Update Dockerfile.fips.standalone-infisical

fips improvements
fix: restructure and requested changes
2025-08-05 07:30:33 +00:00 · 2025-07-25 23:13:26 +04:00 · 2025-07-25 23:09:23 +04:00 · 2025-07-25 20:05:20 +04:00 · 2025-07-25 19:50:28 +04:00 · 2025-07-24 20:08:18 -07:00
92 changed files with 2472 additions and 793 deletions
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@@ -145,7 +145,11 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
    && cd openssl-3.1.2 \
    && ./Configure enable-fips \
    && make \
-    && make install_fips
+    && make install_fips \
    && cd / \
    && rm -rf /openssl-build \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
@@ -186,12 +190,11 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=1024"
+ENV NODE_OPTIONS="--max-old-space-size=8192 --force-fips"
 # FIPS mode of operation:
 ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
 ENV NODE_OPTIONS=--force-fips
 ENV FIPS_ENABLED=true
--- a/backend/Dockerfile.dev.fips
+++ b/backend/Dockerfile.dev.fips
@@ -59,7 +59,11 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
    && cd openssl-3.1.2 \
    && ./Configure enable-fips \
    && make \
-    && make install_fips
+    && make install_fips \
    && cd / \
    && rm -rf /openssl-build \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # ? App setup
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -126,6 +126,15 @@ declare module "@fastify/request-context" {
        namespace: string;
        name: string;
      };
      aws?: {
        accountId: string;
        arn: string;
        userId: string;
        partition: string;
        service: string;
        resourceType: string;
        resourceName: string;
      };
    };
    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
    assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
--- a/backend/src/db/migrations/utils/env-config.ts
+++ b/backend/src/db/migrations/utils/env-config.ts
@@ -53,7 +53,7 @@ export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory
  let envCfg = Object.freeze(parsedEnv.data);
-  const fipsEnabled = await crypto.initialize(superAdminDAL);
+  const fipsEnabled = await crypto.initialize(superAdminDAL, envCfg);
  // Fix for 128-bit entropy encryption key expansion issue:
  // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -2373,6 +2373,10 @@ export const SecretSyncs = {
      keyId: "The AWS KMS key ID or alias to use when encrypting parameters synced by Infisical.",
      tags: "Optional tags to add to secrets synced by Infisical.",
      syncSecretMetadataAsTags: `Whether Infisical secret metadata should be added as tags to secrets synced by Infisical.`
    },
    RENDER: {
      autoRedeployServices:
        "Whether Infisical should automatically redeploy the configured Render service upon secret changes."
    }
  },
  DESTINATION_CONFIG: {
--- a/backend/src/lib/crypto/cryptography/crypto.ts
+++ b/backend/src/lib/crypto/cryptography/crypto.ts
@@ -14,7 +14,7 @@ import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal
 import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
 import { isBase64 } from "../../base64";
-import { getConfig } from "../../config/env";
+import { getConfig, TEnvConfig } from "../../config/env";
 import { CryptographyError } from "../../errors";
 import { logger } from "../../logger";
 import { asymmetricFipsValidated } from "./asymmetric-fips";
@@ -106,12 +106,12 @@ const cryptographyFactory = () => {
    }
  };
-  const $setFipsModeEnabled = (enabled: boolean) => {
+  const $setFipsModeEnabled = (enabled: boolean, envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">) => {
    // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
    if (enabled) {
      crypto.setFips(true);
-      const appCfg = getConfig();
+      const appCfg = envCfg || getConfig();
      if (appCfg.ENCRYPTION_KEY) {
        // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
@@ -141,14 +141,14 @@ const cryptographyFactory = () => {
    $isInitialized = true;
  };
-  const initialize = async (superAdminDAL: TSuperAdminDALFactory) => {
+  const initialize = async (superAdminDAL: TSuperAdminDALFactory, envCfg?: Pick<TEnvConfig, "ENCRYPTION_KEY">) => {
    if ($isInitialized) {
      return isFipsModeEnabled();
    }
    if (process.env.FIPS_ENABLED !== "true") {
      logger.info("Cryptography module initialized in normal operation mode.");
-      $setFipsModeEnabled(false);
+      $setFipsModeEnabled(false, envCfg);
      return false;
    }
@@ -158,11 +158,11 @@ const cryptographyFactory = () => {
    if (serverCfg) {
      if (serverCfg.fipsEnabled) {
        logger.info("[FIPS]: Instance is configured for FIPS mode of operation. Continuing startup with FIPS enabled.");
-        $setFipsModeEnabled(true);
+        $setFipsModeEnabled(true, envCfg);
        return true;
      }
      logger.info("[FIPS]: Instance age predates FIPS mode inception date. Continuing without FIPS.");
-      $setFipsModeEnabled(false);
+      $setFipsModeEnabled(false, envCfg);
      return false;
    }
@@ -171,7 +171,7 @@ const cryptographyFactory = () => {
    // TODO(daniel): check if it's an enterprise deployment
    // if there is no server cfg, and FIPS_MODE is `true`, its a fresh FIPS deployment. We need to set the fipsEnabled to true.
-    $setFipsModeEnabled(true);
+    $setFipsModeEnabled(true, envCfg);
    return true;
  };
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@@ -162,6 +162,12 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
            kubernetes: token?.identityAuth?.kubernetes
          });
        }
        if (token?.identityAuth?.aws) {
          requestContext.set("identityAuthInfo", {
            identityId: identity.identityId,
            aws: token?.identityAuth?.aws
          });
        }
        break;
      }
      case AuthMode.SERVICE_TOKEN: {
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -270,11 +270,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
              }
            }
          });
          remainingLimit -= imports.length;
          adjustedOffset = 0;
        } else {
          adjustedOffset = Math.max(0, adjustedOffset - totalImportCount);
        }
      }
@@ -317,7 +312,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
        }
      }
-      if (!includeDynamicSecrets && !includeSecrets)
+      if (!includeDynamicSecrets && !includeSecrets && !includeSecretRotations)
        return {
          folders,
          totalFolderCount,
@@ -547,7 +542,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          (totalFolderCount ?? 0) +
          (totalDynamicSecretCount ?? 0) +
          (totalSecretCount ?? 0) +
          (totalImportCount ?? 0) +
          (totalSecretRotationCount ?? 0)
      };
    }
--- a/backend/src/server/routes/v3/external-migration-router.ts
+++ b/backend/src/server/routes/v3/external-migration-router.ts
@@ -1,9 +1,11 @@
 import fastifyMultipart from "@fastify/multipart";
 import { z } from "zod";
 import { BadRequestError } from "@app/lib/errors";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { VaultMappingType } from "@app/services/external-migration/external-migration-types";
 const MB25_IN_BYTES = 26214400;
@@ -15,7 +17,7 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
    bodyLimit: MB25_IN_BYTES,
    url: "/env-key",
    config: {
-      rateLimit: readLimit
+      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
@@ -52,4 +54,30 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
      });
    }
  });
  server.route({
    method: "POST",
    url: "/vault",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z.object({
        vaultAccessToken: z.string(),
        vaultNamespace: z.string().trim().optional(),
        vaultUrl: z.string(),
        mappingType: z.nativeEnum(VaultMappingType)
      })
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      await server.services.migration.importVaultData({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        ...req.body
      });
    }
  });
 };
--- a/backend/src/server/routes/v3/index.ts
+++ b/backend/src/server/routes/v3/index.ts
@@ -11,5 +11,5 @@ export const registerV3Routes = async (server: FastifyZodProvider) => {
  await server.register(registerUserRouter, { prefix: "/users" });
  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretBlindIndexRouter, { prefix: "/workspaces" });
-  await server.register(registerExternalMigrationRouter, { prefix: "/migrate" });
+  await server.register(registerExternalMigrationRouter, { prefix: "/external-migration" });
 };
--- a/backend/src/services/external-migration/external-migration-fns/envkey.ts
+++ b/backend/src/services/external-migration/external-migration-fns/envkey.ts
@@ -1,32 +1,26 @@
 import slugify from "@sindresorhus/slugify";
 import sjcl from "sjcl";
 import tweetnacl from "tweetnacl";
 import tweetnaclUtil from "tweetnacl-util";
 import { SecretType, TSecretFolders } from "@app/db/schemas";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { chunkArray } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { CommitType, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
+import { TFolderCommitServiceFactory } from "../../folder-commit/folder-commit-service";
-import { TKmsServiceFactory } from "../kms/kms-service";
+import { TKmsServiceFactory } from "../../kms/kms-service";
-import { KmsDataKey } from "../kms/kms-types";
+import { TProjectDALFactory } from "../../project/project-dal";
-import { TProjectDALFactory } from "../project/project-dal";
+import { TProjectServiceFactory } from "../../project/project-service";
-import { TProjectServiceFactory } from "../project/project-service";
+import { TProjectEnvDALFactory } from "../../project-env/project-env-dal";
-import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { TProjectEnvServiceFactory } from "../../project-env/project-env-service";
-import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TResourceMetadataDALFactory } from "../../resource-metadata/resource-metadata-dal";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
+import { TSecretFolderDALFactory } from "../../secret-folder/secret-folder-dal";
-import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretFolderVersionDALFactory } from "../../secret-folder/secret-folder-version-dal";
-import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
+import { TSecretTagDALFactory } from "../../secret-tag/secret-tag-dal";
-import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
+import { TSecretV2BridgeDALFactory } from "../../secret-v2-bridge/secret-v2-bridge-dal";
-import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
+import type { TSecretV2BridgeServiceFactory } from "../../secret-v2-bridge/secret-v2-bridge-service";
-import { fnSecretBulkInsert, getAllSecretReferences } from "../secret-v2-bridge/secret-v2-bridge-fns";
