promise<{
     permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
     membership: {
       id: string;

backend/src/ee/services/permission/permission-service.ts

@@ -5,6 +5,7 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
+  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
   ServiceTokenScopes,
@@ -213,7 +214,8 @@ export const permissionServiceFactory = ({
     userId,
     projectId,
     authMethod,
-    userOrgId
+    userOrgId,
+    actionProjectType
   }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@@ -240,6 +242,12 @@ export const permissionServiceFactory = ({
       userProjectPermission.orgRole
     );
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -287,7 +295,8 @@ export const permissionServiceFactory = ({
   const getIdentityProjectPermission = async ({
     identityId,
     projectId,
-    identityOrgId
+    identityOrgId,
+    actionProjectType
   }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
@@ -307,6 +316,12 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
+      throw new BadRequestError({
+        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -361,7 +376,8 @@ export const permissionServiceFactory = ({
   const getServiceTokenProjectPermission = async ({
     serviceTokenId,
     projectId,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetServiceTokenProjectPermissionArg) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@@ -386,6 +402,12 @@ export const permissionServiceFactory = ({
       });
     }
 
+    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
+      throw new BadRequestError({
+        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
+      });
+    }
+
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@@ -537,7 +559,8 @@ export const permissionServiceFactory = ({
     actorId: inputActorId,
     projectId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    actionProjectType
   }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
     let actor = inputActor;
     let actorId = inputActorId;
@@ -558,19 +581,22 @@ export const permissionServiceFactory = ({
           userId: actorId,
           projectId,
           authMethod: actorAuthMethod,
-          userOrgId: actorOrgId
+          userOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
         return getServiceTokenProjectPermission({
           serviceTokenId: actorId,
           projectId,
-          actorOrgId
+          actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
         return getIdentityProjectPermission({
           identityId: actorId,
           projectId,
-          identityOrgId: actorOrgId
+          identityOrgId: actorOrgId,
+          actionProjectType
         }) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({

backend/src/ee/services/pit/pit-service.ts

@@ -1,29 +1,53 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
+import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-import { ResourceType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { TFolderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import {
+  ResourceType,
+  TCommitResourceChangeDTO,
+  TFolderCommitServiceFactory
+} from "@app/services/folder-commit/folder-commit-service";
 import {
   isFolderCommitChange,
   isSecretCommitChange
 } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
+import { TProcessNewCommitRawDTO } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
+import { TSecretV2BridgeServiceFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-service";
+import { SecretOperations, SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
+import { TSecretApprovalPolicyServiceFactory } from "../secret-approval-policy/secret-approval-policy-service";
+import { TSecretApprovalRequestServiceFactory } from "../secret-approval-request/secret-approval-request-service";
 
 type TPitServiceFactoryDep = {
   folderCommitService: TFolderCommitServiceFactory;
   secretService: Pick<TSecretServiceFactory, "getSecretVersionsV2ByIds" | "getChangeVersions">;
-  folderService: Pick<TSecretFolderServiceFactory, "getFolderById" | "getFolderVersions">;
+  folderService: Pick<
+    TSecretFolderServiceFactory,
+    "getFolderById" | "getFolderVersions" | "createManyFolders" | "updateManyFolders" | "deleteManyFolders"
+  >;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds" | "findBySecretPath">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  secretApprovalRequestService: Pick<
+    TSecretApprovalRequestServiceFactory,
+    "generateSecretApprovalRequest" | "generateSecretApprovalRequestV2Bridge"
+  >;
+  secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug" | "findById">;
+  secretV2BridgeService: TSecretV2BridgeServiceFactory;
+  folderCommitDAL: Pick<TFolderCommitDALFactory, "transaction">;
 };
 
 export type TPitServiceFactory = ReturnType<typeof pitServiceFactory>;
@@ -34,7 +58,12 @@ export const pitServiceFactory = ({
   folderService,
   permissionService,
   folderDAL,
-  projectEnvDAL
+  projectEnvDAL,
+  secretApprovalRequestService,
+  secretApprovalPolicyService,
+  projectDAL,
+  secretV2BridgeService,
+  folderCommitDAL
 }: TPitServiceFactoryDep) => {
   const getCommitsCount = async ({
     actor,
@@ -320,7 +349,8 @@ export const pitServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(userPermission).throwUnlessCan(
@@ -471,6 +501,347 @@ export const pitServiceFactory = ({
     });
   };
 
+  const processNewCommitRaw = async ({
+    actorId,
+    projectId,
+    environment,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    secretPath,
+    message,
+    changes = {
+      secrets: {
+        create: [],
+        update: [],
+        delete: []
+      },
+      folders: {
+        create: [],
+        update: [],
+        delete: []
+      }
+    }
+  }: {
+    actorId: string;
+    projectId: string;
+    environment: string;
+    actor: ActorType;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    secretPath: string;
+    message: string;
+    changes: TProcessNewCommitRawDTO;
+  }) => {
+    const policy =
+      actor === ActorType.USER
+        ? await secretApprovalPolicyService.getSecretApprovalPolicy(projectId, environment, secretPath)
+        : undefined;
+    const secretMutationEvents: Event[] = [];
+
+    const project = await projectDAL.findById(projectId);
+    if (project.enforceCapitalization) {
+      const caseViolatingSecretKeys = [
+        // Check create operations
+        ...(changes.secrets?.create
+          ?.filter((sec) => sec.secretKey !== sec.secretKey.toUpperCase())
+          .map((sec) => sec.secretKey) ?? []),
+
+        // Check update operations
+        ...(changes.secrets?.update
+          ?.filter((sec) => sec.newSecretName && sec.newSecretName !== sec.newSecretName.toUpperCase())
+          .map((sec) => sec.secretKey) ?? [])
+      ];
+
+      if (caseViolatingSecretKeys.length) {
+        throw new BadRequestError({
+          message: `Secret names must be in UPPERCASE per project requirements: ${caseViolatingSecretKeys.join(
+            ", "
+          )}. You can disable this requirement in project settings`
+        });
+      }
+    }
+
+    const response = await folderCommitDAL.transaction(async (trx) => {
+      const targetFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath, trx);
+      if (!targetFolder)
+        throw new NotFoundError({
+          message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`,
+          name: "CreateManySecret"
+        });
+      const commitChanges: TCommitResourceChangeDTO[] = [];
+      const folderChanges: { create: string[]; update: string[]; delete: string[] } = {
+        create: [],
+        update: [],
+        delete: []
+      };
+
+      if ((changes.folders?.create?.length ?? 0) > 0) {
+        const createdFolders = await folderService.createManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.create?.map((folder) => ({
+              name: folder.folderName,
+              environment,
+              path: secretPath,
+              description: folder.description
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+        const newFolderEvents = createdFolders.folders.map(
+          (folder) =>
+            ({
+              type: EventType.CREATE_FOLDER,
+              metadata: {
+                environment,
+                folderId: folder.id,
+                folderName: folder.name,
+                folderPath: secretPath,
+                ...(folder.description ? { description: folder.description } : {})
+              }
+            }) as Event
+        );
+        secretMutationEvents.push(...newFolderEvents);
+        folderChanges.create.push(...createdFolders.folders.map((folder) => folder.id));
+      }
+
+      if ((changes.folders?.update?.length ?? 0) > 0) {
+        const updatedFolders = await folderService.updateManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.update?.map((folder) => ({
+              environment,
+              path: secretPath,
+              id: folder.id,
+              name: folder.folderName,
+              description: folder.description
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+
+        const updatedFolderEvents = updatedFolders.newFolders.map(
+          (folder) =>
+            ({
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment,
+                folderId: folder.id,
+                folderPath: secretPath,
+                newFolderName: folder.name,
+                newFolderDescription: folder.description
+              }
+            }) as Event
+        );
+        secretMutationEvents.push(...updatedFolderEvents);
+        folderChanges.update.push(...updatedFolders.newFolders.map((folder) => folder.id));
+      }
+
+      if ((changes.folders?.delete?.length ?? 0) > 0) {
+        const deletedFolders = await folderService.deleteManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.delete?.map((folder) => ({
+              environment,
+              path: secretPath,
+              idOrName: folder.id
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+        const deletedFolderEvents = deletedFolders.folders.map(
+          (folder) =>
+            ({
+              type: EventType.DELETE_FOLDER,
+              metadata: {
+                environment,
+                folderId: folder.id,
+                folderPath: secretPath,
+                folderName: folder.name
+              }
+            }) as Event
+        );
+        secretMutationEvents.push(...deletedFolderEvents);
+        folderChanges.delete.push(...deletedFolders.folders.map((folder) => folder.id));
+      }
+
+      if (policy) {
+        if (
+          (changes.secrets?.create?.length ?? 0) > 0 ||
+          (changes.secrets?.update?.length ?? 0) > 0 ||
+          (changes.secrets?.delete?.length ?? 0) > 0
+        ) {
+          const approval = await secretApprovalRequestService.generateSecretApprovalRequestV2Bridge({
+            policy,
+            secretPath,
+            environment,
+            projectId,
+            actor,
+            actorId,
+            actorOrgId,
+            actorAuthMethod,
+            data: {
+              [SecretOperations.Create]:
+                changes.secrets?.create?.map((el) => ({
+                  tagIds: el.tagIds,
+                  secretValue: el.secretValue,
+                  secretComment: el.secretComment,
+                  metadata: el.metadata,
+                  skipMultilineEncoding: el.skipMultilineEncoding,
+                  secretKey: el.secretKey,
+                  secretMetadata: el.secretMetadata
+                })) ?? [],
+              [SecretOperations.Update]:
+                changes.secrets?.update?.map((el) => ({
+                  tagIds: el.tagIds,
+                  newSecretName: el.newSecretName,
+                  secretValue: el.secretValue,
+                  secretComment: el.secretComment,
+                  metadata: el.metadata,
+                  skipMultilineEncoding: el.skipMultilineEncoding,
+                  secretKey: el.secretKey,
+                  secretMetadata: el.secretMetadata
+                })) ?? [],
+              [SecretOperations.Delete]:
+                changes.secrets?.delete?.map((el) => ({
+                  secretKey: el.secretKey
+                })) ?? []
+            }
+          });
+          return {
+            approvalId: approval.id,
+            folderChanges,
+            secretMutationEvents
+          };
+        }
+        return {
+          folderChanges,
+          secretMutationEvents
+        };
+      }
+
+      if ((changes.secrets?.create?.length ?? 0) > 0) {
+        const newSecrets = await secretV2BridgeService.createManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.create ?? [],
+          tx: trx,
+          commitChanges
+        });
+        secretMutationEvents.push({
+          type: EventType.CREATE_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            secrets: newSecrets.map((secret) => ({
+              secretId: secret.id,
+              secretKey: secret.secretKey,
+              secretVersion: secret.version
+            }))
+          }
+        });
+      }
+      if ((changes.secrets?.update?.length ?? 0) > 0) {
+        const updatedSecrets = await secretV2BridgeService.updateManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.update ?? [],
+          mode: SecretUpdateMode.FailOnNotFound,
+          tx: trx,
+          commitChanges
+        });
+        secretMutationEvents.push({
+          type: EventType.UPDATE_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            secrets: updatedSecrets.map((secret) => ({
+              secretId: secret.id,
+              secretKey: secret.secretKey,
+              secretVersion: secret.version
+            }))
+          }
+        });
+      }
+      if ((changes.secrets?.delete?.length ?? 0) > 0) {
+        const deletedSecrets = await secretV2BridgeService.deleteManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.delete ?? [],
+          tx: trx,
+          commitChanges
+        });
+        secretMutationEvents.push({
+          type: EventType.DELETE_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            secrets: deletedSecrets.map((secret) => ({
+              secretId: secret.id,
+              secretKey: secret.secretKey,
+              secretVersion: secret.version
+            }))
+          }
+        });
+      }
+      if (commitChanges?.length > 0) {
+        const commit = await folderCommitService.createCommit(
+          {
+            actor: {
+              type: actor || ActorType.PLATFORM,
+              metadata: {
+                id: actorId
+              }
+            },
+            message,
+            folderId: targetFolder.id,
+            changes: commitChanges
+          },
+          trx
+        );
+        return {
+          folderChanges,
+          commitId: commit?.id,
+          secretMutationEvents
+        };
+      }
+      return {
+        folderChanges,
+        secretMutationEvents
+      };
+    });
+
+    return response;
+  };
+
   return {
     getCommitsCount,
     getCommitsForFolder,
@@ -478,6 +849,7 @@ export const pitServiceFactory = ({
     compareCommitChanges,
     rollbackToCommit,
     revertCommit,
-    getFolderStateAtCommit
+    getFolderStateAtCommit,
+    processNewCommitRaw
   };
 };

