misc: optimize partition script

Bring Back Missing Secrets Documentation

.github/workflows/build-docker-image-to-prod.yml

@@ -1,122 +0,0 @@
-name: Release production images (frontend, backend)
-on:
-  push:
-    tags:
-      - "vv*.*.*"
-
-jobs:
-  backend-image:
-    name: Build backend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      # - name: 🧪 Run tests
-      #   run: npm run test:ci
-      #   working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build backend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          load: true
-          context: backend
-          tags: infisical/infisical:test
-          platforms: linux/amd64,linux/arm64
-      - name: ⏻ Spawn backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
-      - name: 🧪 Test backend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-backend-test
-      - name: ⏻ Shut down backend container and dependencies
-        run: |
-          docker compose -f .github/resources/docker-compose.be-test.yml down
-      - name: 🏗️ Build backend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: backend
-          tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-
-  frontend-image:
-    name: Build frontend image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 📦 Build frontend and export to Docker
-        uses: depot/build-push-action@v1
-        with:
-          load: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          project: 64mmf0n610
-          context: frontend
-          tags: infisical/frontend:test
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-      - name: ⏻ Spawn frontend container
-        run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
-      - name: 🧪 Test frontend image
-        run: |
-          ./.github/resources/healthcheck.sh infisical-frontend-test
-      - name: ⏻ Shut down frontend container
-        run: |
-          docker stop infisical-frontend-test
-      - name: 🏗️ Build frontend and push
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          push: true
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: frontend
-          tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/run-backend-tests.yml

@@ -16,6 +16,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
+
+
+      - name: Free up disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          docker system prune -af
+          
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - uses: KengoTODA/actions-setup-docker-compose@v1
@@ -34,6 +44,8 @@ jobs:
         working-directory: backend
       - name: Start postgres and redis
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+      - name: Start Secret Rotation testing databases
+        run: docker compose -f docker-compose.e2e-dbs.yml up -d --wait --wait-timeout 300
       - name: Run unit test
         run: npm run test:unit
         working-directory: backend
@@ -41,6 +53,9 @@ jobs:
         run: npm run test:e2e
         working-directory: backend
         env:
+          E2E_TEST_ORACLE_DB_19_HOST: ${{ secrets.E2E_TEST_ORACLE_DB_19_HOST }}
+          E2E_TEST_ORACLE_DB_19_USERNAME: ${{ secrets.E2E_TEST_ORACLE_DB_19_USERNAME }}
+          E2E_TEST_ORACLE_DB_19_PASSWORD: ${{ secrets.E2E_TEST_ORACLE_DB_19_PASSWORD }}
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
           AUTH_SECRET: something-random

.infisicalignore

@@ -50,3 +50,4 @@ docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
 docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
 docs/integrations/app-connections/railway.mdx:generic-api-key:156
 .github/workflows/validate-db-schemas.yml:generic-api-key:21
+k8-operator/config/samples/universalAuthIdentitySecret.yaml:generic-api-key:8

backend/e2e-test/mocks/queue.ts

@@ -1,34 +0,0 @@
-import { TQueueServiceFactory } from "@app/queue";
-
-export const mockQueue = (): TQueueServiceFactory => {
-  const queues: Record<string, unknown> = {};
-  const workers: Record<string, unknown> = {};
-  const job: Record<string, unknown> = {};
-  const events: Record<string, unknown> = {};
-
-  return {
-    queue: async (name, jobData) => {
-      job[name] = jobData;
-    },
-    queuePg: async () => {},
-    schedulePg: async () => {},
-    initialize: async () => {},
-    shutdown: async () => undefined,
-    stopRepeatableJob: async () => true,
-    start: (name, jobFn) => {
-      queues[name] = jobFn;
-      workers[name] = jobFn;
-    },
-    startPg: async () => {},
-    listen: (name, event) => {
-      events[name] = event;
-    },
-    getRepeatableJobs: async () => [],
-    getDelayedJobs: async () => [],
-    clearQueue: async () => {},
-    stopJobById: async () => {},
-    stopJobByIdPg: async () => {},
-    stopRepeatableJobByJobId: async () => true,
-    stopRepeatableJobByKey: async () => true
-  };
-};

backend/e2e-test/routes/v3/secret-rotations.spec.ts

@@ -0,0 +1,726 @@
+/* eslint-disable no-promise-executor-return */
+/* eslint-disable no-await-in-loop */
+import knex from "knex";
+import { v4 as uuidv4 } from "uuid";
+
+import { seedData1 } from "@app/db/seed-data";
+
+enum SecretRotationType {
+  OracleDb = "oracledb",
+  MySQL = "mysql",
+  Postgres = "postgres"
+}
+
+type TGenericSqlCredentials = {
+  host: string;
+  port: number;
+  username: string;
+  password: string;
+  database: string;
+};
+
+type TSecretMapping = {
+  username: string;
+  password: string;
+};
+
+type TDatabaseUserCredentials = {
+  username: string;
+};
+
+const formatSqlUsername = (username: string) => `${username}_${uuidv4().slice(0, 8).replace(/-/g, "").toUpperCase()}`;
+
+const getSecretValue = async (secretKey: string) => {
+  const passwordSecret = await testServer.inject({
+    url: `/api/v3/secrets/raw/${secretKey}`,
+    method: "GET",
+    query: {
+      workspaceId: seedData1.projectV3.id,
+      environment: seedData1.environment.slug
+    },
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(passwordSecret.statusCode).toBe(200);
+  expect(passwordSecret.json().secret).toBeDefined();
+
+  const passwordSecretJson = JSON.parse(passwordSecret.payload);
+
+  return passwordSecretJson.secret.secretValue as string;
+};
+
+const deleteSecretRotation = async (id: string, type: SecretRotationType) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    query: {
+      deleteSecrets: "true",
+      revokeGeneratedCredentials: "true"
+    },
+    url: `/api/v2/secret-rotations/${type}-credentials/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+};
+
+const deleteAppConnection = async (id: string, type: SecretRotationType) => {
+  const res = await testServer.inject({
+    method: "DELETE",
+    url: `/api/v1/app-connections/${type}/${id}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    }
+  });
+
+  expect(res.statusCode).toBe(200);
+};
+
+const createOracleDBAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createOracleDBAppConnectionReqBody = {
+    credentials: {
+      database: credentials.database,
+      host: credentials.host,
+      username: credentials.username,
+      password: credentials.password,
+      port: credentials.port,
+      sslEnabled: true,
+      sslRejectUnauthorized: true
+    },
+    name: `oracle-db-${uuidv4()}`,
+    description: "Test OracleDB App Connection",
+    gatewayId: null,
+    isPlatformManagedCredentials: false,
+    method: "username-and-password"
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/oracledb`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createOracleDBAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createMySQLAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createMySQLAppConnectionReqBody = {
+    name: `mysql-test-${uuidv4()}`,
+    description: "test-mysql",
+    gatewayId: null,
+    method: "username-and-password",
+    credentials: {
+      host: credentials.host,
+      port: credentials.port,
+      database: credentials.database,
+      username: credentials.username,
+      password: credentials.password,
+      sslEnabled: false,
+      sslRejectUnauthorized: true
+    }
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/mysql`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createMySQLAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createPostgresAppConnection = async (credentials: TGenericSqlCredentials) => {
+  const createPostgresAppConnectionReqBody = {
+    credentials: {
+      host: credentials.host,
+      port: credentials.port,
+      database: credentials.database,
+      username: credentials.username,
+      password: credentials.password,
+      sslEnabled: false,
+      sslRejectUnauthorized: true
+    },
+    name: `postgres-test-${uuidv4()}`,
+    description: "test-postgres",
+    gatewayId: null,
+    method: "username-and-password"
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v1/app-connections/postgres`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createPostgresAppConnectionReqBody
+  });
+
+  const json = JSON.parse(res.payload);
+
+  expect(res.statusCode).toBe(200);
+  expect(json.appConnection).toBeDefined();
+
+  return json.appConnection.id as string;
+};
+
+const createOracleInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "oracledb",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000,
+      ssl: {
+        // @ts-expect-error - this is a valid property for the ssl object
+        sslServerDNMatch: true
+      }
+    }
+  });
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, don't create it
+    const existingUser = await client.raw(`SELECT * FROM all_users WHERE username = '${username}'`);
+
+    if (!existingUser.length) {
+      await client.raw(`CREATE USER ${username} IDENTIFIED BY "temporary_password"`);
+    }
+    await client.raw(`GRANT ALL PRIVILEGES TO ${username} WITH ADMIN OPTION`);
+  }
+
+  await client.destroy();
+};
+
+const createMySQLInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "mysql2",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000
+    }
+  });
+
+  // Fix: Ensure root has GRANT OPTION privileges
+  try {
+    await client.raw("GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;");
+    await client.raw("FLUSH PRIVILEGES;");
+  } catch (error) {
+    // Ignore if already has privileges
+  }
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, dont create it
+
+    const existingUser = await client.raw(`SELECT * FROM mysql.user WHERE user = '${username}'`);
+
+    if (!existingUser[0].length) {
+      await client.raw(`CREATE USER '${username}'@'%' IDENTIFIED BY 'temporary_password';`);
+    }
+
+    await client.raw(`GRANT ALL PRIVILEGES ON \`${credentials.database}\`.* TO '${username}'@'%';`);
+    await client.raw("FLUSH PRIVILEGES;");
+  }
+
+  await client.destroy();
+};
+
+const createPostgresInfisicalUsers = async (
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[]
+) => {
+  const client = knex({
+    client: "pg",
+    connection: {
+      database: credentials.database,
+      port: credentials.port,
+      host: credentials.host,
+      user: credentials.username,
+      password: credentials.password,
+      connectionTimeoutMillis: 10000
+    }
+  });
+
+  for await (const { username } of userCredentials) {
+    // check if user exists, and if it does, don't create it
+    const existingUser = await client.raw("SELECT * FROM pg_catalog.pg_user WHERE usename = ?", [username]);
+
+    if (!existingUser.rows.length) {
+      await client.raw(`CREATE USER "${username}" WITH PASSWORD 'temporary_password'`);
+    }
+
+    await client.raw("GRANT ALL PRIVILEGES ON DATABASE ?? TO ??", [credentials.database, username]);
+  }
+
+  await client.destroy();
+};
+
+const createOracleDBSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createOracleInfisicalUsers(credentials, userCredentials);
+
+  const createOracleDBSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-oracle-${uuidv4()}`,
+    description: "Test OracleDB Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5, // 5 seconds for testing
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/oracledb-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createOracleDBSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+const createMySQLSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createMySQLInfisicalUsers(credentials, userCredentials);
+
+  const createMySQLSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-mysql-rotation-${uuidv4()}`,
+    description: "Test MySQL Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5,
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/mysql-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createMySQLSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+const createPostgresSecretRotation = async (
+  appConnectionId: string,
+  credentials: TGenericSqlCredentials,
+  userCredentials: TDatabaseUserCredentials[],
+  secretMapping: TSecretMapping
+) => {
+  const now = new Date();
+  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
+
+  await createPostgresInfisicalUsers(credentials, userCredentials);
+
+  const createPostgresSecretRotationReqBody = {
+    parameters: userCredentials.reduce(
+      (acc, user, index) => {
+        acc[`username${index + 1}`] = user.username;
+        return acc;
+      },
+      {} as Record<string, string>
+    ),
+    secretsMapping: {
+      username: secretMapping.username,
+      password: secretMapping.password
+    },
+    name: `test-postgres-rotation-${uuidv4()}`,
+    description: "Test Postgres Secret Rotation",
+    secretPath: "/",
+    isAutoRotationEnabled: true,
+    rotationInterval: 5,
+    rotateAtUtc: {
+      hours: rotationTime.getUTCHours(),
+      minutes: rotationTime.getUTCMinutes()
+    },
+    connectionId: appConnectionId,
+    environment: seedData1.environment.slug,
+    projectId: seedData1.projectV3.id
+  };
+
+  const res = await testServer.inject({
+    method: "POST",
+    url: `/api/v2/secret-rotations/postgres-credentials`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createPostgresSecretRotationReqBody
+  });
+
+  expect(res.statusCode).toBe(200);
+  expect(res.json().secretRotation).toBeDefined();
+
+  return res;
+};
+
+describe("Secret Rotations", async () => {
+  const testCases = [
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (8.4.6) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3306
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (8.0.29) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3307
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.MySQL,
+      name: "MySQL (5.7.31) Secret Rotation",
+      dbCredentials: {
+        database: "mysql-test",
+        host: "127.0.0.1",
+        username: "root",
+        password: "mysql-test",
+        port: 3308
+      },
+      secretMapping: {
+        username: formatSqlUsername("MYSQL_USERNAME"),
+        password: formatSqlUsername("MYSQL_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("MYSQL_USER_1")
+        },
+        {
+          username: formatSqlUsername("MYSQL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.OracleDb,
+      name: "OracleDB (23.8) Secret Rotation",
+      dbCredentials: {
+        database: "FREEPDB1",
+        host: "127.0.0.1",
+        username: "system",
+        password: "pdb-password",
+        port: 1521
+      },
+      secretMapping: {
+        username: formatSqlUsername("ORACLEDB_USERNAME"),
+        password: formatSqlUsername("ORACLEDB_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.OracleDb,
+      name: "OracleDB (19.3) Secret Rotation",
+      skippable: true,
+      dbCredentials: {
+        password: process.env.E2E_TEST_ORACLE_DB_19_PASSWORD!,
+        host: process.env.E2E_TEST_ORACLE_DB_19_HOST!,
+        username: process.env.E2E_TEST_ORACLE_DB_19_USERNAME!,
+        port: 1521,
+        database: "ORCLPDB1"
+      },
+      secretMapping: {
+        username: formatSqlUsername("ORACLEDB_USERNAME"),
+        password: formatSqlUsername("ORACLEDB_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (17) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5433
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (16) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5434
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    },
+    {
+      type: SecretRotationType.Postgres,
+      name: "Postgres (10.12) Secret Rotation",
+      dbCredentials: {
+        database: "postgres-test",
+        host: "127.0.0.1",
+        username: "postgres-test",
+        password: "postgres-test",
+        port: 5435
+      },
+      secretMapping: {
+        username: formatSqlUsername("POSTGRES_USERNAME"),
+        password: formatSqlUsername("POSTGRES_PASSWORD")
+      },
+      userCredentials: [
+        {
+          username: formatSqlUsername("INFISICAL_USER_1")
+        },
+        {
+          username: formatSqlUsername("INFISICAL_USER_2")
+        }
+      ]
+    }
+  ] as {
+    skippable?: boolean;
+    type: SecretRotationType;
+    name: string;
+    dbCredentials: TGenericSqlCredentials;
+    secretMapping: TSecretMapping;
+    userCredentials: TDatabaseUserCredentials[];
+  }[];
+
+  const createAppConnectionMap = {
+    [SecretRotationType.OracleDb]: createOracleDBAppConnection,
+    [SecretRotationType.MySQL]: createMySQLAppConnection,
+    [SecretRotationType.Postgres]: createPostgresAppConnection
+  };
+
+  const createRotationMap = {
+    [SecretRotationType.OracleDb]: createOracleDBSecretRotation,
+    [SecretRotationType.MySQL]: createMySQLSecretRotation,
+    [SecretRotationType.Postgres]: createPostgresSecretRotation
+  };
+
+  const appConnectionIds: { id: string; type: SecretRotationType }[] = [];
+  const secretRotationIds: { id: string; type: SecretRotationType }[] = [];
+
+  afterAll(async () => {
+    for (const { id, type } of secretRotationIds) {
+      await deleteSecretRotation(id, type);
+    }
+
+    for (const { id, type } of appConnectionIds) {
+      await deleteAppConnection(id, type);
+    }
+  });
+
+  testCases.forEach(({ skippable, dbCredentials, secretMapping, userCredentials, type, name }) => {
+    const shouldSkip = () => {
+      if (skippable) {
+        if (type === SecretRotationType.OracleDb) {
+          if (!process.env.E2E_TEST_ORACLE_DB_19_HOST) {
+            return true;
+          }
+        }
+      }
+
+      return false;
+    };
+
+    if (shouldSkip()) {
+      test.skip(`Skipping Secret Rotation for ${type} (${name}) because E2E_TEST_ORACLE_DB_19_HOST is not set`);
+    } else {
+      test.concurrent(
+        `Create secret rotation for ${name}`,
+        async () => {
+          const appConnectionId = await createAppConnectionMap[type](dbCredentials);
+
+          if (appConnectionId) {
+            appConnectionIds.push({ id: appConnectionId, type });
+          }
+
+          const res = await createRotationMap[type](appConnectionId, dbCredentials, userCredentials, secretMapping);
+
+          const resJson = JSON.parse(res.payload);
+
+          if (resJson.secretRotation) {
+            secretRotationIds.push({ id: resJson.secretRotation.id, type });
+          }
+
+          const startSecretValue = await getSecretValue(secretMapping.password);
+          expect(startSecretValue).toBeDefined();
+
+          let attempts = 0;
+          while (attempts < 60) {
+            const currentSecretValue = await getSecretValue(secretMapping.password);
+
+            if (currentSecretValue !== startSecretValue) {
+              break;
+            }
+
+            attempts += 1;
+            await new Promise((resolve) => setTimeout(resolve, 2_500));
+          }
+
+          if (attempts >= 60) {
+            throw new Error("Secret rotation failed to rotate after 60 attempts");
+          }
+
+          const finalSecretValue = await getSecretValue(secretMapping.password);
+          expect(finalSecretValue).not.toBe(startSecretValue);
+        },
+        {
+          timeout: 300_000
+        }
+      );
+    }
+  });
+});

backend/e2e-test/vitest-environment-knex.ts

@@ -18,6 +18,7 @@ import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+import { bootstrapCheck } from "@app/server/boot-strap-check";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -63,6 +64,8 @@ export default {
       const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
       const keyStore = keyStoreFactory(envCfg);
 
+      await queue.initialize();
+
       const hsmModule = initializeHsmModule(envCfg);
       hsmModule.initialize();
 
@@ -78,9 +81,13 @@ export default {
         envConfig: envCfg
       });
 
+      await bootstrapCheck({ db });
+
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type
+      globalThis.testQueue = queue;
+      // @ts-expect-error type
       globalThis.testSuperAdminDAL = superAdminDAL;
       // @ts-expect-error type
       globalThis.jwtAuthToken = crypto.jwt().sign(
@@ -105,6 +112,8 @@ export default {
     // custom setup
     return {
       async teardown() {
+        // @ts-expect-error type
+        await globalThis.testQueue.shutdown();
         // @ts-expect-error type
         await globalThis.testServer.close();
         // @ts-expect-error type
@@ -112,7 +121,9 @@ export default {
         // @ts-expect-error type
         delete globalThis.testSuperAdminDAL;
         // @ts-expect-error type
-        delete globalThis.jwtToken;
+        delete globalThis.jwtAuthToken;
+        // @ts-expect-error type
+        delete globalThis.testQueue;
         // called after all tests with this env have been run
         await db.migrate.rollback(
           {

backend/src/db/manual-migrations/partition-audit-logs.ts

@@ -84,6 +84,9 @@ const up = async (knex: Knex): Promise<void> => {
       t.index("expiresAt");
       t.index("orgId");
       t.index("projectId");
+      t.index("eventType");
+      t.index("userAgentType");
+      t.index("actor");
     });
 
     console.log("Adding GIN indices...");
@@ -119,8 +122,8 @@ const up = async (knex: Knex): Promise<void> => {
     console.log("Creating audit log partitions ahead of time... next date:", nextDateStr);
     await createAuditLogPartition(knex, nextDate, new Date(nextDate.getFullYear(), nextDate.getMonth() + 1));
 
-    // create partitions 4 years ahead
-    const partitionMonths = 4 * 12;
+    // create partitions 20 years ahead
+    const partitionMonths = 20 * 12;
     const partitionPromises: Promise<void>[] = [];
     for (let x = 1; x <= partitionMonths; x += 1) {
       partitionPromises.push(

backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts

@@ -2,7 +2,7 @@
 import { Knex } from "knex";
 
 import { chunkArray } from "@app/lib/fn";
-import { logger } from "@app/lib/logger";
+import { initLogger, logger } from "@app/lib/logger";
 
 import { TableName } from "../schemas";
 import { TReminders, TRemindersInsert } from "../schemas/reminders";
@@ -107,5 +107,6 @@ export async function up(knex: Knex): Promise<void> {
 }
 
 export async function down(): Promise<void> {
+  initLogger();
   logger.info("Rollback not implemented for secret reminders fix migration");
 }

backend/src/db/migrations/20250808021941_access-policy-max-time-period.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod"))) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.string("maxTimePeriod").nullable(); // Ex: 1h - Null is permanent
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod")) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("maxTimePeriod");
+    });
+  }
+}

backend/src/db/migrations/20250813020335_access-request-edit-cols.ts

@@ -0,0 +1,38 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
+  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
+
+  if (!hasEditNoteCol || !hasEditedByUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      if (!hasEditedByUserId) {
+        t.uuid("editedByUserId").nullable();
+        t.foreign("editedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+      }
+
+      if (!hasEditNoteCol) {
+        t.string("editNote").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
+  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
+
+  if (hasEditNoteCol || hasEditedByUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      if (hasEditedByUserId) {
+        t.dropColumn("editedByUserId");
+      }
+
+      if (hasEditNoteCol) {
+        t.dropColumn("editNote");
+      }
+    });
+  }
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -17,7 +17,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
   deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true)
+  allowedSelfApprovals: z.boolean().default(true),
+  maxTimePeriod: z.string().nullable().optional()
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/access-approval-requests.ts

@@ -20,7 +20,9 @@ export const AccessApprovalRequestsSchema = z.object({
   requestedByUserId: z.string().uuid(),
   note: z.string().nullable().optional(),
   privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending")
+  status: z.string().default("pending"),
+  editedByUserId: z.string().uuid().nullable().optional(),
+  editNote: z.string().nullable().optional()
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -3,12 +3,32 @@ import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
+const maxTimePeriodSchema = z
+  .string()
+  .trim()
+  .nullish()
+  .transform((val, ctx) => {
+    if (val === undefined) return undefined;
+    if (!val || val === "permanent") return null;
+    const parsedMs = ms(val);
+
+    if (typeof parsedMs !== "number" || parsedMs <= 0) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+      });
+      return z.NEVER;
+    }
+    return val;
+  });
+
 export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/",
@@ -71,7 +91,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
             .optional(),
           approvals: z.number().min(1).default(1),
           enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
+          allowedSelfApprovals: z.boolean().default(true),
+          maxTimePeriod: maxTimePeriodSchema
         })
         .refine(
           (val) => Boolean(val.environment) || Boolean(val.environments),
@@ -124,7 +145,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                 .array()
                 .nullable()
                 .optional(),
-              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
+              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array(),
+              maxTimePeriod: z.string().nullable().optional()
             })
             .array()
             .nullable()
@@ -233,7 +255,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
             stepNumber: z.number().int()
           })
           .array()
-          .optional()
+          .optional(),
+        maxTimePeriod: maxTimePeriodSchema
       }),
       response: {
         200: z.object({
@@ -314,7 +337,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
               })
               .array()
               .nullable()
-              .optional()
+              .optional(),
+            maxTimePeriod: z.string().nullable().optional()
           })
         })
       }

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
+import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -26,7 +27,23 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
       body: z.object({
         permissions: z.any().array(),
         isTemporary: z.boolean(),
-        temporaryRange: z.string().optional(),
+        temporaryRange: z
+          .string()
+          .optional()
+          .transform((val, ctx) => {
+            if (!val || val === "permanent") return undefined;
+
+            const parsedMs = ms(val);
+
+            if (typeof parsedMs !== "number" || parsedMs <= 0) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+              });
+              return z.NEVER;
+            }
+            return val;
+          }),
         note: z.string().max(255).optional()
       }),
       querystring: z.object({
@@ -128,7 +145,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               envId: z.string(),
               enforcementLevel: z.string(),
               deletedAt: z.date().nullish(),
-              allowedSelfApprovals: z.boolean()
+              allowedSelfApprovals: z.boolean(),
+              maxTimePeriod: z.string().nullable().optional()
             }),
             reviewers: z
               .object({
@@ -189,4 +207,47 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
       return { review };
     }
   });
+
+  server.route({
+    url: "/:requestId",
+    method: "PATCH",
+    schema: {
+      params: z.object({
+        requestId: z.string().trim()
+      }),
+      body: z.object({
+        temporaryRange: z.string().transform((val, ctx) => {
+          const parsedMs = ms(val);
+
+          if (typeof parsedMs !== "number" || parsedMs <= 0) {
+            ctx.addIssue({
+              code: z.ZodIssueCode.custom,
+              message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
+            });
+            return z.NEVER;
+          }
+          return val;
+        }),
+        editNote: z.string().max(255)
+      }),
+      response: {
+        200: z.object({
+          approval: AccessApprovalRequestsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { request } = await server.services.accessApprovalRequest.updateAccessApprovalRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        temporaryRange: req.body.temporaryRange,
+        editNote: req.body.editNote,
+        requestId: req.params.requestId
+      });
+      return { approval: request };
+    }
+  });
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -56,6 +56,7 @@ export interface TAccessApprovalPolicyDALFactory
       allowedSelfApprovals: boolean;
       secretPath: string;
       deletedAt?: Date | null | undefined;
+      maxTimePeriod?: string | null;
       projectId: string;
       bypassers: (
         | {
@@ -96,6 +97,7 @@ export interface TAccessApprovalPolicyDALFactory
         allowedSelfApprovals: boolean;
         secretPath: string;
         deletedAt?: Date | null | undefined;
+        maxTimePeriod?: string | null;
         environments: {
           id: string;
           name: string;
@@ -141,6 +143,7 @@ export interface TAccessApprovalPolicyDALFactory
         allowedSelfApprovals: boolean;
         secretPath: string;
         deletedAt?: Date | null | undefined;
+        maxTimePeriod?: string | null;
       }
     | undefined
   >;

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -100,7 +100,8 @@ export const accessApprovalPolicyServiceFactory = ({
     environments,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    maxTimePeriod
   }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -219,7 +220,8 @@ export const accessApprovalPolicyServiceFactory = ({
           secretPath,
           name,
           enforcementLevel,
-          allowedSelfApprovals
+          allowedSelfApprovals,
+          maxTimePeriod
         },
         tx
       );
@@ -318,7 +320,8 @@ export const accessApprovalPolicyServiceFactory = ({
     enforcementLevel,
     allowedSelfApprovals,
     approvalsRequired,
-    environments
+    environments,
+    maxTimePeriod
   }: TUpdateAccessApprovalPolicy) => {
     const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);
 
@@ -461,7 +464,8 @@ export const accessApprovalPolicyServiceFactory = ({
           secretPath,
           name,
           enforcementLevel,
-          allowedSelfApprovals
+          allowedSelfApprovals,
+          maxTimePeriod
         },
         tx
       );