+import { TSecretVersionV2DALFactory } from "../../secret-v2-bridge/secret-version-dal";
-import type { TSecretV2BridgeServiceFactory } from "../secret-v2-bridge/secret-v2-bridge-service";
+import { TSecretVersionV2TagDALFactory } from "../../secret-v2-bridge/secret-version-tag-dal";
-import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
+import { InfisicalImportData, TEnvKeyExportJSON, TImportInfisicalDataCreate } from "../external-migration-types";
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
 import { InfisicalImportData, TEnvKeyExportJSON, TImportInfisicalDataCreate } from "./external-migration-types";
 export type TImportDataIntoInfisicalDTO = {
  projectDAL: Pick<TProjectDALFactory, "transaction">;
@@ -499,326 +493,3 @@ export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<Infisica
  return infisicalImportData;
 };
 export const importDataIntoInfisicalFn = async ({
  projectService,
  projectEnvDAL,
  projectDAL,
  secretDAL,
  kmsService,
  secretVersionDAL,
  secretTagDAL,
  secretVersionTagDAL,
  folderDAL,
  resourceMetadataDAL,
  folderVersionDAL,
  folderCommitService,
  input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
  // Import data to infisical
  if (!data || !data.projects) {
    throw new BadRequestError({ message: "No projects found in data" });
  }
  const originalToNewProjectId = new Map<string, string>();
  const originalToNewEnvironmentId = new Map<
    string,
    { envId: string; envSlug: string; rootFolderId: string; projectId: string }
  >();
  const originalToNewFolderId = new Map<
    string,
    {
      folderId: string;
      projectId: string;
    }
  >();
  const projectsNotImported: string[] = [];
  await projectDAL.transaction(async (tx) => {
    for await (const project of data.projects) {
      const newProject = await projectService
        .createProject({
          actor,
          actorId,
          actorOrgId,
          actorAuthMethod,
          workspaceName: project.name,
          createDefaultEnvs: false,
          tx
        })
        .catch((e) => {
          logger.error(e, `Failed to import to project [name:${project.name}]`);
          throw new BadRequestError({ message: `Failed to import to project [name:${project.name}]` });
        });
      originalToNewProjectId.set(project.id, newProject.id);
    }
    // Import environments
    if (data.environments) {
      for await (const environment of data.environments) {
        const projectId = originalToNewProjectId.get(environment.projectId);
        const slug = slugify(`${environment.name}-${alphaNumericNanoId(4)}`);
        if (!projectId) {
          projectsNotImported.push(environment.projectId);
          // eslint-disable-next-line no-continue
          continue;
        }
        const existingEnv = await projectEnvDAL.findOne({ projectId, slug }, tx);
        if (existingEnv) {
          throw new BadRequestError({
            message: `Environment with slug '${slug}' already exist`,
            name: "CreateEnvironment"
          });
        }
        const lastPos = await projectEnvDAL.findLastEnvPosition(projectId, tx);
        const doc = await projectEnvDAL.create({ slug, name: environment.name, projectId, position: lastPos + 1 }, tx);
        const folder = await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
        originalToNewEnvironmentId.set(environment.id, {
          envSlug: doc.slug,
          envId: doc.id,
          rootFolderId: folder.id,
          projectId
        });
      }
    }
    if (data.folders) {
      for await (const folder of data.folders) {
        const parentEnv = originalToNewEnvironmentId.get(folder.parentFolderId as string);
        if (!parentEnv) {
          // eslint-disable-next-line no-continue
          continue;
        }
        const newFolder = await folderDAL.create(
          {
            name: folder.name,
            envId: parentEnv.envId,
            parentId: parentEnv.rootFolderId
          },
          tx
        );
        const newFolderVersion = await folderVersionDAL.create(
          {
            name: newFolder.name,
            envId: newFolder.envId,
            version: newFolder.version,
            folderId: newFolder.id
          },
          tx
        );
        await folderCommitService.createCommit(
          {
            actor: {
              type: actor,
              metadata: {
                id: actorId
              }
            },
            message: "Changed by external migration",
            folderId: parentEnv.rootFolderId,
            changes: [
              {
                type: CommitType.ADD,
                folderVersionId: newFolderVersion.id
              }
            ]
          },
          tx
        );
        originalToNewFolderId.set(folder.id, {
          folderId: newFolder.id,
          projectId: parentEnv.projectId
        });
      }
    }
    // Useful for debugging:
    // console.log("data.secrets", data.secrets);
    // console.log("data.folders", data.folders);
    // console.log("data.environment", data.environments);
    if (data.secrets && data.secrets.length > 0) {
      const mappedToEnvironmentId = new Map<
        string,
        {
          secretKey: string;
          secretValue: string;
          folderId?: string;
          isFromBlock?: boolean;
        }[]
      >();
      for (const secret of data.secrets) {
        const targetId = secret.folderId || secret.environmentId;
        // Skip if we can't find either an environment or folder mapping for this secret
        if (!originalToNewEnvironmentId.get(secret.environmentId) && !originalToNewFolderId.get(targetId)) {
          logger.info({ secret }, "[importDataIntoInfisicalFn]: Could not find environment or folder for secret");
          // eslint-disable-next-line no-continue
          continue;
        }
        if (!mappedToEnvironmentId.has(targetId)) {
          mappedToEnvironmentId.set(targetId, []);
        }
        const alreadyHasSecret = mappedToEnvironmentId
          .get(targetId)!
          .find((el) => el.secretKey === secret.name && el.folderId === secret.folderId);
        if (alreadyHasSecret && alreadyHasSecret.isFromBlock) {
          // remove the existing secret if any
          mappedToEnvironmentId
            .get(targetId)!
            .splice(mappedToEnvironmentId.get(targetId)!.indexOf(alreadyHasSecret), 1);
        }
        mappedToEnvironmentId.get(targetId)!.push({
          secretKey: secret.name,
          secretValue: secret.value || "",
          folderId: secret.folderId,
          isFromBlock: secret.appBlockOrderIndex !== undefined
        });
      }
      // for each of the mappedEnvironmentId
      for await (const [targetId, secrets] of mappedToEnvironmentId) {
        logger.info("[importDataIntoInfisicalFn]: Processing secrets for targetId", targetId);
        let selectedFolder: TSecretFolders | undefined;
        let selectedProjectId: string | undefined;
        // Case 1: Secret belongs to a folder / branch / branch of a block
        const foundFolder = originalToNewFolderId.get(targetId);
        if (foundFolder) {
          logger.info("[importDataIntoInfisicalFn]: Processing secrets for folder");
          selectedFolder = await folderDAL.findById(foundFolder.folderId, tx);
          selectedProjectId = foundFolder.projectId;
        } else {
          logger.info("[importDataIntoInfisicalFn]: Processing secrets for normal environment");
          const environment = data.environments.find((env) => env.id === targetId);
          if (!environment) {
            logger.info(
              {
                targetId
              },
              "[importDataIntoInfisicalFn]: Could not find environment for secret"
            );
            // eslint-disable-next-line no-continue
            continue;
          }
          const projectId = originalToNewProjectId.get(environment.projectId)!;
          if (!projectId) {
            throw new BadRequestError({ message: `Failed to import secret, project not found` });
          }
          const env = originalToNewEnvironmentId.get(targetId);
          if (!env) {
            logger.info(
              {
                targetId
              },
              "[importDataIntoInfisicalFn]: Could not find environment for secret"
            );
            // eslint-disable-next-line no-continue
            continue;
          }
          const folder = await folderDAL.findBySecretPath(projectId, env.envSlug, "/", tx);
          if (!folder) {
            throw new NotFoundError({
              message: `Folder not found for the given environment slug (${env.envSlug}) & secret path (/)`,
              name: "Create secret"
            });
          }
          selectedFolder = folder;
          selectedProjectId = projectId;
        }
        if (!selectedFolder) {
          throw new NotFoundError({
            message: `Folder not found for the given environment slug & secret path`,
            name: "CreateSecret"
          });
        }
        if (!selectedProjectId) {
          throw new NotFoundError({
            message: `Project not found for the given environment slug & secret path`,
            name: "CreateSecret"
          });
        }
        const { encryptor: secretManagerEncrypt } = await kmsService.createCipherPairWithDataKey(
          {
            type: KmsDataKey.SecretManager,
            projectId: selectedProjectId
          },
          tx
        );
        const secretBatches = chunkArray(secrets, 2500);
        for await (const secretBatch of secretBatches) {
          const secretsByKeys = await secretDAL.findBySecretKeys(
            selectedFolder.id,
            secretBatch.map((el) => ({
              key: el.secretKey,
              type: SecretType.Shared
            })),
            tx
          );
          if (secretsByKeys.length) {
            throw new BadRequestError({
              message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
            });
          }
          await fnSecretBulkInsert({
            inputSecrets: secretBatch.map((el) => {
              const references = getAllSecretReferences(el.secretValue).nestedReferences;
              return {
                version: 1,
                encryptedValue: el.secretValue
                  ? secretManagerEncrypt({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
                  : undefined,
                key: el.secretKey,
                references,
                type: SecretType.Shared
              };
            }),
            folderId: selectedFolder.id,
            orgId: actorOrgId,
            resourceMetadataDAL,
            secretDAL,
            secretVersionDAL,
            secretTagDAL,
            secretVersionTagDAL,
            folderCommitService,