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   InfisicalProjectTemplate,
   TUnpackedPermission
@@ -6,18 +7,21 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"
 
 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
 
-export const getDefaultProjectTemplate = (orgId: string) => ({
+export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
   id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
+  type,
   name: InfisicalProjectTemplate.Default,
   createdAt: new Date(),
   updatedAt: new Date(),
-  description: `Infisical's default project template`,
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
-    name: string;
-    slug: string;
-    permissions: TUnpackedPermission[];
-  }>,
+  description: `Infisical's ${type} default project template`,
+  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
+  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
+    ({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })
+  ),
   orgId
 });
 

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { TProjectTemplates } from "@app/db/schemas";
+import { ProjectType, TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -29,11 +29,13 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
   ...rest,
   environments: environments as TProjectTemplateEnvironment[],
   roles: [
-    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
+    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
+      ({ name, slug, permissions }) => ({
+        name,
+        slug,
+        permissions: permissions as TUnpackedPermission[]
+      })
+    ),
     ...(roles as TProjectTemplateRole[]).map((role) => ({
       ...role,
       permissions: unpackPermissions(role.permissions)
@@ -46,7 +48,10 @@ export const projectTemplateServiceFactory = ({
   permissionService,
   projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
+    actor,
+    type
+  ) => {
     const plan = await licenseService.getPlan(actor.orgId);
 
     if (!plan.projectTemplates)
@@ -65,11 +70,14 @@ export const projectTemplateServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
 
     const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
+      orgId: actor.orgId,
+      ...(type ? { type } : {})
     });
 
     return [
-      getDefaultProjectTemplate(actor.orgId),
+      ...(type
+        ? [getDefaultProjectTemplate(actor.orgId, type)]
+        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
       ...projectTemplates.map((template) => $unpackProjectTemplate(template))
     ];
   };
@@ -134,7 +142,7 @@ export const projectTemplateServiceFactory = ({
   };
 
   const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, ...params },
+    { roles, environments, type, ...params },
     actor
   ) => {
     const plan = await licenseService.getPlan(actor.orgId);
@@ -154,6 +162,10 @@ export const projectTemplateServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
 
+    if (environments && type !== ProjectType.SecretManager) {
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+    }
+
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({
         // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@@ -176,8 +188,10 @@ export const projectTemplateServiceFactory = ({
     const projectTemplate = await projectTemplateDAL.create({
       ...params,
       roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId
+      environments:
+        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId,
+      type
     });
 
     return $unpackProjectTemplate(projectTemplate);
@@ -208,6 +222,11 @@ export const projectTemplateServiceFactory = ({
     );
 
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
+    if (projectTemplate.type !== ProjectType.SecretManager && environments)
+      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
+
+    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
+      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
 
     if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
       throw new BadRequestError({

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -15,6 +15,7 @@ export type TProjectTemplateRole = {
 
 export type TCreateProjectTemplateDTO = {
   name: string;
+  type: ProjectType;
   description?: string;
   roles: TProjectTemplateRole[];
   environments?: TProjectTemplateEnvironment[] | null;
@@ -29,11 +30,15 @@ export enum InfisicalProjectTemplate {
 }
 
 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
+  listProjectTemplatesByOrg: (
+    actor: OrgServiceActor,
+    type?: ProjectType
+  ) => Promise<
     (
       | {
           id: string;
           name: InfisicalProjectTemplate;
+          type: string;
           createdAt: Date;
           updatedAt: Date;
           description: string;
@@ -58,6 +63,7 @@ export type TProjectTemplateServiceFactory = {
         }
       | {
           environments: TProjectTemplateEnvironment[];
+          type: string;
           roles: {
             permissions: {
               action: string[];
@@ -94,6 +100,7 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
+    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -118,6 +125,7 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
+    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -140,6 +148,7 @@ export type TProjectTemplateServiceFactory = {
     name: string;
     orgId: string;
     id: string;
+    type: string;
     createdAt: Date;
     updatedAt: Date;
     description?: string | null | undefined;
@@ -162,6 +171,7 @@ export type TProjectTemplateServiceFactory = {
     }[];
     name: string;
     orgId: string;
+    type: string;
     id: string;
     createdAt: Date;
     updatedAt: Date;
@@ -184,6 +194,7 @@ export type TProjectTemplateServiceFactory = {
       name: string;
     }[];
     name: string;
+    type: string;
     orgId: string;
     id: string;
     createdAt: Date;

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,7 +61,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@@ -69,7 +70,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -164,7 +166,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@@ -172,7 +175,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -272,7 +276,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
 
@@ -317,7 +322,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 
@@ -343,7 +349,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
 

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -110,7 +111,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -304,7 +306,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -459,7 +462,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -498,7 +502,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
@@ -542,7 +547,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
@@ -568,7 +574,8 @@ export const secretApprovalPolicyServiceFactory = ({
       actorId,
       projectId: sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts

@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
         firstName: reviewerUser.firstName,
         projectName: project.name,
         organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval?requestId=${secretApprovalRequest.id}`
       },
       template: SmtpTemplates.SecretApprovalRequestNeedsReview
     });

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1,7 +1,9 @@
 /* eslint-disable no-nested-ternary */
 import { ForbiddenError, subject } from "@casl/ability";
+import { Knex } from "knex";
 
 import {
+  ActionProjectType,
   ProjectMembershipRole,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
@@ -183,7 +185,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
@@ -210,7 +213,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -262,7 +266,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -411,7 +416,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -480,7 +486,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId: secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -536,7 +543,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     if (
@@ -954,7 +962,7 @@ export const secretApprovalRequestServiceFactory = ({
           bypassReason,
           secretPath: policy.secretPath,
           environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
+          approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`
         },
         template: SmtpTemplates.AccessSecretRequestBypassed
       });
@@ -1088,7 +1096,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@@ -1368,8 +1377,9 @@ export const secretApprovalRequestServiceFactory = ({
     policy,
     projectId,
     secretPath,
-    environment
-  }: TGenerateSecretApprovalRequestV2BridgeDTO) => {
+    environment,
+    trx: providedTx
+  }: TGenerateSecretApprovalRequestV2BridgeDTO & { trx?: Knex }) => {
     if (actor === ActorType.SERVICE || actor === ActorType.Machine)
       throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
 
@@ -1378,7 +1388,8 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
@@ -1595,7 +1606,7 @@ export const secretApprovalRequestServiceFactory = ({
       );
     });
 
-    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
+    const executeApprovalRequestCreation = async (tx: Knex) => {
       const doc = await secretApprovalRequestDAL.create(
         {
           folderId,
@@ -1657,7 +1668,11 @@ export const secretApprovalRequestServiceFactory = ({
       }
 
       return { ...doc, commits: approvalCommits };
-    });
+    };
+
+    const secretApprovalRequest = providedTx
+      ? await executeApprovalRequestCreation(providedTx)
+      : await secretApprovalRequestDAL.transaction(executeApprovalRequestCreation);
 
     const user = await userDAL.findById(actorId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });

backend/src/ee/services/secret-rotation-v2/okta-client-secret/index.ts

@@ -0,0 +1,3 @@
+export * from "./okta-client-secret-rotation-constants";
+export * from "./okta-client-secret-rotation-schemas";
+export * from "./okta-client-secret-rotation-types";

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-constants.ts

@@ -0,0 +1,15 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "Okta Client Secret",
+  type: SecretRotation.OktaClientSecret,
+  connection: AppConnection.Okta,
+  template: {
+    secretsMapping: {
+      clientId: "OKTA_CLIENT_ID",
+      clientSecret: "OKTA_CLIENT_SECRET"
+    }
+  }
+};

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-fns.ts

@@ -0,0 +1,273 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
+import {
+  TRotationFactory,
+  TRotationFactoryGetSecretsPayload,
+  TRotationFactoryIssueCredentials,
+  TRotationFactoryRevokeCredentials,
+  TRotationFactoryRotateCredentials
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { request } from "@app/lib/config/request";
+import { delay as delayMs } from "@app/lib/delay";
+import { BadRequestError } from "@app/lib/errors";
+import { getOktaInstanceUrl } from "@app/services/app-connection/okta";
+
+import {
+  TOktaClientSecret,
+  TOktaClientSecretRotationGeneratedCredentials,
+  TOktaClientSecretRotationWithConnection
+} from "./okta-client-secret-rotation-types";
+
+type OktaErrorResponse = { errorCode: string; errorSummary: string; errorCauses?: { errorSummary: string }[] };
+
+const isOktaErrorResponse = (data: unknown): data is OktaErrorResponse => {
+  return (
+    typeof data === "object" &&
+    data !== null &&
+    "errorSummary" in data &&
+    typeof (data as OktaErrorResponse).errorSummary === "string"
+  );
+};
+
+const createErrorMessage = (error: unknown) => {
+  if (error instanceof AxiosError) {
+    if (error.response?.data && isOktaErrorResponse(error.response.data)) {
+      const oktaError = error.response.data;
+      if (oktaError.errorCauses && oktaError.errorCauses.length > 0) {
+        return oktaError.errorCauses[0].errorSummary;
+      }
+      return oktaError.errorSummary;
+    }
+    if (error.message) {
+      return error.message;
+    }
+  }
+  return "Unknown error";
+};
+
+// Delay between each revocation call in revokeCredentials
+const DELAY_MS = 1000;
+
+export const oktaClientSecretRotationFactory: TRotationFactory<
+  TOktaClientSecretRotationWithConnection,
+  TOktaClientSecretRotationGeneratedCredentials
+> = (secretRotation) => {
+  const {
+    connection,
+    parameters: { clientId },
+    secretsMapping
+  } = secretRotation;
+
+  /**
+   * Creates a new client secret for the Okta app.
+   */
+  const $rotateClientSecret = async () => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.post<TOktaClientSecret>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets`,
+        {},
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      if (!data.client_secret || !data.id) {
+        throw new Error("Invalid response from Okta: missing 'client_secret' or secret 'id'.");
+      }
+
+      return {
+        clientSecret: data.client_secret,
+        secretId: data.id,
+        clientId
+      };
+    } catch (error: unknown) {
+      if (
+        error instanceof AxiosError &&
+        error.response?.data &&
+        isOktaErrorResponse(error.response.data) &&
+        error.response.data.errorCode === "E0000001"
+      ) {
+        // Okta has a maximum of 2 secrets per app, thus we must warn the users in case they already have 2
+        throw new BadRequestError({
+          message: `Failed to add client secret to Okta app ${clientId}: You must have only a single secret for the Okta app prior to creating this secret rotation.`
+        });
+      }
+
+      throw new BadRequestError({
+        message: `Failed to add client secret to Okta app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * List client secrets.
+   */
+  const $listClientSecrets = async () => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.get<TOktaClientSecret[]>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets`,
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      return data;
+    } catch (error: unknown) {
+      throw new BadRequestError({
+        message: `Failed to list client secrets for Okta app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * Checks if a credential with the given secretId exists.
+   */
+  const credentialExists = async (secretId: string): Promise<boolean> => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.get<TOktaClientSecret>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}`,
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      return data.id === secretId;
+    } catch (_) {
+      return false;
+    }
+  };
+
+  /**
+   * Revokes a client secret from the Okta app using its secretId.
+   * First checks if the credential exists before attempting revocation.
+   */
+  const revokeCredential = async (secretId: string) => {
+    // Check if credential exists before attempting revocation
+    const exists = await credentialExists(secretId);
+    if (!exists) {
+      return; // Credential doesn't exist, nothing to revoke
+    }
+
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      // First deactivate the secret
+      await request.post(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}/lifecycle/deactivate`,
+        undefined,
+        {
+          headers: {
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      // Then delete it
+      await request.delete(`${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}`, {
+        headers: {
+          Authorization: `SSWS ${connection.credentials.apiToken}`
+        }
+      });
+    } catch (error: unknown) {
+      if (
+        error instanceof AxiosError &&
+        error.response?.data &&
+        isOktaErrorResponse(error.response.data) &&
+        error.response.data.errorCode === "E0000001"
+      ) {
+        // If this is the last secret, we cannot revoke it
+        return;
+      }
+
+      throw new BadRequestError({
+        message: `Failed to remove client secret with secretId ${secretId} from app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * Issues a new set of credentials.
+   */
+  const issueCredentials: TRotationFactoryIssueCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+    return callback(credentials);
+  };
+
+  /**
+   * Revokes a list of credentials.
+   */
+  const revokeCredentials: TRotationFactoryRevokeCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    credentials,
+    callback
+  ) => {
+    if (!credentials?.length) return callback();
+
+    for (const { secretId } of credentials) {
+      await revokeCredential(secretId);
+      await delayMs(DELAY_MS);
+    }
+    return callback();
+  };
+
+  /**
+   * Rotates credentials by issuing new ones and revoking the old.
+   */
+  const rotateCredentials: TRotationFactoryRotateCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    oldCredentials,
+    callback,
+    activeCredentials
+  ) => {
+    // Since in Okta you can only have a maximum of 2 secrets at a time, we must delete any other secret besides the current one PRIOR to generating the second secret
+    if (oldCredentials?.secretId) {
+      await revokeCredential(oldCredentials.secretId);
+    } else if (activeCredentials) {
+      // On the first rotation oldCredentials won't be set so we must find the second secret manually
+      const secrets = await $listClientSecrets();
+
+      if (secrets.length > 1) {
+        const nonActiveSecret = secrets.find((secret) => secret.id !== activeCredentials.secretId);
+        if (nonActiveSecret) {
+          await revokeCredential(nonActiveSecret.id);
+        }
+      }
+    }
+
+    const newCredentials = await $rotateClientSecret();
+    return callback(newCredentials);
+  };
+
+  /**
+   * Maps the generated credentials into the secret payload format.
+   */
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TOktaClientSecretRotationGeneratedCredentials> = ({
+    clientSecret
+  }) => [
+    { key: secretsMapping.clientId, value: clientId },
+    { key: secretsMapping.clientSecret, value: clientSecret }
+  ];
+
+  return {
+    issueCredentials,
+    revokeCredentials,
+    rotateCredentials,
+    getSecretsPayload
+  };
+};