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -41,6 +41,7 @@ export type TCreateAccessApprovalPolicy = {
   enforcementLevel: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
+  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAccessApprovalPolicy = {
@@ -60,6 +61,7 @@ export type TUpdateAccessApprovalPolicy = {
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
   environments?: string[];
+  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {
@@ -104,7 +106,8 @@ export interface TAccessApprovalPolicyServiceFactory {
     environment,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired
+    approvalsRequired,
+    maxTimePeriod
   }: TCreateAccessApprovalPolicy) => Promise<{
     environment: {
       name: string;
@@ -135,6 +138,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath: string;
     deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
   }>;
   deleteAccessApprovalPolicy: ({
     policyId,
@@ -159,6 +163,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath: string;
     deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
     environment: {
       id: string;
       name: string;
@@ -185,7 +190,8 @@ export interface TAccessApprovalPolicyServiceFactory {
     enforcementLevel,
     allowedSelfApprovals,
     approvalsRequired,
-    environments
+    environments,
+    maxTimePeriod
   }: TUpdateAccessApprovalPolicy) => Promise<{
     environment: {
       id: string;
@@ -208,6 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
     actorId,
@@ -242,6 +249,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       allowedSelfApprovals: boolean;
       secretPath: string;
       deletedAt?: Date | null | undefined;
+      maxTimePeriod?: string | null;
       environment: {
         id: string;
         name: string;
@@ -298,6 +306,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath: string;
     deletedAt?: Date | null | undefined;
+    maxTimePeriod?: string | null;
     environment: {
       id: string;
       name: string;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -63,6 +63,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
           enforcementLevel: string;
           allowedSelfApprovals: boolean;
           deletedAt: Date | null | undefined;
+          maxTimePeriod?: string | null;
         };
         projectId: string;
         environments: string[];
@@ -161,6 +162,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
         allowedSelfApprovals: boolean;
         envId: string;
         deletedAt: Date | null | undefined;
+        maxTimePeriod?: string | null;
       };
       projectId: string;
       environment: string;
@@ -297,7 +299,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
             db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
             db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
             db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
-            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
+            db.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
           )
           .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
           .select(db.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"))
@@ -364,7 +367,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
               enforcementLevel: doc.policyEnforcementLevel,
               allowedSelfApprovals: doc.policyAllowedSelfApprovals,
               envId: doc.policyEnvId,
-              deletedAt: doc.policyDeletedAt
+              deletedAt: doc.policyDeletedAt,
+              maxTimePeriod: doc.policyMaxTimePeriod
             },
             requestedByUser: {
               userId: doc.requestedByUserId,
@@ -574,7 +578,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
         tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
+        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
+        tx.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
       );
 
   const findById: TAccessApprovalRequestDALFactory["findById"] = async (id, tx) => {
@@ -595,7 +600,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
             secretPath: el.policySecretPath,
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals,
-            deletedAt: el.policyDeletedAt
+            deletedAt: el.policyDeletedAt,
+            maxTimePeriod: el.policyMaxTimePeriod
           },
           requestedByUser: {
             userId: el.requestedByUserId,

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -54,7 +54,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
   accessApprovalRequestReviewerDAL: Pick<
     TAccessApprovalRequestReviewerDALFactory,
-    "create" | "find" | "findOne" | "transaction"
+    "create" | "find" | "findOne" | "transaction" | "delete"
   >;
   groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
@@ -156,6 +156,15 @@ export const accessApprovalRequestServiceFactory = ({
       throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
     }
 
+    // Check if the requested time falls under policy.maxTimePeriod
+    if (policy.maxTimePeriod) {
+      if (!temporaryRange || ms(temporaryRange) > ms(policy.maxTimePeriod)) {
+        throw new BadRequestError({
+          message: `Requested access time range is limited to ${policy.maxTimePeriod} by policy`
+        });
+      }
+    }
+
     const approverIds: string[] = [];
     const approverGroupIds: string[] = [];
 
@@ -292,6 +301,155 @@ export const accessApprovalRequestServiceFactory = ({
     return { request: approval };
   };
 
+  const updateAccessApprovalRequest: TAccessApprovalRequestServiceFactory["updateAccessApprovalRequest"] = async ({
+    temporaryRange,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    editNote,
+    requestId
+  }) => {
+    const cfg = getConfig();
+
+    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
+    if (!accessApprovalRequest) {
+      throw new NotFoundError({ message: `Access request with ID '${requestId}' not found` });
+    }
+
+    const { policy, requestedByUser } = accessApprovalRequest;
+    if (policy.deletedAt) {
+      throw new BadRequestError({
+        message: "The policy associated with this access request has been deleted."
+      });
+    }
+
+    const { membership, hasRole } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: accessApprovalRequest.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
+
+    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
+
+    if (!hasRole(ProjectMembershipRole.Admin) && !isApprover) {
+      throw new ForbiddenRequestError({ message: "You are not authorized to modify this request" });
+    }
+
+    const project = await projectDAL.findById(accessApprovalRequest.projectId);
+
+    if (!project) {
+      throw new NotFoundError({
+        message: `The project associated with this access request was not found. [projectId=${accessApprovalRequest.projectId}]`
+      });
+    }
+
+    if (accessApprovalRequest.status !== ApprovalStatus.PENDING) {
+      throw new BadRequestError({ message: "The request has been closed" });
+    }
+
+    const editedByUser = await userDAL.findById(actorId);
+
+    if (!editedByUser) throw new NotFoundError({ message: "Editing user not found" });
+
+    if (accessApprovalRequest.isTemporary && accessApprovalRequest.temporaryRange) {
+      if (ms(temporaryRange) > ms(accessApprovalRequest.temporaryRange)) {
+        throw new BadRequestError({ message: "Updated access duration must be less than current access duration" });
+      }
+    }
+
+    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({
+      permissions: accessApprovalRequest.permissions
+    });
+
+    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
+      const approvalRequest = await accessApprovalRequestDAL.updateById(
+        requestId,
+        {
+          temporaryRange,
+          isTemporary: true,
+          editNote,
+          editedByUserId: actorId
+        },
+        tx
+      );
+
+      // reset review progress
+      await accessApprovalRequestReviewerDAL.delete(
+        {
+          requestId
+        },
+        tx
+      );
+
+      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
+      const editorFullName = `${editedByUser.firstName} ${editedByUser.lastName}`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
+
+      await triggerWorkflowIntegrationNotification({
+        input: {
+          notification: {
+            type: TriggerFeature.ACCESS_REQUEST_UPDATED,
+            payload: {
+              projectName: project.name,
+              requesterFullName,
+              isTemporary: true,
+              requesterEmail: requestedByUser.email as string,
+              secretPath,
+              environment: envSlug,
+              permissions: accessTypes,
+              approvalUrl,
+              editNote,
+              editorEmail: editedByUser.email as string,
+              editorFullName
+            }
+          },
+          projectId: project.id
+        },
+        dependencies: {
+          projectDAL,
+          projectSlackConfigDAL,
+          kmsService,
+          microsoftTeamsService,
+          projectMicrosoftTeamsConfigDAL
+        }
+      });
+
+      await smtpService.sendMail({
+        recipients: policy.approvers
+          .filter((approver) => Boolean(approver.email) && approver.userId !== editedByUser.id)
+          .map((approver) => approver.email!),
+        subjectLine: "Access Approval Request Updated",
+        substitutions: {
+          projectName: project.name,
+          requesterFullName,
+          requesterEmail: requestedByUser.email,
+          isTemporary: true,
+          expiresIn: msFn(ms(temporaryRange || ""), { long: true }),
+          secretPath,
+          environment: envSlug,
+          permissions: accessTypes,
+          approvalUrl,
+          editNote,
+          editorFullName,
+          editorEmail: editedByUser.email
+        },
+        template: SmtpTemplates.AccessApprovalRequestUpdated
+      });
+
+      return approvalRequest;
+    });
+
+    return { request: approval };
+  };
+
   const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
     projectSlug,
     authorUserId,
@@ -641,6 +799,7 @@ export const accessApprovalRequestServiceFactory = ({
 
   return {
     createAccessApprovalRequest,
+    updateAccessApprovalRequest,
     listApprovalRequests,
     reviewAccessRequest,
     getCount

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -30,6 +30,12 @@ export type TCreateAccessApprovalRequestDTO = {
   note?: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TUpdateAccessApprovalRequestDTO = {
+  requestId: string;
+  temporaryRange: string;
+  editNote: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TListApprovalRequestsDTO = {
   projectSlug: string;
   authorUserId?: string;
@@ -54,6 +60,23 @@ export interface TAccessApprovalRequestServiceFactory {
       privilegeDeletedAt?: Date | null | undefined;
     };
   }>;
+  updateAccessApprovalRequest: (arg: TUpdateAccessApprovalRequestDTO) => Promise<{
+    request: {
+      status: string;
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      policyId: string;
+      isTemporary: boolean;
+      requestedByUserId: string;
+      privilegeId?: string | null | undefined;
+      requestedBy?: string | null | undefined;
+      temporaryRange?: string | null | undefined;
+      permissions?: unknown;
+      note?: string | null | undefined;
+      privilegeDeletedAt?: Date | null | undefined;
+    };
+  }>;
   listApprovalRequests: (arg: TListApprovalRequestsDTO) => Promise<{
     requests: {
       policy: {
@@ -82,6 +105,7 @@ export interface TAccessApprovalRequestServiceFactory {
         allowedSelfApprovals: boolean;
         envId: string;
         deletedAt: Date | null | undefined;
+        maxTimePeriod?: string | null;
       };
       projectId: string;
       environment: string;

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,8 +1,6 @@
 import { AxiosError, RawAxiosRequestHeaders } from "axios";
 
-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
-import { TEventBusService } from "@app/ee/services/event/event-bus-service";
-import { TopicName, toPublishableEvent } from "@app/ee/services/event/types";
+import { SecretKeyEncoding } from "@app/db/schemas";
 import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
@@ -22,7 +20,6 @@ type TAuditLogQueueServiceFactoryDep = {
   queueService: TQueueServiceFactory;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  eventBusService: TEventBusService;
 };
 
 export type TAuditLogQueueServiceFactory = {
@@ -38,8 +35,7 @@ export const auditLogQueueServiceFactory = async ({
   queueService,
   projectDAL,
   licenseService,
-  auditLogStreamDAL,
-  eventBusService
+  auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
   const pushToLog = async (data: TCreateAuditLogDTO) => {
     await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
@@ -145,16 +141,6 @@ export const auditLogQueueServiceFactory = async ({
         )
       );
     }
-
-    const publishable = toPublishableEvent(event);
-
-    if (publishable) {
-      await eventBusService.publish(TopicName.CoreServers, {
-        type: ProjectType.SecretManager,
-        source: "infiscal",
-        data: publishable.data
-      });
-    }
   });
 
   return {

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -9,7 +9,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
   const appCfg = getConfig();
 
-  if (appCfg.isDevelopmentMode) return [host];
+  if (appCfg.isDevelopmentMode || appCfg.isTestMode) return [host];
 
   if (isGateway) return [host];
 

backend/src/ee/services/dynamic-secret/providers/couchbase.ts

@@ -0,0 +1,289 @@
+import crypto from "node:crypto";
+
+import axios from "axios";
+import RE2 from "re2";
+
+import { BadRequestError } from "@app/lib/errors";
+import { sanitizeString } from "@app/lib/fn";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator/validate-url";
+
+import { DynamicSecretCouchbaseSchema, PasswordRequirements, TDynamicProviderFns } from "./models";
+import { compileUsernameTemplate } from "./templateUtils";
+
+type TCreateCouchbaseUser = {
+  name: string;
+  password: string;
+  access: {
+    privileges: string[];
+    resources: {
+      buckets: {
+        name: string;
+        scopes?: {
+          name: string;
+          collections?: string[];
+        }[];
+      }[];
+    };
+  }[];
+};
+
+type CouchbaseUserResponse = {
+  id: string;
+  uuid?: string;
+};
+
+const sanitizeCouchbaseUsername = (username: string): string => {
+  // Couchbase username restrictions:
+  // - Cannot contain: ) ( > < , ; : " \ / ] [ ? = } {
+  // - Cannot begin with @ character
+
+  const forbiddenCharsPattern = new RE2('[\\)\\(><,;:"\\\\\\[\\]\\?=\\}\\{]', "g");
+  let sanitized = forbiddenCharsPattern.replace(username, "-");
+
+  const leadingAtPattern = new RE2("^@+");
+  sanitized = leadingAtPattern.replace(sanitized, "");
+
+  if (!sanitized || sanitized.length === 0) {
+    return alphaNumericNanoId(12);
+  }
+
+  return sanitized;
+};
+
+/**
+ * Normalizes bucket configuration to handle wildcard (*) access consistently.
+ *
+ * Key behaviors:
+ * - If "*" appears anywhere (string or array), grants access to ALL buckets, scopes, and collections
+ *
+ * @param buckets - Either a string or array of bucket configurations
+ * @returns Normalized bucket resources for Couchbase API
+ */
+const normalizeBucketConfiguration = (
+  buckets:
+    | string
+    | Array<{
+        name: string;
+        scopes?: Array<{
+          name: string;
+          collections?: string[];
+        }>;
+      }>
+) => {
+  if (typeof buckets === "string") {
+    // Simple string format - either "*" or comma-separated bucket names
+    const bucketNames = buckets
+      .split(",")
+      .map((bucket) => bucket.trim())
+      .filter((bucket) => bucket.length > 0);
+
+    // If "*" is present anywhere, grant access to all buckets, scopes, and collections
+    if (bucketNames.includes("*") || buckets === "*") {
+      return [{ name: "*" }];
+    }
+    return bucketNames.map((bucketName) => ({ name: bucketName }));
+  }
+
+  // Array of bucket objects with scopes and collections
+  // Check if any bucket is "*" - if so, grant access to all buckets, scopes, and collections
+  const hasWildcardBucket = buckets.some((bucket) => bucket.name === "*");
+
+  if (hasWildcardBucket) {
+    return [{ name: "*" }];
+  }
+
+  return buckets.map((bucket) => ({
+    name: bucket.name,
+    scopes: bucket.scopes?.map((scope) => ({
+      name: scope.name,
+      collections: scope.collections || []
+    }))
+  }));
+};
+
+const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
+  const randomUsername = alphaNumericNanoId(12);
+  if (!usernameTemplate) return sanitizeCouchbaseUsername(randomUsername);
+
+  const compiledUsername = compileUsernameTemplate({
+    usernameTemplate,
+    randomUsername,
+    identity
+  });
+
+  return sanitizeCouchbaseUsername(compiledUsername);
+};
+
+const generatePassword = (requirements?: PasswordRequirements): string => {
+  const {
+    length = 12,
+    required = { lowercase: 1, uppercase: 1, digits: 1, symbols: 1 },
+    allowedSymbols = "!@#$%^()_+-=[]{}:,?/~`"
+  } = requirements || {};
+
+  const lowercase = "abcdefghijklmnopqrstuvwxyz";
+  const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const digits = "0123456789";
+  const symbols = allowedSymbols;
+
+  let password = "";
+  let remaining = length;
+
+  // Add required characters
+  for (let i = 0; i < required.lowercase; i += 1) {
+    password += lowercase[crypto.randomInt(lowercase.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.uppercase; i += 1) {
+    password += uppercase[crypto.randomInt(uppercase.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.digits; i += 1) {
+    password += digits[crypto.randomInt(digits.length)];
+    remaining -= 1;
+  }
+  for (let i = 0; i < required.symbols; i += 1) {
+    password += symbols[crypto.randomInt(symbols.length)];
+    remaining -= 1;
+  }
+
+  // Fill remaining with random characters from all sets
+  const allChars = lowercase + uppercase + digits + symbols;
+  for (let i = 0; i < remaining; i += 1) {
+    password += allChars[crypto.randomInt(allChars.length)];
+  }
+
+  // Shuffle the password
+  return password
+    .split("")
+    .sort(() => crypto.randomInt(3) - 1)
+    .join("");
+};
+
+const couchbaseApiRequest = async (
+  method: string,
+  url: string,
+  apiKey: string,
+  data?: unknown
+): Promise<CouchbaseUserResponse> => {
+  await blockLocalAndPrivateIpAddresses(url);
+
+  try {
+    const response = await axios({
+      method: method.toLowerCase() as "get" | "post" | "put" | "delete",
+      url,
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "Content-Type": "application/json"
+      },
+      data: data || undefined,
+      timeout: 30000
+    });
+
+    return response.data as CouchbaseUserResponse;
+  } catch (err) {
+    const sanitizedErrorMessage = sanitizeString({
+      unsanitizedString: (err as Error)?.message,
+      tokens: [apiKey]
+    });
+    throw new BadRequestError({
+      message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+    });
+  }
+};
+
+export const CouchbaseProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: object) => {
+    const providerInputs = DynamicSecretCouchbaseSchema.parse(inputs);
+
+    await blockLocalAndPrivateIpAddresses(providerInputs.url);
+
+    return providerInputs;
+  };
+
+  const validateConnection = async (inputs: unknown): Promise<boolean> => {
+    try {
+      const providerInputs = await validateProviderInputs(inputs as object);
+
+      // Test connection by trying to get organization info
+      const url = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}`;
+      await couchbaseApiRequest("GET", url, providerInputs.auth.apiKey);
+
+      return true;
+    } catch (error) {
+      throw new BadRequestError({
+        message: `Failed to connect to Couchbase: ${error instanceof Error ? error.message : "Unknown error"}`
+      });
+    }
+  };
+
+  const create = async ({
+    inputs,
+    usernameTemplate,
+    identity
+  }: {
+    inputs: unknown;
+    usernameTemplate?: string | null;
+    identity?: { name: string };
+  }) => {
+    const providerInputs = await validateProviderInputs(inputs as object);
+
+    const username = generateUsername(usernameTemplate, identity);
+
+    const password = generatePassword(providerInputs.passwordRequirements);
+
+    const createUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users`;
+
+    const bucketResources = normalizeBucketConfiguration(providerInputs.buckets);
+
+    const userData: TCreateCouchbaseUser = {
+      name: username,
+      password,
+      access: [
+        {
+          privileges: providerInputs.roles,
+          resources: {
+            buckets: bucketResources
+          }
+        }
+      ]
+    };
+
+    const response = await couchbaseApiRequest("POST", createUserUrl, providerInputs.auth.apiKey, userData);
+
+    const userUuid = response?.id || response?.uuid || username;
+
+    return {
+      entityId: userUuid,
+      data: {
+        username,
+        password
+      }
+    };
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs as object);
+
+    const deleteUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users/${encodeURIComponent(entityId)}`;
+
+    await couchbaseApiRequest("DELETE", deleteUserUrl, providerInputs.auth.apiKey);
+
+    return { entityId };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // Couchbase Cloud API doesn't support renewing user credentials
+    // The user remains valid until explicitly deleted
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -5,6 +5,7 @@ import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
+import { CouchbaseProvider } from "./couchbase";
 import { ElasticSearchProvider } from "./elastic-search";
 import { GcpIamProvider } from "./gcp-iam";
 import { GithubProvider } from "./github";
@@ -46,5 +47,6 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
   [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
   [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
-  [DynamicSecretProviders.Github]: GithubProvider()
+  [DynamicSecretProviders.Github]: GithubProvider(),
+  [DynamicSecretProviders.Couchbase]: CouchbaseProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -505,6 +505,91 @@ export const DynamicSecretGithubSchema = z.object({
     .describe("The private key generated for your GitHub App.")
 });
 
+export const DynamicSecretCouchbaseSchema = z.object({
+  url: z.string().url().trim().min(1).describe("Couchbase Cloud API URL"),
+  orgId: z.string().trim().min(1).describe("Organization ID"),
+  projectId: z.string().trim().min(1).describe("Project ID"),
+  clusterId: z.string().trim().min(1).describe("Cluster ID"),
+  roles: z.array(z.string().trim().min(1)).min(1).describe("Roles to assign to the user"),
+  buckets: z
+    .union([
+      z
+        .string()
+        .trim()
+        .min(1)
+        .default("*")
+        .refine((val) => {
+          if (val.includes(",")) {
+            const buckets = val
+              .split(",")
+              .map((b) => b.trim())
+              .filter((b) => b.length > 0);
+            if (buckets.includes("*") && buckets.length > 1) {
+              return false;
+            }
+          }
+          return true;
+        }, "Cannot combine '*' with other bucket names"),
+      z
+        .array(
+          z.object({
+            name: z.string().trim().min(1).describe("Bucket name"),
+            scopes: z
+              .array(
+                z.object({
+                  name: z.string().trim().min(1).describe("Scope name"),
+                  collections: z.array(z.string().trim().min(1)).optional().describe("Collection names")
+                })
+              )
+              .optional()
+              .describe("Scopes within the bucket")
+          })
+        )
+        .refine((buckets) => {
+          const hasWildcard = buckets.some((bucket) => bucket.name === "*");
+          if (hasWildcard && buckets.length > 1) {
+            return false;
+          }
+          return true;
+        }, "Cannot combine '*' bucket with other buckets")
+    ])
+    .default("*")
+    .describe(
+      "Bucket configuration: '*' for all buckets, scopes, and collections or array of bucket objects with specific scopes and collections"
+    ),
+  passwordRequirements: z
+    .object({
+      length: z.number().min(8, "Password must be at least 8 characters").max(128),
+      required: z
+        .object({
+          lowercase: z.number().min(1, "At least 1 lowercase character required"),
+          uppercase: z.number().min(1, "At least 1 uppercase character required"),
+          digits: z.number().min(1, "At least 1 digit required"),
+          symbols: z.number().min(1, "At least 1 special character required")
+        })
+        .refine((data) => {
+          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
+          return total <= 128;
+        }, "Sum of required characters cannot exceed 128"),
+      allowedSymbols: z
+        .string()
+        .refine((symbols) => {
+          const forbiddenChars = ["<", ">", ";", ".", "*", "&", "|", "£"];
+          return !forbiddenChars.some((char) => symbols?.includes(char));
+        }, "Cannot contain: < > ; . * & | £")
+        .optional()
+    })
+    .refine((data) => {
+      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
+      return total <= data.length;
+    }, "Sum of required characters cannot exceed the total length")
+    .optional()
+    .describe("Password generation requirements for Couchbase"),
+  auth: z.object({
+    apiKey: z.string().trim().min(1).describe("Couchbase Cloud API Key")
+  })
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -524,7 +609,8 @@ export enum DynamicSecretProviders {
   Kubernetes = "kubernetes",
   Vertica = "vertica",
   GcpIam = "gcp-iam",
-  Github = "github"
+  Github = "github",
+  Couchbase = "couchbase"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -546,7 +632,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Couchbase), inputs: DynamicSecretCouchbaseSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/event/event-bus-service.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 
 import { logger } from "@app/lib/logger";
 
-import { EventSchema, TopicName } from "./types";
+import { BusEventSchema, TopicName } from "./types";
 
 export const eventBusFactory = (redis: Redis) => {
   const publisher = redis.duplicate();
@@ -28,7 +28,7 @@ export const eventBusFactory = (redis: Redis) => {
    * @param topic - The topic to publish the event to.
    * @param event - The event data to publish.
    */
-  const publish = async <T extends z.input<typeof EventSchema>>(topic: TopicName, event: T) => {
+  const publish = async <T extends z.input<typeof BusEventSchema>>(topic: TopicName, event: T) => {
     const json = JSON.stringify(event);
 
     return publisher.publish(topic, json, (err) => {
@@ -44,7 +44,7 @@ export const eventBusFactory = (redis: Redis) => {
    * @template T - The type of the event data, which should match the schema defined in EventSchema.
    * @returns A function that can be called to unsubscribe from the event bus.
    */
-  const subscribe = <T extends z.infer<typeof EventSchema>>(fn: (data: T) => Promise<void> | void) => {
+  const subscribe = <T extends z.infer<typeof BusEventSchema>>(fn: (data: T) => Promise<void> | void) => {
     // Not using async await cause redis client's `on` method does not expect async listeners.
     const listener = (channel: string, message: string) => {
       try {

backend/src/ee/services/event/event-sse-service.ts

@@ -7,7 +7,7 @@ import { logger } from "@app/lib/logger";
 
 import { TEventBusService } from "./event-bus-service";
 import { createEventStreamClient, EventStreamClient, IEventStreamClientOpts } from "./event-sse-stream";
-import { EventData, RegisteredEvent, toBusEventName } from "./types";
+import { BusEvent, RegisteredEvent } from "./types";
 
 const AUTH_REFRESH_INTERVAL = 60 * 1000;
 const HEART_BEAT_INTERVAL = 15 * 1000;
@@ -69,8 +69,8 @@ export const sseServiceFactory = (bus: TEventBusService, redis: Redis) => {
     }
   };
 
-  function filterEventsForClient(client: EventStreamClient, event: EventData, registered: RegisteredEvent[]) {
-    const eventType = toBusEventName(event.data.eventType);
+  function filterEventsForClient(client: EventStreamClient, event: BusEvent, registered: RegisteredEvent[]) {
+    const eventType = event.data.event;
     const match = registered.find((r) => r.event === eventType);
     if (!match) return;
 

backend/src/ee/services/event/event-sse-stream.ts

@@ -12,7 +12,7 @@ import { KeyStorePrefixes } from "@app/keystore/keystore";
 import { conditionsMatcher } from "@app/lib/casl";
 import { logger } from "@app/lib/logger";
 
-import { EventData, RegisteredEvent } from "./types";
+import { BusEvent, RegisteredEvent } from "./types";
 
 export const getServerSentEventsHeaders = () =>
   ({
@@ -55,7 +55,7 @@ export type EventStreamClient = {
   id: string;
   stream: Readable;
   open: () => Promise<void>;
-  send: (data: EventMessage | EventData) => void;
+  send: (data: EventMessage | BusEvent) => void;
   ping: () => Promise<void>;
   refresh: () => Promise<void>;
   close: () => void;
@@ -73,15 +73,12 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien
     return {
       subject: options.type,
       action: "subscribe",
-      conditions: {
-        eventType: r.event,
-        ...(hasConditions
-          ? {
-              environment: r.conditions?.environmentSlug ?? "",
-              secretPath: { $glob: secretPath }
-            }
-          : {})
-      }
+      conditions: hasConditions
+        ? {
+            environment: r.conditions?.environmentSlug ?? "",
+            secretPath: { $glob: secretPath }
+          }
+        : undefined
     };
   });
 
@@ -98,7 +95,7 @@ export function createEventStreamClient(redis: Redis, options: IEventStreamClien
   // We will manually push data to the stream
   stream._read = () => {};
 
-  const send = (data: EventMessage | EventData) => {
+  const send = (data: EventMessage | BusEvent) => {
     const chunk = serializeSseEvent(data);
     if (!stream.push(chunk)) {
       logger.debug("Backpressure detected: dropped manual event");

backend/src/ee/services/event/types.ts

@@ -1,7 +1,8 @@
 import { z } from "zod";
 
 import { ProjectType } from "@app/db/schemas";
-import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
+
+import { ProjectPermissionSecretEventActions } from "../permission/project-permission";
 
 export enum TopicName {
   CoreServers = "infisical::core-servers"
@@ -10,84 +11,44 @@ export enum TopicName {
 export enum BusEventName {
   CreateSecret = "secret:create",
   UpdateSecret = "secret:update",
-  DeleteSecret = "secret:delete"
+  DeleteSecret = "secret:delete",
+  ImportMutation = "secret:import-mutation"
 }
 
-type PublisableEventTypes =
-  | EventType.CREATE_SECRET
-  | EventType.CREATE_SECRETS
-  | EventType.DELETE_SECRET
-  | EventType.DELETE_SECRETS
-  | EventType.UPDATE_SECRETS
-  | EventType.UPDATE_SECRET;
-
-export function toBusEventName(input: EventType) {
-  switch (input) {
-    case EventType.CREATE_SECRET:
-    case EventType.CREATE_SECRETS:
-      return BusEventName.CreateSecret;
-    case EventType.UPDATE_SECRET:
-    case EventType.UPDATE_SECRETS:
-      return BusEventName.UpdateSecret;
-    case EventType.DELETE_SECRET:
-    case EventType.DELETE_SECRETS:
-      return BusEventName.DeleteSecret;
-    default:
-      return null;
-  }
-}
-
-const isBulkEvent = (event: Event): event is Extract<Event, { metadata: { secrets: Array<unknown> } }> => {
-  return event.type.endsWith("-secrets"); // Feels so wrong
-};
-
-export const toPublishableEvent = (event: Event) => {
-  const name = toBusEventName(event.type);
-
-  if (!name) return null;
-
-  const e = event as Extract<Event, { type: PublisableEventTypes }>;
-
-  if (isBulkEvent(e)) {
-    return {
-      name,
-      isBulk: true,
-      data: {
-        eventType: e.type,
-        payload: e.metadata.secrets.map((s) => ({
-          environment: e.metadata.environment,
-          secretPath: e.metadata.secretPath,
-          ...s
-        }))
-      }
-    } as const;
-  }
-
-  return {
-    name,
-    isBulk: false,
-    data: {
-      eventType: e.type,
-      payload: {
-        ...e.metadata,
-        environment: e.metadata.environment
-      }
+export const Mappings = {
+  BusEventToAction(input: BusEventName) {
+    switch (input) {
+      case BusEventName.CreateSecret:
+        return ProjectPermissionSecretEventActions.SubscribeCreated;
+      case BusEventName.DeleteSecret:
+        return ProjectPermissionSecretEventActions.SubscribeDeleted;
+      case BusEventName.ImportMutation:
+        return ProjectPermissionSecretEventActions.SubscribeImportMutations;
+      case BusEventName.UpdateSecret:
+        return ProjectPermissionSecretEventActions.SubscribeUpdated;
+      default:
+        throw new Error("Unknown bus event name");
     }
-  } as const;
+  }
 };
 
 export const EventName = z.nativeEnum(BusEventName);
 
 const EventSecretPayload = z.object({
-  secretPath: z.string().optional(),
   secretId: z.string(),
+  secretPath: z.string().optional(),
   secretKey: z.string(),
   environment: z.string()
 });
 