            actor: {
              type: actor,
              actorId
            },
            tx
          });
        }
      }
    }
  });
  return { projectsNotImported };
 };
--- a/backend/src/services/external-migration/external-migration-fns/import.ts
+++ b/backend/src/services/external-migration/external-migration-fns/import.ts
@@ -0,0 +1,352 @@
 import slugify from "@sindresorhus/slugify";
 import { SecretType, TSecretFolders } from "@app/db/schemas";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { chunkArray } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { CommitType } from "@app/services/folder-commit/folder-commit-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { fnSecretBulkInsert, getAllSecretReferences } from "@app/services/secret-v2-bridge/secret-v2-bridge-fns";
 import { TImportDataIntoInfisicalDTO } from "./envkey";
 export const importDataIntoInfisicalFn = async ({
  projectService,
  projectEnvDAL,
  projectDAL,
  secretDAL,
  kmsService,
  secretVersionDAL,
  secretTagDAL,
  secretVersionTagDAL,
  folderDAL,
  resourceMetadataDAL,
  folderVersionDAL,
  folderCommitService,
  input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
  // Import data to infisical
  if (!data || !data.projects) {
    throw new BadRequestError({ message: "No projects found in data" });
  }
  const originalToNewProjectId = new Map<string, string>();
  const originalToNewEnvironmentId = new Map<
    string,
    { envId: string; envSlug: string; rootFolderId?: string; projectId: string }
  >();
  const originalToNewFolderId = new Map<
    string,
    {
      envId: string;
      envSlug: string;
      folderId: string;
      projectId: string;
    }
  >();
  const projectsNotImported: string[] = [];
  await projectDAL.transaction(async (tx) => {
    for await (const project of data.projects) {
      const newProject = await projectService
        .createProject({
          actor,
          actorId,
          actorOrgId,
          actorAuthMethod,
          workspaceName: project.name,
          createDefaultEnvs: false,
          tx
        })
        .catch((e) => {
          logger.error(e, `Failed to import to project [name:${project.name}]`);
          throw new BadRequestError({ message: `Failed to import to project [name:${project.name}]` });
        });
      originalToNewProjectId.set(project.id, newProject.id);
    }
    // Import environments
    if (data.environments) {
      for await (const environment of data.environments) {
        const projectId = originalToNewProjectId.get(environment.projectId);
        const slug = slugify(`${environment.name}-${alphaNumericNanoId(4)}`);
        if (!projectId) {
          projectsNotImported.push(environment.projectId);
          // eslint-disable-next-line no-continue
          continue;
        }
        const existingEnv = await projectEnvDAL.findOne({ projectId, slug }, tx);
        if (existingEnv) {
          throw new BadRequestError({
            message: `Environment with slug '${slug}' already exist`,
            name: "CreateEnvironment"
          });
        }
        const lastPos = await projectEnvDAL.findLastEnvPosition(projectId, tx);
        const doc = await projectEnvDAL.create({ slug, name: environment.name, projectId, position: lastPos + 1 }, tx);
        const folder = await folderDAL.create({ name: "root", parentId: null, envId: doc.id, version: 1 }, tx);
        originalToNewEnvironmentId.set(environment.id, {
          envSlug: doc.slug,
          envId: doc.id,
          rootFolderId: folder.id,
          projectId
        });
      }
    }
    if (data.folders) {
      for await (const folder of data.folders) {
        const parentEnv = originalToNewEnvironmentId.get(folder.parentFolderId as string);
        const parentFolder = originalToNewFolderId.get(folder.parentFolderId as string);
        let newFolder: TSecretFolders;
        if (parentEnv?.rootFolderId) {
          newFolder = await folderDAL.create(
            {
              name: folder.name,
              envId: parentEnv.envId,
              parentId: parentEnv.rootFolderId
            },
            tx
          );
        } else if (parentFolder) {
          newFolder = await folderDAL.create(
            {
              name: folder.name,
              envId: parentFolder.envId,
              parentId: parentFolder.folderId
            },
            tx
          );
        } else {
          logger.info({ folder }, "No parent environment found for folder");
          // eslint-disable-next-line no-continue
          continue;
        }
        const newFolderVersion = await folderVersionDAL.create(
          {
            name: newFolder.name,
            envId: newFolder.envId,
            version: newFolder.version,
            folderId: newFolder.id
          },
          tx
        );
        await folderCommitService.createCommit(
          {
            actor: {
              type: actor,
              metadata: {
                id: actorId
              }
            },
            message: "Changed by external migration",
            folderId: parentEnv?.rootFolderId || parentFolder?.folderId || "",
            changes: [
              {
                type: CommitType.ADD,
                folderVersionId: newFolderVersion.id
              }
            ]
          },
          tx
        );
        originalToNewFolderId.set(folder.id, {
          folderId: newFolder.id,
          envId: parentEnv?.envId || parentFolder?.envId || "",
          envSlug: parentEnv?.envSlug || parentFolder?.envSlug || "",
          projectId: parentEnv?.projectId || parentFolder?.projectId || ""
        });
      }
    }
    // Useful for debugging:
    // console.log("data.secrets", data.secrets);
    // console.log("data.folders", data.folders);
    // console.log("data.environment", data.environments);
    if (data.secrets && data.secrets.length > 0) {
      const mappedToEnvironmentId = new Map<
        string,
        {
          secretKey: string;
          secretValue: string;
          folderId?: string;
          isFromBlock?: boolean;
        }[]
      >();
      for (const secret of data.secrets) {
        const targetId = secret.folderId || secret.environmentId;
        // Skip if we can't find either an environment or folder mapping for this secret
        if (!originalToNewEnvironmentId.get(secret.environmentId) && !originalToNewFolderId.get(targetId)) {
          logger.info({ secret }, "[importDataIntoInfisicalFn]: Could not find environment or folder for secret");
          // eslint-disable-next-line no-continue
          continue;
        }
        if (!mappedToEnvironmentId.has(targetId)) {
          mappedToEnvironmentId.set(targetId, []);
        }
        const alreadyHasSecret = mappedToEnvironmentId
          .get(targetId)!
          .find((el) => el.secretKey === secret.name && el.folderId === secret.folderId);
        if (alreadyHasSecret && alreadyHasSecret.isFromBlock) {
          // remove the existing secret if any
          mappedToEnvironmentId
            .get(targetId)!
            .splice(mappedToEnvironmentId.get(targetId)!.indexOf(alreadyHasSecret), 1);
        }
        mappedToEnvironmentId.get(targetId)!.push({
          secretKey: secret.name,
          secretValue: secret.value || "",
          folderId: secret.folderId,
          isFromBlock: secret.appBlockOrderIndex !== undefined
        });
      }
      // for each of the mappedEnvironmentId
      for await (const [targetId, secrets] of mappedToEnvironmentId) {
        logger.info("[importDataIntoInfisicalFn]: Processing secrets for targetId", targetId);
        let selectedFolder: TSecretFolders | undefined;
        let selectedProjectId: string | undefined;
        // Case 1: Secret belongs to a folder / branch / branch of a block
        const foundFolder = originalToNewFolderId.get(targetId);
        if (foundFolder) {
          logger.info("[importDataIntoInfisicalFn]: Processing secrets for folder");
          selectedFolder = await folderDAL.findById(foundFolder.folderId, tx);
          selectedProjectId = foundFolder.projectId;
        } else {
          logger.info("[importDataIntoInfisicalFn]: Processing secrets for normal environment");
          const environment = data.environments.find((env) => env.id === targetId);
          if (!environment) {
            logger.info(
              {
                targetId
              },
              "[importDataIntoInfisicalFn]: Could not find environment for secret"
            );
            // eslint-disable-next-line no-continue
            continue;
          }
          const projectId = originalToNewProjectId.get(environment.projectId)!;
          if (!projectId) {
            throw new BadRequestError({ message: `Failed to import secret, project not found` });
          }
          const env = originalToNewEnvironmentId.get(targetId);
          if (!env) {
            logger.info(
              {
                targetId
              },
              "[importDataIntoInfisicalFn]: Could not find environment for secret"
            );
            // eslint-disable-next-line no-continue
            continue;
          }
          const folder = await folderDAL.findBySecretPath(projectId, env.envSlug, "/", tx);
          if (!folder) {
            throw new NotFoundError({
              message: `Folder not found for the given environment slug (${env.envSlug}) & secret path (/)`,
              name: "Create secret"
            });
          }
          selectedFolder = folder;
          selectedProjectId = projectId;
        }
        if (!selectedFolder) {
          throw new NotFoundError({
            message: `Folder not found for the given environment slug & secret path`,
            name: "CreateSecret"
          });
        }
        if (!selectedProjectId) {
          throw new NotFoundError({
            message: `Project not found for the given environment slug & secret path`,
            name: "CreateSecret"
          });
        }
        const { encryptor: secretManagerEncrypt } = await kmsService.createCipherPairWithDataKey(
          {
            type: KmsDataKey.SecretManager,
            projectId: selectedProjectId
          },
          tx
        );
        const secretBatches = chunkArray(secrets, 2500);
        for await (const secretBatch of secretBatches) {
          const secretsByKeys = await secretDAL.findBySecretKeys(
            selectedFolder.id,
            secretBatch.map((el) => ({
              key: el.secretKey,
              type: SecretType.Shared
            })),
            tx
          );
          if (secretsByKeys.length) {
            throw new BadRequestError({
              message: `Secret already exist: ${secretsByKeys.map((el) => el.key).join(",")}`
            });