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-schemas.ts

@@ -0,0 +1,68 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import { SecretRotations } from "@app/lib/api-docs";
+import { SecretNameSchema } from "@app/server/lib/schemas";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OktaClientSecretRotationGeneratedCredentialsSchema = z
+  .object({
+    clientId: z.string(),
+    clientSecret: z.string(),
+    secretId: z.string()
+  })
+  .array()
+  .min(1)
+  .max(2);
+
+const OktaClientSecretRotationParametersSchema = z.object({
+  clientId: z
+    .string()
+    .trim()
+    .min(1, "Client ID Required")
+    .describe(SecretRotations.PARAMETERS.OKTA_CLIENT_SECRET.clientId)
+});
+
+const OktaClientSecretRotationSecretsMappingSchema = z.object({
+  clientId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.OKTA_CLIENT_SECRET.clientId),
+  clientSecret: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.OKTA_CLIENT_SECRET.clientSecret)
+});
+
+export const OktaClientSecretRotationTemplateSchema = z.object({
+  secretsMapping: z.object({
+    clientId: z.string(),
+    clientSecret: z.string()
+  })
+});
+
+export const OktaClientSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.OktaClientSecret).extend({
+  type: z.literal(SecretRotation.OktaClientSecret),
+  parameters: OktaClientSecretRotationParametersSchema,
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema
+});
+
+export const CreateOktaClientSecretRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.OktaClientSecret
+).extend({
+  parameters: OktaClientSecretRotationParametersSchema,
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema
+});
+
+export const UpdateOktaClientSecretRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.OktaClientSecret
+).extend({
+  parameters: OktaClientSecretRotationParametersSchema.optional(),
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema.optional()
+});
+
+export const OktaClientSecretRotationListItemSchema = z.object({
+  name: z.literal("Okta Client Secret"),
+  connection: z.literal(AppConnection.Okta),
+  type: z.literal(SecretRotation.OktaClientSecret),
+  template: OktaClientSecretRotationTemplateSchema
+});

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-types.ts

@@ -0,0 +1,40 @@
+import { z } from "zod";
+
+import { TOktaConnection } from "@app/services/app-connection/okta";
+
+import {
+  CreateOktaClientSecretRotationSchema,
+  OktaClientSecretRotationGeneratedCredentialsSchema,
+  OktaClientSecretRotationListItemSchema,
+  OktaClientSecretRotationSchema
+} from "./okta-client-secret-rotation-schemas";
+
+export type TOktaClientSecretRotation = z.infer<typeof OktaClientSecretRotationSchema>;
+
+export type TOktaClientSecretRotationInput = z.infer<typeof CreateOktaClientSecretRotationSchema>;
+
+export type TOktaClientSecretRotationListItem = z.infer<typeof OktaClientSecretRotationListItemSchema>;
+
+export type TOktaClientSecretRotationWithConnection = TOktaClientSecretRotation & {
+  connection: TOktaConnection;
+};
+
+export type TOktaClientSecretRotationGeneratedCredentials = z.infer<
+  typeof OktaClientSecretRotationGeneratedCredentialsSchema
+>;
+
+export interface TOktaClientSecretRotationParameters {
+  clientId: string;
+  secretId: string;
+}
+
+export interface TOktaClientSecretRotationSecretsMapping {
+  clientId: string;
+  clientSecret: string;
+  secretId: string;
+}
+
+export interface TOktaClientSecret {
+  id: string;
+  client_secret: string;
+}

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -6,7 +6,8 @@ export enum SecretRotation {
   Auth0ClientSecret = "auth0-client-secret",
   AzureClientSecret = "azure-client-secret",
   AwsIamUserSecret = "aws-iam-user-secret",
-  LdapPassword = "ldap-password"
+  LdapPassword = "ldap-password",
+  OktaClientSecret = "okta-client-secret"
 }
 
 export enum SecretRotationStatus {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -10,6 +10,7 @@ import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret"
 import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
+import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -30,7 +31,8 @@ const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2List
   [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AzureClientSecret]: AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,
-  [SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION
+  [SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION,
+  [SecretRotation.OktaClientSecret]: OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION
 };
 
 export const listSecretRotationOptions = () => {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -9,7 +9,8 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
   [SecretRotation.AzureClientSecret]: "Azure Client Secret",
   [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
-  [SecretRotation.LdapPassword]: "LDAP Password"
+  [SecretRotation.LdapPassword]: "LDAP Password",
+  [SecretRotation.OktaClientSecret]: "Okta Client Secret"
 };
 
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
@@ -20,5 +21,6 @@ export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnectio
   [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
   [SecretRotation.AzureClientSecret]: AppConnection.AzureClientSecrets,
   [SecretRotation.AwsIamUserSecret]: AppConnection.AWS,
-  [SecretRotation.LdapPassword]: AppConnection.LDAP
+  [SecretRotation.LdapPassword]: AppConnection.LDAP,
+  [SecretRotation.OktaClientSecret]: AppConnection.Okta
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts

@@ -167,7 +167,7 @@ export const secretRotationV2QueueServiceFactory = async ({
             environment: environment.name,
             projectName: project.name,
             rotationUrl: encodeURI(
-              `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
+              `${appCfg.SITE_URL}/projects/secret-management/${projectId}/secrets/${environment.slug}`
             )
           }
         });

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -2,8 +2,9 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";
 
-import { SecretType, TableName } from "@app/db/schemas";
+import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -82,6 +83,7 @@ import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secre
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
 import { awsIamUserSecretRotationFactory } from "./aws-iam-user-secret/aws-iam-user-secret-rotation-fns";
+import { oktaClientSecretRotationFactory } from "./okta-client-secret/okta-client-secret-rotation-fns";
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 
 export type TSecretRotationV2ServiceFactoryDep = {
@@ -107,6 +109,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
   queueService: Pick<TQueueServiceFactory, "queuePg">;
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">;
   folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;
@@ -126,7 +129,8 @@ const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplem
   [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AzureClientSecret]: azureClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation
+  [SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.OktaClientSecret]: oktaClientSecretRotationFactory as TRotationFactoryImplementation
 };
 
 export const secretRotationV2ServiceFactory = ({
@@ -148,7 +152,8 @@ export const secretRotationV2ServiceFactory = ({
   keyStore,
   queueService,
   folderCommitService,
-  appConnectionDAL
+  appConnectionDAL,
+  gatewayService
 }: TSecretRotationV2ServiceFactoryDep) => {
   const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
     const appCfg = getConfig();
@@ -218,7 +223,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -269,7 +274,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -315,7 +320,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -380,7 +385,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -424,7 +429,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -461,7 +466,8 @@ export const secretRotationV2ServiceFactory = ({
         rotationInterval: payload.rotationInterval
       } as TSecretRotationV2WithConnection,
       appConnectionDAL,
-      kmsService
+      kmsService,
+      gatewayService
     );
 
     // even though we have a db constraint we want to check before any rotation of credentials is attempted
@@ -625,7 +631,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -775,7 +781,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -824,7 +830,8 @@ export const secretRotationV2ServiceFactory = ({
           connection: appConnection
         } as TSecretRotationV2WithConnection,
         appConnectionDAL,
-        kmsService
+        kmsService,
+        gatewayService
       );
 
       const generatedCredentials = await decryptSecretRotationCredentials({
@@ -907,7 +914,8 @@ export const secretRotationV2ServiceFactory = ({
           connection: appConnection
         } as TSecretRotationV2WithConnection,
         appConnectionDAL,
-        kmsService
+        kmsService,
+        gatewayService
       );
 
       const updatedRotation = await rotationFactory.rotateCredentials(
@@ -1105,7 +1113,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1152,7 +1160,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1204,7 +1212,7 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretManager,
       projectId
     });
 
@@ -1320,7 +1328,8 @@ export const secretRotationV2ServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -1,4 +1,5 @@
 import { AuditLogInfo } from "@app/ee/services/audit-log/audit-log-types";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TSqlCredentialsRotationGeneratedCredentials } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { OrderByDirection } from "@app/lib/types";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
@@ -45,6 +46,13 @@ import {
   TMySqlCredentialsRotationListItem,
   TMySqlCredentialsRotationWithConnection
 } from "./mysql-credentials";
+import {
+  TOktaClientSecretRotation,
+  TOktaClientSecretRotationGeneratedCredentials,
+  TOktaClientSecretRotationInput,
+  TOktaClientSecretRotationListItem,
+  TOktaClientSecretRotationWithConnection
+} from "./okta-client-secret";
 import {
   TOracleDBCredentialsRotation,
   TOracleDBCredentialsRotationInput,
@@ -68,7 +76,8 @@ export type TSecretRotationV2 =
   | TAuth0ClientSecretRotation
   | TAzureClientSecretRotation
   | TLdapPasswordRotation
-  | TAwsIamUserSecretRotation;
+  | TAwsIamUserSecretRotation
+  | TOktaClientSecretRotation;
 