+const EventImportMutationPayload = z.object({
+  secretPath: z.string(),
+  environment: z.string()
+});
+
 export type EventSecret = z.infer<typeof EventSecretPayload>;
 
-export const EventSchema = z.object({
+export const BusEventSchema = z.object({
   datacontenttype: z.literal("application/json").optional().default("application/json"),
   type: z.nativeEnum(ProjectType),
   source: z.string(),
@@ -95,25 +56,38 @@ export const EventSchema = z.object({
     .string()
     .optional()
     .default(() => new Date().toISOString()),
-  data: z.discriminatedUnion("eventType", [
+  data: z.discriminatedUnion("event", [
     z.object({
       specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRET, EventType.UPDATE_SECRET, EventType.DELETE_SECRET]),
-      payload: EventSecretPayload
+      event: z.enum([BusEventName.CreateSecret, BusEventName.DeleteSecret, BusEventName.UpdateSecret]),
+      payload: z.union([EventSecretPayload, EventSecretPayload.array()])
     }),
     z.object({
       specversion: z.number().optional().default(1),
-      eventType: z.enum([EventType.CREATE_SECRETS, EventType.UPDATE_SECRETS, EventType.DELETE_SECRETS]),
-      payload: EventSecretPayload.array()
+      event: z.enum([BusEventName.ImportMutation]),
+      payload: z.union([EventImportMutationPayload, EventImportMutationPayload.array()])
     })
     // Add more event types as needed
   ])
 });
 
-export type EventData = z.infer<typeof EventSchema>;
+export type BusEvent = z.infer<typeof BusEventSchema>;
+
+type PublishableEventPayload = z.input<typeof BusEventSchema>["data"];
+type PublishableSecretEvent = Extract<
+  PublishableEventPayload,
+  { event: Exclude<BusEventName, BusEventName.ImportMutation> }
+>["payload"];
+
+export type PublishableEvent = {
+  created?: PublishableSecretEvent;
+  updated?: PublishableSecretEvent;
+  deleted?: PublishableSecretEvent;
+  importMutation?: Extract<PublishableEventPayload, { event: BusEventName.ImportMutation }>["payload"];
+};
 
 export const EventRegisterSchema = z.object({
-  event: EventName,
+  event: z.nativeEnum(BusEventName),
   conditions: z
     .object({
       secretPath: z.string().optional().default("/"),

backend/src/ee/services/license/__mocks__/license-fns.ts

@@ -31,7 +31,7 @@ export const getDefaultOnPremFeatures = () => {
     caCrl: false,
     sshHostGroups: false,
     enterpriseSecretSyncs: false,
-    enterpriseAppConnections: false,
+    enterpriseAppConnections: true,
     machineIdentityAuthTemplates: false
   };
 };

backend/src/ee/services/permission/default-roles.ts

@@ -161,8 +161,7 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
       ProjectPermissionSecretActions.Edit,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
     ],
     ProjectPermissionSub.Secrets
   );
@@ -266,8 +265,7 @@ const buildMemberPermissionRules = () => {
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
       ProjectPermissionSecretActions.Create,
-      ProjectPermissionSecretActions.Delete,
-      ProjectPermissionSecretActions.Subscribe
+      ProjectPermissionSecretActions.Delete
     ],
     ProjectPermissionSub.Secrets
   );

backend/src/ee/services/permission/project-permission.ts

@@ -36,8 +36,7 @@ export enum ProjectPermissionSecretActions {
   ReadValue = "readValue",
   Create = "create",
   Edit = "edit",
-  Delete = "delete",
-  Subscribe = "subscribe"
+  Delete = "delete"
 }
 
 export enum ProjectPermissionCmekActions {
@@ -158,6 +157,13 @@ export enum ProjectPermissionSecretScanningConfigActions {
   Update = "update-configs"
 }
 
+export enum ProjectPermissionSecretEventActions {
+  SubscribeCreated = "subscribe-on-created",
+  SubscribeUpdated = "subscribe-on-updated",
+  SubscribeDeleted = "subscribe-on-deleted",
+  SubscribeImportMutations = "subscribe-on-import-mutations"
+}
+
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -197,7 +203,8 @@ export enum ProjectPermissionSub {
   Kmip = "kmip",
   SecretScanningDataSources = "secret-scanning-data-sources",
   SecretScanningFindings = "secret-scanning-findings",
-  SecretScanningConfigs = "secret-scanning-configs"
+  SecretScanningConfigs = "secret-scanning-configs",
+  SecretEvents = "secret-events"
 }
 
 export type SecretSubjectFields = {
@@ -205,7 +212,13 @@ export type SecretSubjectFields = {
   secretPath: string;
   secretName?: string;
   secretTags?: string[];
-  eventType?: string;
+};
+
+export type SecretEventSubjectFields = {
+  environment: string;
+  secretPath: string;
+  secretName?: string;
+  secretTags?: string[];
 };
 
 export type SecretFolderSubjectFields = {
@@ -344,7 +357,11 @@ export type ProjectPermissionSet =
   | [ProjectPermissionCommitsActions, ProjectPermissionSub.Commits]
   | [ProjectPermissionSecretScanningDataSourceActions, ProjectPermissionSub.SecretScanningDataSources]
   | [ProjectPermissionSecretScanningFindingActions, ProjectPermissionSub.SecretScanningFindings]
-  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs];
+  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs]
+  | [
+      ProjectPermissionSecretEventActions,
+      ProjectPermissionSub.SecretEvents | (ForcedSubject<ProjectPermissionSub.SecretEvents> & SecretEventSubjectFields)
+    ];
 
 const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
 const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
@@ -877,7 +894,16 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
       "When specified, only matching conditions will be allowed to access given resource."
     ).optional()
   }),
-
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretEvents).describe("The entity this permission pertains to."),
+    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretEventActions).describe(
+      "Describe what action an entity can take."
+    ),
+    conditions: SecretSyncConditionV2Schema.describe(
+      "When specified, only matching conditions will be allowed to access given resource."
+    ).optional()
+  }),
   ...GeneralPermissionSchema
 ]);
 

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -952,13 +952,39 @@ export const secretApprovalRequestServiceFactory = ({
     if (!folder) {
       throw new NotFoundError({ message: `Folder with ID '${folderId}' not found in project with ID '${projectId}'` });
     }
+
+    const { secrets } = mergeStatus;
+
     await secretQueueService.syncSecrets({
       projectId,
       orgId: actorOrgId,
       secretPath: folder.path,
       environmentSlug: folder.environmentSlug,
       actorId,
-      actor
+      actor,
+      event: {
+        created: secrets.created.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        })),
+        updated: secrets.updated.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        })),
+        deleted: secrets.deleted.map((el) => ({
+          environment: folder.environmentSlug,
+          secretPath: folder.path,
+          secretId: el.id,
+          // @ts-expect-error - not present on V1 secrets
+          secretKey: el.key as string
+        }))
+      }
     });
 
     if (isSoftEnforcement) {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -2,6 +2,7 @@ import { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
@@ -13,9 +14,11 @@ import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
 import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
+import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
-import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
+import { TSecretRotationV2ServiceFactory, TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
 import {
+  TSecretRotationRotateSecretsJobPayload,
   TSecretRotationV2,
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2ListItem,
@@ -74,6 +77,10 @@ export const getNextUtcRotationInterval = (rotateAtUtc?: TSecretRotationV2["rota
   const appCfg = getConfig();
 
   if (appCfg.isRotationDevelopmentMode) {
+    if (appCfg.isTestMode) {
+      // if its test mode, it should always rotate
+      return new Date(Date.now() + 365 * 24 * 60 * 60 * 1000); // Current time + 1 year
+    }
     return getNextUTCMinuteInterval(rotateAtUtc);
   }
 
@@ -263,3 +270,51 @@ export const throwOnImmutableParameterUpdate = (
     // do nothing
   }
 };
+
+export const rotateSecretsFns = async ({
+  job,
+  secretRotationV2DAL,
+  secretRotationV2Service
+}: {
+  job: {
+    data: TSecretRotationRotateSecretsJobPayload;
+    id: string;
+    retryCount: number;
+    retryLimit: number;
+  };
+  secretRotationV2DAL: Pick<TSecretRotationV2DALFactory, "findById">;
+  secretRotationV2Service: Pick<TSecretRotationV2ServiceFactory, "rotateGeneratedCredentials">;
+}) => {
+  const { rotationId, queuedAt, isManualRotation } = job.data;
+  const { retryCount, retryLimit } = job;
+
+  const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
+
+  try {
+    const secretRotation = await secretRotationV2DAL.findById(rotationId);
+
+    if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
+
+    if (!secretRotation.isAutoRotationEnabled) {
+      logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
+    }
+
+    if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
+      // rotated since being queued, skip rotation
+      logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
+      return;
+    }
+
+    await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
+      jobId: job.id,
+      shouldSendNotification: true,
+      isFinalAttempt: retryCount === retryLimit,
+      isManualRotation
+    });
+
+    logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
+  } catch (error) {
+    logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
+    throw error;
+  }
+};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts

@@ -1,9 +1,12 @@
+import { v4 as uuidv4 } from "uuid";
+
 import { ProjectMembershipRole } from "@app/db/schemas";
 import { TSecretRotationV2DALFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-dal";
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
   getNextUtcRotationInterval,
-  getSecretRotationRotateSecretJobOptions
+  getSecretRotationRotateSecretJobOptions,
+  rotateSecretsFns
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-fns";
 import { SECRET_ROTATION_NAME_MAP } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
@@ -63,14 +66,34 @@ export const secretRotationV2QueueServiceFactory = async ({
               rotation.lastRotatedAt
             ).toISOString()}] [rotateAt=${new Date(rotation.nextRotationAt!).toISOString()}]`
           );
-          await queueService.queuePg(
-            QueueJobs.SecretRotationV2RotateSecrets,
-            {
-              rotationId: rotation.id,
-              queuedAt: currentTime
-            },
-            getSecretRotationRotateSecretJobOptions(rotation)
-          );
+
+          const data = {
+            rotationId: rotation.id,
+            queuedAt: currentTime
+          } as TSecretRotationRotateSecretsJobPayload;
+
+          if (appCfg.isTestMode) {
+            logger.warn("secretRotationV2Queue: Manually rotating secrets for test mode");
+            await rotateSecretsFns({
+              job: {
+                id: uuidv4(),
+                data,
+                retryCount: 0,
+                retryLimit: 0
+              },
+              secretRotationV2DAL,
+              secretRotationV2Service
+            });
+          } else {
+            await queueService.queuePg(
+              QueueJobs.SecretRotationV2RotateSecrets,
+              {
+                rotationId: rotation.id,
+                queuedAt: currentTime
+              },
+              getSecretRotationRotateSecretJobOptions(rotation)
+            );
+          }
         }
       } catch (error) {
         logger.error(error, "secretRotationV2Queue: Queue Rotations Error:");
@@ -87,38 +110,14 @@ export const secretRotationV2QueueServiceFactory = async ({
   await queueService.startPg<QueueName.SecretRotationV2>(
     QueueJobs.SecretRotationV2RotateSecrets,
     async ([job]) => {
-      const { rotationId, queuedAt, isManualRotation } = job.data as TSecretRotationRotateSecretsJobPayload;
-      const { retryCount, retryLimit } = job;
-
-      const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
-
-      try {
-        const secretRotation = await secretRotationV2DAL.findById(rotationId);
-
-        if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
-
-        if (!secretRotation.isAutoRotationEnabled) {
-          logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
-        }
-
-        if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
-          // rotated since being queued, skip rotation
-          logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
-          return;
-        }
-
-        await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
-          jobId: job.id,
-          shouldSendNotification: true,
-          isFinalAttempt: retryCount === retryLimit,
-          isManualRotation
-        });
-
-        logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
-      } catch (error) {
-        logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
-        throw error;
-      }
+      await rotateSecretsFns({
+        job: {
+          ...job,
+          data: job.data as TSecretRotationRotateSecretsJobPayload
+        },
+        secretRotationV2DAL,
+        secretRotationV2Service
+      });
     },
     {
       batchSize: 1,

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-fns.ts

@@ -58,9 +58,9 @@ export function scanDirectory(inputPath: string, outputPath: string, configPath?
   });
 }
 
-export function scanFile(inputPath: string): Promise<void> {
+export function scanFile(inputPath: string, configPath?: string): Promise<void> {
   return new Promise((resolve, reject) => {
-    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git`;
+    const command = `infisical scan --exit-code=77 --source "${inputPath}" --no-git ${configPath ? `-c ${configPath}` : ""}`;
     exec(command, (error) => {
       if (error && error.code === 77) {
         reject(error);
@@ -166,6 +166,20 @@ export const parseScanErrorMessage = (err: unknown): string => {
     : `${errorMessage.substring(0, MAX_MESSAGE_LENGTH - 3)}...`;
 };
 
+const generateSecretValuePolicyConfiguration = (entropy: number): string => `
+# Extend default configuration to preserve existing rules
+[extend]
+useDefault = true
+
+# Add custom high-entropy rule
+[[rules]]
+id = "high-entropy"
+description = "Will scan for high entropy secrets"
+regex = '''.*'''
+entropy = ${entropy}
+keywords = []
+`;
+
 export const scanSecretPolicyViolations = async (
   projectId: string,
   secretPath: string,
@@ -188,14 +202,25 @@ export const scanSecretPolicyViolations = async (
 
   const tempFolder = await createTempFolder();
   try {
+    const configPath = join(tempFolder, "infisical-scan.toml");
+
+    const secretPolicyConfiguration = generateSecretValuePolicyConfiguration(
+      appCfg.PARAMS_FOLDER_SECRET_DETECTION_ENTROPY
+    );
+
+    await writeTextToFile(configPath, secretPolicyConfiguration);
+
     const scanPromises = secrets
       .filter((secret) => !ignoreValues.includes(secret.secretValue))
       .map(async (secret) => {
-        const secretFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
-        await writeTextToFile(secretFilePath, `${secret.secretKey}=${secret.secretValue}`);
+        const secretKeyValueFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        const secretValueOnlyFilePath = join(tempFolder, `${crypto.nativeCrypto.randomUUID()}.txt`);
+        await writeTextToFile(secretKeyValueFilePath, `${secret.secretKey}=${secret.secretValue}`);
+        await writeTextToFile(secretValueOnlyFilePath, secret.secretValue);
 
         try {
-          await scanFile(secretFilePath);
+          await scanFile(secretKeyValueFilePath);
+          await scanFile(secretValueOnlyFilePath, configPath);
         } catch (error) {
           throw new BadRequestError({
             message: `Secret value detected in ${secret.secretKey}. Please add this instead to the designated secrets path in the project.`,

backend/src/lib/config/env.ts

@@ -79,6 +79,7 @@ const envSchema = z
     QUEUE_WORKER_PROFILE: z.nativeEnum(QueueWorkerProfile).default(QueueWorkerProfile.All),
     HTTPS_ENABLED: zodStrBool,
     ROTATION_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
+    DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
     // smtp options
     SMTP_HOST: zpStr(z.string().optional()),
     SMTP_IGNORE_TLS: zodStrBool.default("false"),
@@ -215,6 +216,7 @@ const envSchema = z
           return JSON.parse(val) as { secretPath: string; projectId: string }[];
         })
     ),
+    PARAMS_FOLDER_SECRET_DETECTION_ENTROPY: z.coerce.number().optional().default(3.7),
 
     // HSM
     HSM_LIB_PATH: zpStr(z.string().optional()),
@@ -346,7 +348,11 @@ const envSchema = z
     isSmtpConfigured: Boolean(data.SMTP_HOST),
     isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
     isDevelopmentMode: data.NODE_ENV === "development",
-    isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
+    isTestMode: data.NODE_ENV === "test",
+    isRotationDevelopmentMode:
+      (data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE) || data.NODE_ENV === "test",
+    isDailyResourceCleanUpDevelopmentMode:
+      data.NODE_ENV === "development" && data.DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE,
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
     isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
     REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()

backend/src/lib/workflow-integrations/trigger-notification.ts

@@ -20,7 +20,10 @@ export const triggerWorkflowIntegrationNotification = async (dto: TTriggerWorkfl
     const slackConfig = await projectSlackConfigDAL.getIntegrationDetailsByProject(projectId);
 
     if (slackConfig) {
-      if (notification.type === TriggerFeature.ACCESS_REQUEST) {
+      if (
+        notification.type === TriggerFeature.ACCESS_REQUEST ||
+        notification.type === TriggerFeature.ACCESS_REQUEST_UPDATED
+      ) {
         const targetChannelIds = slackConfig.accessRequestChannels?.split(", ") || [];
         if (targetChannelIds.length && slackConfig.isAccessRequestNotificationEnabled) {
           await sendSlackNotification({
@@ -50,7 +53,10 @@ export const triggerWorkflowIntegrationNotification = async (dto: TTriggerWorkfl
     }
 
     if (microsoftTeamsConfig) {
-      if (notification.type === TriggerFeature.ACCESS_REQUEST) {
+      if (
+        notification.type === TriggerFeature.ACCESS_REQUEST ||
+        notification.type === TriggerFeature.ACCESS_REQUEST_UPDATED
+      ) {
         if (microsoftTeamsConfig.isAccessRequestNotificationEnabled && microsoftTeamsConfig.accessRequestChannels) {
           const { success, data } = validateMicrosoftTeamsChannelsSchema.safeParse(
             microsoftTeamsConfig.accessRequestChannels

backend/src/lib/workflow-integrations/types.ts

@@ -6,7 +6,8 @@ import { TProjectSlackConfigDALFactory } from "@app/services/slack/project-slack
 
 export enum TriggerFeature {
   SECRET_APPROVAL = "secret-approval",
-  ACCESS_REQUEST = "access-request"
+  ACCESS_REQUEST = "access-request",
+  ACCESS_REQUEST_UPDATED = "access-request-updated"
 }
 
 export type TNotification =
@@ -34,6 +35,22 @@ export type TNotification =
         approvalUrl: string;
         note?: string;
       };
+    }
+  | {
+      type: TriggerFeature.ACCESS_REQUEST_UPDATED;
+      payload: {
+        requesterFullName: string;
+        requesterEmail: string;
+        isTemporary: boolean;
+        secretPath: string;
+        environment: string;
+        projectName: string;
+        permissions: string[];
+        approvalUrl: string;
+        editNote?: string;
+        editorFullName?: string;
+        editorEmail?: string;
+      };
     };
 
 export type TTriggerWorkflowNotificationDTO = {

backend/src/server/routes/index.ts

@@ -560,8 +560,7 @@ export const registerRoutes = async (
     queueService,
     projectDAL,
     licenseService,
-    auditLogStreamDAL,
-    eventBusService
+    auditLogStreamDAL
   });
 
   const auditLogService = auditLogServiceFactory({ auditLogDAL, permissionService, auditLogQueue });
@@ -1121,7 +1120,9 @@ export const registerRoutes = async (
     resourceMetadataDAL,
     folderCommitService,
     secretSyncQueue,
-    reminderService
+    reminderService,
+    eventBusService,
+    licenseService
   });
 
   const projectService = projectServiceFactory({
@@ -1972,7 +1973,7 @@ export const registerRoutes = async (
 
   await telemetryQueue.startTelemetryCheck();
   await telemetryQueue.startAggregatedEventsJob();
-  await dailyResourceCleanUp.startCleanUp();
+  await dailyResourceCleanUp.init();
   await dailyReminderQueueService.startDailyRemindersJob();
   await dailyReminderQueueService.startSecretReminderMigrationJob();
   await dailyExpiringPkiItemAlert.startSendingAlerts();

backend/src/server/routes/v1/admin-router.ts

@@ -583,16 +583,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         email: z.string().email().trim(),
         password: z.string().trim(),
         firstName: z.string().trim(),
-        lastName: z.string().trim().optional(),
-        protectedKey: z.string().trim(),
-        protectedKeyIV: z.string().trim(),
-        protectedKeyTag: z.string().trim(),
-        publicKey: z.string().trim(),
-        encryptedPrivateKey: z.string().trim(),
-        encryptedPrivateKeyIV: z.string().trim(),
-        encryptedPrivateKeyTag: z.string().trim(),
-        salt: z.string().trim(),
-        verifier: z.string().trim()
+        lastName: z.string().trim().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/event-router.ts

@@ -5,8 +5,8 @@ import { z } from "zod";
 
 import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { getServerSentEventsHeaders } from "@app/ee/services/event/event-sse-stream";
-import { EventRegisterSchema } from "@app/ee/services/event/types";
-import { ProjectPermissionSecretActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { EventRegisterSchema, Mappings } from "@app/ee/services/event/types";
+import { ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { ApiDocsTags, EventSubscriptions } from "@app/lib/api-docs";
 import { BadRequestError, ForbiddenRequestError, RateLimitError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -82,21 +82,19 @@ export const registerEventRouter = async (server: FastifyZodProvider) => {
             req.body.register.forEach((r) => {
               const fields = {
                 environment: r.conditions?.environmentSlug ?? "",
-                secretPath: r.conditions?.secretPath ?? "/",
-                eventType: r.event
+                secretPath: r.conditions?.secretPath ?? "/"
               };
 
-              const allowed = info.permission.can(
-                ProjectPermissionSecretActions.Subscribe,
-                subject(ProjectPermissionSub.Secrets, fields)
-              );
+              const action = Mappings.BusEventToAction(r.event);
+
+              const allowed = info.permission.can(action, subject(ProjectPermissionSub.SecretEvents, fields));
 
               if (!allowed) {
                 throw new ForbiddenRequestError({
                   name: "PermissionDenied",
-                  message: `You are not allowed to subscribe on secrets`,
+                  message: `You are not allowed to subscribe on ${ProjectPermissionSub.SecretEvents}`,
                   details: {
-                    event: fields.eventType,
+                    action,
                     environmentSlug: fields.environment,
                     secretPath: fields.secretPath
                   }

backend/src/server/routes/v1/identity-router.ts

@@ -478,4 +478,30 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       return { identityMemberships };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/details",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          identityDetails: z.object({
+            organization: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            })
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN], { requireOrg: false }),
+    handler: async (req) => {
+      const organization = await server.services.org.findIdentityOrganization(req.permission.id);
+      return { identityDetails: { organization } };
+    }
+  });
 };

backend/src/server/routes/v1/secret-folder-router.ts

@@ -45,7 +45,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .transform(removeTrailingSlash)
           .describe(FOLDERS.CREATE.path)
           .optional(),
-        // backward compatiability with cli
+        // backward compatibility with cli
         directory: z
           .string()
           .trim()
@@ -58,7 +58,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          folder: SecretFoldersSchema
+          folder: SecretFoldersSchema.extend({
+            path: z.string()
+          })
         })
       }
     },
@@ -130,7 +132,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .transform(removeTrailingSlash)
           .describe(FOLDERS.UPDATE.path)
           .optional(),
-        // backward compatiability with cli
+        // backward compatibility with cli
         directory: z
           .string()
           .trim()
@@ -143,7 +145,9 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          folder: SecretFoldersSchema
+          folder: SecretFoldersSchema.extend({
+            path: z.string()
+          })
         })
       }
     },
@@ -359,7 +363,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .transform(removeTrailingSlash)
           .describe(FOLDERS.LIST.path)
           .optional(),
-        // backward compatiability with cli
+        // backward compatibility with cli
         directory: z
           .string()
           .trim()

backend/src/server/routes/v2/project-router.ts

@@ -283,6 +283,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
+      description: "Get project details by slug",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       params: z.object({
         slug: slugSchema({ max: 36 }).describe("The slug of the project to get.")
       }),

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -142,16 +142,27 @@ export const getGitHubAppAuthToken = async (appConnection: TGitHubConnection) =>
   return token;
 };
 
+const parseGitHubLinkHeader = (linkHeader: string | undefined): Record<string, string> => {
+  if (!linkHeader) return {};
+
+  const links: Record<string, string> = {};
+  const segments = linkHeader.split(",");
+  const re = new RE2(/<([^>]+)>;\s*rel="([^"]+)"/);
+
+  for (const segment of segments) {
+    const match = re.exec(segment.trim());
+    if (match) {
+      const url = match[1];
+      const rel = match[2];
+      links[rel] = url;
+    }
+  }
+  return links;
+};
+
 function extractNextPageUrl(linkHeader: string | undefined): string | null {
-  if (!linkHeader) return null;
-
-  const links = linkHeader.split(",");
-  const nextLink = links.find((link) => link.includes('rel="next"'));
-
-  if (!nextLink) return null;
-
-  const match = new RE2(/<([^>]+)>/).exec(nextLink);
-  return match ? match[1] : null;
+  const links = parseGitHubLinkHeader(linkHeader);
+  return links.next || null;
 }
 
 export const makePaginatedGitHubRequest = async <T, R = T[]>(
@@ -164,27 +175,83 @@ export const makePaginatedGitHubRequest = async <T, R = T[]>(
 
   const token =
     method === GitHubConnectionMethod.OAuth ? credentials.accessToken : await getGitHubAppAuthToken(appConnection);
-  let url: string | null = `https://${await getGitHubInstanceApiUrl(appConnection)}${path}`;
+
+  const baseUrl = `https://${await getGitHubInstanceApiUrl(appConnection)}${path}`;
+  const initialUrlObj = new URL(baseUrl);
+  initialUrlObj.searchParams.set("per_page", "100");
+
   let results: T[] = [];
-  let i = 0;
+  const maxIterations = 1000;
 
-  while (url && i < 1000) {
-    // eslint-disable-next-line no-await-in-loop
-    const response: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
-      url,
-      method: "GET",
-      headers: {
-        Accept: "application/vnd.github+json",
-        Authorization: `Bearer ${token}`,
-        "X-GitHub-Api-Version": "2022-11-28"
-      }
-    });
+  // Make initial request to get link header
+  const firstResponse: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
+    url: initialUrlObj.toString(),
+    method: "GET",
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${token}`,
+      "X-GitHub-Api-Version": "2022-11-28"
+    }
+  });
 
-    const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
-    results = results.concat(items);
+  const firstPageItems = dataMapper ? dataMapper(firstResponse.data) : (firstResponse.data as unknown as T[]);
+  results = results.concat(firstPageItems);
 
-    url = extractNextPageUrl(response.headers.link as string | undefined);
-    i += 1;
+  const linkHeader = parseGitHubLinkHeader(firstResponse.headers.link as string | undefined);
+  const lastPageUrl = linkHeader.last;
+
+  // If there's a last page URL, get its page number and concurrently fetch every page starting from 2 to last
+  if (lastPageUrl) {
+    const lastPageParam = new URL(lastPageUrl).searchParams.get("page");
+    const totalPages = lastPageParam ? parseInt(lastPageParam, 10) : 1;
+
+    const pageRequests: Promise<AxiosResponse<R>>[] = [];
+
+    for (let pageNum = 2; pageNum <= totalPages && pageNum - 1 < maxIterations; pageNum += 1) {
+      const pageUrlObj = new URL(initialUrlObj.toString());
+      pageUrlObj.searchParams.set("page", pageNum.toString());
+
+      pageRequests.push(
+        requestWithGitHubGateway<R>(appConnection, gatewayService, {
+          url: pageUrlObj.toString(),
+          method: "GET",
+          headers: {
+            Accept: "application/vnd.github+json",
+            Authorization: `Bearer ${token}`,
+            "X-GitHub-Api-Version": "2022-11-28"
+          }
+        })
+      );
+    }
+    const responses = await Promise.all(pageRequests);
+
+    for (const response of responses) {
+      const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
+      results = results.concat(items);
+    }
+  } else {
+    // Fallback in case last link isn't present
+    let url: string | null = extractNextPageUrl(firstResponse.headers.link as string | undefined);
+    let i = 1;
+
+    while (url && i < maxIterations) {
+      // eslint-disable-next-line no-await-in-loop
+      const response: AxiosResponse<R> = await requestWithGitHubGateway<R>(appConnection, gatewayService, {
+        url,
+        method: "GET",
+        headers: {
+          Accept: "application/vnd.github+json",
+          Authorization: `Bearer ${token}`,
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      });
+
+      const items = dataMapper ? dataMapper(response.data) : (response.data as unknown as T[]);
+      results = results.concat(items);
+
+      url = extractNextPageUrl(response.headers.link as string | undefined);
+      i += 1;
+    }
   }
 
   return results;

backend/src/services/microsoft-teams/microsoft-teams-fns.ts

@@ -462,6 +462,54 @@ export const buildTeamsPayload = (notification: TNotification) => {
       };
     }
 