          }
          await fnSecretBulkInsert({
            inputSecrets: secretBatch.map((el) => {
              const references = getAllSecretReferences(el.secretValue).nestedReferences;
              return {
                version: 1,
                encryptedValue: el.secretValue
                  ? secretManagerEncrypt({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob
                  : undefined,
                key: el.secretKey,
                references,
                type: SecretType.Shared
              };
            }),
            folderId: selectedFolder.id,
            orgId: actorOrgId,
            resourceMetadataDAL,
            secretDAL,
            secretVersionDAL,
            secretTagDAL,
            secretVersionTagDAL,
            folderCommitService,
            actor: {
              type: actor,
              actorId
            },
            tx
          });
        }
      }
    }
  });
  return { projectsNotImported };
 };
--- a/backend/src/services/external-migration/external-migration-fns/index.ts
+++ b/backend/src/services/external-migration/external-migration-fns/index.ts
@@ -0,0 +1,3 @@
 export * from "./envkey";
 export * from "./import";
 export * from "./vault";
--- a/backend/src/services/external-migration/external-migration-fns/vault.ts
+++ b/backend/src/services/external-migration/external-migration-fns/vault.ts
@@ -0,0 +1,341 @@
 import axios, { AxiosInstance } from "axios";
 import { v4 as uuidv4 } from "uuid";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { InfisicalImportData, VaultMappingType } from "../external-migration-types";
 type VaultData = {
  namespace: string;
  mount: string;
  path: string;
  secretData: Record<string, string>;
 };
 const vaultFactory = () => {
  const getMounts = async (request: AxiosInstance) => {
    const response = await request
      .get<
        Record<
          string,
          {
            accessor: string;
            options: {
              version?: string;
            } | null;
            type: string;
          }
        >
      >("/v1/sys/mounts")
      .catch((err) => {
        if (axios.isAxiosError(err)) {
          logger.error(err.response?.data, "External migration: Failed to get Vault mounts");
        }
        throw err;
      });
    return response.data;
  };
  const getPaths = async (
    request: AxiosInstance,
    { mountPath, secretPath = "" }: { mountPath: string; secretPath?: string }
  ) => {
    try {
      // For KV v2: /v1/{mount}/metadata/{path}?list=true
      const path = secretPath ? `${mountPath}/metadata/${secretPath}` : `${mountPath}/metadata`;
      const response = await request.get<{
        data: {
          keys: string[];
        };
      }>(`/v1/${path}?list=true`);
      return response.data.data.keys;
    } catch (err) {
      if (axios.isAxiosError(err)) {
        logger.error(err.response?.data, "External migration: Failed to get Vault paths");
        if (err.response?.status === 404) {
          return null;
        }
      }
      throw err;
    }
  };
  const getSecrets = async (
    request: AxiosInstance,
    { mountPath, secretPath }: { mountPath: string; secretPath: string }
  ) => {
    // For KV v2: /v1/{mount}/data/{path}
    const response = await request
      .get<{
        data: {
          data: Record<string, string>; // KV v2 has nested data structure
          metadata: {
            created_time: string;
            deletion_time: string;
            destroyed: boolean;
            version: number;
          };
        };
      }>(`/v1/${mountPath}/data/${secretPath}`)
      .catch((err) => {
        if (axios.isAxiosError(err)) {
          logger.error(err.response?.data, "External migration: Failed to get Vault secret");
        }
        throw err;
      });
    return response.data.data.data;
  };
  // helper function to check if a mount is KV v2 (will be useful if we add support for Vault KV v1)
  // const isKvV2Mount = (mountInfo: { type: string; options?: { version?: string } | null }) => {
  //   return mountInfo.type === "kv" && mountInfo.options?.version === "2";
  // };
  const recursivelyGetAllPaths = async (
    request: AxiosInstance,
    mountPath: string,
    currentPath: string = ""
  ): Promise<string[]> => {
    const paths = await getPaths(request, { mountPath, secretPath: currentPath });
    if (paths === null || paths.length === 0) {
      return [];
    }
    const allSecrets: string[] = [];
    for await (const path of paths) {
      const cleanPath = path.endsWith("/") ? path.slice(0, -1) : path;
      const fullItemPath = currentPath ? `${currentPath}/${cleanPath}` : cleanPath;
      if (path.endsWith("/")) {
        // it's a folder so we recurse into it
        const subSecrets = await recursivelyGetAllPaths(request, mountPath, fullItemPath);
        allSecrets.push(...subSecrets);
      } else {
        // it's a secret so we add it to our results
        allSecrets.push(`${mountPath}/${fullItemPath}`);
      }
    }
    return allSecrets;
  };
  async function collectVaultData({
    baseUrl,
    namespace,
    accessToken
  }: {
    baseUrl: string;
    namespace?: string;
    accessToken: string;
  }): Promise<VaultData[]> {
    const request = axios.create({
      baseURL: baseUrl,
      headers: {
        "X-Vault-Token": accessToken,
        ...(namespace ? { "X-Vault-Namespace": namespace } : {})
      }
    });
    const allData: VaultData[] = [];
    // Get all mounts in this namespace
    const mounts = await getMounts(request);
    for (const mount of Object.keys(mounts)) {
      if (!mount.endsWith("/")) {
        delete mounts[mount];
      }
    }
    for await (const [mountPath, mountInfo] of Object.entries(mounts)) {
      // skip non-KV mounts
      if (!mountInfo.type.startsWith("kv")) {
        // eslint-disable-next-line no-continue
        continue;
      }
      // get all paths in this mount
      const paths = await recursivelyGetAllPaths(request, `${mountPath.replace(/\/$/, "")}`);
      const cleanMountPath = mountPath.replace(/\/$/, "");
      for await (const secretPath of paths) {
        // get the actual secret data
        const secretData = await getSecrets(request, {
          mountPath: cleanMountPath,
          secretPath: secretPath.replace(`${cleanMountPath}/`, "")
        });
        allData.push({
          namespace: namespace || "",
          mount: mountPath.replace(/\/$/, ""),
          path: secretPath.replace(`${cleanMountPath}/`, ""),
          secretData
        });
      }
    }
    return allData;
  }
  return {
    collectVaultData,
    getMounts,
    getPaths,
    getSecrets,
    recursivelyGetAllPaths
  };
 };
 export const transformToInfisicalFormatNamespaceToProjects = (
  vaultData: VaultData[],
  mappingType: VaultMappingType
 ): InfisicalImportData => {
  const projects: Array<{ name: string; id: string }> = [];
  const environments: Array<{ name: string; id: string; projectId: string; envParentId?: string }> = [];
  const folders: Array<{ id: string; name: string; environmentId: string; parentFolderId?: string }> = [];
  const secrets: Array<{ id: string; name: string; environmentId: string; value: string; folderId?: string }> = [];
  // track created entities to avoid duplicates
  const projectMap = new Map<string, string>(); // namespace -> projectId
  const environmentMap = new Map<string, string>(); // namespace:mount -> environmentId
  const folderMap = new Map<string, string>(); // namespace:mount:folderPath -> folderId
  let environmentId: string = "";
  for (const data of vaultData) {
    const { namespace, mount, path, secretData } = data;
    if (mappingType === VaultMappingType.Namespace) {
      // create project (namespace)
      if (!projectMap.has(namespace)) {
        const projectId = uuidv4();
        projectMap.set(namespace, projectId);
        projects.push({
          name: namespace,
          id: projectId
        });
      }
      const projectId = projectMap.get(namespace)!;
      // create environment (mount)
      const envKey = `${namespace}:${mount}`;
      if (!environmentMap.has(envKey)) {
        environmentId = uuidv4();
        environmentMap.set(envKey, environmentId);
        environments.push({
          name: mount,
          id: environmentId,
          projectId
        });
      }
      environmentId = environmentMap.get(envKey)!;
    } else if (mappingType === VaultMappingType.KeyVault) {
      if (!projectMap.has(mount)) {
        const projectId = uuidv4();
        projectMap.set(mount, projectId);
        projects.push({
          name: mount,
          id: projectId
        });
      }
      const projectId = projectMap.get(mount)!;
      // create single "Production" environment per project, because we have no good way of determining environments from vault
      if (!environmentMap.has(mount)) {
        environmentId = uuidv4();
        environmentMap.set(mount, environmentId);
        environments.push({
          name: "Production",
          id: environmentId,
          projectId
        });
      }
      environmentId = environmentMap.get(mount)!;
    }
    // create folder structure
    let currentFolderId: string | undefined;
    let currentPath = "";
    if (path.includes("/")) {
      const pathParts = path.split("/").filter(Boolean);
      const folderParts = pathParts;
      // create nested folder structure for the entire path
      for (const folderName of folderParts) {
        currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
        const folderKey = `${namespace}:${mount}:${currentPath}`;
        if (!folderMap.has(folderKey)) {
          const folderId = uuidv4();
          folderMap.set(folderKey, folderId);
          folders.push({
            id: folderId,
            name: folderName,
            environmentId,
            parentFolderId: currentFolderId || environmentId
          });
          currentFolderId = folderId;
        } else {
          currentFolderId = folderMap.get(folderKey)!;
        }
      }
    }
    for (const [key, value] of Object.entries(secretData)) {
      secrets.push({
        id: uuidv4(),
        name: key,
        environmentId,
        value: String(value),
        folderId: currentFolderId
      });
    }
  }
  return {
    projects,
    environments,
    folders,
    secrets
  };
 };
 export const importVaultDataFn = async ({
  vaultAccessToken,
  vaultNamespace,
  vaultUrl,
  mappingType
 }: {
  vaultAccessToken: string;
  vaultNamespace?: string;
  vaultUrl: string;
  mappingType: VaultMappingType;
 }) => {
  await blockLocalAndPrivateIpAddresses(vaultUrl);
  if (mappingType === VaultMappingType.Namespace && !vaultNamespace) {
    throw new BadRequestError({
      message: "Vault namespace is required when project mapping type is set to namespace."