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
@@ -78,14 +87,16 @@ export type TSecretRotationV2WithConnection =
   | TAuth0ClientSecretRotationWithConnection
   | TAzureClientSecretRotationWithConnection
   | TLdapPasswordRotationWithConnection
-  | TAwsIamUserSecretRotationWithConnection;
+  | TAwsIamUserSecretRotationWithConnection
+  | TOktaClientSecretRotationWithConnection;
 
 export type TSecretRotationV2GeneratedCredentials =
   | TSqlCredentialsRotationGeneratedCredentials
   | TAuth0ClientSecretRotationGeneratedCredentials
   | TAzureClientSecretRotationGeneratedCredentials
   | TLdapPasswordRotationGeneratedCredentials
-  | TAwsIamUserSecretRotationGeneratedCredentials;
+  | TAwsIamUserSecretRotationGeneratedCredentials
+  | TOktaClientSecretRotationGeneratedCredentials;
 
 export type TSecretRotationV2Input =
   | TPostgresCredentialsRotationInput
@@ -95,7 +106,8 @@ export type TSecretRotationV2Input =
   | TAuth0ClientSecretRotationInput
   | TAzureClientSecretRotationInput
   | TLdapPasswordRotationInput
-  | TAwsIamUserSecretRotationInput;
+  | TAwsIamUserSecretRotationInput
+  | TOktaClientSecretRotationInput;
 
 export type TSecretRotationV2ListItem =
   | TPostgresCredentialsRotationListItem
@@ -105,7 +117,8 @@ export type TSecretRotationV2ListItem =
   | TAuth0ClientSecretRotationListItem
   | TAzureClientSecretRotationListItem
   | TLdapPasswordRotationListItem
-  | TAwsIamUserSecretRotationListItem;
+  | TAwsIamUserSecretRotationListItem
+  | TOktaClientSecretRotationListItem;
 
 export type TSecretRotationV2TemporaryParameters = TLdapPasswordRotationInput["temporaryParameters"] | undefined;
 
@@ -239,7 +252,8 @@ export type TRotationFactory<
 > = (
   secretRotation: T,
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => {
   issueCredentials: TRotationFactoryIssueCredentials<C, P>;
   revokeCredentials: TRotationFactoryRevokeCredentials<C>;

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -6,6 +6,7 @@ import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
 import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OktaClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
@@ -17,5 +18,6 @@ export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationSchema,
   AzureClientSecretRotationSchema,
   LdapPasswordRotationSchema,
-  AwsIamUserSecretRotationSchema
+  AwsIamUserSecretRotationSchema,
+  OktaClientSecretRotationSchema
 ]);

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import {
   TRotationFactory,
   TRotationFactoryGetSecretsPayload,
@@ -5,7 +7,10 @@ import {
   TRotationFactoryRevokeCredentials,
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { getSqlConnectionClient, SQL_CONNECTION_ALTER_LOGIN_STATEMENT } from "@app/services/app-connection/shared/sql";
+import {
+  executeWithPotentialGateway,
+  SQL_CONNECTION_ALTER_LOGIN_STATEMENT
+} from "@app/services/app-connection/shared/sql";
 
 import { generatePassword } from "../utils";
 import {
@@ -30,7 +35,7 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
 export const sqlCredentialsRotationFactory: TRotationFactory<
   TSqlCredentialsRotationWithConnection,
   TSqlCredentialsRotationGeneratedCredentials
-> = (secretRotation) => {
+> = (secretRotation, _appConnectionDAL, _kmsService, gatewayService) => {
   const {
     connection,
     parameters: { username1, username2 },
@@ -38,29 +43,38 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     secretsMapping
   } = secretRotation;
 
-  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
-    const client = await getSqlConnectionClient({
-      ...connection,
-      credentials: {
-        ...connection.credentials,
-        ...credentials
-      }
-    });
+  const executeOperation = <T>(
+    operation: (client: Knex) => Promise<T>,
+    credentialsOverride?: TSqlCredentialsRotationGeneratedCredentials[number]
+  ) => {
+    const finalCredentials = {
+      ...connection.credentials,
+      ...credentialsOverride
+    };
 
+    return executeWithPotentialGateway(
+      {
+        ...connection,
+        credentials: finalCredentials
+      },
+      gatewayService,
+      (client) => operation(client)
+    );
+  };
+
+  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     try {
-      await client.raw("SELECT 1");
+      await executeOperation(async (client) => {
+        await client.raw("SELECT 1");
+      }, credentials);
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
-    } finally {
-      await client.destroy();
     }
   };
 
   const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     // For SQL, since we get existing users, we change both their passwords
     // on issue to invalidate their existing passwords
     const credentialsSet = [
@@ -69,15 +83,15 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     ];
 
     try {
-      await client.transaction(async (tx) => {
-        for await (const credentials of credentialsSet) {
-          await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
-        }
+      await executeOperation(async (client) => {
+        await client.transaction(async (tx) => {
+          for await (const credentials of credentialsSet) {
+            await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+          }
+        });
       });
     } catch (error) {
       throw new Error(redactPasswords(error, credentialsSet));
-    } finally {
-      await client.destroy();
     }
 
     for await (const credentials of credentialsSet) {
@@ -91,21 +105,19 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     credentialsToRevoke,
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
 
     try {
-      await client.transaction(async (tx) => {
-        for await (const credentials of revokedCredentials) {
-          // invalidate previous passwords
-          await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
-        }
+      await executeOperation(async (client) => {
+        await client.transaction(async (tx) => {
+          for await (const credentials of revokedCredentials) {
+            // invalidate previous passwords
+            await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+          }
+        });
       });
     } catch (error) {
       throw new Error(redactPasswords(error, revokedCredentials));
-    } finally {
-      await client.destroy();
     }
 
     return callback();
@@ -115,17 +127,15 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     _,
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     // generate new password for the next active user
     const credentials = { username: activeIndex === 0 ? username2 : username1, password: generatePassword() };
 
     try {
-      await client.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+      await executeOperation(async (client) => {
+        await client.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+      });
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
-    } finally {
-      await client.destroy();
     }
 
     await $validateCredentials(credentials);

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -66,7 +66,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -97,7 +98,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -213,7 +215,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Read,
@@ -263,7 +266,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Edit,
@@ -283,7 +287,8 @@ export const secretRotationServiceFactory = ({
       actorId,
       projectId: doc.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionSecretRotationActions.Delete,

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -567,14 +567,18 @@ export const secretScanningV2QueueServiceFactory = async ({
         const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
         const project = await projectDAL.findById(projectId);
 
-        const projectAdmins = projectMembers.filter((member) =>
-          member.roles.some((role) => role.role === ProjectMembershipRole.Admin)
-        );
+        const recipients = projectMembers.filter((member) => {
+          const isAdmin = member.roles.some((role) => role.role === ProjectMembershipRole.Admin);
+          const isCompleted = payload.status === SecretScanningScanStatus.Completed;
+          // We assume that the committer is one of the project members
+          const isCommitter = isCompleted && payload.authorEmail === member.user.email;
+          return isAdmin || isCommitter;
+        });
 
         const timestamp = new Date().toISOString();
 
         await smtpService.sendMail({
-          recipients: projectAdmins.map((member) => member.user.email!).filter(Boolean),
+          recipients: recipients.map((member) => member.user.email!).filter(Boolean),
           template:
             payload.status === SecretScanningScanStatus.Completed
               ? SmtpTemplates.SecretScanningV2SecretsDetected
@@ -592,7 +596,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                   numberOfSecrets: payload.numberOfSecrets,
                   isDiffScan: payload.isDiffScan,
                   url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/findings?search=scanId:${payload.scanId}`
+                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/findings?search=scanId:${payload.scanId}`
                   ),
                   timestamp
                 }
@@ -603,7 +607,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                   timestamp,
                   errorMessage: payload.errorMessage,
                   url: encodeURI(
-                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/data-sources/${dataSource.type}/${dataSource.id}`
+                    `${appCfg.SITE_URL}/projects/secret-scanning/${projectId}/data-sources/${dataSource.type}/${dataSource.id}`
                   )
                 }
         });

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { join } from "path";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -94,7 +95,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -156,7 +157,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -201,7 +202,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -235,7 +236,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: payload.projectId
     });
 
@@ -348,7 +349,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -401,6 +402,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -474,7 +476,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -538,7 +540,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -583,7 +585,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -626,7 +628,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -669,7 +671,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: dataSource.projectId
     });
 
@@ -702,7 +704,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -736,7 +738,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -776,7 +778,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId: finding.projectId
     });
 
@@ -807,7 +809,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 
@@ -842,7 +844,7 @@ export const secretScanningV2ServiceFactory = ({
       actorId: actor.id,
       actorAuthMethod: actor.authMethod,
       actorOrgId: actor.orgId,
-
+      actionProjectType: ActionProjectType.SecretScanning,
       projectId
     });
 

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -2,7 +2,7 @@
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
 import { ForbiddenError } from "@casl/ability";
 
-import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -103,7 +103,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
@@ -139,7 +140,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
@@ -167,7 +169,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId: snapshot.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
@@ -391,7 +394,8 @@ export const secretSnapshotServiceFactory = ({
       actorId,
       projectId: snapshot.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -58,7 +59,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -130,7 +132,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -198,7 +201,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -224,7 +228,8 @@ export const sshCertificateTemplateServiceFactory = ({
       actorId,
       projectId: certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
@@ -79,7 +80,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
@@ -171,7 +173,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -267,7 +270,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -290,7 +294,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
@@ -316,7 +321,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@@ -354,7 +360,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@@ -393,7 +400,8 @@ export const sshHostGroupServiceFactory = ({
       actorId,
       projectId: sshHostGroup.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);

backend/src/ee/services/ssh-host/ssh-host-fns.ts

@@ -1,5 +1,6 @@
 import { Knex } from "knex";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -62,7 +63,8 @@ export const createSshLoginMappings = async ({
             userId: user.id,
             projectId,
             authMethod: actorAuthMethod,
-            userOrgId: actorOrgId
+            userOrgId: actorOrgId,
+            actionProjectType: ActionProjectType.SSH
           });
         }
 

backend/src/ee/services/ssh-host/ssh-host-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -111,7 +112,8 @@ export const sshHostServiceFactory = ({
           actorId,
           projectId: project.id,
           actorAuthMethod,
-          actorOrgId
+          actorOrgId,
+          actionProjectType: ActionProjectType.SSH
         });
 
         const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
@@ -144,7 +146,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -273,7 +276,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -334,7 +338,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -362,7 +367,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -401,7 +407,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     const internalPrincipals = await convertActorToPrincipals({
@@ -520,7 +527,8 @@ export const sshHostServiceFactory = ({
       actorId,
       projectId: host.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/ssh/ssh-certificate-authority-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -72,7 +73,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -107,7 +109,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -175,7 +178,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -213,7 +217,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -254,7 +259,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -375,7 +381,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -472,7 +479,8 @@ export const sshCertificateAuthorityServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.SSH
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/trusted-ip/trusted-ip-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -35,7 +36,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
     const trustedIps = await trustedIpDAL.find({
@@ -59,7 +61,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
@@ -104,7 +107,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
@@ -149,7 +153,8 @@ export const trustedIpServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 

backend/src/lib/api-docs/constants.ts

@@ -2289,6 +2289,13 @@ export const AppConnections = {
     SUPABASE: {
       accessKey: "The Key used to access Supabase.",
       instanceUrl: "The URL used to access Supabase."
+    },
+    DIGITAL_OCEAN_APP_PLATFORM: {
+      apiToken: "The API token used to authenticate with Digital Ocean App Platform."
+    },
+    OKTA: {
+      instanceUrl: "The URL used to access your Okta organization.",
+      apiToken: "The API token used to authenticate with Okta."
     }
   }
 };
@@ -2502,6 +2509,11 @@ export const SecretSyncs = {
     SUPABASE: {
       projectId: "The ID of the Supabase project to sync secrets to.",
       projectName: "The name of the Supabase project to sync secrets to."
+    },
+    BITBUCKET: {
+      workspaceSlug: "The Bitbucket Workspace slug to sync secrets to.",
+      repositorySlug: "The Bitbucket Repository slug to sync secrets to.",
+      environmentId: "The Bitbucket Deployment Environment uuid to sync secrets to."
     }
   }
 };
@@ -2594,6 +2606,9 @@ export const SecretRotations = {
     AWS_IAM_USER_SECRET: {
       userName: "The name of the client to rotate credentials for.",
       region: "The AWS region the client is present in."
+    },
+    OKTA_CLIENT_SECRET: {
+      clientId: "The ID of the Okta Application to rotate the client secret for."
     }
   },
   SECRETS_MAPPING: {
@@ -2616,6 +2631,10 @@ export const SecretRotations = {
     AWS_IAM_USER_SECRET: {
       accessKeyId: "The name of the secret that the access key ID will be mapped to.",
       secretAccessKey: "The name of the secret that the rotated secret access key will be mapped to."
+    },
+    OKTA_CLIENT_SECRET: {
+      clientId: "The name of the secret that the client ID will be mapped to.",
+      clientSecret: "The name of the secret that the rotated client secret will be mapped to."
     }
   }
 };