+    case TriggerFeature.ACCESS_REQUEST_UPDATED: {
+      const { payload } = notification;
+
+      const adaptiveCard = {
+        type: "AdaptiveCard",
+        $schema: "http://adaptivecards.io/schemas/adaptive-card.json",
+        version: "1.5",
+        body: [
+          {
+            type: "TextBlock",
+            text: "Updated access approval request pending for review",
+            weight: "Bolder",
+            size: "Large"
+          },
+          {
+            type: "TextBlock",
+            text: `${payload.editorFullName} (${payload.editorEmail}) has updated the ${
+              payload.isTemporary ? "temporary" : "permanent"
+            } access request from ${payload.requesterFullName} (${payload.requesterEmail}) to ${payload.secretPath} in the ${payload.environment} environment of ${payload.projectName}.`,
+            wrap: true
+          },
+          {
+            type: "TextBlock",
+            text: `The following permissions are requested: ${payload.permissions.join(", ")}`,
+            wrap: true
+          },
+          payload.editNote
+            ? {
+                type: "TextBlock",
+                text: `**Editor Note**: ${payload.editNote}`,
+                wrap: true
+              }
+            : null
+        ].filter(Boolean),
+        actions: [
+          {
+            type: "Action.OpenUrl",
+            title: "View request in Infisical",
+            url: payload.approvalUrl
+          }
+        ]
+      };
+
+      return {
+        adaptiveCard
+      };
+    }
+
     default: {
       throw new BadRequestError({
         message: "Teams notification type not supported."

backend/src/services/org/org-dal.ts

@@ -630,6 +630,25 @@ export const orgDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findIdentityOrganization = async (
+    identityId: string
+  ): Promise<{ id: string; name: string; slug: string; role: string }> => {
+    try {
+      const org = await db
+        .replicaNode()(TableName.IdentityOrgMembership)
+        .where({ identityId })
+        .join(TableName.Organization, `${TableName.IdentityOrgMembership}.orgId`, `${TableName.Organization}.id`)
+        .select(db.ref("id").withSchema(TableName.Organization).as("id"))
+        .select(db.ref("name").withSchema(TableName.Organization).as("name"))
+        .select(db.ref("slug").withSchema(TableName.Organization).as("slug"))
+        .select(db.ref("role").withSchema(TableName.IdentityOrgMembership).as("role"));
+
+      return org?.[0];
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find identity organization" });
+    }
+  };
+
   return withTransaction(db, {
     ...orgOrm,
     findOrgByProjectId,
@@ -652,6 +671,7 @@ export const orgDALFactory = (db: TDbClient) => {
     updateMembershipById,
     deleteMembershipById,
     deleteMembershipsById,
-    updateMembership
+    updateMembership,
+    findIdentityOrganization
   });
 };

backend/src/services/org/org-service.ts

@@ -198,6 +198,15 @@ export const orgServiceFactory = ({
     // Filter out orgs where the membership object is an invitation
     return orgs.filter((org) => org.userStatus !== "invited");
   };
+
+  /*
+   * Get all organization an identity is part of
+   * */
+  const findIdentityOrganization = async (identityId: string) => {
+    const org = await orgDAL.findIdentityOrganization(identityId);
+
+    return org;
+  };
   /*
    * Get all workspace members
    * */
@@ -1403,6 +1412,7 @@ export const orgServiceFactory = ({
     findOrganizationById,
     findAllOrgMembers,
     findAllOrganizationOfUser,
+    findIdentityOrganization,
     inviteUserToOrganization,
     verifyUserToOrg,
     updateOrg,

backend/src/services/project-env/project-env-service.ts

@@ -177,6 +177,18 @@ export const projectEnvServiceFactory = ({
         }
       }
 
+      const envs = await projectEnvDAL.find({ projectId });
+      const project = await projectDAL.findById(projectId);
+      const plan = await licenseService.getPlan(project.orgId);
+      if (plan.environmentLimit !== null && envs.length > plan.environmentLimit) {
+        // case: limit imposed on number of environments allowed
+        // case: number of environments used exceeds the number of environments allowed
+        throw new BadRequestError({
+          message:
+            "Failed to update environment due to environment limit exceeded. To update an environment, please upgrade your plan or remove unused environments."
+        });
+      }
+
       const env = await projectEnvDAL.transaction(async (tx) => {
         if (position) {
           const existingEnvWithPosition = await projectEnvDAL.findOne({ projectId, position }, tx);

backend/src/services/resource-cleanup/resource-cleanup-queue.ts

@@ -1,5 +1,6 @@
 import { TAuditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { TSnapshotDALFactory } from "@app/ee/services/secret-snapshot/snapshot-dal";
+import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 
@@ -41,32 +42,19 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
   serviceTokenService,
   orgService
 }: TDailyResourceCleanUpQueueServiceFactoryDep) => {
-  queueService.start(QueueName.DailyResourceCleanUp, async () => {
-    logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
-    await identityAccessTokenDAL.removeExpiredTokens();
-    await identityUniversalAuthClientSecretDAL.removeExpiredClientSecrets();
-    await secretSharingDAL.pruneExpiredSharedSecrets();
-    await secretSharingDAL.pruneExpiredSecretRequests();
-    await snapshotDAL.pruneExcessSnapshots();
-    await secretVersionDAL.pruneExcessVersions();
-    await secretVersionV2DAL.pruneExcessVersions();
-    await secretFolderVersionDAL.pruneExcessVersions();
-    await serviceTokenService.notifyExpiringTokens();
-    await orgService.notifyInvitedUsers();
-    await auditLogDAL.pruneAuditLog();
-    logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
-  });
+  const appCfg = getConfig();
 
-  // we do a repeat cron job in utc timezone at 12 Midnight each day
-  const startCleanUp = async () => {
-    // TODO(akhilmhdh): remove later
+  if (appCfg.isDailyResourceCleanUpDevelopmentMode) {
+    logger.warn("Daily Resource Clean Up is in development mode.");
+  }
+
+  const init = async () => {
     await queueService.stopRepeatableJob(
       QueueName.AuditLogPrune,
       QueueJobs.AuditLogPrune,
       { pattern: "0 0 * * *", utc: true },
       QueueName.AuditLogPrune // just a job id
     );
-    // clear previous job
     await queueService.stopRepeatableJob(
       QueueName.DailyResourceCleanUp,
       QueueJobs.DailyResourceCleanUp,
@@ -74,18 +62,43 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
       QueueName.DailyResourceCleanUp // just a job id
     );
 
-    await queueService.queue(QueueName.DailyResourceCleanUp, QueueJobs.DailyResourceCleanUp, undefined, {
-      delay: 5000,
-      jobId: QueueName.DailyResourceCleanUp,
-      repeat: { pattern: "0 0 * * *", utc: true }
-    });
+    await queueService.startPg<QueueName.DailyResourceCleanUp>(
+      QueueJobs.DailyResourceCleanUp,
+      async () => {
+        try {
+          logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
+          await identityAccessTokenDAL.removeExpiredTokens();
+          await identityUniversalAuthClientSecretDAL.removeExpiredClientSecrets();
+          await secretSharingDAL.pruneExpiredSharedSecrets();
+          await secretSharingDAL.pruneExpiredSecretRequests();
+          await snapshotDAL.pruneExcessSnapshots();
+          await secretVersionDAL.pruneExcessVersions();
+          await secretVersionV2DAL.pruneExcessVersions();
+          await secretFolderVersionDAL.pruneExcessVersions();
+          await serviceTokenService.notifyExpiringTokens();
+          await orgService.notifyInvitedUsers();
+          await auditLogDAL.pruneAuditLog();
+          logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
+        } catch (error) {
+          logger.error(error, `${QueueName.DailyResourceCleanUp}: resource cleanup failed`);
+          throw error;
+        }
+      },
+      {
+        batchSize: 1,
+        workerCount: 1,
+        pollingIntervalSeconds: 1
+      }
+    );
+    await queueService.schedulePg(
+      QueueJobs.DailyResourceCleanUp,
+      appCfg.isDailyResourceCleanUpDevelopmentMode ? "*/5 * * * *" : "0 0 * * *",
+      undefined,
+      { tz: "UTC" }
+    );
   };
 
-  queueService.listen(QueueName.DailyResourceCleanUp, "failed", (_, err) => {
-    logger.error(err, `${QueueName.DailyResourceCleanUp}: resource cleanup failed`);
-  });
-
   return {
-    startCleanUp
+    init
   };
 };

backend/src/services/secret-folder/secret-folder-service.ts

@@ -238,8 +238,16 @@ export const secretFolderServiceFactory = ({
       return doc;
     });
 
+    const [folderWithFullPath] = await folderDAL.findSecretPathByFolderIds(projectId, [folder.id]);
+
+    if (!folderWithFullPath) {
+      throw new NotFoundError({
+        message: `Failed to retrieve path for folder with ID '${folder.id}'`
+      });
+    }
+
     await snapshotService.performSnapshot(folder.parentId as string);
-    return folder;
+    return { ...folder, path: folderWithFullPath.path };
   };
 
   const updateManyFolders = async ({
@@ -496,8 +504,27 @@ export const secretFolderServiceFactory = ({
       return doc;
     });
 
+    const foldersWithFullPaths = await folderDAL.findSecretPathByFolderIds(projectId, [newFolder.id, folder.id]);
+
+    const newFolderWithFullPath = foldersWithFullPaths.find((f) => f?.id === newFolder.id);
+    if (!newFolderWithFullPath) {
+      throw new NotFoundError({
+        message: `Failed to retrieve path for folder with ID '${newFolder.id}'`
+      });
+    }
+
+    const folderWithFullPath = foldersWithFullPaths.find((f) => f?.id === folder.id);
+    if (!folderWithFullPath) {
+      throw new NotFoundError({
+        message: `Failed to retrieve path for folder with ID '${folder.id}'`
+      });
+    }
+
     await snapshotService.performSnapshot(newFolder.parentId as string);
-    return { folder: newFolder, old: folder };
+    return {
+      folder: { ...newFolder, path: newFolderWithFullPath.path },
+      old: { ...folder, path: folderWithFullPath.path }
+    };
   };
 
   const $checkFolderPolicy = async ({

backend/src/services/secret-import/secret-import-service.ts

@@ -181,7 +181,13 @@ export const secretImportServiceFactory = ({
         projectId,
         environmentSlug: environment,
         actorId,
-        actor
+        actor,
+        event: {
+          importMutation: {
+            secretPath,
+            environment
+          }
+        }
       });
     }
 
@@ -356,7 +362,13 @@ export const secretImportServiceFactory = ({
       projectId,
       environmentSlug: environment,
       actor,
-      actorId
+      actorId,
+      event: {
+        importMutation: {
+          secretPath,
+          environment
+        }
+      }
     });
 
     await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -1,4 +1,5 @@
 import AWS, { AWSError } from "aws-sdk";
+import handlebars from "handlebars";
 
 import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
@@ -34,18 +35,51 @@ const sleep = async () =>
     setTimeout(resolve, 1000);
   });
 
-const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreRecord> => {
+const getFullPath = ({ path, keySchema, environment }: { path: string; keySchema?: string; environment: string }) => {
+  if (!keySchema || !keySchema.includes("/")) return path;
+
+  if (keySchema.startsWith("/")) {
+    throw new SecretSyncError({ message: `Key schema cannot contain leading '/'`, shouldRetry: false });
+  }
+
+  const keySchemaSegments = handlebars
+    .compile(keySchema)({
+      environment,
+      secretKey: "{{secretKey}}"
+    })
+    .split("/");
+
+  const pathSegments = keySchemaSegments.slice(0, keySchemaSegments.length - 1);
+
+  if (pathSegments.some((segment) => segment.includes("{{secretKey}}"))) {
+    throw new SecretSyncError({
+      message: "Key schema cannot contain '/' after {{secretKey}}",
+      shouldRetry: false
+    });
+  }
+
+  return `${path}${pathSegments.join("/")}/`;
+};
+
+const getParametersByPath = async (
+  ssm: AWS.SSM,
+  path: string,
+  keySchema: string | undefined,
+  environment: string
+): Promise<TAWSParameterStoreRecord> => {
   const awsParameterStoreSecretsRecord: TAWSParameterStoreRecord = {};
   let hasNext = true;
   let nextToken: string | undefined;
   let attempt = 0;
 
+  const fullPath = getFullPath({ path, keySchema, environment });
+
   while (hasNext) {
     try {
       // eslint-disable-next-line no-await-in-loop
       const parameters = await ssm
         .getParametersByPath({
-          Path: path,
+          Path: fullPath,
           Recursive: false,
           WithDecryption: true,
           MaxResults: BATCH_SIZE,
@@ -59,7 +93,7 @@ const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSPara
         parameters.Parameters.forEach((parameter) => {
           if (parameter.Name) {
             // no leading slash if path is '/'
-            const secKey = path.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
+            const secKey = fullPath.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
             awsParameterStoreSecretsRecord[secKey] = parameter;
           }
         });
@@ -83,12 +117,19 @@ const getParametersByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSPara
   return awsParameterStoreSecretsRecord;
 };
 
-const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<TAWSParameterStoreMetadataRecord> => {
+const getParameterMetadataByPath = async (
+  ssm: AWS.SSM,
+  path: string,
+  keySchema: string | undefined,
+  environment: string
+): Promise<TAWSParameterStoreMetadataRecord> => {
   const awsParameterStoreMetadataRecord: TAWSParameterStoreMetadataRecord = {};
   let hasNext = true;
   let nextToken: string | undefined;
   let attempt = 0;
 
+  const fullPath = getFullPath({ path, keySchema, environment });
+
   while (hasNext) {
     try {
       // eslint-disable-next-line no-await-in-loop
@@ -100,7 +141,7 @@ const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<T
             {
               Key: "Path",
               Option: "OneLevel",
-              Values: [path]
+              Values: [fullPath]
             }
           ]
         })
@@ -112,7 +153,7 @@ const getParameterMetadataByPath = async (ssm: AWS.SSM, path: string): Promise<T
         parameters.Parameters.forEach((parameter) => {
           if (parameter.Name) {
             // no leading slash if path is '/'
-            const secKey = path.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
+            const secKey = fullPath.length > 1 ? parameter.Name.substring(path.length) : parameter.Name;
             awsParameterStoreMetadataRecord[secKey] = parameter;
           }
         });
@@ -298,9 +339,19 @@ export const AwsParameterStoreSyncFns = {
 
     const ssm = await getSSM(secretSync);
 
-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+    const awsParameterStoreSecretsRecord = await getParametersByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );
 
-    const awsParameterStoreMetadataRecord = await getParameterMetadataByPath(ssm, destinationConfig.path);
+    const awsParameterStoreMetadataRecord = await getParameterMetadataByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );
 
     const { shouldManageTags, awsParameterStoreTagsRecord } = await getParameterStoreTagsRecord(
       ssm,
@@ -400,22 +451,32 @@ export const AwsParameterStoreSyncFns = {
     await deleteParametersBatch(ssm, parametersToDelete);
   },
   getSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials): Promise<TSecretMap> => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;
 
     const ssm = await getSSM(secretSync);
 
-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+    const awsParameterStoreSecretsRecord = await getParametersByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );
 
     return Object.fromEntries(
       Object.entries(awsParameterStoreSecretsRecord).map(([key, value]) => [key, { value: value.Value ?? "" }])
     );
   },
   removeSecrets: async (secretSync: TAwsParameterStoreSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions, environment } = secretSync;
 
     const ssm = await getSSM(secretSync);
 
-    const awsParameterStoreSecretsRecord = await getParametersByPath(ssm, destinationConfig.path);
+    const awsParameterStoreSecretsRecord = await getParametersByPath(
+      ssm,
+      destinationConfig.path,
+      syncOptions.keySchema,
+      environment!.slug
+    );
 
     const parametersToDelete: AWS.SSM.Parameter[] = [];
 

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -386,7 +386,15 @@ export const secretV2BridgeServiceFactory = ({
         actorId,
         actor,
         projectId,
-        environmentSlug: folder.environment.slug
+        environmentSlug: folder.environment.slug,
+        event: {
+          created: {
+            secretId: secret.id,
+            environment: folder.environment.slug,
+            secretKey: secret.key,
+            secretPath
+          }
+        }
       });
     }
 
@@ -616,7 +624,15 @@ export const secretV2BridgeServiceFactory = ({
         actor,
         projectId,
         orgId: actorOrgId,
-        environmentSlug: folder.environment.slug
+        environmentSlug: folder.environment.slug,
+        event: {
+          updated: {
+            secretId: secret.id,
+            environment: folder.environment.slug,
+            secretKey: secret.key,
+            secretPath
+          }
+        }
       });
     }
 
@@ -728,7 +744,15 @@ export const secretV2BridgeServiceFactory = ({
           actor,
           projectId,
           orgId: actorOrgId,
-          environmentSlug: folder.environment.slug
+          environmentSlug: folder.environment.slug,
+          event: {
+            deleted: {
+              secretId: secretToDelete.id,
+              environment: folder.environment.slug,
+              secretKey: secretToDelete.key,
+              secretPath
+            }
+          }
         });
       }
 
@@ -1708,7 +1732,15 @@ export const secretV2BridgeServiceFactory = ({
       secretPath,
       projectId,
       orgId: actorOrgId,
-      environmentSlug: folder.environment.slug
+      environmentSlug: folder.environment.slug,
+      event: {
+        created: newSecrets.map((el) => ({
+          secretId: el.id,
+          secretKey: el.key,
+          secretPath,
+          environment: folder.environment.slug
+        }))
+      }
     });
 
     return newSecrets.map((el) => {
@@ -2075,7 +2107,15 @@ export const secretV2BridgeServiceFactory = ({
               secretPath: el.path,
               projectId,
               orgId: actorOrgId,
-              environmentSlug: environment
+              environmentSlug: environment,
+              event: {
+                updated: updatedSecrets.map((sec) => ({
+                  secretId: sec.id,
+                  secretKey: sec.key,
+                  secretPath: sec.secretPath,
+                  environment
+                }))
+              }
             })
           : undefined
       )
@@ -2214,7 +2254,15 @@ export const secretV2BridgeServiceFactory = ({
         secretPath,
         projectId,
         orgId: actorOrgId,
-        environmentSlug: folder.environment.slug
+        environmentSlug: folder.environment.slug,
+        event: {
+          deleted: secretsDeleted.map((el) => ({
+            secretId: el.id,
+            secretKey: el.key,
+            secretPath,
+            environment: folder.environment.slug
+          }))
+        }
       });
 
       const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -2751,7 +2799,13 @@ export const secretV2BridgeServiceFactory = ({
         secretPath: destinationFolder.path,
         environmentSlug: destinationFolder.environment.slug,
         actorId,
-        actor
+        actor,
+        event: {
+          importMutation: {
+            secretPath: sourceFolder.path,
+            environment: sourceFolder.environment.slug
+          }
+        }
       });
     }
 
@@ -2763,7 +2817,13 @@ export const secretV2BridgeServiceFactory = ({
         secretPath: sourceFolder.path,
         environmentSlug: sourceFolder.environment.slug,
         actorId,
-        actor
+        actor,
+        event: {
+          importMutation: {
+            secretPath: sourceFolder.path,
+            environment: sourceFolder.environment.slug
+          }
+        }
       });
     }
 

backend/src/services/secret/secret-queue.ts

@@ -5,6 +5,7 @@ import { Knex } from "knex";
 
 import {
   ProjectMembershipRole,
+  ProjectType,
   ProjectUpgradeStatus,
   ProjectVersion,
   SecretType,
@@ -12,6 +13,9 @@ import {
   TSecretVersionsV2
 } from "@app/db/schemas";
 import { Actor, EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
+import { TEventBusService } from "@app/ee/services/event/event-bus-service";
+import { BusEventName, PublishableEvent, TopicName } from "@app/ee/services/event/types";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { TSecretRotationDALFactory } from "@app/ee/services/secret-rotation/secret-rotation-dal";
 import { TSnapshotDALFactory } from "@app/ee/services/secret-snapshot/snapshot-dal";
@@ -111,6 +115,8 @@ type TSecretQueueFactoryDep = {
   folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
   secretSyncQueue: Pick<TSecretSyncQueueFactory, "queueSecretSyncsSyncSecretsByPath">;
   reminderService: Pick<TReminderServiceFactory, "createReminderInternal" | "deleteReminderBySecretId">;
+  eventBusService: TEventBusService;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
 export type TGetSecrets = {
@@ -172,7 +178,9 @@ export const secretQueueFactory = ({
   resourceMetadataDAL,
   secretSyncQueue,
   folderCommitService,
-  reminderService
+  reminderService,
+  eventBusService,
+  licenseService
 }: TSecretQueueFactoryDep) => {
   const integrationMeter = opentelemetry.metrics.getMeter("Integrations");
   const errorHistogram = integrationMeter.createHistogram("integration_secret_sync_errors", {
@@ -534,17 +542,70 @@ export const secretQueueFactory = ({
     });
   };
 
+  const publishEvents = async (event: PublishableEvent) => {
+    if (event.created) {
+      await eventBusService.publish(TopicName.CoreServers, {
+        type: ProjectType.SecretManager,
+        source: "infiscal",
+        data: {
+          event: BusEventName.CreateSecret,
+          payload: event.created
+        }
+      });
+    }
+
+    if (event.updated) {
+      await eventBusService.publish(TopicName.CoreServers, {
+        type: ProjectType.SecretManager,
+        source: "infiscal",
+        data: {
+          event: BusEventName.UpdateSecret,
+          payload: event.updated
+        }
+      });
+    }
+
+    if (event.deleted) {
+      await eventBusService.publish(TopicName.CoreServers, {
+        type: ProjectType.SecretManager,
+        source: "infiscal",
+        data: {
+          event: BusEventName.DeleteSecret,
+          payload: event.deleted
+        }
+      });
+    }
+
+    if (event.importMutation) {
+      await eventBusService.publish(TopicName.CoreServers, {
+        type: ProjectType.SecretManager,
+        source: "infiscal",
+        data: {
+          event: BusEventName.ImportMutation,
+          payload: event.importMutation
+        }
+      });
+    }
+  };
+
   const syncSecrets = async <T extends boolean = false>({
     // seperate de-dupe queue for integration sync and replication sync
     _deDupeQueue: deDupeQueue = {},
     _depth: depth = 0,
     _deDupeReplicationQueue: deDupeReplicationQueue = {},
+    event,
     ...dto
-  }: TSyncSecretsDTO<T>) => {
+  }: TSyncSecretsDTO<T> & { event?: PublishableEvent }) => {
     logger.info(
       `syncSecrets: syncing project secrets where [projectId=${dto.projectId}]  [environment=${dto.environmentSlug}] [path=${dto.secretPath}]`
     );
 
+    const plan = await licenseService.getPlan(dto.orgId);
+
+    if (event && plan.eventSubscriptions) {
+      await publishEvents(event);
+    }
+
     const deDuplicationKey = uniqueSecretQueueKey(dto.environmentSlug, dto.secretPath);
     if (
       !dto.excludeReplication
@@ -565,7 +626,7 @@ export const secretQueueFactory = ({
         _deDupeQueue: deDupeQueue,
         _deDupeReplicationQueue: deDupeReplicationQueue,
         _depth: depth
-      } as TSyncSecretsDTO,
+      } as unknown as TSyncSecretsDTO,
       {
         removeOnFail: true,
         removeOnComplete: true,
@@ -689,6 +750,7 @@ export const secretQueueFactory = ({
         isManual,
         projectId,
         secretPath,
+
         depth = 1,
         deDupeQueue = {}
       } = job.data as TIntegrationSyncPayload;
@@ -738,7 +800,13 @@ export const secretQueueFactory = ({
                 environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
                 _deDupeQueue: deDupeQueue,
                 _depth: depth + 1,
-                excludeReplication: true
+                excludeReplication: true,
+                event: {
+                  importMutation: {
+                    secretPath: foldersGroupedById[folderId][0]?.path as string,
+                    environment: foldersGroupedById[folderId][0]?.environmentSlug as string
+                  }
+                }
               })
             )
         );
@@ -791,7 +859,13 @@ export const secretQueueFactory = ({
                 environmentSlug: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string,
                 _deDupeQueue: deDupeQueue,
                 _depth: depth + 1,
-                excludeReplication: true
+                excludeReplication: true,
+                event: {
+                  importMutation: {
+                    secretPath: referencedFoldersGroupedById[folderId][0]?.path as string,
+                    environment: referencedFoldersGroupedById[folderId][0]?.environmentSlug as string
+                  }
+                }
               })
             )
         );

backend/src/services/slack/slack-fns.ts

@@ -115,6 +115,44 @@ User Note: ${payload.note}`
         payloadBlocks
       };
     }
+    case TriggerFeature.ACCESS_REQUEST_UPDATED: {
+      const { payload } = notification;
+      const messageBody = `${payload.editorFullName} (${payload.editorEmail}) has updated the ${
+        payload.isTemporary ? "temporary" : "permanent"
+      } access request from ${payload.requesterFullName} (${payload.requesterEmail}) to ${payload.secretPath} in the ${payload.environment} environment of ${payload.projectName}.
+      
+The following permissions are requested: ${payload.permissions.join(", ")}
+
+View the request and approve or deny it <${payload.approvalUrl}|here>.${
+        payload.editNote
+          ? `
+Editor Note: ${payload.editNote}`
+          : ""
+      }`;
+
+      const payloadBlocks = [
+        {
+          type: "header",
+          text: {
+            type: "plain_text",
+            text: "Updated access approval request pending for review",
+            emoji: true
+          }
+        },
+        {
+          type: "section",
+          text: {
+            type: "mrkdwn",
+            text: messageBody
+          }
+        }
+      ];
+
+      return {
+        payloadMessage: messageBody,
+        payloadBlocks
+      };
+    }
     default: {
       throw new BadRequestError({
         message: "Slack notification type not supported."