    });
  }
  const vaultApi = vaultFactory();
  const vaultData = await vaultApi.collectVaultData({
    accessToken: vaultAccessToken,
    baseUrl: vaultUrl,
    namespace: vaultNamespace
  });
  const infisicalData = transformToInfisicalFormatNamespaceToProjects(vaultData, mappingType);
  return infisicalData;
 };
--- a/backend/src/services/external-migration/external-migration-queue.ts
+++ b/backend/src/services/external-migration/external-migration-queue.ts
@@ -19,7 +19,7 @@ import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-d
 import { TSecretVersionV2TagDALFactory } from "../secret-v2-bridge/secret-version-tag-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { importDataIntoInfisicalFn } from "./external-migration-fns";
-import { ExternalPlatforms, TImportInfisicalDataCreate } from "./external-migration-types";
+import { ExternalPlatforms, ImportType, TImportInfisicalDataCreate } from "./external-migration-types";
 export type TExternalMigrationQueueFactoryDep = {
  smtpService: TSmtpService;
@@ -67,6 +67,7 @@ export const externalMigrationQueueFactory = ({
  const startImport = async (dto: {
    actorEmail: string;
    data: {
      importType: ImportType;
      iv: string;
      tag: string;
      ciphertext: string;
--- a/backend/src/services/external-migration/external-migration-service.ts
+++ b/backend/src/services/external-migration/external-migration-service.ts
@@ -4,9 +4,9 @@ import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
 import { TUserDALFactory } from "../user/user-dal";
-import { decryptEnvKeyDataFn, parseEnvKeyDataFn } from "./external-migration-fns";
+import { decryptEnvKeyDataFn, importVaultDataFn, parseEnvKeyDataFn } from "./external-migration-fns";
 import { TExternalMigrationQueueFactory } from "./external-migration-queue";
-import { TImportEnvKeyDataCreate } from "./external-migration-types";
+import { ImportType, TImportEnvKeyDataDTO, TImportVaultDataDTO } from "./external-migration-types";
 type TExternalMigrationServiceFactoryDep = {
  permissionService: TPermissionServiceFactory;
@@ -28,7 +28,7 @@ export const externalMigrationServiceFactory = ({
    actorId,
    actorOrgId,
    actorAuthMethod
-  }: TImportEnvKeyDataCreate) => {
+  }: TImportEnvKeyDataDTO) => {
    if (crypto.isFipsModeEnabled()) {
      throw new BadRequestError({ message: "EnvKey migration is not supported when running in FIPS mode." });
    }
@@ -60,11 +60,65 @@ export const externalMigrationServiceFactory = ({
    await externalMigrationQueue.startImport({
      actorEmail: user.email!,
-      data: encrypted
+      data: {
        importType: ImportType.EnvKey,
        ...encrypted
      }
    });
  };
  const importVaultData = async ({
    vaultAccessToken,
    vaultNamespace,
    mappingType,
    vaultUrl,
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod
  }: TImportVaultDataDTO) => {
    const { membership } = await permissionService.getOrgPermission(
      actor,
      actorId,
      actorOrgId,
      actorAuthMethod,
      actorOrgId
    );
    if (membership.role !== OrgMembershipRole.Admin) {
      throw new ForbiddenRequestError({ message: "Only admins can import data" });
    }
    const user = await userDAL.findById(actorId);
    const vaultData = await importVaultDataFn({
      vaultAccessToken,
      vaultNamespace,
      vaultUrl,
      mappingType
    });
    const stringifiedJson = JSON.stringify({
      data: vaultData,
      actor,
      actorId,
      actorOrgId,
      actorAuthMethod
    });
    const encrypted = crypto.encryption().symmetric().encryptWithRootEncryptionKey(stringifiedJson);
    await externalMigrationQueue.startImport({
      actorEmail: user.email!,
      data: {
        importType: ImportType.Vault,
        ...encrypted
      }
    });
  };
  return {
-    importEnvKeyData
+    importEnvKeyData,
    importVaultData
  };
 };
--- a/backend/src/services/external-migration/external-migration-types.ts
+++ b/backend/src/services/external-migration/external-migration-types.ts
@@ -1,5 +1,17 @@
 import { TOrgPermission } from "@app/lib/types";
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 export enum ImportType {
  EnvKey = "envkey",
  Vault = "vault"
 }
 export enum VaultMappingType {
  Namespace = "namespace",
  KeyVault = "key-vault"
 }
 export type InfisicalImportData = {
  projects: Array<{ name: string; id: string }>;
  environments: Array<{ name: string; id: string; projectId: string; envParentId?: string }>;
@@ -14,14 +26,17 @@ export type InfisicalImportData = {
  }>;
 };
-export type TImportEnvKeyDataCreate = {
+export type TImportEnvKeyDataDTO = {
  decryptionKey: string;
  encryptedJson: { nonce: string; data: string };
-  actor: ActorType;
+} & Omit<TOrgPermission, "orgId">;
-  actorId: string;
+
-  actorOrgId: string;
+export type TImportVaultDataDTO = {
-  actorAuthMethod: ActorAuthMethod;
+  vaultAccessToken: string;
-};
+  vaultNamespace?: string;
  mappingType: VaultMappingType;
  vaultUrl: string;
 } & Omit<TOrgPermission, "orgId">;
 export type TImportInfisicalDataCreate = {
  data: InfisicalImportData;
--- a/backend/src/services/identity-access-token/identity-access-token-types.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-types.ts
@@ -15,5 +15,16 @@ export type TIdentityAccessTokenJwtPayload = {
      namespace: string;
      name: string;
    };
    aws?: {
      accountId: string;
      arn: string;
      userId: string;
      // Derived from ARN
      partition: string; // "aws", "aws-gov", "aws-cn"
      service: string; // "iam", "sts"
      resourceType: string; // "user" or "role"
      resourceName: string;
    };
  };
 };
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-fns.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-fns.ts
@@ -1,67 +1,91 @@
 interface PrincipalArnEntity {
  Partition: string;
  Service: "iam" | "sts";
  AccountNumber: string;
  Type: "user" | "role" | "instance-profile";
  Path: string;
  FriendlyName: string;
  SessionInfo: string; // Only populated for assumed-role
 }
 export const extractPrincipalArnEntity = (arn: string): PrincipalArnEntity => {
  // split the ARN into parts using ":" as the delimiter
  const fullParts = arn.split(":");
  if (fullParts.length !== 6) {
    throw new Error(`Unrecognized ARN: "${arn}" contains ${fullParts.length} colon-separated parts, expected 6`);
  }
  const [prefix, partition, service, , accountNumber, resource] = fullParts;
  if (prefix !== "arn") {
    throw new Error(`Unrecognized ARN: "${arn}" does not begin with "arn:"`);
  }
  // validate the service is either 'iam' or 'sts'
  if (service !== "iam" && service !== "sts") {
    throw new Error(`Unrecognized service: "${service}" in ARN "${arn}", expected "iam" or "sts"`);
  }
  // parse the last part of the ARN which describes the resource
  const parts = resource.split("/");
  if (parts.length < 2) {
    throw new Error(
      `Unrecognized ARN: "${resource}" in ARN "${arn}" contains fewer than 2 slash-separated parts (expected type/name)`
    );
  }
  const [rawType, ...rest] = parts;
  let finalType: PrincipalArnEntity["Type"];
  let friendlyName: string = parts[parts.length - 1];
  let path: string = "";
  let sessionInfo: string = "";
  // handle different types of resources
  switch (rawType) {
    case "assumed-role": {
      if (rest.length < 2) {
        throw new Error(
          `Unrecognized ARN: "${resource}" for assumed-role in ARN "${arn}" contains fewer than 3 slash-separated parts (type/roleName/sessionId)`
        );
      }
      // assumed roles use a special format where the friendly name is the role name
      const [roleName, sessionId] = rest;
      finalType = "role"; // treat assumed role case as role
      friendlyName = roleName;
      sessionInfo = sessionId;
      break;
    }
    case "user":
    case "role":
    case "instance-profile":
      finalType = rawType;
      path = rest.slice(0, -1).join("/");
      break;
    default:
      throw new Error(
        `Unrecognized principal type: "${rawType}" in ARN "${arn}". Expected "user", "role", "instance-profile", or "assumed-role".`
      );
  }
  const entity: PrincipalArnEntity = {
    Partition: partition,
    Service: service,
    AccountNumber: accountNumber,
    Type: finalType,
    Path: path,
    FriendlyName: friendlyName,
    SessionInfo: sessionInfo
  };
  return entity;
 };
 /**
 * Extracts the identity ARN from the GetCallerIdentity response to one of the following formats:
 * - arn:aws:iam::123456789012:user/MyUserName
 * - arn:aws:iam::123456789012:role/MyRoleName
 */
 export const extractPrincipalArn = (arn: string) => {
-  // split the ARN into parts using ":" as the delimiter
+  const entity = extractPrincipalArnEntity(arn);
  const fullParts = arn.split(":");
  if (fullParts.length !== 6) {
    throw new Error(`Unrecognized ARN: contains ${fullParts.length} colon-separated parts, expected 6`);
  }
  const [prefix, partition, service, , accountNumber, resource] = fullParts;
  if (prefix !== "arn") {
    throw new Error('Unrecognized ARN: does not begin with "arn:"');
  }
  // structure to hold the parsed data
  const entity = {
    Partition: partition,
    Service: service,
    AccountNumber: accountNumber,
    Type: "",
    Path: "",
    FriendlyName: "",
    SessionInfo: ""
  };
  // validate the service is either 'iam' or 'sts'
  if (entity.Service !== "iam" && entity.Service !== "sts") {
    throw new Error(`Unrecognized service: ${entity.Service}, not one of iam or sts`);
  }
  // parse the last part of the ARN which describes the resource
  const parts = resource.split("/");
  if (parts.length < 2) {
    throw new Error(`Unrecognized ARN: "${resource}" contains fewer than 2 slash-separated parts`);
  }
  const [type, ...rest] = parts;
  entity.Type = type;
  entity.FriendlyName = parts[parts.length - 1];
  // handle different types of resources
  switch (entity.Type) {
    case "assumed-role": {
      if (rest.length < 2) {
        throw new Error(`Unrecognized ARN: "${resource}" contains fewer than 3 slash-separated parts`);
      }