backend/src/lib/crypto/cryptography/crypto.ts

@@ -93,7 +93,13 @@ const cryptographyFactory = () => {
   };
 
   const verifyFipsLicense = (licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">) => {
-    if (isFipsModeEnabled({ skipInitializationCheck: true }) && !licenseService.onPremFeatures?.fips) {
+    const appCfg = getConfig();
+
+    if (
+      !appCfg.isDevelopmentMode &&
+      isFipsModeEnabled({ skipInitializationCheck: true }) &&
+      !licenseService.onPremFeatures?.fips
+    ) {
       throw new CryptographyError({
         message: "FIPS mode is enabled but your license does not include FIPS support. Please contact support."
       });

backend/src/queue/queue-service.ts

@@ -64,7 +64,9 @@ export enum QueueName {
   FolderTreeCheckpoint = "folder-tree-checkpoint",
   InvalidateCache = "invalidate-cache",
   SecretScanningV2 = "secret-scanning-v2",
-  TelemetryAggregatedEvents = "telemetry-aggregated-events"
+  TelemetryAggregatedEvents = "telemetry-aggregated-events",
+  DailyReminders = "daily-reminders",
+  SecretReminderMigration = "secret-reminder-migration"
 }
 
 export enum QueueJobs {
@@ -104,7 +106,9 @@ export enum QueueJobs {
   SecretScanningV2SendNotification = "secret-scanning-v2-notification",
   CaOrderCertificateForSubscriber = "ca-order-certificate-for-subscriber",
   PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal",
-  TelemetryAggregatedEvents = "telemetry-aggregated-events"
+  TelemetryAggregatedEvents = "telemetry-aggregated-events",
+  DailyReminders = "daily-reminders",
+  SecretReminderMigration = "secret-reminder-migration"
 }
 
 export type TQueueJobTypes = {
@@ -291,6 +295,14 @@ export type TQueueJobTypes = {
       caType: CaType;
     };
   };
+  [QueueName.DailyReminders]: {
+    name: QueueJobs.DailyReminders;
+    payload: undefined;
+  };
+  [QueueName.SecretReminderMigration]: {
+    name: QueueJobs.SecretReminderMigration;
+    payload: undefined;
+  };
   [QueueName.PkiSubscriber]: {
     name: QueueJobs.PkiSubscriberDailyAutoRenewal;
     payload: undefined;
@@ -390,6 +402,11 @@ export type TQueueServiceFactory = {
     startOffset?: number,
     endOffset?: number
   ) => Promise<{ key: string; name: string; id: string | null }[]>;
+  getDelayedJobs: (
+    name: QueueName,
+    startOffset?: number,
+    endOffset?: number
+  ) => Promise<{ delay: number; timestamp: number; repeatJobKey?: string; data?: unknown }[]>;
 };
 
 export const queueServiceFactory = (
@@ -552,6 +569,13 @@ export const queueServiceFactory = (
     return q.getRepeatableJobs(startOffset, endOffset);
   };
 
+  const getDelayedJobs: TQueueServiceFactory["getDelayedJobs"] = (name, startOffset, endOffset) => {
+    const q = queueContainer[name];
+    if (!q) throw new Error(`Queue '${name}' not initialized`);
+
+    return q.getDelayed(startOffset, endOffset);
+  };
+
   const stopRepeatableJobByJobId: TQueueServiceFactory["stopRepeatableJobByJobId"] = async (name, jobId) => {
     const q = queueContainer[name];
     const job = await q.getJob(jobId);
@@ -598,6 +622,7 @@ export const queueServiceFactory = (
     stopJobById,
     stopJobByIdPg,
     getRepeatableJobs,
+    getDelayedJobs,
     startPg,
     queuePg,
     schedulePg

backend/src/server/lib/cookie.ts

@@ -0,0 +1,43 @@
+import { FastifyReply } from "fastify";
+
+import { getConfig } from "@app/lib/config/env";
+import { logger } from "@app/lib/logger";
+
+/**
+ * `aod` (Auth Origin Domain) cookie is used to store the origin domain of the application when user was last authenticated.
+ *  This is useful for determining the target domain for authentication redirects, especially in cloud deployments.
+ *  It is set only in cloud mode to ensure that the cookie is shared across subdomains.
+ */
+export function addAuthOriginDomainCookie(res: FastifyReply) {
+  try {
+    const appCfg = getConfig();
+
+    // Only set the cookie if the app is running in cloud mode
+    if (!appCfg.isCloud) return;
+
+    const siteUrl = appCfg.SITE_URL!;
+    let domain: string;
+
+    const { hostname } = new URL(siteUrl);
+
+    const parts = hostname.split(".");
+
+    if (parts.length >= 2) {
+      // For `app.infisical.com` => `.infisical.com`
+      domain = `.${parts.slice(-2).join(".")}`;
+    } else {
+      // If somehow only "example", fallback to itself
+      domain = `.${hostname}`;
+    }
+
+    void res.setCookie("aod", siteUrl, {
+      domain,
+      path: "/",
+      sameSite: "strict",
+      httpOnly: false,
+      secure: appCfg.HTTPS_ENABLED
+    });
+  } catch (error) {
+    logger.error(error, "Failed to set auth origin domain cookie");
+  }
+}

backend/src/server/routes/index.ts

@@ -246,6 +246,10 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
+import { reminderDALFactory } from "@app/services/reminder/reminder-dal";
+import { dailyReminderQueueServiceFactory } from "@app/services/reminder/reminder-queue";
+import { reminderServiceFactory } from "@app/services/reminder/reminder-service";
+import { reminderRecipientDALFactory } from "@app/services/reminder-recipients/reminder-recipient-dal";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
@@ -371,6 +375,9 @@ export const registerRoutes = async (
   const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
   const secretVersionTagV2BridgeDAL = secretVersionV2TagBridgeDALFactory(db);
 
+  const reminderDAL = reminderDALFactory(db);
+  const reminderRecipientDAL = reminderRecipientDALFactory(db);
+
   const integrationDAL = integrationDALFactory(db);
   const integrationAuthDAL = integrationAuthDALFactory(db);
   const webhookDAL = webhookDALFactory(db);
@@ -734,9 +741,17 @@ export const registerRoutes = async (
 
   const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
 
+  const reminderService = reminderServiceFactory({
+    reminderDAL,
+    reminderRecipientDAL,
+    smtpService,
+    projectMembershipDAL,
+    permissionService,
+    secretV2BridgeDAL
+  });
+
   const orgService = orgServiceFactory({
     userAliasDAL,
-    queueService,
     identityMetadataDAL,
     secretDAL,
     secretV2BridgeDAL,
@@ -762,7 +777,8 @@ export const registerRoutes = async (
     orgBotDAL,
     oidcConfigDAL,
     loginService,
-    projectBotService
+    projectBotService,
+    reminderService
   });
   const signupService = authSignupServiceFactory({
     tokenService,
@@ -1060,7 +1076,6 @@ export const registerRoutes = async (
     secretImportDAL,
     projectEnvDAL,
     webhookDAL,
-    orgDAL,
     auditLogService,
     userDAL,
     projectMembershipDAL,
@@ -1082,11 +1097,11 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     projectKeyDAL,
     projectUserMembershipRoleDAL,
-    secretReminderRecipientsDAL,
     orgService,
     resourceMetadataDAL,
     folderCommitService,
-    secretSyncQueue
+    secretSyncQueue,
+    reminderService
   });
 
   const projectService = projectServiceFactory({
@@ -1095,7 +1110,6 @@ export const registerRoutes = async (
     projectSshConfigDAL,
     secretDAL,
     secretV2BridgeDAL,
-    queueService,
     projectQueue: projectQueueService,
     projectBotService,
     identityProjectDAL,
@@ -1132,7 +1146,8 @@ export const registerRoutes = async (
     microsoftTeamsIntegrationDAL,
     projectTemplateService,
     groupProjectDAL,
-    smtpService
+    smtpService,
+    reminderService
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -1231,6 +1246,7 @@ export const registerRoutes = async (
     kmsService,
     snapshotService,
     resourceMetadataDAL,
+    reminderService,
     keyStore
   });
 
@@ -1284,7 +1300,8 @@ export const registerRoutes = async (
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
     secretApprovalRequestService,
-    licenseService
+    licenseService,
+    reminderService
   });
 
   const secretSharingService = secretSharingServiceFactory({
@@ -1538,7 +1555,12 @@ export const registerRoutes = async (
     folderService,
     permissionService,
     folderDAL,
-    projectEnvDAL
+    projectEnvDAL,
+    secretApprovalRequestService,
+    secretApprovalPolicyService,
+    projectDAL,
+    secretV2BridgeService,
+    folderCommitDAL
   });
 
   const identityOidcAuthService = identityOidcAuthServiceFactory({
@@ -1611,7 +1633,6 @@ export const registerRoutes = async (
     auditLogDAL,
     queueService,
     secretVersionDAL,
-    secretDAL,
     secretFolderVersionDAL: folderVersionDAL,
     snapshotDAL,
     identityAccessTokenDAL,
@@ -1622,6 +1643,13 @@ export const registerRoutes = async (
     orgService
   });
 
+  const dailyReminderQueueService = dailyReminderQueueServiceFactory({
+    reminderService,
+    queueService,
+    secretDAL: secretV2BridgeDAL,
+    secretReminderRecipientsDAL
+  });
+
   const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
     queueService,
     pkiAlertService
@@ -1706,7 +1734,9 @@ export const registerRoutes = async (
     appConnectionDAL,
     permissionService,
     kmsService,
-    licenseService
+    licenseService,
+    gatewayService,
+    gatewayDAL
   });
 
   const secretSyncService = secretSyncServiceFactory({
@@ -1804,7 +1834,8 @@ export const registerRoutes = async (
     snapshotService,
     secretQueueService,
     queueService,
-    appConnectionDAL
+    appConnectionDAL,
+    gatewayService
   });
 
   const certificateAuthorityService = certificateAuthorityServiceFactory({
@@ -1918,6 +1949,8 @@ export const registerRoutes = async (
   await telemetryQueue.startTelemetryCheck();
   await telemetryQueue.startAggregatedEventsJob();
   await dailyResourceCleanUp.startCleanUp();
+  await dailyReminderQueueService.startDailyRemindersJob();
+  await dailyReminderQueueService.startSecretReminderMigrationJob();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
   await pkiSubscriberQueue.startDailyAutoRenewalJob();
   await kmsService.startService();
@@ -2028,7 +2061,8 @@ export const registerRoutes = async (
     assumePrivileges: assumePrivilegeService,
     githubOrgSync: githubOrgSyncConfigService,
     folderCommit: folderCommitService,
-    secretScanningV2: secretScanningV2Service
+    secretScanningV2: secretScanningV2Service,
+    reminder: reminderService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/admin-router.ts

@@ -12,6 +12,7 @@ import { getConfig, overridableKeys } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -593,6 +594,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return {
         message: "Successfully set up admin account",
         user: user.user,

backend/src/server/routes/v1/app-connection-routers/app-connection-endpoints.ts

@@ -25,12 +25,14 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     credentials: I["credentials"];
     description?: string | null;
     isPlatformManagedCredentials?: boolean;
+    gatewayId?: string | null;
   }>;
   updateSchema: z.ZodType<{
     name?: string;
     credentials?: I["credentials"];
     description?: string | null;
     isPlatformManagedCredentials?: boolean;
+    gatewayId?: string | null;
   }>;
   sanitizedResponseSchema: z.ZodTypeAny;
 }) => {
@@ -224,10 +226,10 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { name, method, credentials, description, isPlatformManagedCredentials } = req.body;
+      const { name, method, credentials, description, isPlatformManagedCredentials, gatewayId } = req.body;
 
       const appConnection = (await server.services.appConnection.createAppConnection(
-        { name, method, app, credentials, description, isPlatformManagedCredentials },
+        { name, method, app, credentials, description, isPlatformManagedCredentials, gatewayId },
         req.permission
       )) as T;
 