backend/src/services/smtp/emails/AccessApprovalRequestUpdatedTemplate.tsx

@@ -0,0 +1,95 @@
+import { Heading, Section, Text } from "@react-email/components";
+import React from "react";
+
+import { BaseButton } from "./BaseButton";
+import { BaseEmailWrapper, BaseEmailWrapperProps } from "./BaseEmailWrapper";
+import { BaseLink } from "./BaseLink";
+
+interface AccessApprovalRequestUpdatedTemplateProps
+  extends Omit<BaseEmailWrapperProps, "title" | "preview" | "children"> {
+  projectName: string;
+  requesterFullName: string;
+  requesterEmail: string;
+  isTemporary: boolean;
+  secretPath: string;
+  environment: string;
+  expiresIn: string;
+  permissions: string[];
+  editNote: string;
+  editorFullName: string;
+  editorEmail: string;
+  approvalUrl: string;
+}
+
+export const AccessApprovalRequestUpdatedTemplate = ({
+  projectName,
+  siteUrl,
+  requesterFullName,
+  requesterEmail,
+  isTemporary,
+  secretPath,
+  environment,
+  expiresIn,
+  permissions,
+  editNote,
+  editorEmail,
+  editorFullName,
+  approvalUrl
+}: AccessApprovalRequestUpdatedTemplateProps) => {
+  return (
+    <BaseEmailWrapper
+      title="Access Approval Request Update"
+      preview="An access approval request was updated and requires your review."
+      siteUrl={siteUrl}
+    >
+      <Heading className="text-black text-[18px] leading-[28px] text-center font-normal p-0 mx-0">
+        An access approval request was updated and is pending your review for the project <strong>{projectName}</strong>
+      </Heading>
+      <Section className="px-[24px] mb-[28px] mt-[36px] pt-[12px] pb-[8px] border border-solid border-gray-200 rounded-md bg-gray-50">
+        <Text className="text-black text-[14px] leading-[24px]">
+          <strong>{editorFullName}</strong> (<BaseLink href={`mailto:${editorEmail}`}>{editorEmail}</BaseLink>) has
+          updated the access request submitted by <strong>{requesterFullName}</strong> (
+          <BaseLink href={`mailto:${requesterEmail}`}>{requesterEmail}</BaseLink>) for <strong>{secretPath}</strong> in
+          the <strong>{environment}</strong> environment.
+        </Text>
+
+        {isTemporary && (
+          <Text className="text-[14px] text-red-600 leading-[24px]">
+            <strong>This access will expire {expiresIn} after approval.</strong>
+          </Text>
+        )}
+        <Text className="text-[14px] leading-[24px] mb-[4px]">
+          <strong>The following permissions are requested:</strong>
+        </Text>
+        {permissions.map((permission) => (
+          <Text key={permission} className="text-[14px] my-[2px] leading-[24px]">
+            - {permission}
+          </Text>
+        ))}
+        <Text className="text-[14px] text-slate-700 leading-[24px]">
+          <strong className="text-black">Editor Note:</strong> "{editNote}"
+        </Text>
+      </Section>
+      <Section className="text-center">
+        <BaseButton href={approvalUrl}>Review Request</BaseButton>
+      </Section>
+    </BaseEmailWrapper>
+  );
+};
+
+export default AccessApprovalRequestUpdatedTemplate;
+
+AccessApprovalRequestUpdatedTemplate.PreviewProps = {
+  requesterFullName: "Abigail Williams",
+  requesterEmail: "abigail@infisical.com",
+  isTemporary: true,
+  secretPath: "/api/secrets",
+  environment: "Production",
+  siteUrl: "https://infisical.com",
+  projectName: "Example Project",
+  expiresIn: "1 day",
+  permissions: ["Read Secret", "Delete Project", "Create Dynamic Secret"],
+  editNote: "Too permissive, they only need 3 days",
+  editorEmail: "john@infisical.com",
+  editorFullName: "John Smith"
+} as AccessApprovalRequestUpdatedTemplateProps;

backend/src/services/smtp/emails/index.ts

@@ -1,4 +1,5 @@
 export * from "./AccessApprovalRequestTemplate";
+export * from "./AccessApprovalRequestUpdatedTemplate";
 export * from "./EmailMfaTemplate";
 export * from "./EmailVerificationTemplate";
 export * from "./ExternalImportFailedTemplate";

backend/src/services/smtp/smtp-service.ts

@@ -8,6 +8,7 @@ import { logger } from "@app/lib/logger";
 
 import {
   AccessApprovalRequestTemplate,
+  AccessApprovalRequestUpdatedTemplate,
   EmailMfaTemplate,
   EmailVerificationTemplate,
   ExternalImportFailedTemplate,
@@ -54,6 +55,7 @@ export enum SmtpTemplates {
   EmailMfa = "emailMfa",
   UnlockAccount = "unlockAccount",
   AccessApprovalRequest = "accessApprovalRequest",
+  AccessApprovalRequestUpdated = "accessApprovalRequestUpdated",
   AccessSecretRequestBypassed = "accessSecretRequestBypassed",
   SecretApprovalRequestNeedsReview = "secretApprovalRequestNeedsReview",
   // HistoricalSecretList = "historicalSecretLeakIncident", not used anymore?
@@ -96,6 +98,7 @@ const EmailTemplateMap: Record<SmtpTemplates, React.FC<any>> = {
   [SmtpTemplates.SignupEmailVerification]: SignupEmailVerificationTemplate,
   [SmtpTemplates.EmailMfa]: EmailMfaTemplate,
   [SmtpTemplates.AccessApprovalRequest]: AccessApprovalRequestTemplate,
+  [SmtpTemplates.AccessApprovalRequestUpdated]: AccessApprovalRequestUpdatedTemplate,
   [SmtpTemplates.EmailVerification]: EmailVerificationTemplate,
   [SmtpTemplates.ExternalImportFailed]: ExternalImportFailedTemplate,
   [SmtpTemplates.ExternalImportStarted]: ExternalImportStartedTemplate,

backend/src/services/super-admin/super-admin-service.ts

@@ -11,7 +11,6 @@ import {
   validateOverrides
 } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
@@ -465,43 +464,15 @@ export const superAdminServiceFactory = ({
     return updatedServerCfg;
   };
 
-  const adminSignUp = async ({
-    lastName,
-    firstName,
-    email,
-    salt,
-    password,
-    verifier,
-    publicKey,
-    protectedKey,
-    protectedKeyIV,
-    protectedKeyTag,
-    encryptedPrivateKey,
-    encryptedPrivateKeyIV,
-    encryptedPrivateKeyTag,
-    ip,
-    userAgent
-  }: TAdminSignUpDTO) => {
+  const adminSignUp = async ({ lastName, firstName, email, password, ip, userAgent }: TAdminSignUpDTO) => {
     const appCfg = getConfig();
 
     const sanitizedEmail = email.trim().toLowerCase();
     const existingUser = await userDAL.findOne({ username: sanitizedEmail });
     if (existingUser) throw new BadRequestError({ name: "Admin sign up", message: "User already exists" });
 
-    const privateKey = await getUserPrivateKey(password, {
-      encryptionVersion: 2,
-      salt,
-      protectedKey,
-      protectedKeyIV,
-      protectedKeyTag,
-      encryptedPrivateKey,
-      iv: encryptedPrivateKeyIV,
-      tag: encryptedPrivateKeyTag
-    });
-
     const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
 
-    const { iv, tag, ciphertext, encoding } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
     const userInfo = await userDAL.transaction(async (tx) => {
       const newUser = await userDAL.create(
         {
@@ -519,25 +490,13 @@ export const superAdminServiceFactory = ({
       );
       const userEnc = await userDAL.createUserEncryption(
         {
-          salt,
           encryptionVersion: 2,
-          protectedKey,
-          protectedKeyIV,
-          protectedKeyTag,
-          publicKey,
-          encryptedPrivateKey,
-          iv: encryptedPrivateKeyIV,
-          tag: encryptedPrivateKeyTag,
-          verifier,
           userId: newUser.id,
-          hashedPassword,
-          serverEncryptedPrivateKey: ciphertext,
-          serverEncryptedPrivateKeyIV: iv,
-          serverEncryptedPrivateKeyTag: tag,
-          serverEncryptedPrivateKeyEncoding: encoding
+          hashedPassword
         },
         tx
       );
+
       return { user: newUser, enc: userEnc };
     });
 
@@ -587,26 +546,14 @@ export const superAdminServiceFactory = ({
         },
         tx
       );
-      const { tag, encoding, ciphertext, iv } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(password);
-      const encKeys = await generateUserSrpKeys(sanitizedEmail, password);
+
+      const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
 
       const userEnc = await userDAL.createUserEncryption(
         {
           userId: newUser.id,
           encryptionVersion: 2,
-          protectedKey: encKeys.protectedKey,
-          protectedKeyIV: encKeys.protectedKeyIV,
-          protectedKeyTag: encKeys.protectedKeyTag,
-          publicKey: encKeys.publicKey,
-          encryptedPrivateKey: encKeys.encryptedPrivateKey,
-          iv: encKeys.encryptedPrivateKeyIV,
-          tag: encKeys.encryptedPrivateKeyTag,
-          salt: encKeys.salt,
-          verifier: encKeys.verifier,
-          serverEncryptedPrivateKeyEncoding: encoding,
-          serverEncryptedPrivateKeyTag: tag,
-          serverEncryptedPrivateKeyIV: iv,
-          serverEncryptedPrivateKey: ciphertext
+          hashedPassword
         },
         tx
       );

backend/src/services/super-admin/super-admin-types.ts

@@ -3,17 +3,8 @@ import { TEnvConfig } from "@app/lib/config/env";
 export type TAdminSignUpDTO = {
   email: string;
   password: string;
-  publicKey: string;
-  salt: string;
   lastName?: string;
-  verifier: string;
   firstName: string;
-  protectedKey: string;
-  protectedKeyIV: string;
-  protectedKeyTag: string;
-  encryptedPrivateKey: string;
-  encryptedPrivateKeyIV: string;
-  encryptedPrivateKeyTag: string;
   ip: string;
   userAgent: string;
 };

backend/vitest.e2e.config.ts

@@ -5,7 +5,10 @@ export default defineConfig({
   test: {
     globals: true,
     env: {
-      NODE_ENV: "test"
+      NODE_ENV: "test",
+      E2E_TEST_ORACLE_DB_19_HOST: process.env.E2E_TEST_ORACLE_DB_19_HOST!,
+      E2E_TEST_ORACLE_DB_19_USERNAME: process.env.E2E_TEST_ORACLE_DB_19_USERNAME!,
+      E2E_TEST_ORACLE_DB_19_PASSWORD: process.env.E2E_TEST_ORACLE_DB_19_PASSWORD!
     },
     environment: "./e2e-test/vitest-environment-knex.ts",
     include: ["./e2e-test/**/*.spec.ts"],

docker-compose.e2e-dbs.yml

@@ -0,0 +1,157 @@
+version: '3.8'
+
+services:
+  # Oracle Databases
+  oracle-db-23.8:
+    image: container-registry.oracle.com/database/free:23.8.0.0
+    container_name: oracle-db-23.8
+    ports:
+      - "1521:1521"
+    environment:
+      - ORACLE_PDB=pdb
+      - ORACLE_PWD=pdb-password
+    volumes:
+      - oracle-data-23.8:/opt/oracle/oradata
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "sqlplus", "-L", "system/pdb-password@//localhost:1521/FREEPDB1", "<<<", "SELECT 1 FROM DUAL;"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+  # MySQL Databases
+  mysql-8.4.6:
+    image: mysql:8.4.6
+    container_name: mysql-8.4.6
+    ports:
+      - "3306:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=mysql-test
+      - MYSQL_DATABASE=mysql-test
+      - MYSQL_ROOT_HOST=% 
+      - MYSQL_USER=mysql-test
+      - MYSQL_PASSWORD=mysql-test
+    volumes:
+      - mysql-data-8.4.6:/var/lib/mysql
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "mysql-test", "-pmysql-test"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+  mysql-8.0.29:
+    image: mysql:8.0.29
+    container_name: mysql-8.0.28
+    ports:
+      - "3307:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=mysql-test
+      - MYSQL_DATABASE=mysql-test
+      - MYSQL_ROOT_HOST=%
+      - MYSQL_USER=mysql-test
+      - MYSQL_PASSWORD=mysql-test
+    volumes:
+      - mysql-data-8.0.29:/var/lib/mysql
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "mysql-test", "-pmysql-test"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+  mysql-5.7.31:
+    image: mysql:5.7.31
+    container_name: mysql-5.7.31
+    platform: linux/amd64
+    ports:
+      - "3308:3306"
+    environment:
+      - MYSQL_ROOT_PASSWORD=mysql-test
+      - MYSQL_DATABASE=mysql-test
+      - MYSQL_ROOT_HOST=%
+      - MYSQL_USER=mysql-test
+      - MYSQL_PASSWORD=mysql-test
+    volumes:
+      - mysql-data-5.7.31:/var/lib/mysql
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "mysql-test", "-pmysql-test"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+
+  # PostgreSQL Databases
+  postgres-17:
+    image: postgres:17
+    platform: linux/amd64
+    container_name: postgres-17
+    ports:
+      - "5433:5432"
+    environment:
+      - POSTGRES_DB=postgres-test
+      - POSTGRES_USER=postgres-test
+      - POSTGRES_PASSWORD=postgres-test
+    volumes:
+      - postgres-data-17:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres-test -d postgres-test"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+  postgres-16:
+    image: postgres:16
+    platform: linux/amd64
+    container_name: postgres-16
+    ports:
+      - "5434:5432"
+    environment:
+      - POSTGRES_DB=postgres-test
+      - POSTGRES_USER=postgres-test
+      - POSTGRES_PASSWORD=postgres-test
+    volumes:
+      - postgres-data-16:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres-test -d postgres-test"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+  postgres-10.12:
+    image: postgres:10.12
+    platform: linux/amd64
+    container_name: postgres-10.12
+    ports:
+      - "5435:5432"
+    environment:
+      - POSTGRES_DB=postgres-test
+      - POSTGRES_USER=postgres-test
+      - POSTGRES_PASSWORD=postgres-test
+    volumes:
+      - postgres-data-10.12:/var/lib/postgresql/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres-test -d postgres-test"]
+      interval: 10s
+      timeout: 10s
+      retries: 30
+      start_period: 30s
+
+volumes:
+  oracle-data-23.8:
+  mysql-data-8.4.6:
+  mysql-data-8.0.29:
+  mysql-data-5.7.31:
+  postgres-data-17:
+  postgres-data-16:
+  postgres-data-10.12:

docs/api-reference/endpoints/workspaces/get-workspace-by-slug.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get Project By Slug"
+openapi: "GET /api/v2/workspace/{slug}"
+---

docs/docs.json

@@ -41,8 +41,6 @@
             "group": "Platform Reference",
             "pages": [
               "documentation/platform/organization",
-              "documentation/platform/event-subscriptions",
-              "documentation/platform/folder",
               {
                 "group": "Projects",
                 "pages": [
@@ -145,6 +143,7 @@
                   }
                 ]
               },
+              "documentation/platform/event-subscriptions",
               {
                 "group": "Workflow Integrations",
                 "pages": [
@@ -389,8 +388,37 @@
                 "group": "Secrets Management",
                 "pages": [
                   "documentation/platform/secrets-mgmt/overview",
+                  {
+                    "group": "Concepts",
+                    "pages": [
+                      "documentation/platform/secrets-mgmt/concepts/secrets-mgmt",
+                      "documentation/platform/secrets-mgmt/concepts/access-control",
+                      "documentation/platform/secrets-mgmt/concepts/secrets-delivery",
+                      "documentation/platform/secrets-mgmt/concepts/secrets-rotation",
+                      "documentation/platform/secrets-mgmt/concepts/dynamic-secrets"
+                    ]
+                  },
+                  {
+                    "group": "Guides",
+                    "pages": [
+                      "documentation/guides/introduction",
+                      "documentation/guides/local-development",
+                      "documentation/guides/node",
+                      "documentation/guides/python",
+                      "documentation/guides/nextjs-vercel",
+                      "documentation/guides/microsoft-power-apps"
+                    ]
+                  }
+                ]
+              },
+              {
+                "group": "Product Reference",
+                "pages": [
                   "documentation/platform/secrets-mgmt/project",
                   "documentation/platform/folder",
+                  "documentation/platform/secret-versioning",
+                  "documentation/platform/pit-recovery",
+                  "documentation/platform/secret-reference",
                   {
                     "group": "Secret Rotation",
                     "pages": [
@@ -414,6 +442,7 @@
                       "documentation/platform/dynamic-secrets/aws-iam",
                       "documentation/platform/dynamic-secrets/azure-entra-id",
                       "documentation/platform/dynamic-secrets/cassandra",
+                      "documentation/platform/dynamic-secrets/couchbase",
                       "documentation/platform/dynamic-secrets/elastic-search",
                       "documentation/platform/dynamic-secrets/gcp-iam",
                       "documentation/platform/dynamic-secrets/github",
@@ -434,17 +463,7 @@
                       "documentation/platform/dynamic-secrets/vertica"
                     ]
                   },
-                  {
-                    "group": "Guides",
-                    "pages": [
-                      "documentation/guides/introduction",
-                      "documentation/guides/local-development",
-                      "documentation/guides/node",
-                      "documentation/guides/python",
-                      "documentation/guides/nextjs-vercel",
-                      "documentation/guides/microsoft-power-apps"
-                    ]
-                  }
+                  "documentation/platform/webhooks"
                 ]
               },
               {
@@ -467,7 +486,7 @@
                     "group": "Agent",
                     "pages": [
                       "integrations/platforms/infisical-agent",
-                       "integrations/platforms/docker-swarm-with-agent",
+                      "integrations/platforms/docker-swarm-with-agent",
                       "integrations/platforms/ecs-with-agent"
                     ]
                   },
@@ -636,14 +655,21 @@
             "item": "Secrets Scanning",
             "groups": [
               {
-                "group": "Secret Scanning",
+                "group": "Secrets Scanning",
                 "pages": [
-                  "documentation/platform/secret-scanning/overview"
+                  "documentation/platform/secret-scanning/overview",
+                  {
+                    "group": "Concepts",
+                    "pages": [
+                      "documentation/platform/secret-scanning/concepts/secret-scanning"
+                    ]
+                  }
                 ]
               },
               {
-                "group": "Datasources",
+                "group": "Product Reference",
                 "pages": [
+                  "documentation/platform/secret-scanning/usage",
                   "documentation/platform/secret-scanning/bitbucket",
                   "documentation/platform/secret-scanning/github",
                   "documentation/platform/secret-scanning/gitlab"
@@ -683,6 +709,18 @@
                 "group": "Infisical SSH",
                 "pages": [
                   "documentation/platform/ssh/overview",
+                  {
+                    "group": "Concepts",
+                    "pages": [
+                      "documentation/platform/ssh/concepts/ssh-certificates"
+                    ]
+                  }
+                ]
+              },
+              {
+                "group": "Platform Reference",
+                "pages": [
+                  "documentation/platform/ssh/usage",
                   "documentation/platform/ssh/host-groups"
                 ]
               }
@@ -962,6 +1000,7 @@
               {
                 "group": "Projects",
                 "pages": [
+                  "api-reference/endpoints/workspaces/get-workspace-by-slug",
                   "api-reference/endpoints/workspaces/create-workspace",
                   "api-reference/endpoints/workspaces/delete-workspace",
                   "api-reference/endpoints/workspaces/get-workspace",

docs/documentation/platform/dynamic-secrets/couchbase.mdx

@@ -0,0 +1,259 @@
+---
+title: "Couchbase"
+description: "Learn how to dynamically generate Couchbase Database user credentials."
+---
+
+The Infisical Couchbase dynamic secret allows you to generate Couchbase Cloud Database user credentials on demand based on configured roles and bucket access permissions.
+
+## Prerequisite
+
+Create an API Key in your Couchbase Cloud following the [official documentation](https://docs.couchbase.com/cloud/get-started/create-account.html#create-api-key).
+
+<Info>The API Key must have permission to manage database users in your Couchbase Cloud organization and project.</Info>
+
+## Set up Dynamic Secrets with Couchbase
+
+<Steps>
+  <Step title="Open Secret Overview Dashboard">
+	Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select Couchbase">
+	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/couchbase/dynamic-secret-couchbase-modal.png)
+  </Step>
+  <Step title="Provide the inputs for dynamic secret parameters">
+	<ParamField path="Secret Name" type="string" required>
+		Name by which you want the secret to be referenced
+	</ParamField>
+
+    <ParamField path="Default TTL" type="string" required>
+    	Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
+    </ParamField>
+
+    <ParamField path="Max TTL" type="string" required>
+    	Maximum time-to-live for a generated secret
+    </ParamField>
+
+    <ParamField path="URL" type="string" required default="https://cloudapi.cloud.couchbase.com">
+    	The Couchbase Cloud API URL
+    </ParamField>
+
+    <ParamField path="Organization ID" type="string" required>
+    	Your Couchbase Cloud organization ID
+    </ParamField>
+
+    <ParamField path="Project ID" type="string" required>
+    	Your Couchbase Cloud project ID
+    </ParamField>
+
+    <ParamField path="Cluster ID" type="string" required>
+    	Your Couchbase Cloud cluster ID where users will be created
+    </ParamField>
+
+    <ParamField path="Roles" type="array" required>
+       Database credential roles to assign to the generated user. Available options:
+    	 - **read**: Read access to bucket data (alias for data_reader)
+    	 - **write**: Read and write access to bucket data (alias for data_writer)
+    </ParamField>
+
+    <ParamField path="Bucket Access" type="string" required default="*">
+       Specify bucket access configuration:
+    	 - Use `*` for access to all buckets
+    	 - Use comma-separated bucket names (e.g., `bucket1,bucket2,bucket3`) for specific buckets
+    	 - Use Advanced Bucket Configuration for granular scope and collection access
+    </ParamField>
+
+    <ParamField path="API Key" type="string" required>
+    	Your Couchbase Cloud API Key for authentication
+    </ParamField>
+
+    ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/couchbase/dynamic-secret-modal-couchbase.png)
+
+  </Step>
+  <Step title="(Optional) Advanced Configuration">
+
+    ![Advanced Configuration Modal](../../../images/platform/dynamic-secrets/couchbase/advanced-option-couchbase.png)
+
+    <ParamField path="Advanced Bucket Configuration" type="boolean" default="false">
+        Enable advanced bucket configuration to specify granular access to buckets, scopes, and collections
+    </ParamField>
+
+    When Advanced Bucket Configuration is enabled, you can configure:
+
+    <ParamField path="Buckets" type="array">
+        List of buckets with optional scope and collection specifications:
+        - **Bucket Name**: Name of the bucket (e.g., travel-sample)
+        - **Scopes**: Optional array of scopes within the bucket
+          - **Scope Name**: Name of the scope (e.g., inventory, _default)
+          - **Collections**: Optional array of collection names within the scope
+    </ParamField>
+
+    <ParamField path="Username Template" type="string" default="{{randomUsername}}">
+        Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
+
+        Allowed template variables are:
+        - `{{randomUsername}}`: Random username string
+        - `{{unixTimestamp}}`: Current Unix timestamp
+        - `{{identity.name}}`: Name of the identity that is generating the secret
+        - `{{random N}}`: Random string of N characters
+
+        Allowed template functions are:
+        - `truncate`: Truncates a string to a specified length
+        - `replace`: Replaces a substring with another value
+
+        Examples:
+        ```
+        {{randomUsername}}                              // infisical-3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
+        {{unixTimestamp}}                               // 17490641580
+        {{identity.name}}                               // testuser
+        {{random 5}}                                    // x9k2m
+        {{truncate identity.name 4}}                    // test
+        {{replace identity.name 'user' 'replace'}}      // testreplace
+        ```
+	</ParamField>
+
+    <ParamField path="Password Configuration" type="object">
+        Optional password generation requirements for Couchbase users:
+        
+        <ParamField path="Password Length" type="number" default="12" min="8" max="128">
+            Length of the generated password
+        </ParamField>
+
+        <ParamField path="Character Requirements" type="object">
+            Minimum required character counts:
+            - **Lowercase Count**: Minimum lowercase letters (default: 1)
+            - **Uppercase Count**: Minimum uppercase letters (default: 1)
+            - **Digit Count**: Minimum digits (default: 1)
+            - **Symbol Count**: Minimum special characters (default: 1)
+        </ParamField>
+
+        <ParamField path="Allowed Symbols" type="string" default="!@#$%^()_+-=[]{}:,?/~`">
+            Special characters allowed in passwords. Cannot contain: `< > ; . * & | £`
+        </ParamField>
+
+        <Info>
+        Couchbase password requirements: minimum 8 characters, maximum 128 characters, at least 1 uppercase, 1 lowercase, 1 digit, and 1 special character. Cannot contain: `< > ; . * & | £`
+        </Info>
+    </ParamField>
+
+  </Step>
+
+  <Step title="Click 'Submit'">
+  	After submitting the form, you will see a dynamic secret created in the dashboard.
+
+    <Note>
+    	If this step fails, you may need to verify your Couchbase Cloud API key permissions and organization/project/cluster IDs.
+    </Note>
+
+    ![Dynamic Secret](../../../images/platform/dynamic-secrets/couchbase/dynamic-secret-couchbase.png)
+
+  </Step>
+  <Step title="Generate dynamic secrets">
+	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
+	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+    ![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret-generate.png)
+    ![Dynamic Secret](../../../images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+    When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+    ![Provision Lease](../../../images/platform/dynamic-secrets/provision-lease.png)
+
+    <Tip>
+    	Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
+    </Tip>
+
+    Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
+
+    ![Provision Lease](../../../images/platform/dynamic-secrets/lease-values.png)
+
+  </Step>
+</Steps>
+
+## Advanced Bucket Configuration Examples
+
+The advanced bucket configuration allows you to specify granular access control:
+
+### Example 1: Specific Bucket Access
+```json
+[
+  {
+    "name": "travel-sample"
+  }
+]
+```
+
+### Example 2: Bucket with Specific Scopes
+```json
+[
+  {
+    "name": "travel-sample",
+    "scopes": [
+      {
+        "name": "inventory"
+      },
+      {
+        "name": "_default"
+      }
+    ]
+  }
+]
+```
+
+### Example 3: Bucket with Scopes and Collections
+```json
+[
+  {
+    "name": "travel-sample",
+    "scopes": [
+      {
+        "name": "inventory",
+        "collections": ["airport", "airline"]
+      },
+      {
+        "name": "_default",
+        "collections": ["users"]
+      }
+    ]
+  }
+]
+```
+
+## Audit or Revoke Leases
+
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
+This will allow you to see the expiration time of the lease or delete a lease before its set time to live.
+
+![Provision Lease](../../../images/platform/dynamic-secrets/lease-data.png)
+
+## Renew Leases
+
+To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the **Renew** button as illustrated below.
+![Provision Lease](../../../images/platform/dynamic-secrets/dynamic-secret-lease-renew.png)
+
+<Warning>
+  Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
+</Warning>
+
+## Couchbase Roles and Permissions
+
+The Couchbase dynamic secret integration supports the following database credential roles:
+
+- **read**: Provides read-only access to bucket data
+- **write**: Provides read and write access to bucket data
+
+<Note>
+These roles are specifically for database credentials and are different from Couchbase's administrative roles. They provide data-level access to buckets, scopes, and collections based on your configuration.
+</Note>
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Invalid API Key**: Ensure your Couchbase Cloud API key has the necessary permissions to manage database users
+2. **Invalid Organization/Project/Cluster IDs**: Verify that the provided IDs exist and are accessible with your API key
+3. **Role Permission Errors**: Make sure you're using only the supported database credential roles (read, write)
+4. **Bucket Access Issues**: Ensure the specified buckets exist in your cluster and are accessible

docs/documentation/platform/secret-scanning/concepts/secret-scanning.mdx

@@ -0,0 +1,20 @@
+---
+title: "Secrets Scanning"
+description: "Learn what is secret scanning and why it matters for building secure systems."
+---
+
+## What is Secret Scanning?
+
+_Secret scanning_ is the process of monitoring code and related systems for exposed secrets — such as API keys, database credentials, and authentication tokens — that may have been accidentally committed or leaked.
+
+As teams grow and development accelerates, it becomes easy for secrets to slip into version control, CI/CD pipelines, or shared files. Left undetected, secrets can fall into the wrong hands and give attackers direct access to production systems, third-party services, or internal APIs.
+
+A secret scanning solution helps teams proactively identify and respond to these risks before they result in compromise. Rather than relying on manual review, secret scanning automates detection through pattern matching, entropy analysis, and contextual rules that surface secrets across your infrastructure and repositories.
+
+## Secret Scanning in Infisical
+
+Infisical Secret Scanning continuously monitors your source code and connected systems for exposed credentials. It integrates with platforms like [GitHub](/documentation/platform/secret-scanning/github), [GitLab](/documentation/platform/secret-scanning/gitlab), and [Bitbucket](/documentation/platform/secret-scanning/bitbucket) to scan codebases in real-time, detecting leaks as they happen and notifying administrators when action is needed.
+
+Findings are surfaced with detailed context — including file location, commit metadata, and rule match — and can be tracked through their lifecycle using status labels like `Resolved`, `False Positive`, or `Ignored`. Teams can configure rules, exclusions, and thresholds to reduce noise and tailor detection to their environment.
+
+In addition to real-time monitoring, Infisical supports both full repository scans and lightweight diff scans, as well as local pre-commit scanning via the [Infisical CLI](/cli/commands/scan). This allows teams to prevent secret leaks before they ever reach production.

docs/documentation/platform/secret-scanning/overview.mdx

@@ -1,230 +1,17 @@
 ---
 title: "Secret Scanning"
 sidebarTitle: "Overview"
-description: "Scan and prevent secret leaks in your code repositories"
+description: "Learn how to detect and respond to exposed secrets in code."
 ---
 
-## Introduction
+Infisical Secret Scanning helps teams detect leaked credentials — such as API keys, database passwords, and tokens — across source code and developer systems. It allows organizations to proactively catch exposed secrets before they can be exploited, and respond quickly when incidents occur.
 