      // assumed roles use a special format where the friendly name is the role name
      const [roleName, sessionId] = rest;
      entity.Type = "role"; // treat assumed role case as role
      entity.FriendlyName = roleName;
      entity.SessionInfo = sessionId;
      break;
    }
    case "user":
    case "role":
    case "instance-profile":
      // standard cases: just join back the path if there's any
      entity.Path = rest.slice(0, -1).join("/");
      break;
    default:
      throw new Error(`Unrecognized principal type: "${entity.Type}"`);
  }
  return `arn:aws:iam::${entity.AccountNumber}:${entity.Type}/${entity.FriendlyName}`;
 };
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -22,7 +22,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
-import { extractPrincipalArn } from "./identity-aws-auth-fns";
+import { extractPrincipalArn, extractPrincipalArnEntity } from "./identity-aws-auth-fns";
 import {
  TAttachAwsAuthDTO,
  TAwsGetCallerIdentityHeaders,
@@ -107,7 +107,7 @@ export const identityAwsAuthServiceFactory = ({
    const {
      data: {
        GetCallerIdentityResponse: {
-          GetCallerIdentityResult: { Account, Arn }
+          GetCallerIdentityResult: { Account, Arn, UserId }
        }
      }
    }: { data: TGetCallerIdentityResponse } = await axios({
@@ -168,11 +168,25 @@ export const identityAwsAuthServiceFactory = ({
    });
    const appCfg = getConfig();
    const splitArn = extractPrincipalArnEntity(Arn);
    const accessToken = crypto.jwt().sign(
      {
        identityId: identityAwsAuth.identityId,
        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN,
        identityAuth: {
          aws: {
            accountId: Account,
            arn: Arn,
            userId: UserId,
            // Derived from ARN
            partition: splitArn.Partition,
            service: splitArn.Service,
            resourceType: splitArn.Type,
            resourceName: splitArn.FriendlyName
          }
        }
      } as TIdentityAccessTokenJwtPayload,
      appCfg.AUTH_SECRET,
      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
--- a/backend/src/services/reminder/reminder-queue.ts
+++ b/backend/src/services/reminder/reminder-queue.ts
@@ -11,7 +11,7 @@ import { TReminderServiceFactory } from "./reminder-types";
 type TDailyReminderQueueServiceFactoryDep = {
  reminderService: TReminderServiceFactory;
  queueService: TQueueServiceFactory;
-  secretDAL: Pick<TSecretV2BridgeDALFactory, "transaction" | "findSecretsWithReminderRecipients">;
+  secretDAL: Pick<TSecretV2BridgeDALFactory, "transaction" | "findSecretsWithReminderRecipientsOld">;
  secretReminderRecipientsDAL: Pick<TSecretReminderRecipientsDALFactory, "delete">;
 };
@@ -69,7 +69,7 @@ export const dailyReminderQueueServiceFactory = ({
          // Find existing secrets with pagination
          // eslint-disable-next-line no-await-in-loop
-          const secrets = await secretDAL.findSecretsWithReminderRecipients(batchIds, REMINDER_PRUNE_BATCH_SIZE);
+          const secrets = await secretDAL.findSecretsWithReminderRecipientsOld(batchIds, REMINDER_PRUNE_BATCH_SIZE);
          const secretsWithReminder = secrets.filter((secret) => secret.reminderRepeatDays);
          const foundSecretIds = new Set(secretsWithReminder.map((secret) => secret.id));
--- a/backend/src/services/reminder/reminder-service.ts
+++ b/backend/src/services/reminder/reminder-service.ts
@@ -308,12 +308,11 @@ export const reminderServiceFactory = ({
    );
    const newReminders = await reminderDAL.insertMany(
-      processedReminders.map(({ secretId, message, repeatDays, nextReminderDate, projectId }) => ({
+      processedReminders.map(({ secretId, message, repeatDays, nextReminderDate }) => ({
        secretId,
        message,
        repeatDays,
-        nextReminderDate,
+        nextReminderDate
        projectId
      })),
      tx
    );
--- a/backend/src/services/secret-sync/render/render-sync-fns.ts
+++ b/backend/src/services/secret-sync/render/render-sync-fns.ts
@@ -8,7 +8,26 @@ import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 import { TRenderSecret, TRenderSyncWithCredentials } from "./render-sync-types";
-const getRenderEnvironmentSecrets = async (secretSync: TRenderSyncWithCredentials) => {
+const MAX_RETRIES = 5;
 const retrySleep = async () =>
  new Promise((resolve) => {
    setTimeout(resolve, 60000);
  });
 const makeRequestWithRetry = async <T>(requestFn: () => Promise<T>, attempt = 0): Promise<T> => {
  try {
    return await requestFn();
  } catch (error) {
    if (isAxiosError(error) && error.response?.status === 429 && attempt < MAX_RETRIES) {
      await retrySleep();
      return await makeRequestWithRetry(requestFn, attempt + 1);
    }
    throw error;
  }
 };
 const getRenderEnvironmentSecrets = async (secretSync: TRenderSyncWithCredentials): Promise<TRenderSecret[]> => {
  const {
    destinationConfig,
    connection: {
@@ -22,7 +41,9 @@ const getRenderEnvironmentSecrets = async (secretSync: TRenderSyncWithCredential
  do {
    const url = cursor ? `${baseUrl}?cursor=${cursor}` : baseUrl;
-    const { data } = await request.get<
+
    const { data } = await makeRequestWithRetry(() =>
      request.get<
        {
          envVar: {
            key: string;
@@ -35,7 +56,8 @@ const getRenderEnvironmentSecrets = async (secretSync: TRenderSyncWithCredential
          Authorization: `Bearer ${apiKey}`,
          Accept: "application/json"
        }
-    });
+      })
    );
    const secrets = data.map((item) => ({
      key: item.envVar.key,
@@ -44,13 +66,20 @@ const getRenderEnvironmentSecrets = async (secretSync: TRenderSyncWithCredential
    allSecrets.push(...secrets);
-    cursor = data[data.length - 1]?.cursor;
+    if (data.length > 0 && data[data.length - 1]?.cursor) {
      cursor = data[data.length - 1].cursor;
    } else {
      cursor = undefined;
    }
  } while (cursor);
  return allSecrets;
 };
-const putEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap, key: string) => {
+const batchUpdateEnvironmentSecrets = async (
  secretSync: TRenderSyncWithCredentials,
  envVars: Array<{ key: string; value: string }>
 ): Promise<void> => {
  const {
    destinationConfig,
    connection: {
@@ -58,22 +87,17 @@ const putEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secr
    }
  } = secretSync;
-  await request.put(
+  await makeRequestWithRetry(() =>
-    `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars/${key}`,
+    request.put(`${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars`, envVars, {
    {
      key,
      value: secretMap[key].value
    },
    {
      headers: {
        Authorization: `Bearer ${apiKey}`,
        Accept: "application/json"
      }
-    }
+    })
  );
 };
-const deleteEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, secret: Pick<TRenderSecret, "key">) => {
+const redeployService = async (secretSync: TRenderSyncWithCredentials) => {
  const {
    destinationConfig,
    connection: {
@@ -81,70 +105,81 @@ const deleteEnvironmentSecret = async (secretSync: TRenderSyncWithCredentials, s
    }
  } = secretSync;
-  try {
+  await makeRequestWithRetry(() =>
-    await request.delete(
+    request.post(
-      `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/env-vars/${secret.key}`,
+      `${IntegrationUrls.RENDER_API_URL}/v1/services/${destinationConfig.serviceId}/deploys`,
      {},
      {
        headers: {
          Authorization: `Bearer ${apiKey}`,
          Accept: "application/json"
        }
      }
    )
  );
  } catch (error) {
    if (isAxiosError(error) && error.response?.status === 404) {
      // If the secret does not exist, we can ignore this error
      return;
    }
    throw error;
  }
 };
 const sleep = async () =>
  new Promise((resolve) => {
    setTimeout(resolve, 500);
  });
 export const RenderSyncFns = {
  syncSecrets: async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap) => {
    const renderSecrets = await getRenderEnvironmentSecrets(secretSync);
-    for await (const key of Object.keys(secretMap)) {
+
-      // If value is empty skip it as render does not allow empty variables
+    const finalEnvVars: Array<{ key: string; value: string }> = [];
-      if (secretMap[key].value === "") {
+
    for (const renderSecret of renderSecrets) {
      const shouldKeep =
        secretMap[renderSecret.key] ||
        (secretSync.syncOptions.disableSecretDeletion &&
          !matchesSchema(renderSecret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema));
      if (shouldKeep && !secretMap[renderSecret.key]) {
        finalEnvVars.push({
          key: renderSecret.key,
          value: renderSecret.value
        });
      }
    }
    for (const [key, secret] of Object.entries(secretMap)) {
      // Skip empty values as render does not allow empty variables
      if (secret.value === "") {
        // eslint-disable-next-line no-continue
        continue;
      }
-      await putEnvironmentSecret(secretSync, secretMap, key);
+
-      await sleep();
+      finalEnvVars.push({
        key,
        value: secret.value
      });
    }
-    if (secretSync.syncOptions.disableSecretDeletion) return;
+    await batchUpdateEnvironmentSecrets(secretSync, finalEnvVars);
-    for await (const renderSecret of renderSecrets) {
+    if (secretSync.syncOptions.autoRedeployServices) {
-      if (!matchesSchema(renderSecret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema))
+      await redeployService(secretSync);
        // eslint-disable-next-line no-continue
        continue;
      if (!secretMap[renderSecret.key]) {
        await deleteEnvironmentSecret(secretSync, renderSecret);
        await sleep();
      }
    }
  },
  getSecrets: async (secretSync: TRenderSyncWithCredentials): Promise<TSecretMap> => {
    const renderSecrets = await getRenderEnvironmentSecrets(secretSync);
    return Object.fromEntries(renderSecrets.map((secret) => [secret.key, { value: secret.value ?? "" }]));
  },
  removeSecrets: async (secretSync: TRenderSyncWithCredentials, secretMap: TSecretMap) => {
-    const encryptedSecrets = await getRenderEnvironmentSecrets(secretSync);