@@ -270,11 +272,11 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { name, credentials, description, isPlatformManagedCredentials } = req.body;
+      const { name, credentials, description, isPlatformManagedCredentials, gatewayId } = req.body;
       const { connectionId } = req.params;
 
       const appConnection = (await server.services.appConnection.updateAppConnection(
-        { name, credentials, connectionId, description, isPlatformManagedCredentials },
+        { name, credentials, connectionId, description, isPlatformManagedCredentials, gatewayId },
         req.permission
       )) as T;
 

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -51,6 +51,10 @@ import {
   DatabricksConnectionListItemSchema,
   SanitizedDatabricksConnectionSchema
 } from "@app/services/app-connection/databricks";
+import {
+  DigitalOceanConnectionListItemSchema,
+  SanitizedDigitalOceanConnectionSchema
+} from "@app/services/app-connection/digital-ocean";
 import { FlyioConnectionListItemSchema, SanitizedFlyioConnectionSchema } from "@app/services/app-connection/flyio";
 import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
@@ -71,6 +75,7 @@ import {
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
 import { MySqlConnectionListItemSchema, SanitizedMySqlConnectionSchema } from "@app/services/app-connection/mysql";
+import { OktaConnectionListItemSchema, SanitizedOktaConnectionSchema } from "@app/services/app-connection/okta";
 import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
@@ -138,7 +143,9 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedZabbixConnectionSchema.options,
   ...SanitizedRailwayConnectionSchema.options,
   ...SanitizedChecklyConnectionSchema.options,
-  ...SanitizedSupabaseConnectionSchema.options
+  ...SanitizedSupabaseConnectionSchema.options,
+  ...SanitizedDigitalOceanConnectionSchema.options,
+  ...SanitizedOktaConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -175,7 +182,9 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   ZabbixConnectionListItemSchema,
   RailwayConnectionListItemSchema,
   ChecklyConnectionListItemSchema,
-  SupabaseConnectionListItemSchema
+  SupabaseConnectionListItemSchema,
+  DigitalOceanConnectionListItemSchema,
+  OktaConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/bitbucket-connection-router.ts

@@ -85,4 +85,40 @@ export const registerBitbucketConnectionRouter = async (server: FastifyZodProvid
       return { repositories };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/environments`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        workspaceSlug: z.string().min(1).max(255),
+        repositorySlug: z.string().min(1).max(255)
+      }),
+      response: {
+        200: z.object({
+          environments: z.object({ slug: z.string(), name: z.string(), uuid: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        params: { connectionId },
+        query: { workspaceSlug, repositorySlug }
+      } = req;
+
+      const environments = await server.services.appConnection.bitbucket.listEnvironments(
+        { connectionId, workspaceSlug, repositorySlug },
+        req.permission
+      );
+
+      return { environments };
+    }
+  });
 };

backend/src/server/routes/v1/app-connection-routers/digital-ocean-connection-router.ts

@@ -0,0 +1,57 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateDigitalOceanConnectionSchema,
+  SanitizedDigitalOceanConnectionSchema,
+  UpdateDigitalOceanConnectionSchema
+} from "@app/services/app-connection/digital-ocean";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerDigitalOceanConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.DigitalOcean,
+    server,
+    createSchema: CreateDigitalOceanConnectionSchema,
+    updateSchema: UpdateDigitalOceanConnectionSchema,
+    sanitizedResponseSchema: SanitizedDigitalOceanConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          apps: z
+            .object({
+              id: z.string(),
+              spec: z.object({
+                name: z.string()
+              })
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const apps = await server.services.appConnection.digitalOcean.listApps(connectionId, req.permission);
+
+      return { apps };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -14,6 +14,7 @@ import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerChecklyConnectionRouter } from "./checkly-connection-router";
 import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
+import { registerDigitalOceanConnectionRouter } from "./digital-ocean-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
@@ -25,6 +26,7 @@ import { registerHumanitecConnectionRouter } from "./humanitec-connection-router
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerMySqlConnectionRouter } from "./mysql-connection-router";
+import { registerOktaConnectionRouter } from "./okta-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerRailwayConnectionRouter } from "./railway-connection-router";
 import { registerRenderConnectionRouter } from "./render-connection-router";
@@ -72,5 +74,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Zabbix]: registerZabbixConnectionRouter,
     [AppConnection.Railway]: registerRailwayConnectionRouter,
     [AppConnection.Checkly]: registerChecklyConnectionRouter,
-    [AppConnection.Supabase]: registerSupabaseConnectionRouter
+    [AppConnection.Supabase]: registerSupabaseConnectionRouter,
+    [AppConnection.DigitalOcean]: registerDigitalOceanConnectionRouter,
+    [AppConnection.Okta]: registerOktaConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/okta-connection-router.ts

@@ -0,0 +1,52 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateOktaConnectionSchema,
+  SanitizedOktaConnectionSchema,
+  UpdateOktaConnectionSchema
+} from "@app/services/app-connection/okta";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerOktaConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Okta,
+    server,
+    sanitizedResponseSchema: SanitizedOktaConnectionSchema,
+    createSchema: CreateOktaConnectionSchema,
+    updateSchema: UpdateOktaConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          apps: z.object({ id: z.string(), label: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        params: { connectionId }
+      } = req;
+
+      const apps = await server.services.appConnection.okta.listApps(connectionId, req.permission);
+      return { apps };
+    }
+  });
+};

backend/src/server/routes/v1/auth-router.ts

@@ -42,6 +42,14 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         maxAge: 0
       });
 
+      void res.cookie("aod", "", {
+        httpOnly: false,
+        path: "/",
+        sameSite: "lax",
+        secure: appCfg.HTTPS_ENABLED,
+        maxAge: 0
+      });
+
       return { message: "Successfully logged out" };
     }
   });

backend/src/server/routes/v1/dashboard-router.ts

@@ -904,7 +904,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
             projectId,
             path: secretPath,
             search,
-            tagSlugs: tags
+            tagSlugs: tags,
+            includeTagsInSearch: true,
+            includeMetadataInSearch: true
           });
 
           if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
@@ -924,7 +926,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
                 search,
                 limit: remainingLimit,
                 offset: adjustedOffset,
-                tagSlugs: tags
+                tagSlugs: tags,
+                includeTagsInSearch: true,
+                includeMetadataInSearch: true
               })
             ).secrets;
           }
@@ -1097,7 +1101,8 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           filters: {
             ...sharedFilters,
             tagSlugs: tags,
-            includeTagsInSearch: true
+            includeTagsInSearch: true,
+            includeMetadataInSearch: true
           }
         },
         req.permission

backend/src/server/routes/v1/index.ts

@@ -42,6 +42,7 @@ import { registerProjectEnvRouter } from "./project-env-router";
 import { registerProjectKeyRouter } from "./project-key-router";
 import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
+import { SECRET_REMINDER_REGISTER_ROUTER_MAP } from "./reminder-routers";
 import { registerSecretFolderRouter } from "./secret-folder-router";
 import { registerSecretImportRouter } from "./secret-import-router";
 import { registerSecretRequestsRouter } from "./secret-requests-router";
@@ -172,4 +173,14 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     },
     { prefix: "/secret-syncs" }
   );
+
+  await server.register(
+    async (reminderRouter) => {
+      // register service specific reminder endpoints (reminders/secret)
+      for await (const [reminderType, router] of Object.entries(SECRET_REMINDER_REGISTER_ROUTER_MAP)) {
+        await reminderRouter.register(router, { prefix: `/${reminderType}` });
+      }
+    },
+    { prefix: "/reminders" }
+  );
 };

backend/src/server/routes/v1/project-router.ts

@@ -158,7 +158,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         includeRoles: z
           .enum(["true", "false"])
           .default("false")
-          .transform((value) => value === "true")
+          .transform((value) => value === "true"),
+        type: z.nativeEnum(ProjectType).optional()
       }),
       response: {
         200: z.object({
@@ -177,7 +178,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        type: req.query.type
       });
       return { workspaces };
     }
@@ -1050,6 +1052,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         limit: z.number().default(100),
         offset: z.number().default(0),
+        type: z.nativeEnum(ProjectType).optional(),
         orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
         orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
         name: z

backend/src/server/routes/v1/reminder-routers/index.ts

@@ -0,0 +1,8 @@
+import { ReminderType } from "@app/services/reminder/reminder-enums";
+
+import { registerSecretReminderRouter } from "./secret-reminder-router";
+
+export const SECRET_REMINDER_REGISTER_ROUTER_MAP: Record<ReminderType, (server: FastifyZodProvider) => Promise<void>> =
+  {
+    [ReminderType.SECRETS]: registerSecretReminderRouter
+  };

backend/src/server/routes/v1/reminder-routers/secret-reminder-router.ts

@@ -0,0 +1,154 @@
+import { z } from "zod";
+
+import { RemindersSchema } from "@app/db/schemas/reminders";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerSecretReminderRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/:secretId",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string().uuid()
+      }),
+      body: z
+        .object({
+          message: z.string().trim().max(1024).optional(),
+          repeatDays: z.number().min(1).nullable().optional(),
+          nextReminderDate: z.string().datetime().nullable().optional(),
+          recipients: z.string().array().optional()
+        })
+        .refine((data) => {
+          return data.repeatDays || data.nextReminderDate;
+        }, "At least one of repeatDays or nextReminderDate is required"),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.reminder.createReminder({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        reminder: {
+          secretId: req.params.secretId,
+          message: req.body.message,
+          repeatDays: req.body.repeatDays,
+          nextReminderDate: req.body.nextReminderDate,
+          recipients: req.body.recipients
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.CREATE_SECRET_REMINDER,
+          metadata: {
+            secretId: req.params.secretId,
+            message: req.body.message,
+            repeatDays: req.body.repeatDays,
+            nextReminderDate: req.body.nextReminderDate,
+            recipients: req.body.recipients
+          }
+        }
+      });
+
+      return { message: "Successfully created reminder" };
+    }
+  });
+
+  server.route({
+    url: "/:secretId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          reminder: RemindersSchema.extend({
+            recipients: z.string().array().optional()
+          })
+            .optional()
+            .nullable()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const reminder = await server.services.reminder.getReminder({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        secretId: req.params.secretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_SECRET_REMINDER,
+          metadata: {
+            secretId: req.params.secretId
+          }
+        }
+      });
+      return { reminder };
+    }
+  });
+
+  server.route({
+    url: "/:secretId",
+    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.reminder.deleteReminder({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        secretId: req.params.secretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.DELETE_SECRET_REMINDER,
+          metadata: {
+            secretId: req.params.secretId
+          }
+        }
+      });
+      return { message: "Successfully deleted reminder" };
+    }
+  });
+};

backend/src/server/routes/v1/secret-sync-routers/bitbucket-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  BitbucketSyncSchema,
+  CreateBitbucketSyncSchema,
+  UpdateBitbucketSyncSchema
+} from "@app/services/secret-sync/bitbucket";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerBitbucketSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Bitbucket,
+    server,
+    responseSchema: BitbucketSyncSchema,
+    createSchema: CreateBitbucketSyncSchema,
+    updateSchema: UpdateBitbucketSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/digital-ocean-app-platform-sync-router.ts