-Monitor and detect exposed secrets across your data sources, including code repositories, with Infisical Secret Scanning.
+Secret Scanning works across both cloud-connected repositories and local developer environments. It integrates with data sources like [GitHub](/documentation/platform/secret-scanning/github), [GitLab](/documentation/platform/secret-scanning/gitlab), and [Bitbucket](/documentation/platform/secret-scanning/bitbucket) to monitor repositories for exposed secrets in real time, and provides a CLI ([`infisical scan`](/cli/commands/scan)) for scanning local directories, Git history, or CI pipelines before changes are pushed.
 
-For additional security, we recommend using our [CLI Secret Scanner](/cli/scanning-overview#automatically-scan-changes-before-you-commit) to check for exposed secrets before pushing your code changes.
+Core capabilities include:
 
-<Note>
-    Secret Scanning is a paid feature.
-    If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-    then you should contact team@infisical.com to purchase an enterprise license to use it.
-</Note>
-
-## How Secret Scanning Works
-
-Secret Scanning consists of several components that enable you to quickly respond to secret leaks:
-
-- **Scanner Engine**: The core component that analyzes your code and detects potential secrets using pattern matching and entropy analysis
-- **Real-time Monitoring**: Provides continuous surveillance of your repositories for immediate detection of exposed secrets
-- **Alert System**: Notifies organization admins via email when secrets are detected
-- **Risk Management**: Allows tracking and managing detected secrets with different status options
-- **Data Sources**: Integrates with various data sources and version control systems
-- **Customizable Rules**: Supports ignore patterns and custom configurations to reduce false positives
-
-These components work together to provide comprehensive secret detection and incident response capabilities.
-
-### Data Sources
-
-Data sources are configured integrations with external platforms, such as a GitHub organization or a GitLab group, that establish secure connections for scanning purposes using [App Connections](/integrations/app-connections/overview).
-
-A data source acts as a secure intermediary between the external system and the scanner engine. It manages a collection of scannable resources (such as repositories) and handles the authentication and communication required for scanning operations.
-
-![data sources](/images/platform/secret-scanning/secret-scanning-data-sources.png)
-
-### Resources
-
-Resources are the atomic, scannable units, such as a repository, that can be monitored for secret exposure. Resources are added automatically when a data source is scanned and updated when scanning events are triggered, such as when a user pushes changes to GitHub.
-
-Each resource maintains its own scanning history and status, allowing for granular monitoring and management of secret scanning across your organization.
-
-![resources](/images/platform/secret-scanning/secret-scanning-resources.png)
-
-### Scans
-
-Scans can be initiated in two ways:
-
-1. **Full Scan** - Manually triggered scan that comprehensively checks either all resources associated with a data source or a single selected resource.
-
-2. **Diff Scan** - Automatically executed when **Auto-Scan** is enabled on a data source. This scan type specifically focuses on updates to existing resources.
-
-All scan activities can be monitored in real-time through the Infisical UI, which displays:
-- Current scan status
-- Timestamp of the scan
-- Resource(s) being scanned
-- Detection results (whether any secrets were found)
-
-![scans](/images/platform/secret-scanning/secret-scanning-scans.png)
-
-### Findings
-
-Findings are automatically generated when secret leaks are detected during scanning operations. Each finding contains comprehensive information including:
-- The specific scanning rule that identified the leak
-- File location and line number where the secret was found
-- Resource-specific details (e.g., commit hash and author for Git repositories)
-
-Findings are initially marked as **Unresolved** and can be updated to one of the following statuses with additional remarks:
-- **Resolved** - The issue has been addressed
-- **False Positive** - The detection was incorrect
-- **Ignore** - The finding can be safely disregarded
-
-These status options help teams effectively track and manage the lifecycle of detected secret leaks.
-
-![findings](/images/platform/secret-scanning/secret-scanning-findings.png)
-
-### Configuration
-
-You can configure custom scanning rules and exceptions by updating your project's scanning configuration via the UI or API.
-
-The configuration options allow you to:
-- Define custom scanning patterns and rules
-- Set up ignore patterns to reduce false positives
-- Specify file path exclusions
-- Configure entropy thresholds for secret detection
-- Add allowlists for known safe patterns
-
-For detailed configuration options, expand the example configuration below.
-
-<Accordion title="Example Configuration">
-    ```toml
-    # Title for the configuration file
-    title = "Some title"
-
-
-    # This configuration is the foundation that can be expanded. If there are any overlapping rules
-    # between this base and the expanded configuration, the rules in this base will take priority.
-    # Another aspect of extending configurations is the ability to link multiple files, up to a depth of 2.
-    # "Allowlist" arrays get appended and may have repeated elements.
-    # "useDefault" and "path" cannot be used simultaneously. Please choose one.
-    [extend]
-    # useDefault will extend the base configuration with the default config:
-    # https://raw.githubusercontent.com/Infisical/infisical/main/cli/config/infisical-scan.toml
-    useDefault = true
-    # or you can supply a path to a configuration. Path is relative to where infisical cli
-    # was invoked, not the location of the base config.
-    path = "common_config.toml"
-
-    # An array of tables that contain information that define instructions
-    # on how to detect secrets
-    [[rules]]
-
-    # Unique identifier for this rule
-    id = "some-identifier-for-rule"
-
-    # Short human readable description of the rule.
-    description = "awesome rule 1"
-
-    # Golang regular expression used to detect secrets. Note Golang's regex engine
-    # does not support lookaheads.
-    regex = '''one-go-style-regex-for-this-rule'''
-
-    # Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
-    # in conjunction with a valid `regex` entry.
-    path = '''a-file-path-regex'''
-
-    # Array of strings used for metadata and reporting purposes.
-    tags = ["tag","another tag"]
-
-    # A regex match may have many groups, this allows you to specify the group that should be used as (which group the secret is contained in)
-    # its entropy checked if `entropy` is set.
-    secretGroup = 3
-
-    # Float representing the minimum shannon entropy a regex group must have to be considered a secret.
-    # Shannon entropy measures how random a data is. Since secrets are usually composed of many random characters, they typically have high entropy
-    entropy = 3.5
-
-    # Keywords are used for pre-regex check filtering.
-    # If rule has keywords but the text fragment being scanned doesn't have at least one of it's keywords, it will be skipped for processing further.
-    # Ideally these values should either be part of the identifier or unique strings specific to the rule's regex
-    # (introduced in v8.6.0)
-    keywords = [
-        "auth",
-        "password",
-        "token",
-    ]
-
-    # You can include an allowlist table for a single rule to reduce false positives or ignore commits
-    # with known/rotated secrets
-    [rules.allowlist]
-    description = "ignore commit A"
-    commits = [ "commit-A", "commit-B"]
-    paths = [
-        '''go\.mod''',
-        '''go\.sum'''
-    ]
-    # note: (rule) regexTarget defaults to check the _Secret_ in the finding.
-    # if regexTarget is not specified then _Secret_ will be used.
-    # Acceptable values for regexTarget are "match" and "line"
-    regexTarget = "match"
-    regexes = [
-        '''process''',
-        '''getenv''',
-    ]
-    # note: stopwords targets the extracted secret, not the entire regex match
-    # if the extracted secret is found in the stopwords list, the finding will be skipped (i.e not included in report)
-    stopwords = [
-        '''client''',
-        '''endpoint''',
-    ]
-
-
-    # This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
-    # If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
-    # secrets will be detected for said commit. The same logic applies for regexes and paths.
-    [allowlist]
-    description = "global allow list"
-    commits = [ "commit-A", "commit-B", "commit-C"]
-    paths = [
-        '''gitleaks\.toml''',
-        '''(.*?)(jpg|gif|doc)'''
-    ]
-
-    # note: (global) regexTarget defaults to check the _Secret_ in the finding.
-    # if regexTarget is not specified then _Secret_ will be used.
-    # Acceptable values for regexTarget are "match" and "line"
-    regexTarget = "match"
-
-    regexes = [
-        '''219-09-9999''',
-        '''078-05-1120''',
-        '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
-    ]
-    # note: stopwords targets the extracted secret, not the entire regex match
-    # if the extracted secret is found in the stopwords list, the finding will be skipped (i.e not included in report)
-    stopwords = [
-        '''client''',
-        '''endpoint''',
-    ]
-    ```
-</Accordion>
-
-![config](/images/platform/secret-scanning/secret-scanning-config.png)
-
-## Ignoring Known Secrets
-If you're intentionally committing a test secret that the secret scanner might flag, you can instruct Infisical to overlook that secret with the methods listed below.
-
-### infisical-scan:ignore
-
-To ignore a secret contained in line of code, simply add `infisical-scan:ignore ` at the end of the line as comment in the given programming.
-
-```js example.js
-function helloWorld() {
-    console.log("8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"); // infisical-scan:ignore
-}
-```
-
-### .infisicalignore
-An alternative method to exclude specific findings involves creating a .infisicalignore file at your repository's root.
-You can then add the fingerprints of the findings you wish to exclude. The [Infisical scan](/cli/scanning-overview) report provides a unique Fingerprint for each secret found.
-By incorporating these Fingerprints into the .infisicalignore file, Infisical will skip the corresponding secret findings in subsequent scans.
-
-```.ignore .infisicalignore
-bea0ff6e05a4de73a5db625d4ae181a015b50855:frontend/components/utilities/attemptLogin.js:stripe-access-token:147
-bea0ff6e05a4de73a5db625d4ae181a015b50855:backend/src/json/integrations.json:generic-api-key:5
-1961b92340e5d2613acae528b886c842427ce5d0:frontend/components/utilities/attemptLogin.js:stripe-access-token:148
-```
+- Integrated Scanning Across Environments: Monitor secrets in real time across connected repositories like GitHub, GitLab, and Bitbucket, or scan locally using the infisical scan CLI.
+- Detection Engine: Identify potential secrets using pattern matching, entropy analysis, and custom rules tailored to your codebase and workflows.
+- Flexible Scan Modes: Run full scans manually or configure automatic diff scans triggered by new commits. CLI scans support Git history, file directories, or staged changes in CI pipelines.
+- Findings and Lifecycle Management: Track detected secrets with context like file path, commit hash, and scanning rule. Findings can be resolved, ignored, or marked as false positives — with full visibility into scan results over time.
+- Custom Configuration and Noise Reduction: Fine-tune scanning behavior with custom patterns, ignore rules (infisical-scan:ignore, .infisicalignore), entropy thresholds, and excluded paths to reduce false positives.

docs/documentation/platform/secret-scanning/usage.mdx

@@ -0,0 +1,236 @@
+---
+title: "Usage"
+description: "Learn what is secret scanning and why it matters for building secure systems."
+---
+
+## Introduction
+
+Monitor and detect exposed secrets across your data sources, including code repositories, with Infisical Secret Scanning.
+
+For additional security, we recommend using our [CLI Secret Scanner](/cli/scanning-overview#automatically-scan-changes-before-you-commit) to check for exposed secrets before pushing your code changes.
+
+<Note>
+  Secret Scanning is a paid feature. If you're using Infisical Cloud, then it is
+  available under the **Enterprise Tier**. If you're self-hosting Infisical,
+  then you should contact team@infisical.com to purchase an enterprise license
+  to use it.
+</Note>
+
+## How Secret Scanning Works
+
+Secret Scanning consists of several components that enable you to quickly respond to secret leaks:
+
+- **Scanner Engine**: The core component that analyzes your code and detects potential secrets using pattern matching and entropy analysis
+- **Real-time Monitoring**: Provides continuous surveillance of your repositories for immediate detection of exposed secrets
+- **Alert System**: Notifies organization admins via email when secrets are detected
+- **Risk Management**: Allows tracking and managing detected secrets with different status options
+- **Data Sources**: Integrates with various data sources and version control systems
+- **Customizable Rules**: Supports ignore patterns and custom configurations to reduce false positives
+
+These components work together to provide comprehensive secret detection and incident response capabilities.
+
+### Data Sources
+
+Data sources are configured integrations with external platforms, such as a GitHub organization or a GitLab group, that establish secure connections for scanning purposes using [App Connections](/integrations/app-connections/overview).
+
+A data source acts as a secure intermediary between the external system and the scanner engine. It manages a collection of scannable resources (such as repositories) and handles the authentication and communication required for scanning operations.
+
+![data sources](/images/platform/secret-scanning/secret-scanning-data-sources.png)
+
+### Resources
+
+Resources are the atomic, scannable units, such as a repository, that can be monitored for secret exposure. Resources are added automatically when a data source is scanned and updated when scanning events are triggered, such as when a user pushes changes to GitHub.
+
+Each resource maintains its own scanning history and status, allowing for granular monitoring and management of secret scanning across your organization.
+
+![resources](/images/platform/secret-scanning/secret-scanning-resources.png)
+
+### Scans
+
+Scans can be initiated in two ways:
+
+1. **Full Scan** - Manually triggered scan that comprehensively checks either all resources associated with a data source or a single selected resource.
+
+2. **Diff Scan** - Automatically executed when **Auto-Scan** is enabled on a data source. This scan type specifically focuses on updates to existing resources.
+
+All scan activities can be monitored in real-time through the Infisical UI, which displays:
+
+- Current scan status
+- Timestamp of the scan
+- Resource(s) being scanned
+- Detection results (whether any secrets were found)
+
+![scans](/images/platform/secret-scanning/secret-scanning-scans.png)
+
+### Findings
+
+Findings are automatically generated when secret leaks are detected during scanning operations. Each finding contains comprehensive information including:
+
+- The specific scanning rule that identified the leak
+- File location and line number where the secret was found
+- Resource-specific details (e.g., commit hash and author for Git repositories)
+
+Findings are initially marked as **Unresolved** and can be updated to one of the following statuses with additional remarks:
+
+- **Resolved** - The issue has been addressed
+- **False Positive** - The detection was incorrect
+- **Ignore** - The finding can be safely disregarded
+
+These status options help teams effectively track and manage the lifecycle of detected secret leaks.
+
+![findings](/images/platform/secret-scanning/secret-scanning-findings.png)
+
+### Configuration
+
+You can configure custom scanning rules and exceptions by updating your project's scanning configuration via the UI or API.
+
+The configuration options allow you to:
+
+- Define custom scanning patterns and rules
+- Set up ignore patterns to reduce false positives
+- Specify file path exclusions
+- Configure entropy thresholds for secret detection
+- Add allowlists for known safe patterns
+
+For detailed configuration options, expand the example configuration below.
+
+<Accordion title="Example Configuration">
+    ```toml
+    # Title for the configuration file
+    title = "Some title"
+
+    # This configuration is the foundation that can be expanded. If there are any overlapping rules
+    # between this base and the expanded configuration, the rules in this base will take priority.
+    # Another aspect of extending configurations is the ability to link multiple files, up to a depth of 2.
+    # "Allowlist" arrays get appended and may have repeated elements.
+    # "useDefault" and "path" cannot be used simultaneously. Please choose one.
+    [extend]
+    # useDefault will extend the base configuration with the default config:
+    # https://raw.githubusercontent.com/Infisical/infisical/main/cli/config/infisical-scan.toml
+    useDefault = true
+    # or you can supply a path to a configuration. Path is relative to where infisical cli
+    # was invoked, not the location of the base config.
+    path = "common_config.toml"
+
+    # An array of tables that contain information that define instructions
+    # on how to detect secrets
+    [[rules]]
+
+    # Unique identifier for this rule
+    id = "some-identifier-for-rule"
+
+    # Short human readable description of the rule.
+    description = "awesome rule 1"
+
+    # Golang regular expression used to detect secrets. Note Golang's regex engine
+    # does not support lookaheads.
+    regex = '''one-go-style-regex-for-this-rule'''
+
+    # Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
+    # in conjunction with a valid `regex` entry.
+    path = '''a-file-path-regex'''
+
+    # Array of strings used for metadata and reporting purposes.
+    tags = ["tag","another tag"]
+
+    # A regex match may have many groups, this allows you to specify the group that should be used as (which group the secret is contained in)
+    # its entropy checked if `entropy` is set.
+    secretGroup = 3
+
+    # Float representing the minimum shannon entropy a regex group must have to be considered a secret.
+    # Shannon entropy measures how random a data is. Since secrets are usually composed of many random characters, they typically have high entropy
+    entropy = 3.5
+
+    # Keywords are used for pre-regex check filtering.
+    # If rule has keywords but the text fragment being scanned doesn't have at least one of it's keywords, it will be skipped for processing further.
+    # Ideally these values should either be part of the identifier or unique strings specific to the rule's regex
+    # (introduced in v8.6.0)
+    keywords = [
+        "auth",
+        "password",
+        "token",
+    ]
+
+    # You can include an allowlist table for a single rule to reduce false positives or ignore commits
+    # with known/rotated secrets
+    [rules.allowlist]
+    description = "ignore commit A"
+    commits = [ "commit-A", "commit-B"]
+    paths = [
+        '''go\.mod''',
+        '''go\.sum'''
+    ]
+    # note: (rule) regexTarget defaults to check the _Secret_ in the finding.
+    # if regexTarget is not specified then _Secret_ will be used.
+    # Acceptable values for regexTarget are "match" and "line"
+    regexTarget = "match"
+    regexes = [
+        '''process''',
+        '''getenv''',
+    ]
+    # note: stopwords targets the extracted secret, not the entire regex match
+    # if the extracted secret is found in the stopwords list, the finding will be skipped (i.e not included in report)
+    stopwords = [
+        '''client''',
+        '''endpoint''',
+    ]
+
+
+    # This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
+    # If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
+    # secrets will be detected for said commit. The same logic applies for regexes and paths.
+    [allowlist]
+    description = "global allow list"
+    commits = [ "commit-A", "commit-B", "commit-C"]
+    paths = [
+        '''gitleaks\.toml''',
+        '''(.*?)(jpg|gif|doc)'''
+    ]
+
+    # note: (global) regexTarget defaults to check the _Secret_ in the finding.
+    # if regexTarget is not specified then _Secret_ will be used.
+    # Acceptable values for regexTarget are "match" and "line"
+    regexTarget = "match"
+
+    regexes = [
+        '''219-09-9999''',
+        '''078-05-1120''',
+        '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
+    ]
+    # note: stopwords targets the extracted secret, not the entire regex match
+    # if the extracted secret is found in the stopwords list, the finding will be skipped (i.e not included in report)
+    stopwords = [
+        '''client''',
+        '''endpoint''',
+    ]
+    ```
+
+</Accordion>
+
+![config](/images/platform/secret-scanning/secret-scanning-config.png)
+
+## Ignoring Known Secrets
+
+If you're intentionally committing a test secret that the secret scanner might flag, you can instruct Infisical to overlook that secret with the methods listed below.
+
+### infisical-scan:ignore
+
+To ignore a secret contained in line of code, simply add `infisical-scan:ignore ` at the end of the line as comment in the given programming.
+
+```js example.js
+function helloWorld() {
+  console.log("8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"); // infisical-scan:ignore
+}
+```
+
+### .infisicalignore
+
+An alternative method to exclude specific findings involves creating a .infisicalignore file at your repository's root.
+You can then add the fingerprints of the findings you wish to exclude. The [Infisical scan](/cli/scanning-overview) report provides a unique Fingerprint for each secret found.
+By incorporating these Fingerprints into the .infisicalignore file, Infisical will skip the corresponding secret findings in subsequent scans.
+
+```.ignore .infisicalignore
+bea0ff6e05a4de73a5db625d4ae181a015b50855:frontend/components/utilities/attemptLogin.js:stripe-access-token:147
+bea0ff6e05a4de73a5db625d4ae181a015b50855:backend/src/json/integrations.json:generic-api-key:5
+1961b92340e5d2613acae528b886c842427ce5d0:frontend/components/utilities/attemptLogin.js:stripe-access-token:148
+```

docs/documentation/platform/secrets-mgmt/concepts/access-control.mdx

@@ -0,0 +1,33 @@
+---
+title: "Scoping Secrets"
+description: "Learn how access to secrets is controlled in Infisical."
+---
+
+## Secret Hierarchy
+
+Every secret in Infisical is scoped to an environment and a path.
+
+- An environment separates where secrets are used, such as `development`, `staging`, or `production`.
+- A path is an (optional) namespace within an environment that groups related secrets such as `/postgres`, `/redis`, or per-service paths like `/service-a`.
+
+This structure makes it easy to organize secrets by team, service, or environment, and sets the foundation for controlling who can access what.
+
+## Access Control
+
+Access control determines who (or what) can access a secret and under what conditions. Without clear policies, even securely stored secrets can be misused or exposed.
+
+To control access to secrets, you configure role-based permissions at the project level. These permissions determine which environments and paths a user or machine identity with that role can access. For example, an engineer might have a role that allows them to read secrets in the `development` environment but not those in the `production` environment.
+
+This model follows the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) such that each user or machine identity has access only to the secrets it needs — and nothing more.
+
+## Advanced Capabilities
+
+Beyond basic role assignments, Infisical includes additional access control mechanisms for more advanced use cases:
+
+- Access approvals: Users can request access to specific environments or paths. Access can be temporary and reviewed before it is granted, reducing long-term exposure.
+
+- Secret change approvals: Updates to sensitive secrets can require approval before taking effect. This adds control in environments where unreviewed changes pose risk.
+
+- Attribute-based access control (ABAC): Permissions can be matched against metadata on a user or machine identity — such as team, service, or environment — enabling dynamic access rules without manual role changes.
+
+All access and approval actions are logged, so it’s always possible to trace who accessed what, when, and under what conditions.

docs/documentation/platform/secrets-mgmt/concepts/dynamic-secrets.mdx

@@ -0,0 +1,22 @@
+---
+title: "Dynamic Secrets"
+description: "Learn what dynamic secrets are, why they're useful, and how Infisical enables them."
+---
+
+## What is a Dynamic Secret?
+
+A _dynamic secret_ is a time-bound credential generated on demand for a specific user or system. Unlike _static secrets_, which are created and stored ahead of time, or rotated credentials, which are periodically replaced, dynamic secrets don’t exist until they’re requested — and automatically expire shortly after use.
+
+Each secret is unique to the identity that requested it, reducing the risk of reuse, long-term exposure, or accidental leaks. Because they are short-lived and tightly scoped, dynamic secrets are well suited for high-security environments, automated systems, and ephemeral workloads where access needs to be both temporary and auditable.
+
+By limiting the lifespan and visibility of credentials, dynamic secrets offer a strong alternative to managing long-lived secrets manually.
+
+## Dynamic Secrets in Infisical
+
+Infisical generates dynamic secrets in real time when a user or machine identity requests access. Each secret is uniquely scoped to the requesting identity, valid just-in-time only for a limited duration, and automatically revoked after it expires.
+
+Because they are short-lived and identity-specific, dynamic secrets reduce the risk of credential reuse, accidental exposure, or long-term persistence across environments.
+
+When supported for a given integration, using dynamic secrets is strongly recommended. Infisical currently supports dynamic secret templates for commonly used systems including [PostgreSQL](/documentation/platform/dynamic-secrets/postgresql), [MySQL](/documentation/platform/dynamic-secrets/mysql), [Microsoft SQL Server](/documentation/platform/dynamic-secrets/mssql), [MongoDB Atlas](/documentation/platform/dynamic-secrets/mongo-db), [Redis](/documentation/platform/dynamic-secrets/redis), [AWS IAM](/documentation/platform/dynamic-secrets/aws-iam), [GCP IAM](/documentation/platform/dynamic-secrets/gcp-iam), [Azure Entra ID](/documentation/platform/dynamic-secrets/azure-entra-id), and more.
+
+To learn more, refer to the [dynamic secrets documentation](/documentation/platform/dynamic-secrets/overview).