+    const renderSecrets = await getRenderEnvironmentSecrets(secretSync);
    const finalEnvVars: Array<{ key: string; value: string }> = [];
-    for await (const encryptedSecret of encryptedSecrets) {
+    for (const renderSecret of renderSecrets) {
-      if (encryptedSecret.key in secretMap) {
+      if (!(renderSecret.key in secretMap)) {
-        await deleteEnvironmentSecret(secretSync, encryptedSecret);
+        finalEnvVars.push({
-        await sleep();
+          key: renderSecret.key,
          value: renderSecret.value
        });
      }
    }
    await batchUpdateEnvironmentSecrets(secretSync, finalEnvVars);
    if (secretSync.syncOptions.autoRedeployServices) {
      await redeployService(secretSync);
    }
  }
 };
--- a/backend/src/services/secret-sync/render/render-sync-schemas.ts
+++ b/backend/src/services/secret-sync/render/render-sync-schemas.ts
@@ -20,23 +20,33 @@ const RenderSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
  })
 ]);
 const RenderSyncOptionsSchema = z.object({
  autoRedeployServices: z.boolean().optional().describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.RENDER.autoRedeployServices)
 });
 const RenderSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
-export const RenderSyncSchema = BaseSecretSyncSchema(SecretSync.Render, RenderSyncOptionsConfig).extend({
+export const RenderSyncSchema = BaseSecretSyncSchema(
  SecretSync.Render,
  RenderSyncOptionsConfig,
  RenderSyncOptionsSchema
 ).extend({
  destination: z.literal(SecretSync.Render),
  destinationConfig: RenderSyncDestinationConfigSchema
 });
 export const CreateRenderSyncSchema = GenericCreateSecretSyncFieldsSchema(
  SecretSync.Render,
-  RenderSyncOptionsConfig
+  RenderSyncOptionsConfig,
  RenderSyncOptionsSchema
 ).extend({
  destinationConfig: RenderSyncDestinationConfigSchema
 });
 export const UpdateRenderSyncSchema = GenericUpdateSecretSyncFieldsSchema(
  SecretSync.Render,
-  RenderSyncOptionsConfig
+  RenderSyncOptionsConfig,
  RenderSyncOptionsSchema
 ).extend({
  destinationConfig: RenderSyncDestinationConfigSchema.optional()
 });
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
@@ -875,6 +875,48 @@ export const secretV2BridgeDALFactory = ({ db, keyStore }: TSecretV2DalArg) => {
    }
  };
  const findSecretsWithReminderRecipientsOld = async (ids: string[], limit: number, tx?: Knex) => {
    try {
      // Create a subquery to get limited secret IDs
      const limitedSecretIds = (tx || db)(TableName.SecretV2)
        .whereIn(`${TableName.SecretV2}.id`, ids)
        .limit(limit)
        .select("id");
      // Join with all recipients for the limited secrets
      const docs = await (tx || db)(TableName.SecretV2)
        .whereIn(`${TableName.SecretV2}.id`, limitedSecretIds)
        .leftJoin(TableName.Reminder, `${TableName.SecretV2}.id`, `${TableName.Reminder}.secretId`)
        .leftJoin(
          TableName.SecretReminderRecipients,
          `${TableName.SecretV2}.id`,
          `${TableName.SecretReminderRecipients}.secretId`
        )
        .select(selectAllTableCols(TableName.SecretV2))
        .select(db.ref("userId").withSchema(TableName.SecretReminderRecipients).as("reminderRecipientUserId"));
      const data = sqlNestRelationships({
        data: docs,
        key: "id",
        parentMapper: (el) => ({
          _id: el.id,
          ...SecretsV2Schema.parse(el)
        }),
        childrenMapper: [
          {
            key: "reminderRecipientUserId",
            label: "recipients" as const,
            mapper: ({ reminderRecipientUserId }) => reminderRecipientUserId
          }
        ]
      });
      return data;
    } catch (error) {
      throw new DatabaseError({ error, name: "findSecretsWithReminderRecipientsOld" });
    }
  };
  return {
    ...secretOrm,
    update,
@@ -893,6 +935,7 @@ export const secretV2BridgeDALFactory = ({ db, keyStore }: TSecretV2DalArg) => {
    findOne,
    find,
    invalidateSecretCacheByProjectId,
-    findSecretsWithReminderRecipients
+    findSecretsWithReminderRecipients,
    findSecretsWithReminderRecipientsOld
  };
 };
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -198,6 +198,14 @@
                  "documentation/platform/workflow-integrations/microsoft-teams-integration"
                ]
              },
              {
                "group": "External Migrations",
                "pages": [
                  "documentation/platform/external-migrations/overview",
                  "documentation/platform/external-migrations/envkey",
                  "documentation/platform/external-migrations/vault"
                ]
              },
              {
                "group": "Admin Consoles",
                "pages": [
--- a/docs/documentation/guides/migrating-from-envkey.mdx
+++ b/docs/documentation/guides/migrating-from-envkey.mdx
@@ -1,41 +0,0 @@
 ---
 title: "Migrating from EnvKey to Infisical"
 sidebarTitle: "Migration"
 description: "Learn how to migrate from EnvKey to Infisical in the easiest way possible."
 ---
 ## What is Infisical? 
 [Infisical](https://infisical.com) is an open-source all-in-one secret management platform that helps developers manage secrets (e.g., API-keys, DB access tokens, [certificates](https://infisical.com/docs/documentation/platform/pki/overview)) across their infrastructure. In addition, Infisical provides [secret sharing](https://infisical.com/docs/documentation/platform/secret-sharing) functionality, ability to [prevent secret leaks](https://infisical.com/docs/cli/scanning-overview), and more.
 Infisical is used by 10,000+ organizations across all industries including First American Financial Corporation, Delivery Hero, and [Hugging Face](https://infisical.com/customers/hugging-face).
 ## Migrating from EnvKey
 <Steps>
 <Step>
 Open the EnvKey dashboard and go to My Org.
 ![EnvKey Dashboard](../../images/guides/import-envkey/envkey-dashboard.png)
 </Step>
 <Step>
 Go to Import/Export on the top right corner, Click on Export Org and save the exported file.
 ![Export organization](../../images/guides/import-envkey/envkey-export.png)
 </Step>
 <Step>
 Click on copy to copy the encryption key and save it.
 ![Copy encryption key](../../images/guides/import-envkey/copy-encryption-key.png)
 </Step>
 <Step>
 Open the Infisical dashboard and go to Organization Settings > Import.
 ![Infisical Organization settings](../../images/guides/import-envkey/infisical-import-dashboard.png)
 </Step>
 <Step>
 Upload the exported file from EnvKey, paste the encryption key and click Import.
 ![Infisical Import EnvKey](../../images/guides/import-envkey/infisical-import-envkey.png)
 </Step>
 </Steps>
 ## Talk to our team
 To make the migration process even more seamless, you can [schedule a meeting with our team](https://infisical.cal.com/vlad/migration-from-envkey-to-infisical) to learn more about how Infisical compares to EnvKey and discuss unique needs of your organization. You are also welcome to email us at [support@infisical.com](mailto:support@infisical.com) to ask any questions or get any technical help.
--- a/docs/documentation/platform/access-controls/abac/managing-machine-identity-attributes.mdx
+++ b/docs/documentation/platform/access-controls/abac/managing-machine-identity-attributes.mdx
@@ -72,9 +72,25 @@ For methods like OIDC, these come as claims in the token and can be made availab
    ```
    <img src="/images/platform/access-controls/abac-policy-k8s-format.png" />
  </Tab>
  <Tab title="AWS Attributes">
    For identities authenticated using AWS Auth, several attributes can be accessed. On top of the 3 base attributes, there's 4 derived from the ARN. The example below includes comments showing how each derived attribute looks like based on this ARN: `arn:aws:iam::123456789012:user/example-user`
    ```
    {{ identity.auth.aws.accountId }}
    {{ identity.auth.aws.arn }}
    {{ identity.auth.aws.userId }}
    // Derived from ARN
    {{ identity.auth.aws.partition }} // aws
    {{ identity.auth.aws.service }} // iam
    {{ identity.auth.aws.resourceType }} // user
    {{ identity.auth.aws.resourceName }} // example-user
    ```
    <img src="/images/platform/access-controls/abac-policy-aws-format.png" />
  </Tab>
  <Tab title="Other Authentication Method Attributes">
-    At the moment we only support OIDC claims. Payloads on other authentication methods are not yet accessible.
+    At the moment we only support OIDC claims, Kubernetes attributes, and AWS attributes. Payloads on other authentication methods are not yet accessible.
  </Tab>
 </Tabs>
--- a/docs/documentation/platform/external-migrations/envkey.mdx
+++ b/docs/documentation/platform/external-migrations/envkey.mdx
@@ -0,0 +1,44 @@
 ---
 title: "Migrating from EnvKey to Infisical"
 sidebarTitle: "EnvKey"
 description: "Learn how to migrate secrets from EnvKey to Infisical."
 ---
 ## Migrating from EnvKey
 <Steps>
  <Step title="Open the EnvKey dashboard and go to My Org">
    ![EnvKey Dashboard](/images/platform/external-migrations/envkey-dashboard.png)
  </Step>
  <Step title="Export your EnvKey organization">
    Go to Import/Export on the top right corner, Click on Export Org and save the exported file.
    ![Export organization](/images/platform/external-migrations/envkey-export.png)
  </Step>
  <Step title="Obtain EnvKey encryption key">
    Click on copy to copy the encryption key and save it.
    ![Copy encryption key](/images/platform/external-migrations/envkey-copy-encryption-key.png)
  </Step>
  <Step title="Navigate to Infisical external migrations">
    Open the Infisical dashboard and go to Organization Settings > External Migrations.
    ![Infisical Organization settings](/images/platform/external-migrations/infisical-external-migration-dashboard.png)
  </Step>
  <Step title="Select the EnvKey platform">
    Select the EnvKey platform and click on Next.
    ![Select EnvKey platform](/images/platform/external-migrations/infisical-import-envkey-modal.png)
  </Step>
  <Step title="Upload the exported file from EnvKey">
    Upload the exported file from EnvKey, paste the encryption key and click Import data.