@@ -0,0 +1,17 @@
+import {
+  CreateDigitalOceanAppPlatformSyncSchema,
+  DigitalOceanAppPlatformSyncSchema,
+  UpdateDigitalOceanAppPlatformSyncSchema
+} from "@app/services/secret-sync/digital-ocean-app-platform";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerDigitalOceanAppPlatformSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.DigitalOceanAppPlatform,
+    server,
+    responseSchema: DigitalOceanAppPlatformSyncSchema,
+    createSchema: CreateDigitalOceanAppPlatformSyncSchema,
+    updateSchema: UpdateDigitalOceanAppPlatformSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -7,11 +7,13 @@ import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-
 import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
+import { registerBitbucketSyncRouter } from "./bitbucket-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerChecklySyncRouter } from "./checkly-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerCloudflareWorkersSyncRouter } from "./cloudflare-workers-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
+import { registerDigitalOceanAppPlatformSyncRouter } from "./digital-ocean-app-platform-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
@@ -57,5 +59,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Supabase]: registerSupabaseSyncRouter,
   [SecretSync.Zabbix]: registerZabbixSyncRouter,
   [SecretSync.Railway]: registerRailwaySyncRouter,
-  [SecretSync.Checkly]: registerChecklySyncRouter
+  [SecretSync.Checkly]: registerChecklySyncRouter,
+  [SecretSync.DigitalOceanAppPlatform]: registerDigitalOceanAppPlatformSyncRouter,
+  [SecretSync.Bitbucket]: registerBitbucketSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -21,6 +21,7 @@ import {
 } from "@app/services/secret-sync/azure-app-configuration";
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
+import { BitbucketSyncListItemSchema, BitbucketSyncSchema } from "@app/services/secret-sync/bitbucket";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import { ChecklySyncListItemSchema, ChecklySyncSchema } from "@app/services/secret-sync/checkly/checkly-sync-schemas";
 import {
@@ -32,6 +33,10 @@ import {
   CloudflareWorkersSyncSchema
 } from "@app/services/secret-sync/cloudflare-workers/cloudflare-workers-schemas";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
+import {
+  DigitalOceanAppPlatformSyncListItemSchema,
+  DigitalOceanAppPlatformSyncSchema
+} from "@app/services/secret-sync/digital-ocean-app-platform";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
@@ -75,7 +80,9 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   SupabaseSyncSchema,
   ZabbixSyncSchema,
   RailwaySyncSchema,
-  ChecklySyncSchema
+  ChecklySyncSchema,
+  DigitalOceanAppPlatformSyncSchema,
+  BitbucketSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -102,11 +109,12 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   GitLabSyncListItemSchema,
   CloudflarePagesSyncListItemSchema,
   CloudflareWorkersSyncListItemSchema,
-
+  DigitalOceanAppPlatformSyncListItemSchema,
   ZabbixSyncListItemSchema,
   RailwaySyncListItemSchema,
   ChecklySyncListItemSchema,
-  SupabaseSyncListItemSchema
+  SupabaseSyncListItemSchema,
+  BitbucketSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/sso-router.ts

@@ -22,6 +22,7 @@ import { logger } from "@app/lib/logger";
 import { ms } from "@app/lib/ms";
 import { fetchGithubEmails, fetchGithubUser } from "@app/lib/requests/github";
 import { authRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { AuthMethod } from "@app/services/auth/auth-type";
 import { OrgAuthMethod } from "@app/services/org/org-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
@@ -475,6 +476,8 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return {
         encryptionVersion: data.user.encryptionVersion,
         token: data.token.access,

backend/src/server/routes/v2/mfa-router.ts

@@ -4,6 +4,7 @@ import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { mfaRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { AuthModeMfaJwtTokenPayload, AuthTokenType, MfaMethod } from "@app/services/auth/auth-type";
 
 export const registerMfaRouter = async (server: FastifyZodProvider) => {
@@ -131,6 +132,8 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return {
         ...user,
         token: token.access,

backend/src/server/routes/v2/organization-router.ts

@@ -10,6 +10,7 @@ import {
 import { ApiDocsTags, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@@ -396,6 +397,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         secure: cfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return { organization, accessToken: tokens.accessToken };
     }
   });

backend/src/server/routes/v3/login-router.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { INFISICAL_PROVIDER_GITHUB_ACCESS_TOKEN } from "@app/lib/config/const";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 
 export const registerLoginRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -93,6 +94,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
         secure: cfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       void res.cookie("infisical-project-assume-privileges", "", {
         httpOnly: true,
         path: "/",
@@ -155,6 +158,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       void res.cookie("infisical-project-assume-privileges", "", {
         httpOnly: true,
         path: "/",

backend/src/server/routes/v3/signup-router.ts

@@ -4,6 +4,7 @@ import { UsersSchema } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError } from "@app/lib/errors";
 import { authRateLimit, smtpRateLimit } from "@app/server/config/rateLimiter";
+import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -170,6 +171,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
         secure: appCfg.HTTPS_ENABLED
       });
 
+      addAuthOriginDomainCookie(res);
+
       return { message: "Successfully set up account", user, token: accessToken, organizationId };
     }
   });
@@ -239,6 +242,8 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       });
       // TODO(akhilmhdh-pg): add telemetry service
 
+      addAuthOriginDomainCookie(res);
+
       return { message: "Successfully set up account", user, token: accessToken };
     }
   });

backend/src/services/app-connection/1password/1password-connection-fns.ts

@@ -31,12 +31,16 @@ export const validateOnePassConnectionCredentials = async (config: TOnePassConne
   const { apiToken } = config.credentials;
 
   try {
-    await request.get(`${instanceUrl}/v1/vaults`, {
+    const res = await request.get(`${instanceUrl}/v1/vaults`, {
       headers: {
         Authorization: `Bearer ${apiToken}`,
         Accept: "application/json"
       }
     });
+
+    if (!Array.isArray(res.data)) {
+      throw new AxiosError("Invalid response from 1Password API");
+    }
   } catch (error: unknown) {
     if (error instanceof AxiosError) {
       throw new BadRequestError({

backend/src/services/app-connection/app-connection-enums.ts

@@ -32,7 +32,9 @@ export enum AppConnection {
   Railway = "railway",
   Bitbucket = "bitbucket",
   Checkly = "checkly",
-  Supabase = "supabase"
+  Supabase = "supabase",
+  DigitalOcean = "digital-ocean",
+  Okta = "okta"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -5,6 +5,7 @@ import {
   validateOCIConnectionCredentials
 } from "@app/ee/services/app-connections/oci";
 import { getOracleDBConnectionListItem, OracleDBConnectionMethod } from "@app/ee/services/app-connections/oracledb";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
@@ -67,6 +68,11 @@ import {
   getDatabricksConnectionListItem,
   validateDatabricksConnectionCredentials
 } from "./databricks";
+import {
+  DigitalOceanConnectionMethod,
+  getDigitalOceanConnectionListItem,
+  validateDigitalOceanConnectionCredentials
+} from "./digital-ocean";
 import { FlyioConnectionMethod, getFlyioConnectionListItem, validateFlyioConnectionCredentials } from "./flyio";
 import { GcpConnectionMethod, getGcpConnectionListItem, validateGcpConnectionCredentials } from "./gcp";
 import { getGitHubConnectionListItem, GitHubConnectionMethod, validateGitHubConnectionCredentials } from "./github";
@@ -91,6 +97,7 @@ import { getLdapConnectionListItem, LdapConnectionMethod, validateLdapConnection
 import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
 import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
 import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
+import { getOktaConnectionListItem, OktaConnectionMethod, validateOktaConnectionCredentials } from "./okta";
 import { getPostgresConnectionListItem, PostgresConnectionMethod } from "./postgres";
 import { getRailwayConnectionListItem, validateRailwayConnectionCredentials } from "./railway";
 import { RenderConnectionMethod } from "./render/render-connection-enums";
@@ -154,7 +161,9 @@ export const listAppConnectionOptions = () => {
     getRailwayConnectionListItem(),
     getBitbucketConnectionListItem(),
     getChecklyConnectionListItem(),
-    getSupabaseConnectionListItem()
+    getSupabaseConnectionListItem(),
+    getDigitalOceanConnectionListItem(),
+    getOktaConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -201,7 +210,8 @@ export const decryptAppConnectionCredentials = async ({
 };
 
 export const validateAppConnectionCredentials = async (
-  appConnection: TAppConnectionConfig
+  appConnection: TAppConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ): Promise<TAppConnection["credentials"]> => {
   const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TAppConnectionCredentialsValidator> = {
     [AppConnection.AWS]: validateAwsConnectionCredentials as TAppConnectionCredentialsValidator,
@@ -239,10 +249,12 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Railway]: validateRailwayConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Bitbucket]: validateBitbucketConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Checkly]: validateChecklyConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Supabase]: validateSupabaseConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.DigitalOcean]: validateDigitalOceanConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
-  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
+  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection, gatewayService);
 };
 
 export const getAppConnectionMethodName = (method: TAppConnection["method"]) => {
@@ -278,6 +290,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case CloudflareConnectionMethod.APIToken:
     case BitbucketConnectionMethod.ApiToken:
     case ZabbixConnectionMethod.ApiToken:
+    case DigitalOceanConnectionMethod.ApiToken:
+    case OktaConnectionMethod.ApiToken:
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
@@ -365,7 +379,9 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Railway]: platformManagedCredentialsNotSupported,
   [AppConnection.Bitbucket]: platformManagedCredentialsNotSupported,
   [AppConnection.Checkly]: platformManagedCredentialsNotSupported,
-  [AppConnection.Supabase]: platformManagedCredentialsNotSupported
+  [AppConnection.Supabase]: platformManagedCredentialsNotSupported,
+  [AppConnection.DigitalOcean]: platformManagedCredentialsNotSupported,
+  [AppConnection.Okta]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -34,7 +34,9 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Railway]: "Railway",
   [AppConnection.Bitbucket]: "Bitbucket",
   [AppConnection.Checkly]: "Checkly",
-  [AppConnection.Supabase]: "Supabase"
+  [AppConnection.Supabase]: "Supabase",
+  [AppConnection.DigitalOcean]: "DigitalOcean App Platform",
+  [AppConnection.Okta]: "Okta"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -71,5 +73,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Railway]: AppConnectionPlanType.Regular,
   [AppConnection.Bitbucket]: AppConnectionPlanType.Regular,
   [AppConnection.Checkly]: AppConnectionPlanType.Regular,
-  [AppConnection.Supabase]: AppConnectionPlanType.Regular
+  [AppConnection.Supabase]: AppConnectionPlanType.Regular,
+  [AppConnection.DigitalOcean]: AppConnectionPlanType.Regular,
+  [AppConnection.Okta]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-schemas.ts

@@ -18,7 +18,7 @@ export const BaseAppConnectionSchema = AppConnectionsSchema.omit({
 
 export const GenericCreateAppConnectionFieldsSchema = (
   app: AppConnection,
-  { supportsPlatformManagedCredentials = false }: TAppConnectionBaseConfig = {}
+  { supportsPlatformManagedCredentials = false, supportsGateways = false }: TAppConnectionBaseConfig = {}
 ) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(AppConnections.CREATE(app).name),
@@ -30,12 +30,23 @@ export const GenericCreateAppConnectionFieldsSchema = (
       .describe(AppConnections.CREATE(app).description),
     isPlatformManagedCredentials: supportsPlatformManagedCredentials
       ? z.boolean().optional().default(false).describe(AppConnections.CREATE(app).isPlatformManagedCredentials)
-      : z.literal(false).optional().describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
+      : z
+          .literal(false, {
+            errorMap: () => ({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          })
+          .optional()
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`),
+    gatewayId: supportsGateways
+      ? z.string().uuid().nullish().describe("The Gateway ID to use for this connection.")
+      : z
+          .undefined({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          .or(z.null({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` }))
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
   });
 
 export const GenericUpdateAppConnectionFieldsSchema = (
   app: AppConnection,
-  { supportsPlatformManagedCredentials = false }: TAppConnectionBaseConfig = {}
+  { supportsPlatformManagedCredentials = false, supportsGateways = false }: TAppConnectionBaseConfig = {}
 ) =>
   z.object({
     name: slugSchema({ field: "name" }).describe(AppConnections.UPDATE(app).name).optional(),
@@ -47,5 +58,16 @@ export const GenericUpdateAppConnectionFieldsSchema = (
       .describe(AppConnections.UPDATE(app).description),
     isPlatformManagedCredentials: supportsPlatformManagedCredentials
       ? z.boolean().optional().describe(AppConnections.UPDATE(app).isPlatformManagedCredentials)
-      : z.literal(false).optional().describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
+      : z
+          .literal(false, {
+            errorMap: () => ({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          })
+          .optional()
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`),
+    gatewayId: supportsGateways
+      ? z.string().uuid().nullish().describe("The Gateway ID to use for this connection.")
+      : z
+          .undefined({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` })
+          .or(z.null({ message: `Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections` }))
+          .describe(`Not supported for ${APP_CONNECTION_NAME_MAP[app]} Connections.`)
   });