docs/documentation/platform/secrets-mgmt/concepts/secrets-delivery.mdx

@@ -0,0 +1,96 @@
+---
+title: "Fetching Secrets"
+description: "Learn how to deliver secrets from Infisical into the systems, applications, and environments that need them."
+---
+
+Once secrets are stored and scoped in Infisical, the next step is delivering them securely to the systems and applications that need them.
+
+Infisical supports many delivery methods to match a wide range of environments — from [local development](/documentation/platform/secrets-mgmt/concepts/secrets-delivery#local-development%2C-scripts%2C-and-one-off-tasks) to [Kubernetes workloads](/documentation/platform/secrets-mgmt/concepts/secrets-delivery#kubernetes-workloads), [CI/CD pipelines](/documentation/platform/secrets-mgmt/concepts/secrets-delivery#ci%2Fcd-pipelines), [infrastructure-as-code tools](/documentation/platform/secrets-mgmt/concepts/secrets-delivery#infrastructure-as-code-and-automation-tools), and more.
+
+The table below provides a quick overview of which delivery method may be suitable to use based on your environment and how secrets are consumed:
+
+| Use Case / Environment                                | Recommended Method(s)                                                                                                                         | Consumes Secrets As          | Notes                                                              |
+| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ------------------------------------------------------------------ |
+| Local development or scripting                        | [Infisical CLI](/cli/overview)                                                                                                                | Environment variables        | Easiest way to inject secrets during local dev or debugging        |
+| Application code fetching at runtime                  | [SDKs](/sdks/overview), [HTTP API](/api-reference/overview/introduction)                                                                      | In-memory / API call         | Full control in app code; supports dynamic or ephemeral fetching   |
+| VMs, containers, or CI jobs needing preloaded secrets | [Infisical Agent](/integrations/platforms/infisical-agent)                                                                                    | Env vars or files            | Good for non-interactive workloads; avoids inline secret fetch     |
+| GitHub Actions                                        | [Secrets Action](https://github.com/Infisical/secrets-action), [Secret Syncs](/integrations/secret-syncs/github)                              | Env vars or files            | Use Action for dynamic fetch; use Syncs to preload into GitHub     |
+| GitLab CI, Jenkins, other CI                          | [Infisical CLI](/cli/overview), [Infisical Agent](/integrations/platforms/infisical-agent), [Secret Syncs](/integrations/secret-syncs/gitlab) | Env vars or files            | Choose based on timing — fetch at runtime vs. pre-populate ahead   |
+| Kubernetes (declarative secrets)                      | [Kubernetes Operator](/integrations/platforms/kubernetes/overview)                                                                            | Kubernetes Secrets           | Syncs from Infisical into native Kubernetes Secrets                |
+| Kubernetes (ESO-based workflows)                      | [External Secrets Operator (ESO)](https://external-secrets.io/latest/provider/infisical/)                                                     | Kubernetes Secrets           | Reuses existing ESO setup; Infisical acts as a provider            |
+| Kubernetes (file-based, no K8s secrets)               | [Kubernetes Agent Injector](/integrations/platforms/kubernetes-injector)                                                                      | Mounted files                | Injects secrets via init container into volume at pod startup      |
+| Kubernetes (file-based, with rotation)                | [Kubernetes CSI Provider](/integrations/platforms/kubernetes-csi)                                                                             | Mounted files                | Uses CSI driver to mount secrets as files with automatic rotation  |
+| Image builds (VMs or containers)                      | [Packer Plugin](/integrations/frameworks/packer)                                                                                              | Env vars or files            | Inject secrets at image build time                                 |
+| Ansible automation                                    | [Ansible Collection](/integrations/platforms/ansible)                                                                                         | Variables                    | Runtime secret fetching in playbooks using lookup plugin           |
+| Terraform / Pulumi                                    | [Terraform Provider](/integrations/frameworks/terraform), [Pulumi](/integrations/frameworks/pulumi)                                           | Inputs / ephemeral resources | Use ephemeral for security; avoids storing secrets in state        |
+| Third-party platforms (GitHub, AWS, etc.)             | [Secret Syncs](/integrations/secret-syncs/overview)                                                                                           | Preloaded secrets            | Push secrets to platforms that can't fetch directly from Infisical |
+
+From here, you can explore the delivery method that best matches your environment:
+
+## Local Development, Scripts, and One-Off Tasks
+
+For local development, one-off scripts, or basic automation, the [Infisical CLI](/cli/overview) is a quick and flexible option.
+
+Instead of using a `.env` file, you can use [`infisical run`](/cli/commands/run) to inject secrets as environment variables directly into your development process. This provides a cleaner and more secure workflow. You can also use [`infisical secrets`](/cli/commands/secrets#infisical-secrets) to perform CRUD operations on secrets from the command line, which works well for debugging, local tooling, and lightweight scripting.
+
+To learn more, refer to the [CLI quickstart](cli/usage).
+
+## Applications and Services
+
+When secrets need to be accessed directly from within application code, Infisical provides SDKs for [Node.js](https://github.com/Infisical/node-sdk-v2), [Python](https://github.com/Infisical/python-sdk-official), [Go](/sdks/languages/go), [Java](https://github.com/Infisical/java-sdk), [.NET](https://github.com/Infisical/infisical-dotnet-sdk), [C++](https://github.com/Infisical/infisical-cpp-sdk), [Rust](https://github.com/Infisical/rust-sdk), and [Ruby](/sdks/languages/ruby).
+
+These SDKs let services fetch secrets at runtime or startup. For unsupported languages or if you prefer direct integration, you can use the fully documented [HTTP API](/api-reference/overview/introduction) to fetch secrets within your application logic.
+
+This approach gives you fine-grained control but also requires managing authentication and caching.
+
+## Virtual Machines(VMs), Containers, and CI Environments
+
+For systems that shouldn’t fetch secrets themselves — such as production VMs, Docker containers, or CI jobs — the [Infisical Agent](/integrations/platforms/infisical-agent) can be used to sync secrets into the local environment on their behalf.
+
+The agent runs as a lightweight background process and supports injecting secrets into files, environment variables, or application config formats. It's especially useful for non-interactive workloads that expect secrets to already exist at runtime.
+
+You can run the agent as a standalone binary, as a Docker sidecar, or embedded in automation scripts. It works well in environments like:
+
+- VMs that need secrets provisioned at startup.
+- [Docker Swarm](/integrations/platforms/docker-swarm-with-agent) services using shared volumes.
+- [ECS tasks](/integrations/platforms/ecs-with-agent) using EFS for shared secret delivery.
+
+## CI/CD Pipelines
+
+For CI/CD pipelines, the right method depends on the platform.
+
+- On GitHub Actions, the [Infisical Secrets Action](https://github.com/Infisical/secrets-action) provides a native integration that injects secrets as environment variables or `.env` files during workflows. It supports authentication via [AWS IAM](/documentation/platform/identities/aws-auth), [OIDC](/documentation/platform/identities/oidc-auth/github), or [Universal Auth](/documentation/platform/identities/universal-auth) using a Machine Identity.
+- On other CI platforms like GitLab CI, CircleCI, or Jenkins, the CLI or Agent may be used depending on how secrets are consumed — whether at runtime or during setup.
+
+Some CI/CD systems also support [Secret Syncs](/integrations/secret-syncs/overview) as an alternative. Instead of fetching secrets dynamically, you can configure Infisical to forward secrets into [GitHub Actions](/integrations/secret-syncs/github), [GitLab CI](/integrations/secret-syncs/gitlab), and similar platforms ahead of time — allowing them to be used as native environment secrets during jobs.
+
+## Kubernetes Workloads
+
+Infisical supports multiple options for delivering secrets into Kubernetes, each designed to match different operational models and consumption patterns:
+
+- [Infisical Kubernetes Operator](/integrations/platforms/kubernetes/overview): A set of CRDs that sync secrets from Infisical into Kubernetes Secrets, push secrets from Kubernetes back to Infisical, and manage dynamic secrets with automatic leases. Best suited for teams using declarative workflows and wanting to treat secrets as part of infrastructure code.
+
+- [External Secrets Operator (ESO)](https://external-secrets.io/latest/provider/infisical/): Enables syncing Infisical secrets into Kubernetes by defining ExternalSecret resources. Ideal if your team already uses ESO as a centralized way to fetch secrets from multiple providers.
+
+- [Infisical Agent Injector](/integrations/platforms/kubernetes-injector): A Kubernetes mutating admission webhook that injects an init container into your pods. The injected container syncs secrets from Infisical into a shared volume at startup, making them available as files. Useful for workloads that expect file-based secrets and where avoiding Kubernetes Secrets entirely is preferred.
+
+- [Infisical CSI Provider](/integrations/platforms/kubernetes-csi): Integrates with the Kubernetes Secrets Store CSI Driver to mount secrets as files in pods. Supports automatic rotation and fine-grained control over how secrets are structured and updated. Suitable for environments that require file-based secret delivery with rotation, without persisting Kubernetes Secrets.
+
+These methods provide secure, declarative integrations with Kubernetes-native workflows.
+
+## Forwarding to Third-Party Platforms
+
+In some cases, secrets must be delivered into systems that can’t fetch them from Infisical directly.
+
+[Secret Syncs](/integrations/secret-syncs/overview) allow you to forward secrets to platforms such as [GitHub](/integrations/secret-syncs/github), [GitLab](/integrations/secret-syncs/gitlab), [AWS Secrets Manager](/integrations/secret-syncs/aws-secrets-manager), [Vercel](/integrations/secret-syncs/vercel), and more.
+
+This is useful when external systems require secrets to be available ahead of time or expect them in a specific location.
+
+## Infrastructure-as-Code and Automation Tools
+
+Infisical integrates with common IaC and automation tools to help you securely inject secrets into your infrastructure provisioning workflows:
+
+- [Terraform](/integrations/frameworks/terraform): Use the official Infisical Terraform provider to fetch secrets either as ephemeral resources (never written to state files) or as traditional data sources. Ideal for managing cloud infrastructure while keeping secrets secure and version-safe.
+- [Pulumi](/integrations/frameworks/pulumi): Integrate Infisical into Pulumi projects using the Terraform Bridge, allowing you to fetch and manage secrets in TypeScript, Go, Python, or C# — without changing your existing workflows.
+- [Ansible](/integrations/platforms/ansible): Retrieve secrets from Infisical at runtime using the official Ansible Collection and lookup plugin. Works well for dynamic configuration during playbook execution.
+- [Packer](/integrations/frameworks/packer): Inject secrets into VM or container images at build time using the Infisical Packer Plugin — useful for provisioning base images that require secure configuration values.

docs/documentation/platform/secrets-mgmt/concepts/secrets-mgmt.mdx

@@ -0,0 +1,18 @@
+---
+title: "Secrets Management"
+description: "Learn what is secrets management and why it matters for building secure systems."
+---
+
+## What is Secret?
+
+A _secret_ is a confidential value used by an application such as database credential, API key, or other configuration.
+
+In most cases, secrets allow applications to access systems and control how they behave across the development cycle — for example, an application might use a database password stored in an environment variable like `DB_PASSWORD` to connect to production data. These secrets must be kept secure to protect infrastructure and data.
+
+## What is Secrets Management?
+
+As infrastructure scales and systems become more distributed, [secrets sprawl](https://infisical.com/blog/what-is-secret-sprawl). Without consistent security practices, secrets get hardcoded in source code, exposed in environment variables, left unrotated for long periods, and scattered across systems without clear visibility into who can access them.
+
+To solve secret sprawl, organizations rely on [secrets management](https://infisical.com/blog/what-is-secrets-management): the practice of centralizing secrets and managing them through well-defined workflows. This includes secure storage, fine-grained access controls, automatic rotation, audit logging, and support for dynamic, short-lived credentials.
+
+A consistent approach makes it easier to keep secrets safe, reduce risk, and operate reliably across environments.

docs/documentation/platform/secrets-mgmt/concepts/secrets-rotation.mdx

@@ -0,0 +1,18 @@
+---
+title: "Secrets Rotation"
+description: "Learn what secrets rotation is, why it matters, and how Infisical enables it."
+---
+
+## What is Secrets Rotation?
+
+Secrets rotation is the process of regularly replacing credentials like API keys, database passwords, and tokens to reduce the risk of long-term exposure. Even if a secret is compromised, frequent rotation limits how long it can be used.
+
+Without rotation, secrets often go unchanged for months or years — hardcoded in codebases, embedded in CI pipelines, or shared across environments. Over time, this increases the risk of leaks, misuse, and operational blind spots.
+
+## Secrets Rotation in Infisical
+
+Infisical automates rotation using a rolling lifecycle model where new credentials are issued on a fixed schedule with previous ones remaining temporarily valid to give systems time to update without disruption. Each secret moves through three phases: active, inactive, and eventually revoked. This ensures that applications continue to function smoothly throughout the rotation process.
+
+When rotation is applicable for a given secret type, using it is strongly recommended. Infisical supports configuring automatic rotation for a growing set of use cases including [PostgreSQL](/documentation/platform/secret-rotation/postgres-credentials), [MySQL](/documentation/platform/secret-rotation/mysql-credentials), [Microsoft SQL Server](/documentation/platform/secret-rotation/mssql-credentials), [OracleDB](/documentation/platform/secret-rotation/oracledb-credentials), [LDAP](/documentation/platform/secret-rotation/ldap-password), [AWS IAM users](/documentation/platform/secret-rotation/aws-iam-user-secret), [Azure](/documentation/platform/secret-rotation/azure-client-secret) and [Okta](/documentation/platform/secret-rotation/okta-client-secret) client secrets, and more.
+
+To learn more, refer to the [secrets rotation documentation](/documentation/platform/secret-rotation/overview).

docs/documentation/platform/secrets-mgmt/overview.mdx

@@ -12,6 +12,6 @@ Core capabilities include:
 
 - Secret Stores: Secure, versioned storage scoped by [project](/documentation/platform/secrets-mgmt/project), [environment](/documentation/platform/secrets-mgmt/project#project-environments), and [path](/documentation/platform/folder).
 - [Access Control](/documentation/platform/access-controls/overview): Fine-grained, identity-aware permissions for users and machines
-- Secret Delivery: Access secrets via [CLI](/cli/overview), [SDKs](/sdks/overview) (Go, Node.js, Python, etc.), [HTTP API](/api-reference/overview/introduction), [agents](/integrations/platforms/infisical-agent), [Kubernetes Operator](/integrations/platforms/kubernetes/overview), [External Secrets Operator (ESO)](https://external-secrets.io/latest/provider/infisical), and more.
-- Lifecycle Automation: Automate [secret rotation](/documentation/platform/secret-rotation/overview), generate [dynamic secrets](/documentation/platform/dynamic-secrets/overview), and enforce [approval-based workflows](/documentation/platform/pr-workflows).
+- [Secret Delivery](/documentation/platform/secrets-mgmt/concepts/secrets-delivery): Access secrets via [CLI](/cli/overview), [SDKs](/sdks/overview) (Go, Node.js, Python, etc.), [HTTP API](/api-reference/overview/introduction), [agents](/integrations/platforms/infisical-agent), [Kubernetes Operator](/integrations/platforms/kubernetes/overview), [External Secrets Operator (ESO)](https://external-secrets.io/latest/provider/infisical), and more.
+- Lifecycle Automation: Automate [secret rotation](/documentation/platform/secrets-mgmt/concepts/secrets-rotation), generate [dynamic secrets](/documentation/platform/secrets-mgmt/concepts/dynamic-secrets), and enforce [approval-based workflows](/documentation/platform/pr-workflows).
 - [Secrets Syncs](/integrations/secret-syncs/overview): Push secrets to external services like [GitHub](/integrations/secret-syncs/github), [GitLab](/integrations/secret-syncs/gitlab), [AWS Secrets Manager](/integrations/secret-syncs/aws-secrets-manager), [Vercel](/integrations/secret-syncs/vercel), and more.

docs/documentation/platform/ssh/concepts/ssh-certificates.mdx

@@ -0,0 +1,26 @@
+---
+title: "SSH Certificates"
+description: "Learn what SSH certificates are, why they're useful, and how they enable secure, scalable infrastructure access."
+---
+
+SSH access is ubiquitous — It's how engineers, scripts, and platforms across the world remotely administer Linux systems. That said, as teams and systems grow, managing access with static SSH keys becomes brittle and issues like key sprawl, unclear boundaries, and poor revocation hygiene start to emerge.
+
+_SSH certificates_ offer an alternative approach to securing and managing access at scale.
+
+## What is an SSH Certificate?
+
+An _SSH certificate_ is a short-lived, signed credential that proves a user or host’s identity. Unlike static SSH keys, which are distributed and managed manually, SSH certificates rely on a centralized certificate authority (CA) to vouch for identities.
+There are two types of SSH certificates:
+
+- User certificates: Issued to users to authenticate with remote hosts
+- Host certificates: Issued to hosts so clients can verify they're trusted
+
+Because certificates are time-bound and centrally managed, they’re easier to audit, revoke, and scale across infrastructure.
+
+## SSH with Infisical
+
+Infisical SSH gives you a secure, scalable way to manage infrastructure access using SSH certificates — without the overhead of running your own certificate authority, wiring trust across hosts, or building issuance workflows from scratch.
+
+It replaces long-lived SSH keys with short-lived, identity-bound certificates and handles all the moving parts for you: operating CAs, configuring trust between users and hosts, and issuing certificates on demand. With Infisical SSH, you can register a host with [`infisical ssh add-host`](/docs/cli/commands/ssh#infisical-ssh-add-host), then connect with [`infisical ssh connect`](/docs/cli/commands/ssh#infisical-ssh-connect) — that’s all it takes.
+
+The result is centralized, auditable SSH access that’s easy to use and built to scale with your infrastructure.

docs/documentation/platform/ssh/overview.mdx

@@ -1,201 +1,15 @@
 ---
-title: "Overview"
+title: "Infisical SSH"
 sidebarTitle: "Overview"
-description: "Learn how to securely provision user SSH access to your infrastructure using SSH certificates."
+description: "Learn how to manage secure, short-lived SSH access to infrastructure using certificates."
 ---
 
-## Concept
+Infisical SSH provides a secure, certificate-based solution for managing SSH access to infrastructure.
+It replaces long-lived SSH keys with short-lived, identity-bound certificates to reduce key sprawl, simplify access control, and improve auditability.
 
-Infisical SSH can be configured to provide users on your team short-lived, secure SSH access to infrastructure. Under the hood, it uses SSH certificates
-and improves upon traditional SSH key-based authentication by mitigating private key compromise, static key management,
-unauthorized access, and SSH key sprawl.
+Core capabilities include:
 
-The following entities are important to understand when configuring and using Infisical SSH:
-
-- Administrator: An individual on your team who is responsible for configuring Infisical SSH.
-- Users: Other individuals that gain access to remote hosts through Infisical SSH.
-- Host: A remote machine (e.g. EC2 instance, GCP VM, Azure VM, on-prem Linux server, Raspberry Pi, VMware VM, etc.) that users need SSH access to that is registered with Infisical SSH.
-
-## Workflow
-
-The typical workflow for using Infisical SSH consists of the following steps:
-
-1. The administrator registers a remote host with Infisical using the Infisical CLI via the `infisical ssh add-host` command.
-2. The administrator configures Infisical SSH to grant users access to the remote host.
-3. User(s) access the remote host using the Infisical CLI via the `infisical ssh connect` command.
-
-## Admin Guide for Configuring Infisical SSH
-
-In the following steps, we explore how to configure Infisical SSH to control and streamline your team's SSH access to infrastructure. As part of this guide,
-we will register a remote host with Infisical through a [machine identity](/documentation/platform/identities/machine-identities) and configure Infisical to grant user(s) access to the remote host.
-
-<Steps>
-  <Step title="Create an Infisical SSH project">
-    Start by creating a new Infisical SSH project in Infisical.
-    
-    ![ssh project create](/images/platform/ssh/v2/ssh-create-project.png)
-  </Step>
-  <Step title="Create a machine identity for bootstrapping Infisical SSH">
-    2.1. Follow the instructions [here](/documentation/platform/identities/universal-auth) to configure a [machine identity](/documentation/platform/identities/machine-identities) in Infisical with Universal Auth.
-
-    By the end of this step, you should have a **Client ID** and **Client Secret** on hand as part of the Universal Auth configuration for the identity to authenticate with Infisical
-    as part of registering a remote host in step 3.
-
-    <Note>
-        You may use other authentication methods as suitable (e.g. [AWS Auth](/documentation/platform/identities/aws-auth), [Azure Auth](/documentation/platform/identities/azure-auth), [GCP Auth](/documentation/platform/identities/gcp-auth), etc.) as part of the machine identity configuration but, to keep this example simple, we will be using Universal Auth.
-    </Note>
-
-    2.2. Add the machine identity to the Infisical SSH project you created in the previous step and assign it the **SSH Host Bootstrapper** role.
-
-      This role grants the ability to **Create** and **Issue Host Certificates** on the **SSH Host** resource; this will enable the linked machine identity to bootstrap a remote host with Infisical
-      and establish the necessary configuration on it.
-
-      <Tip>
-          If you plan to use a custom role to bootstrap SSH hosts, ensure the role has the **Create** and **Issue Host Certificates** on the **SSH Host** resource.
-      </Tip>
-
-    ![ssh add identity to project](/images/platform/ssh/v2/ssh-add-identity-to-project.png)
-
-  </Step>
-  <Step title="Configure the remote host">
-    3.1. Follow the instructions [here](/cli/overview) to install the Infisical CLI onto the remote host.
-    
-    3.2. Run the commands below to register the remote host with Infisical.
-
-    Use the **Client ID** and **Client Secret** from the machine identity you created in step 2.1 as part of the `infisical login` command
-    to obtain an access token and save it as an environment variable.
-
-    ```bash
-    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain)
-    ```
-
-    Next, use the `infisical ssh add-host` command to register the remote host with Infisical. As part of this command, input the ID of the Infisical SSH project you created in step 1 for the `--projectId` flag and the hostname of the remote host for the `--hostname` flag.
-
-    ```bash
-    sudo infisical ssh add-host --projectId=<project-id> --hostname=<hostname> --token="$INFISICAL_TOKEN" --write-user-ca-to-file --write-host-cert-to-file --configure-sshd
-    ```
-
-    <Tip>
-        Note that if you're self-hosting Infisical, you can use the `--domain` flag on the `infisical login` command to specify the domain of your Infisical instance.
-
-        For more information on the `infisical ssh add-host` command, please refer to the Infisical CLI [documentation](/cli/overview).
-    </Tip>
-
-    If successful, you should see output similar to the following:
-
-    ```bash
-    ✅ Successfully registered host: <hostname>
-    📁 Wrote User CA public key to: /etc/ssh/infisical_user_ca.pub
-    📁 Wrote host certificate to: /etc/ssh/ssh_host_ed25519_key-cert.pub
-    📄 Updated sshd_config entries
-    ```
-
-    Finally, use the following command to reload the SSH daemon on the remote host to apply the changes:
-
-    ```bash
-    sudo systemctl reload sshd
-    ```
-
-    <Note>
-      The command may differ depending on the host. For older versions of Ubuntu/Debian/CentOS, you may need to use `sudo service ssh reload` instead;
-      for Alpine or minimal systems, `/etc/init.d/sshd reload`.
-    </Note>
-
-    Back in Infisical, you should now see the remote host you just registered in the Infisical SSH project you created in step 1 under the **Hosts** tab.
-
-    ![ssh hosts](/images/platform/ssh/v2/ssh-added-hosts.png)
-
-  </Step>
-  <Step title="Grant users access to the remote host">
-    4.1. Add the user(s) you wish to grant access to the remote host to the Infisical SSH project under Access Control > Users.
-    
-    ![ssh hosts](/images/platform/ssh/v2/ssh-add-user.png)
-    
-    4.2. On the registered host in the **Hosts** tab, click **Edit SSH Host** and add a login mapping for the user(s) you added in step 4.1.
-
-    The login mapping dictates what user(s) will be allowed access to the remote host and under a specific login user; in the allowed principals,
-    you should select user(s) part of the Infisical SSH project that will be allowed to login to the remote host as the login user.
-
-    For instance, if you add a mapping with the login user `ec2-user` to some users John and Alice in Infisical, then they will be allowed to login to the remote host as `ec2-user` which is a system user that
-    exists on the remote host.
-
-    ![ssh host mappings](/images/platform/ssh/v2/ssh-host-login-mappings.png)
-
-    <Note>
-        Note that you should configure authorized principals files for each login user you add to the remote host.
-    </Note>
-
-  </Step>
-</Steps>
-
-## User Guide for SSHing to a Host
-
-Once Infisical SSH is configured by an administrator, users can SSH to the remote host using the Infisical CLI.
-
-<Steps>
-    <Step title="Install the Infisical CLI">
-        Follow the instructions [here](/cli/overview) to install the Infisical CLI onto your local machine.
-    </Step>
-    <Step title="Connect to the remote host">
-        The `infisical ssh connect` command can be used in either interactive or non-interactive mode to connect to a remote host.
-
-        <Tabs>
-            <Tab title="Interactive Mode">
-                In interactive mode, you'll first need to authenticate with Infisical by running:
-
-                ```bash
-                infisical login
-                ```
-
-                Then simply run:
-
-                ```bash
-                infisical ssh connect
-                ```
-
-                You'll be prompted to select an SSH Host from a list of accessible hosts; this is based on project membership and login mappings configured on hosts by
-                the administrator.
-
-                ```bash
-                Use the arrow keys to navigate: ↓ ↑ → ←
-                ? Select an SSH Host:
-                ▸ ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com
-                ```
-
-                After selecting a host, you'll be prompted to select a login user from a list of allowed login users:
-
-                ```bash
-                ? Select Login User:
-                ▸ ec2-user
-                ```
-
-                If successful, you should be able to SSH to the remote host.
-
-                ```bash
-                ✔ ec2-54-199-104-116.ap-northeast-1.compute.amazonaws.com
-                ✔ ec2-user
-                ✔ SSH credentials successfully added to agent
-                Connecting to ec2-user@ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com...
-                ```
-            </Tab>
-            <Tab title="Non-Interactive Mode">
-                For CI/CD pipelines or automation scenarios, you can use the non-interactive mode with an Infisical token:
-
-                ```bash
-                infisical ssh connect \
-                  --hostname ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com \
-                  --login-user ec2-user \
-                  --out-file-path ~/.ssh/id_rsa-cert.pub \
-                  --token <your-infisical-token>
-                ```
-
-                This will:
-                - Connect to the specified hostname
-                - Use the specified login user
-                - Write the SSH credentials to the specified path instead of adding them to the SSH agent
-                - Authenticate using the provided Infisical token
-            </Tab>
-        </Tabs>
-    </Step>
-
-</Steps>
+- Certificate Authority (CA): Managed CA infrastructure for issuing short-lived SSH certificates.
+- Centralized Access Management: View all registered hosts, see who has access to each, and control permissions from a single interface.
+- Easy Host Registration & Connection: Quickly register hosts and connect using short-lived certificates without manual key distribution.
+- Audit Logging: Detailed records of certificate issuance and SSH access activity.

docs/documentation/platform/ssh/usage.mdx

@@ -0,0 +1,201 @@
+---
+title: "Overview"
+sidebarTitle: "Overview"
+description: "Learn how to securely provision user SSH access to your infrastructure using SSH certificates."
+---
+
+## Concept
+
+Infisical SSH can be configured to provide users on your team short-lived, secure SSH access to infrastructure. Under the hood, it uses SSH certificates
+and improves upon traditional SSH key-based authentication by mitigating private key compromise, static key management,
+unauthorized access, and SSH key sprawl.
+
+The following entities are important to understand when configuring and using Infisical SSH:
+
+- Administrator: An individual on your team who is responsible for configuring Infisical SSH.
+- Users: Other individuals that gain access to remote hosts through Infisical SSH.
+- Host: A remote machine (e.g. EC2 instance, GCP VM, Azure VM, on-prem Linux server, Raspberry Pi, VMware VM, etc.) that users need SSH access to that is registered with Infisical SSH.
+
+## Workflow
+
+The typical workflow for using Infisical SSH consists of the following steps:
+
+1. The administrator registers a remote host with Infisical using the Infisical CLI via the `infisical ssh add-host` command.
+2. The administrator configures Infisical SSH to grant users access to the remote host.
+3. User(s) access the remote host using the Infisical CLI via the `infisical ssh connect` command.
+
+## Admin Guide for Configuring Infisical SSH
+
+In the following steps, we explore how to configure Infisical SSH to control and streamline your team's SSH access to infrastructure. As part of this guide,
+we will register a remote host with Infisical through a [machine identity](/documentation/platform/identities/machine-identities) and configure Infisical to grant user(s) access to the remote host.
+
+<Steps>
+  <Step title="Create an Infisical SSH project">
+    Start by creating a new Infisical SSH project in Infisical.
+    
+    ![ssh project create](/images/platform/ssh/v2/ssh-create-project.png)
+  </Step>
+  <Step title="Create a machine identity for bootstrapping Infisical SSH">
+    2.1. Follow the instructions [here](/documentation/platform/identities/universal-auth) to configure a [machine identity](/documentation/platform/identities/machine-identities) in Infisical with Universal Auth.
+
+    By the end of this step, you should have a **Client ID** and **Client Secret** on hand as part of the Universal Auth configuration for the identity to authenticate with Infisical
+    as part of registering a remote host in step 3.
+
+    <Note>
+        You may use other authentication methods as suitable (e.g. [AWS Auth](/documentation/platform/identities/aws-auth), [Azure Auth](/documentation/platform/identities/azure-auth), [GCP Auth](/documentation/platform/identities/gcp-auth), etc.) as part of the machine identity configuration but, to keep this example simple, we will be using Universal Auth.
+    </Note>
+
+    2.2. Add the machine identity to the Infisical SSH project you created in the previous step and assign it the **SSH Host Bootstrapper** role.
+
+      This role grants the ability to **Create** and **Issue Host Certificates** on the **SSH Host** resource; this will enable the linked machine identity to bootstrap a remote host with Infisical
+      and establish the necessary configuration on it.
+
+      <Tip>
+          If you plan to use a custom role to bootstrap SSH hosts, ensure the role has the **Create** and **Issue Host Certificates** on the **SSH Host** resource.
+      </Tip>
+
+    ![ssh add identity to project](/images/platform/ssh/v2/ssh-add-identity-to-project.png)
+
+  </Step>
+  <Step title="Configure the remote host">
+    3.1. Follow the instructions [here](/cli/overview) to install the Infisical CLI onto the remote host.
+    
+    3.2. Run the commands below to register the remote host with Infisical.
+
+    Use the **Client ID** and **Client Secret** from the machine identity you created in step 2.1 as part of the `infisical login` command
+    to obtain an access token and save it as an environment variable.
+
+    ```bash
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<identity-client-id> --client-secret=<identity-client-secret> --silent --plain)
+    ```
+
+    Next, use the `infisical ssh add-host` command to register the remote host with Infisical. As part of this command, input the ID of the Infisical SSH project you created in step 1 for the `--projectId` flag and the hostname of the remote host for the `--hostname` flag.
+
+    ```bash
+    sudo infisical ssh add-host --projectId=<project-id> --hostname=<hostname> --token="$INFISICAL_TOKEN" --write-user-ca-to-file --write-host-cert-to-file --configure-sshd
+    ```
+
+    <Tip>
+        Note that if you're self-hosting Infisical, you can use the `--domain` flag on the `infisical login` command to specify the domain of your Infisical instance.
+
+        For more information on the `infisical ssh add-host` command, please refer to the Infisical CLI [documentation](/cli/overview).
+    </Tip>
+
+    If successful, you should see output similar to the following:
+
+    ```bash
+    ✅ Successfully registered host: <hostname>
+    📁 Wrote User CA public key to: /etc/ssh/infisical_user_ca.pub
+    📁 Wrote host certificate to: /etc/ssh/ssh_host_ed25519_key-cert.pub
+    📄 Updated sshd_config entries
+    ```
+
+    Finally, use the following command to reload the SSH daemon on the remote host to apply the changes:
+
+    ```bash
+    sudo systemctl reload sshd
+    ```
+
+    <Note>
+      The command may differ depending on the host. For older versions of Ubuntu/Debian/CentOS, you may need to use `sudo service ssh reload` instead;
+      for Alpine or minimal systems, `/etc/init.d/sshd reload`.
+    </Note>
+
+    Back in Infisical, you should now see the remote host you just registered in the Infisical SSH project you created in step 1 under the **Hosts** tab.
+
+    ![ssh hosts](/images/platform/ssh/v2/ssh-added-hosts.png)
+
+  </Step>
+  <Step title="Grant users access to the remote host">
+    4.1. Add the user(s) you wish to grant access to the remote host to the Infisical SSH project under Access Control > Users.
+    
+    ![ssh hosts](/images/platform/ssh/v2/ssh-add-user.png)
+    
+    4.2. On the registered host in the **Hosts** tab, click **Edit SSH Host** and add a login mapping for the user(s) you added in step 4.1.
+
+    The login mapping dictates what user(s) will be allowed access to the remote host and under a specific login user; in the allowed principals,
+    you should select user(s) part of the Infisical SSH project that will be allowed to login to the remote host as the login user.
+
+    For instance, if you add a mapping with the login user `ec2-user` to some users John and Alice in Infisical, then they will be allowed to login to the remote host as `ec2-user` which is a system user that
+    exists on the remote host.
+
+    ![ssh host mappings](/images/platform/ssh/v2/ssh-host-login-mappings.png)
+
+    <Note>
+        Note that you should configure authorized principals files for each login user you add to the remote host.
+    </Note>
+
+  </Step>
+</Steps>
+
+## User Guide for SSHing to a Host
+
+Once Infisical SSH is configured by an administrator, users can SSH to the remote host using the Infisical CLI.
+
+<Steps>
+    <Step title="Install the Infisical CLI">
+        Follow the instructions [here](/cli/overview) to install the Infisical CLI onto your local machine.
+    </Step>
+    <Step title="Connect to the remote host">
+        The `infisical ssh connect` command can be used in either interactive or non-interactive mode to connect to a remote host.
+
+        <Tabs>
+            <Tab title="Interactive Mode">
+                In interactive mode, you'll first need to authenticate with Infisical by running:
+
+                ```bash
+                infisical login
+                ```
+
+                Then simply run:
+
+                ```bash
+                infisical ssh connect
+                ```
+
+                You'll be prompted to select an SSH Host from a list of accessible hosts; this is based on project membership and login mappings configured on hosts by
+                the administrator.
+
+                ```bash
+                Use the arrow keys to navigate: ↓ ↑ → ←
+                ? Select an SSH Host:
+                ▸ ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com
+                ```
+
+                After selecting a host, you'll be prompted to select a login user from a list of allowed login users:
+
+                ```bash
+                ? Select Login User:
+                ▸ ec2-user
+                ```
+
+                If successful, you should be able to SSH to the remote host.
+
+                ```bash
+                ✔ ec2-54-199-104-116.ap-northeast-1.compute.amazonaws.com
+                ✔ ec2-user
+                ✔ SSH credentials successfully added to agent
+                Connecting to ec2-user@ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com...
+                ```
+            </Tab>
+            <Tab title="Non-Interactive Mode">
+                For CI/CD pipelines or automation scenarios, you can use the non-interactive mode with an Infisical token:
+
+                ```bash
+                infisical ssh connect \
+                  --hostname ec2-12-345-678-910.ap-northeast-1.compute.amazonaws.com \
+                  --login-user ec2-user \
+                  --out-file-path ~/.ssh/id_rsa-cert.pub \
+                  --token <your-infisical-token>
+                ```
+
+                This will:
+                - Connect to the specified hostname
+                - Use the specified login user
+                - Write the SSH credentials to the specified path instead of adding them to the SSH agent
+                - Authenticate using the provided Infisical token
+            </Tab>
+        </Tabs>
+    </Step>
+
+</Steps>

docs/integrations/platforms/kubernetes/overview.mdx

@@ -22,7 +22,7 @@ It can also automatically reload dependent Deployments resources whenever releva
 
 ## Install 
 
-The operator can be install via [Helm](https://helm.sh). Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.
+The operator can be installed via [Helm](https://helm.sh). Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.
 