backend/src/services/app-connection/app-connection-service.ts

@@ -3,8 +3,14 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { ValidateOCIConnectionCredentialsSchema } from "@app/ee/services/app-connections/oci";
 import { ociConnectionService } from "@app/ee/services/app-connections/oci/oci-connection-service";
 import { ValidateOracleDBConnectionCredentialsSchema } from "@app/ee/services/app-connections/oracledb";
+import { TGatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  OrgPermissionAppConnectionActions,
+  OrgPermissionGatewayActions,
+  OrgPermissionSubjects
+} from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { DatabaseErrorCode } from "@app/lib/error-codes";
@@ -55,6 +61,8 @@ import { ValidateCloudflareConnectionCredentialsSchema } from "./cloudflare/clou
 import { cloudflareConnectionService } from "./cloudflare/cloudflare-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
 import { databricksConnectionService } from "./databricks/databricks-connection-service";
+import { ValidateDigitalOceanConnectionCredentialsSchema } from "./digital-ocean";
+import { digitalOceanAppPlatformConnectionService } from "./digital-ocean/digital-ocean-connection-service";
 import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
 import { flyioConnectionService } from "./flyio/flyio-connection-service";
 import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
@@ -73,6 +81,8 @@ import { humanitecConnectionService } from "./humanitec/humanitec-connection-ser
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
 import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
+import { ValidateOktaConnectionCredentialsSchema } from "./okta";
+import { oktaConnectionService } from "./okta/okta-connection-service";
 import { ValidatePostgresConnectionCredentialsSchema } from "./postgres";
 import { ValidateRailwayConnectionCredentialsSchema } from "./railway";
 import { railwayConnectionService } from "./railway/railway-connection-service";
@@ -96,6 +106,8 @@ export type TAppConnectionServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+  gatewayDAL: Pick<TGatewayDALFactory, "find">;
 };
 
 export type TAppConnectionServiceFactory = ReturnType<typeof appConnectionServiceFactory>;
@@ -134,14 +146,18 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Railway]: ValidateRailwayConnectionCredentialsSchema,
   [AppConnection.Bitbucket]: ValidateBitbucketConnectionCredentialsSchema,
   [AppConnection.Checkly]: ValidateChecklyConnectionCredentialsSchema,
-  [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema
+  [AppConnection.Supabase]: ValidateSupabaseConnectionCredentialsSchema,
+  [AppConnection.DigitalOcean]: ValidateDigitalOceanConnectionCredentialsSchema,
+  [AppConnection.Okta]: ValidateOktaConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
   appConnectionDAL,
   permissionService,
   kmsService,
-  licenseService
+  licenseService,
+  gatewayService,
+  gatewayDAL
 }: TAppConnectionServiceFactoryDep) => {
   const listAppConnectionsByOrg = async (actor: OrgServiceActor, app?: AppConnection) => {
     const { permission } = await permissionService.getOrgPermission(
@@ -222,7 +238,7 @@ export const appConnectionServiceFactory = ({
   };
 
   const createAppConnection = async (
-    { method, app, credentials, ...params }: TCreateAppConnectionDTO,
+    { method, app, credentials, gatewayId, ...params }: TCreateAppConnectionDTO,
     actor: OrgServiceActor
   ) => {
     const { permission } = await permissionService.getOrgPermission(
@@ -238,6 +254,20 @@ export const appConnectionServiceFactory = ({
       OrgPermissionSubjects.AppConnections
     );
 
+    if (gatewayId) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actor.orgId });
+      if (!gateway) {
+        throw new NotFoundError({
+          message: `Gateway with ID ${gatewayId} not found for org`
+        });
+      }
+    }
+
     await enterpriseAppCheck(
       licenseService,
       app,
@@ -245,12 +275,16 @@ export const appConnectionServiceFactory = ({
       "Failed to create app connection due to plan restriction. Upgrade plan to access enterprise app connections."
     );
 
-    const validatedCredentials = await validateAppConnectionCredentials({
-      app,
-      credentials,
-      method,
-      orgId: actor.orgId
-    } as TAppConnectionConfig);
+    const validatedCredentials = await validateAppConnectionCredentials(
+      {
+        app,
+        credentials,
+        method,
+        orgId: actor.orgId,
+        gatewayId
+      } as TAppConnectionConfig,
+      gatewayService
+    );
 
     try {
       const createConnection = async (connectionCredentials: TAppConnection["credentials"]) => {
@@ -265,6 +299,7 @@ export const appConnectionServiceFactory = ({
           encryptedCredentials,
           method,
           app,
+          gatewayId,
           ...params
         });
       };
@@ -277,9 +312,11 @@ export const appConnectionServiceFactory = ({
             app,
             orgId: actor.orgId,
             credentials: validatedCredentials,
-            method
+            method,
+            gatewayId
           } as TAppConnectionConfig,
-          (platformCredentials) => createConnection(platformCredentials)
+          (platformCredentials) => createConnection(platformCredentials),
+          gatewayService
         );
       } else {
         connection = await createConnection(validatedCredentials);
@@ -300,7 +337,7 @@ export const appConnectionServiceFactory = ({
   };
 
   const updateAppConnection = async (
-    { connectionId, credentials, ...params }: TUpdateAppConnectionDTO,
+    { connectionId, credentials, gatewayId, ...params }: TUpdateAppConnectionDTO,
     actor: OrgServiceActor
   ) => {
     const appConnection = await appConnectionDAL.findById(connectionId);
@@ -327,6 +364,22 @@ export const appConnectionServiceFactory = ({
       OrgPermissionSubjects.AppConnections
     );
 
+    if (gatewayId !== appConnection.gatewayId) {
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      if (gatewayId) {
+        const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actor.orgId });
+        if (!gateway) {
+          throw new NotFoundError({
+            message: `Gateway with ID ${gatewayId} not found for org`
+          });
+        }
+      }
+    }
+
     // prevent updating credentials or management status if platform managed
     if (appConnection.isPlatformManagedCredentials && (params.isPlatformManagedCredentials === false || credentials)) {
       throw new BadRequestError({
@@ -351,12 +404,16 @@ export const appConnectionServiceFactory = ({
           } Connection with method ${getAppConnectionMethodName(method)}`
         });
 
-      updatedCredentials = await validateAppConnectionCredentials({
-        app,
-        orgId: actor.orgId,
-        credentials,
-        method
-      } as TAppConnectionConfig);
+      updatedCredentials = await validateAppConnectionCredentials(
+        {
+          app,
+          orgId: actor.orgId,
+          credentials,
+          method,
+          gatewayId
+        } as TAppConnectionConfig,
+        gatewayService
+      );
 
       if (!updatedCredentials)
         throw new BadRequestError({ message: "Unable to validate connection - check credentials" });
@@ -375,6 +432,7 @@ export const appConnectionServiceFactory = ({
         return appConnectionDAL.updateById(connectionId, {
           orgId: actor.orgId,
           encryptedCredentials,
+          gatewayId,
           ...params
         });
       };
@@ -391,9 +449,11 @@ export const appConnectionServiceFactory = ({
             app,
             orgId: actor.orgId,
             credentials: updatedCredentials,
-            method
+            method,
+            gatewayId
           } as TAppConnectionConfig,
-          (platformCredentials) => updateConnection(platformCredentials)
+          (platformCredentials) => updateConnection(platformCredentials),
+          gatewayService
         );
       } else {
         updatedConnection = await updateConnection(updatedCredentials);
@@ -549,6 +609,8 @@ export const appConnectionServiceFactory = ({
     railway: railwayConnectionService(connectAppConnectionById),
     bitbucket: bitbucketConnectionService(connectAppConnectionById),
     checkly: checklyConnectionService(connectAppConnectionById),
-    supabase: supabaseConnectionService(connectAppConnectionById)
+    supabase: supabaseConnectionService(connectAppConnectionById),
+    digitalOcean: digitalOceanAppPlatformConnectionService(connectAppConnectionById),
+    okta: oktaConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -9,6 +9,7 @@ import {
   TOracleDBConnectionInput,
   TValidateOracleDBConnectionCredentialsSchema
 } from "@app/ee/services/app-connections/oracledb";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { TSqlConnectionConfig } from "@app/services/app-connection/shared/sql/sql-connection-types";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
@@ -86,6 +87,12 @@ import {
   TDatabricksConnectionInput,
   TValidateDatabricksConnectionCredentialsSchema
 } from "./databricks";
+import {
+  TDigitalOceanConnection,
+  TDigitalOceanConnectionConfig,
+  TDigitalOceanConnectionInput,
+  TValidateDigitalOceanCredentialsSchema
+} from "./digital-ocean";
 import {
   TFlyioConnection,
   TFlyioConnectionConfig,
@@ -142,6 +149,12 @@ import {
 } from "./ldap";
 import { TMsSqlConnection, TMsSqlConnectionInput, TValidateMsSqlConnectionCredentialsSchema } from "./mssql";
 import { TMySqlConnection, TMySqlConnectionInput, TValidateMySqlConnectionCredentialsSchema } from "./mysql";
+import {
+  TOktaConnection,
+  TOktaConnectionConfig,
+  TOktaConnectionInput,
+  TValidateOktaConnectionCredentialsSchema
+} from "./okta";
 import {
   TPostgresConnection,
   TPostgresConnectionInput,
@@ -231,6 +244,8 @@ export type TAppConnection = { id: string } & (
   | TRailwayConnection
   | TChecklyConnection
   | TSupabaseConnection
+  | TDigitalOceanConnection
+  | TOktaConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -272,6 +287,8 @@ export type TAppConnectionInput = { id: string } & (
   | TRailwayConnectionInput
   | TChecklyConnectionInput
   | TSupabaseConnectionInput
+  | TDigitalOceanConnectionInput
+  | TOktaConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -282,7 +299,7 @@ export type TSqlConnectionInput =
 
 export type TCreateAppConnectionDTO = Pick<
   TAppConnectionInput,
-  "credentials" | "method" | "name" | "app" | "description" | "isPlatformManagedCredentials"
+  "credentials" | "method" | "name" | "app" | "description" | "isPlatformManagedCredentials" | "gatewayId"
 >;
 
 export type TUpdateAppConnectionDTO = Partial<Omit<TCreateAppConnectionDTO, "method" | "app">> & {
@@ -320,7 +337,9 @@ export type TAppConnectionConfig =
   | TZabbixConnectionConfig
   | TRailwayConnectionConfig
   | TChecklyConnectionConfig
-  | TSupabaseConnectionConfig;
+  | TSupabaseConnectionConfig
+  | TDigitalOceanConnectionConfig
+  | TOktaConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -356,7 +375,9 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateZabbixConnectionCredentialsSchema
   | TValidateRailwayConnectionCredentialsSchema
   | TValidateChecklyConnectionCredentialsSchema
-  | TValidateSupabaseConnectionCredentialsSchema;
+  | TValidateSupabaseConnectionCredentialsSchema
+  | TValidateDigitalOceanCredentialsSchema
+  | TValidateOktaConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;
@@ -369,14 +390,17 @@ export type TListAwsConnectionIamUsers = {
 };
 
 export type TAppConnectionCredentialsValidator = (
-  appConnection: TAppConnectionConfig
+  appConnection: TAppConnectionConfig,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => Promise<TAppConnection["credentials"]>;
 
 export type TAppConnectionTransitionCredentialsToPlatform = (
   appConnection: TAppConnectionConfig,
-  callback: (credentials: TAppConnection["credentials"]) => Promise<TAppConnectionRaw>
+  callback: (credentials: TAppConnection["credentials"]) => Promise<TAppConnectionRaw>,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => Promise<TAppConnectionRaw>;
 
 export type TAppConnectionBaseConfig = {
   supportsPlatformManagedCredentials?: boolean;
+  supportsGateways?: boolean;
 };