 **Install the latest Helm repository**
 ```bash
@@ -229,9 +229,9 @@ The managed secret created by the operator will not be deleted when the operator
 
 <Tabs>
 	 <Tab title="Helm">
-		Install Infisical Helm repository 
+		Uninstall Infisical Helm repository 
     ```bash
     helm uninstall <release name>
     ```
    </Tab>
-</Tabs>
+</Tabs>

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -9,6 +9,10 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
         - Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Sync** permissions
         - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
+<Note>
+  For workflows involving large amounts of secrets or frequent syncs, we recommend increasing your [AWS Parameter Store throughput quota](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-throughput.html) to avoid rate limiting.
+</Note>
+
 <Tabs>
     <Tab title="Infisical UI">
         1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.

docs/internals/permissions/project-permissions.mdx

@@ -142,12 +142,12 @@ Below is a comprehensive list of all available project-level subjects and their
 Supports conditions and permission inversion
 | Action | Description | Notes |
 | -------- | ------------------------------- | ----- |
-| `read` | View secrets and their values     | This action is the equivalent of granting both `describeSecret` and `readValue`. The `read` action is considered **legacy**. You should use the `describeSecret` and/or `readValue` actions instead.       |
+| `read` | View secrets and their values | This action is the equivalent of granting both `describeSecret` and `readValue`. The `read` action is considered **legacy**. You should use the `describeSecret` and/or `readValue` actions instead. |
 | `describeSecret` | View secret details such as key, path, metadata, tags, and more | If you are using the API, you can pass `viewSecretValue: false` to the API call to retrieve secrets without their values. |
 | `readValue` | View the value of a secret.| In order to read secret values, the `describeSecret` action must also be granted. |
-| `create` | Add new secrets to the project  |       |
-| `edit` | Modify existing secret values     |       |
-| `delete` | Remove secrets from the project |       |
+| `create` | Add new secrets to the project | |
+| `edit` | Modify existing secret values | |
+| `delete` | Remove secrets from the project | |
 
 #### Subject: `secret-folders`
 
@@ -169,6 +169,15 @@ Supports conditions and permission inversion
 | `edit` | Modify secret imports |
 | `delete` | Remove secret imports |
 
+#### Subject: `secret-events`
+
+| Action                          | Description                                                   |
+| ------------------------------- | ------------------------------------------------------------- |
+| `subscribe-on-created`          | Subscribe to events when secrets are created                  |
+| `subscribe-on-updated`          | Subscribe to events when secrets are updated                  |
+| `subscribe-on-deleted`          | Subscribe to events when secrets are deleted                  |
+| `subscribe-on-import-mutations` | Subscribe to events when secrets are modified through imports |
+
 #### Subject: `secret-rollback`
 
 | Action   | Description                        |
@@ -178,10 +187,10 @@ Supports conditions and permission inversion
 
 #### Subject: `commits`
 
-| Action   | Description                        |
-| -------- | ---------------------------------- |
-| `read`   | View commits and changes across folders |
-| `perform-rollback` | Roll back commits changes and restore folders to previous state|
+| Action             | Description                                                     |
+| ------------------ | --------------------------------------------------------------- |
+| `read`             | View commits and changes across folders                         |
+| `perform-rollback` | Roll back commits changes and restore folders to previous state |
 
 #### Subject: `secret-approval`
 
@@ -197,14 +206,14 @@ Supports conditions and permission inversion
 #### Subject: `secret-rotation`
 
 Supports conditions and permission inversion
-| Action                         | Description                                    |
+| Action | Description |
 | ------------------------------ | ---------------------------------------------- |
-| `read`                         | View secret rotation configurations            |
-| `read-generated-credentials`   | View the generated credentials of a rotation   |
-| `create`                       | Set up secret rotation configurations          |
-| `edit`                         | Modify secret rotation configurations          |
-| `rotate-secrets`               | Rotate the generated credentials of a rotation |
-| `delete`                       | Remove secret rotation configurations          |
+| `read` | View secret rotation configurations |
+| `read-generated-credentials` | View the generated credentials of a rotation |
+| `create` | Set up secret rotation configurations |
+| `edit` | Modify secret rotation configurations |
+| `rotate-secrets` | Rotate the generated credentials of a rotation |
+| `delete` | Remove secret rotation configurations |
 
 #### Subject: `secret-syncs`
 
@@ -263,12 +272,12 @@ Supports conditions and permission inversion
 
 #### Subject: `certificates`
 
-| Action               | Description                   |
-| -------------------- | ----------------------------- |
-| `read`               | View certificates             |
-| `read-private-key`   | Read certificate private key  |
-| `create`             | Issue new certificates        |
-| `delete`             | Revoke or remove certificates |
+| Action             | Description                   |
+| ------------------ | ----------------------------- |
+| `read`             | View certificates             |
+| `read-private-key` | Read certificate private key  |
+| `create`           | Issue new certificates        |
+| `delete`           | Revoke or remove certificates |
 
 #### Subject: `certificate-templates`
 
@@ -330,8 +339,8 @@ Supports conditions and permission inversion
 
 #### Subject: `secret-scanning-data-sources`
 
-| Action   | Description                                          |
-| -------- | ---------------------------------------------------- |
+| Action                       | Description                      |
+| ---------------------------- | -------------------------------- |
 | `read-data-sources`          | View Data Sources                |
 | `create-data-sources`        | Create new Data Sources          |
 | `edit-data-sources`          | Modify Data Sources              |
@@ -342,15 +351,14 @@ Supports conditions and permission inversion
 
 #### Subject: `secret-scanning-findings`
 
-| Action   | Description                       |
-| -------- | --------------------------------- |
-| `read-findings`     | View Secret Scanning Findings   |
-| `update-findings`   | Update Secret Scanning Findings |
-
+| Action            | Description                     |
+| ----------------- | ------------------------------- |
+| `read-findings`   | View Secret Scanning Findings   |
+| `update-findings` | Update Secret Scanning Findings |
 
 #### Subject: `secret-scanning-configs`
 
-| Action           | Description                                      |
-| ---------------- | ------------------------------------------------ |
-| `read-configs`   | View Secret Scanning Project Configuration       |
-| `update-configs` | Update Secret Scanning Project Configuration     |
+| Action           | Description                                  |
+| ---------------- | -------------------------------------------- |
+| `read-configs`   | View Secret Scanning Project Configuration   |
+| `update-configs` | Update Secret Scanning Project Configuration |

docs/internals/security.mdx

@@ -92,12 +92,11 @@ Infisical Cloud utilizes several strategies to ensure high availability, leverag
 
 ## Cross-Region Replication for Disaster Recovery (Infisical Cloud)
 
-To handle regional failures, Infisical Cloud keeps standby regions updated and ready to take over when needed.
+To handle regional failures, Infisical Cloud keeps backups both within AWS and across cloud providers in GCP updated and ready to take over when needed.
 
 - ElastiCache (Redis): Data is replicated across regions using AWS Global Datastore, keeping cached data consistent and available even if a primary region goes down.
-- RDS (PostgreSQL): Cross-region read replicas ensure database data is available in multiple locations, allowing for failover in case of a regional outage.
+- RDS (PostgreSQL): Cross-region read replicas ensure database data is available in multiple AWS locations, with additional replication to GCP for multi-cloud disaster recovery, allowing for failover in case of a regional outage or cloud provider issues.
 
-With standby regions and automated failovers in place, Infisical Cloud faces minimal service disruptions even during large-scale outages.
 
 ## Penetration testing
 

frontend/public/locales/en/translations.json

@@ -53,8 +53,8 @@
     "project-id": "Project ID",
     "save-changes": "Save Changes",
     "saved": "Saved",
-    "drop-zone": "Drag and drop a .env, .json, or .yml file here.",
-    "drop-zone-keys": "Drag and drop a .env, .json, or .yml file here to add more secrets.",
+    "drop-zone": "Drag and drop a .env, .json, .csv, or .yml file here.",
+    "drop-zone-keys": "Drag and drop a .env, .json, .csv, or .yml file here to add more secrets.",
     "role": "Role",
     "role_admin": "admin",
     "display-name": "Display Name",

frontend/src/components/features/TtlFormLabel.tsx

@@ -1,4 +1,4 @@
-import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
+import { faArrowUpRightFromSquare, faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { FormLabel, Tooltip } from "../v2";
@@ -10,15 +10,18 @@ export const TtlFormLabel = ({ label }: { label: string }) => (
       label={label}
       icon={
         <Tooltip
+          className="max-w-lg"
           content={
             <span>
+              Examples: 30m, 1h, 3d, etc.{" "}
               <a
                 href="https://github.com/vercel/ms?tab=readme-ov-file#examples"
                 target="_blank"
                 rel="noopener noreferrer"
-                className="text-primary-700"
+                className="text-primary-500 hover:text-mineshaft-100"
               >
-                More
+                See More Examples{" "}
+                <FontAwesomeIcon size="xs" className="mt-0.5" icon={faArrowUpRightFromSquare} />
               </a>
             </span>
           }
@@ -26,7 +29,7 @@ export const TtlFormLabel = ({ label }: { label: string }) => (
           <FontAwesomeIcon
             icon={faQuestionCircle}
             size="sm"
-            className="relative bottom-px right-1"
+            className="relative right-1 mt-0.5 text-mineshaft-300"
           />
         </Tooltip>
       }

frontend/src/components/roles/RoleOption.tsx

@@ -0,0 +1,29 @@
+import { components, OptionProps } from "react-select";
+import { faCheckCircle } from "@fortawesome/free-regular-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+export const RoleOption = ({
+  isSelected,
+  children,
+  ...props
+}: OptionProps<{ name: string; slug: string; description?: string | undefined }>) => {
+  return (
+    <components.Option isSelected={isSelected} {...props}>
+      <div className="flex flex-row items-center justify-between">
+        <div>
+          <p className="truncate">{children}</p>
+          {props.data.description ? (
+            <p className="truncate text-xs leading-4 text-mineshaft-400">
+              {props.data.description}
+            </p>
+          ) : (
+            <p className="text-xs leading-4 text-mineshaft-400/50">No Description</p>
+          )}
+        </div>
+        {isSelected && (
+          <FontAwesomeIcon className="ml-2 text-primary" icon={faCheckCircle} size="sm" />
+        )}
+      </div>
+    </components.Option>
+  );
+};

frontend/src/components/roles/index.tsx

@@ -0,0 +1 @@
+export * from "./RoleOption";

frontend/src/components/utilities/parseSecrets.ts

@@ -165,3 +165,61 @@ export function parseYaml(src: ArrayBuffer | string) {
 
   return result;
 }
+
+function detectSeparator(csvContent: string): string {
+  const firstLine = csvContent.split("\n")[0];
+  const separators = [",", ";", "\t", "|"];
+
+  const counts = separators.map((sep) => ({
+    separator: sep,
+    count: (firstLine.match(new RegExp(`\\${sep}`, "g")) || []).length
+  }));
+
+  const detected = counts.reduce((max, curr) => (curr.count > max.count ? curr : max));
+
+  return detected.count > 0 ? detected.separator : ",";
+}
+
+export function parseCsvToMatrix(src: ArrayBuffer | string): string[][] {
+  let csvContent: string;
+  if (typeof src === "string") {
+    csvContent = src;
+  } else {
+    csvContent = new TextDecoder("utf-8").decode(src);
+  }
+
+  const separator = detectSeparator(csvContent);
+  const lines = csvContent.replace(/\r\n?/g, "\n").split("\n");
+  const matrix: string[][] = [];
+
+  lines.forEach((line) => {
+    if (line.trim() !== "") {
+      const cells: string[] = [];
+      let currentCell = "";
+      let inQuote = false;
+
+      for (let i = 0; i < line.length; i += 1) {
+        const char = line[i];
+        const nextChar = line[i + 1];
+
+        if (char === '"') {
+          if (inQuote && nextChar === '"') {
+            currentCell += '"';
+            i += 1;
+          } else {
+            inQuote = !inQuote;
+          }
+        } else if (char === separator && !inQuote) {
+          cells.push(currentCell.trim());
+          currentCell = "";
+        } else {
+          currentCell += char;
+        }
+      }
+      cells.push(currentCell.trim());
+      matrix.push(cells);
+    }
+  });
+
+  return matrix;
+}

frontend/src/context/ProjectPermissionContext/types.ts

@@ -143,6 +143,13 @@ export enum ProjectPermissionSecretScanningConfigActions {
   Update = "update-configs"
 }
 
+export enum ProjectPermissionSecretEventActions {
+  SubscribeCreated = "subscribe-on-created",
+  SubscribeUpdated = "subscribe-on-updated",
+  SubscribeDeleted = "subscribe-on-deleted",
+  SubscribeImportMutations = "subscribe-on-import-mutations"
+}
+
 export enum PermissionConditionOperators {
   $IN = "$in",
   $ALL = "$all",
@@ -172,7 +179,8 @@ export type ConditionalProjectPermissionSubject =
   | ProjectPermissionSub.CertificateTemplates
   | ProjectPermissionSub.SecretFolders
   | ProjectPermissionSub.SecretImports
-  | ProjectPermissionSub.SecretRotation;
+  | ProjectPermissionSub.SecretRotation
+  | ProjectPermissionSub.SecretEvents;
 
 export const formatedConditionsOperatorNames: { [K in PermissionConditionOperators]: string } = {
   [PermissionConditionOperators.$EQ]: "equal to",
@@ -250,7 +258,8 @@ export enum ProjectPermissionSub {
   Commits = "commits",
   SecretScanningDataSources = "secret-scanning-data-sources",
   SecretScanningFindings = "secret-scanning-findings",
-  SecretScanningConfigs = "secret-scanning-configs"
+  SecretScanningConfigs = "secret-scanning-configs",
+  SecretEvents = "secret-events"
 }
 
 export type SecretSubjectFields = {
@@ -260,6 +269,14 @@ export type SecretSubjectFields = {
   secretTags: string[];
 };
 
+export type SecretEventSubjectFields = {
+  environment: string;
+  secretPath: string;
+  secretName: string;
+  secretTags: string[];
+  action: string;
+};
+
 export type SecretFolderSubjectFields = {
   environment: string;
   secretPath: string;
@@ -403,6 +420,13 @@ export type ProjectPermissionSet =
       ProjectPermissionSub.SecretScanningDataSources
     ]
   | [ProjectPermissionSecretScanningFindingActions, ProjectPermissionSub.SecretScanningFindings]
-  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs];
+  | [ProjectPermissionSecretScanningConfigActions, ProjectPermissionSub.SecretScanningConfigs]
+  | [
+      ProjectPermissionSecretEventActions,
+      (
+        | ProjectPermissionSub.SecretEvents
+        | (ForcedSubject<ProjectPermissionSub.SecretEvents> & SecretEventSubjectFields)
+      )
+    ];
 
 export type TProjectPermission = MongoAbility<ProjectPermissionSet>;

frontend/src/helpers/key.ts

@@ -1,84 +0,0 @@
-import Aes256Gcm from "@app/components/utilities/cryptography/aes-256-gcm";
-import { deriveArgonKey } from "@app/components/utilities/cryptography/crypto";
-
-/**
- * @param {Object} obj
- * @param {Number} obj.encryptionVersion
- * @param {String} obj.encryptedPrivateKey
- * @param {String} obj.iv
- * @param {String} obj.tag
- * @param {String} obj.password
- * @param {String} obj.salt
- * @param {String} obj.protectedKey
- * @param {String} obj.protectedKeyIV
- * @param {String} obj.protectedKeyTag
- */
-const decryptPrivateKeyHelper = async ({
-  encryptionVersion,
-  encryptedPrivateKey,
-  iv,
-  tag,
-  password,
-  salt,
-  protectedKey,
-  protectedKeyIV,
-  protectedKeyTag
-}: {
-  encryptionVersion: number;
-  encryptedPrivateKey: string;
-  iv: string;
-  tag: string;
-  password: string;
-  salt: string;
-  protectedKey?: string;
-  protectedKeyIV?: string;
-  protectedKeyTag?: string;
-}) => {
-  let privateKey;
-  try {
-    if (encryptionVersion === 1) {
-      privateKey = Aes256Gcm.decrypt({
-        ciphertext: encryptedPrivateKey,
-        iv,
-        tag,
-        secret: password
-          .slice(0, 32)
-          .padStart(32 + (password.slice(0, 32).length - new Blob([password]).size), "0")
-      });
-    } else if (encryptionVersion === 2 && protectedKey && protectedKeyIV && protectedKeyTag) {
-      const derivedKey = await deriveArgonKey({
-        password,
-        salt,
-        mem: 65536,
-        time: 3,
-        parallelism: 1,
-        hashLen: 32
-      });
-
-      if (!derivedKey) throw new Error("Failed to generate derived key");
-
-      const key = Aes256Gcm.decrypt({
-        ciphertext: protectedKey,
-        iv: protectedKeyIV,
-        tag: protectedKeyTag,
-        secret: Buffer.from(derivedKey.hash)
-      });
-
-      // decrypt back the private key
-      privateKey = Aes256Gcm.decrypt({
-        ciphertext: encryptedPrivateKey,
-        iv,
-        tag,
-        secret: Buffer.from(key, "hex")
-      });
-    } else {
-      throw new Error("Insufficient details to decrypt private key");
-    }
-  } catch {
-    throw new Error("Failed to decrypt private key");
-  }
-
-  return privateKey;
-};
-
-export { decryptPrivateKeyHelper };

frontend/src/hooks/api/accessApproval/mutation.tsx

@@ -6,10 +6,12 @@ import { apiRequest } from "@app/config/request";
 import { accessApprovalKeys } from "./queries";
 import {
   TAccessApproval,
+  TAccessApprovalRequest,
   TCreateAccessPolicyDTO,
   TCreateAccessRequestDTO,
   TDeleteSecretPolicyDTO,
-  TUpdateAccessPolicyDTO
+  TUpdateAccessPolicyDTO,
+  TUpdateAccessRequestDTO
 } from "./types";
 
 export const useCreateAccessApprovalPolicy = () => {
@@ -26,7 +28,8 @@ export const useCreateAccessApprovalPolicy = () => {
       secretPath,
       enforcementLevel,
       allowedSelfApprovals,
-      approvalsRequired
+      approvalsRequired,
+      maxTimePeriod
     }) => {
       const { data } = await apiRequest.post("/api/v1/access-approvals/policies", {
         environments,
@@ -38,7 +41,8 @@ export const useCreateAccessApprovalPolicy = () => {
         name,
         enforcementLevel,
         allowedSelfApprovals,
-        approvalsRequired
+        approvalsRequired,
+        maxTimePeriod
       });
       return data;
     },
@@ -64,7 +68,8 @@ export const useUpdateAccessApprovalPolicy = () => {
       enforcementLevel,
       allowedSelfApprovals,
       approvalsRequired,
-      environments
+      environments,
+      maxTimePeriod
     }) => {
       const { data } = await apiRequest.patch(`/api/v1/access-approvals/policies/${id}`, {
         approvals,
@@ -75,7 +80,8 @@ export const useUpdateAccessApprovalPolicy = () => {
         enforcementLevel,
         allowedSelfApprovals,
         approvalsRequired,
-        environments
+        environments,
+        maxTimePeriod
       });
       return data;
     },
@@ -130,6 +136,25 @@ export const useCreateAccessRequest = () => {
   });
 };
 
+export const useUpdateAccessRequest = () => {
+  const queryClient = useQueryClient();
+  return useMutation<TAccessApprovalRequest, object, TUpdateAccessRequestDTO>({
+    mutationFn: async ({ requestId, ...payload }) => {
+      const { data } = await apiRequest.patch<{ approval: TAccessApprovalRequest }>(
+        `/api/v1/access-approvals/requests/${requestId}`,
+        payload
+      );
+
+      return data.approval;
+    },
+    onSuccess: (_, { projectSlug }) => {
+      queryClient.invalidateQueries({
+        queryKey: accessApprovalKeys.getAccessApprovalRequests(projectSlug)
+      });
+    }
+  });
+};
+
 export const useReviewAccessRequest = () => {
   const queryClient = useQueryClient();
   return useMutation<

frontend/src/hooks/api/accessApproval/queries.tsx

@@ -24,7 +24,7 @@ export const accessApprovalKeys = {
     envSlug?: string,
     requestedBy?: string,
     bypassReason?: string
-  ) => [{ projectSlug, envSlug, requestedBy, bypassReason }, "access-approvals-requests"] as const,
+  ) => ["access-approvals-requests", projectSlug, envSlug, requestedBy, bypassReason] as const,
   getAccessApprovalRequestCount: (projectSlug: string, policyId?: string) =>
     [{ projectSlug }, "access-approval-request-count", ...(policyId ? [policyId] : [])] as const
 };

frontend/src/hooks/api/accessApproval/types.ts

@@ -18,6 +18,7 @@ export type TAccessApprovalPolicy = {
   approvers?: Approver[];
   bypassers?: Bypasser[];
   allowedSelfApprovals: boolean;
+  maxTimePeriod?: string | null;
 };
 
 export enum ApproverType {
@@ -93,6 +94,7 @@ export type TAccessApprovalRequest = {
     enforcementLevel: EnforcementLevel;
     deletedAt: Date | null;
     allowedSelfApprovals: boolean;
+    maxTimePeriod?: string | null;
   };
 
   reviewers: {
@@ -101,6 +103,8 @@ export type TAccessApprovalRequest = {
   }[];
 
   note?: string;
+  editNote?: string;
+  editedByUserId?: string;
 };
 
 export type TAccessApproval = {
@@ -144,6 +148,13 @@ export type TCreateAccessRequestDTO = {
   note?: string;
 } & Omit<TProjectUserPrivilege, "id" | "createdAt" | "updatedAt" | "slug" | "projectMembershipId">;
 
+export type TUpdateAccessRequestDTO = {
+  requestId: string;
+  editNote: string;
+  temporaryRange: string;
+  projectSlug: string;
+};
+
 export type TGetAccessApprovalRequestsDTO = {
   projectSlug: string;
   policyId?: string;
@@ -173,6 +184,7 @@ export type TCreateAccessPolicyDTO = {
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
+  maxTimePeriod?: string | null;
 };
 
 export type TUpdateAccessPolicyDTO = {
@@ -188,6 +200,7 @@ export type TUpdateAccessPolicyDTO = {
   // for invalidating list
   projectSlug: string;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
+  maxTimePeriod?: string | null;
 };
 
 export type TDeleteSecretPolicyDTO = {

frontend/src/hooks/api/admin/types.ts

@@ -74,15 +74,6 @@ export type TCreateAdminUserDTO = {
   password: string;
   firstName: string;
   lastName?: string;
-  protectedKey: string;
-  protectedKeyTag: string;
-  protectedKeyIV: string;
-  encryptedPrivateKey: string;
-  encryptedPrivateKeyIV: string;
-  encryptedPrivateKeyTag: string;
-  publicKey: string;
-  verifier: string;
-  salt: string;
 };
 
 export type AdminGetOrganizationsFilters = {

frontend/src/hooks/api/dynamicSecret/mutation.ts

@@ -43,12 +43,15 @@ export const useUpdateDynamicSecret = () => {
       );
       return data.dynamicSecret;
     },
-    onSuccess: (_, { path, environmentSlug, projectSlug }) => {
+    onSuccess: (_, { path, environmentSlug, projectSlug, name }) => {
       // TODO: optimize but currently don't pass projectId
       queryClient.invalidateQueries({ queryKey: dashboardKeys.all() });
       queryClient.invalidateQueries({
         queryKey: dynamicSecretKeys.list({ path, projectSlug, environmentSlug })
       });
+      queryClient.invalidateQueries({
+        queryKey: dynamicSecretKeys.details({ path, projectSlug, environmentSlug, name })
+      });
     }
   });
 };

frontend/src/hooks/api/dynamicSecret/types.ts

@@ -37,7 +37,8 @@ export enum DynamicSecretProviders {
   Kubernetes = "kubernetes",
   Vertica = "vertica",
   GcpIam = "gcp-iam",
-  Github = "github"
+  Github = "github",
+  Couchbase = "couchbase"
 }
 
 export enum KubernetesDynamicSecretCredentialType {
@@ -353,6 +354,38 @@ export type TDynamicSecretProvider =
         installationId: number;
         privateKey: string;
       };
+    }
+  | {
+      type: DynamicSecretProviders.Couchbase;
+      inputs: {
+        url: string;
+        orgId: string;
+        projectId: string;
+        clusterId: string;
+        roles: string[];
+        buckets:
+          | string
+          | Array<{
+              name: string;
+              scopes?: Array<{
+                name: string;
+                collections?: string[];
+              }>;
+            }>;
+        passwordRequirements?: {
+          length: number;
+          required: {
+            lowercase: number;
+            uppercase: number;
+            digits: number;
+            symbols: number;
+          };
+          allowedSymbols?: string;
+        };
+        auth: {
+          apiKey: string;
+        };
+      };
     };
 
 export type TCreateDynamicSecretDTO = {