    ![Infisical Import EnvKey](/images/platform/external-migrations/infisical-import-envkey.png)
  </Step>
 </Steps>
 <Note>
  It may take several minutes to complete the migration. You will receive an email when the migration is complete, or if there were any errors during the migration process.
 </Note>
 ## Talk to our team
 To make the migration process even more seamless, you can [schedule a meeting with our team](https://infisical.cal.com/vlad/migration-from-envkey-to-infisical) to learn more about how Infisical compares to EnvKey and discuss unique needs of your organization. You are also welcome to email us at [support@infisical.com](mailto:support@infisical.com) to ask any questions or get any technical help.
--- a/docs/documentation/platform/external-migrations/overview.mdx
+++ b/docs/documentation/platform/external-migrations/overview.mdx
@@ -0,0 +1,16 @@
 ---
 title: "External Migrations"
 sidebarTitle: "Overview"
 description: "Learn how to migrate secrets from third-party secrets management platforms to Infisical."
 ---
 ## Overview
 Infisical supports migrating secrets from third-party secrets management platforms to Infisical. This is useful if you're looking to easily switch to Infisical and wish to move over your existing secrets from a different platform.
 ## Supported Platforms
 - [EnvKey](./envkey)
 - [Vault](./vault)
 We're always looking to add more migration paths for other providers. If we're missing a platform, please open an issue on our [GitHub repository](https://github.com/infisical/infisical/issues).
--- a/docs/documentation/platform/external-migrations/vault.mdx
+++ b/docs/documentation/platform/external-migrations/vault.mdx
@@ -0,0 +1,127 @@
 ---
 title: "Migrating from Vault to Infisical"
 sidebarTitle: "Vault"
 description: "Learn how to migrate secrets from Vault to Infisical."
 ---
 ## Migrating from Vault
 Migrating from Vault Self-Hosted or Dedicated Vault is a straight forward process with our inbuilt migration option. In order to migrate from Vault, you'll need to provide Infisical an access token to your Vault instance.
 Currently the Vault migration only supports migrating secrets from the KV v2 secrets engine. If you're using a different secrets engine, please open an issue on our [GitHub repository](https://github.com/infisical/infisical/issues).
 ### Prerequisites
 - A Vault instance with the KV v2 secrets engine enabled.
 - An access token to your Vault instance.
 ### Project Mapping
 When migrating from Vault, you'll need to choose how you want to map your Vault resources to Infisical projects.
 There are two options for project mapping:
 - `Namespace`: This will map your selected Vault namespace to a single Infisical project. When you select this option, each KV secret engine within the namespace will be mapped to a single Infisical project. Each KV secret engine will be mapped to a Infisical environment within the project. This means if you have 3 KV secret engines, you'll have 3 environments inside the same project, where the name of the environments correspond to the name of the KV secret engines.
 - `Key Vault`: This will map all the KV secret engines within your Vault instance to a Infisical project. Each KV engine will be created as a Infisical project. This means if you have 3 KV secret engines, you'll have 3 Infisical projects. For each of the created projects, a single default environment will be created called `Production`, which will contain all your secrets from the corresponding KV secret engine.
 <Steps>
  <Step title="Create a Vault policy">
    In order to migrate from Vault, you'll need to create a Vault policy that allows Infisical to read the secrets and metadata from the KV v2 secrets engines within your Vault instance.
    ```python
    # Allow listing secret engines/mounts
    path "sys/mounts" {
      capabilities = ["read", "list"]
    }
    # For KV v2 engines - access to both data and metadata
    path "*/data/*" {
      capabilities = ["read", "list"]
    }
    path "*/metadata/*" {
      capabilities = ["read", "list"]
    }
    # If using Vault Enterprise - allow listing namespaces
    path "sys/namespaces" {
      capabilities = ["list", "read"]
    }
    # Cross-namespace access (Enterprise only)
    path "+/*" {
      capabilities = ["read", "list"]
    }
    path "+/sys/mounts" {
      capabilities = ["read", "list"]
    }
    ```
    Save this policy with the name `infisical-migration`.
  </Step>
  <Step title="Generate an access token">
    You can use the Vault CLI to easily generate an access token for the new `infisical-migration` policy that you created in the previous step.
    ```bash
    vault token create --policy="infisical-migration"
    ```
    After generating the token, you should see the following output:
    ```t
    $ vault token create --policy="infisical-migration"
    Key                  Value
    ---                  -----
    token                <your-access-token>
    token_accessor       p6kJDiBSzYYdabJUIpGCsCBm
    token_duration       768h
    token_renewable      true
    token_policies       ["default" "infisical-migration"]
    identity_policies    []
    policies             ["default" "infisical-migration"]
    ```
    Copy the `token` field and save it for later, as you'll need this when configuring the migration to Infisical.
  </Step>
  <Step title="Navigate to Infisical external migrations">
    Open the Infisical dashboard and go to Organization Settings > External Migrations.
    ![Infisical Organization settings](/images/platform/external-migrations/infisical-external-migration-dashboard.png)
  </Step>
  <Step title="Select the Vault platform">
    Select the Vault platform and click on Next.
    ![Select Vault platform](/images/platform/external-migrations/infisical-import-vault-modal.png)
  </Step>
  <Step title="Configure the Vault migration">
    Enter the Vault access token that you generated in the previous step and click Import data.
    ![Configure Vault migration](/images/platform/external-migrations/infisical-import-vault.png)
    - `Vault URL`: The URL of your Vault instance.
    - `Vault Namespace`: The namespace of your Vault instance. This is optional, and can be left blank if you're not using namespaces for your Vault instance.
    - `Vault Access Token`: The access token that you generated in the previous step.
    - `Project Mapping`: Choose how you want to map your Vault resources to Infisical projects. You can review the mapping options in the [Project Mapping](#project-mapping) section.
    Click on Import data to start the migration.
  </Step>
 </Steps>
 <Note>
  It may take several minutes to complete the migration. You will receive an email when the migration is complete, or if there were any errors during the migration process.
 </Note>
--- a/docs/images/guides/import-envkey/infisical-import-dashboard.png
+++ b/docs/images/guides/import-envkey/infisical-import-dashboard.png
--- a/docs/images/guides/import-envkey/infisical-import-envkey.png
+++ b/docs/images/guides/import-envkey/infisical-import-envkey.png
--- a/docs/images/platform/access-controls/abac-policy-aws-format.png
+++ b/docs/images/platform/access-controls/abac-policy-aws-format.png
--- a/docs/images/platform/external-migrations/envkey-copy-encryption-key.png
+++ b/docs/images/platform/external-migrations/envkey-copy-encryption-key.png
--- a/docs/images/platform/external-migrations/envkey-dashboard.png
+++ b/docs/images/platform/external-migrations/envkey-dashboard.png
--- a/docs/images/platform/external-migrations/envkey-export.png
+++ b/docs/images/platform/external-migrations/envkey-export.png
--- a/docs/images/platform/external-migrations/infisical-external-migration-dashboard.png
+++ b/docs/images/platform/external-migrations/infisical-external-migration-dashboard.png
--- a/docs/images/platform/external-migrations/infisical-import-envkey-modal.png
+++ b/docs/images/platform/external-migrations/infisical-import-envkey-modal.png
--- a/docs/images/platform/external-migrations/infisical-import-envkey.png
+++ b/docs/images/platform/external-migrations/infisical-import-envkey.png
--- a/docs/images/platform/external-migrations/infisical-import-vault-modal.png
+++ b/docs/images/platform/external-migrations/infisical-import-vault-modal.png
--- a/docs/images/platform/external-migrations/infisical-import-vault.png
+++ b/docs/images/platform/external-migrations/infisical-import-vault.png
--- a/frontend/src/components/projects/NewProjectModal.tsx
+++ b/frontend/src/components/projects/NewProjectModal.tsx
@@ -271,6 +271,8 @@ const NewProjectForm = ({ onOpenChange }: NewProjectFormProps) => {
                    value={value}
                    onValueChange={onChange}
                    className="w-full"
                    position="popper"
                    dropdownContainerClassName="max-w-none"
                  >
                    {projectTemplates.length
                      ? projectTemplates.map((template) => (
@@ -306,6 +308,9 @@ const NewProjectForm = ({ onOpenChange }: NewProjectFormProps) => {
                        onChange(e);
                      }}
                      className="mb-12 w-full bg-mineshaft-600"
                      position="popper"
                      dropdownContainerClassName="max-w-none -top-1"
                      side="top"
                    >
                      <SelectItem value={INTERNAL_KMS_KEY_ID} key="kms-internal">
                        Default Infisical KMS
--- a/frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/RenderSyncFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/RenderSyncFields.tsx
@@ -9,7 +9,7 @@ import {
  useRenderConnectionListServices
 } from "@app/hooks/api/appConnections/render";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
-import { RenderSyncScope, RenderSyncType } from "@app/hooks/api/secretSyncs/render-sync";
+import { RenderSyncScope, RenderSyncType } from "@app/hooks/api/secretSyncs/types/render-sync";
 import { TSecretSyncForm } from "../schemas";
--- a/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/RenderSyncOptionsFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/RenderSyncOptionsFields.tsx
@@ -0,0 +1,40 @@
 import { Controller, useFormContext } from "react-hook-form";
 import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { FormControl, Switch, Tooltip } from "@app/components/v2";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 import { TSecretSyncForm } from "../schemas";
 export const RenderSyncOptionsFields = () => {
  const { control } = useFormContext<TSecretSyncForm & { destination: SecretSync.Render }>();
  return (
    <Controller
      name="syncOptions.autoRedeployServices"
      control={control}
      render={({ field: { value, onChange }, fieldState: { error } }) => (
        <FormControl className="mt-4" isError={Boolean(error?.message)} errorText={error?.message}>
          <Switch
            className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
            id="auto-redeploy-services"
            thumbClassName="bg-mineshaft-800"
            isChecked={value}
            onCheckedChange={onChange}
          >
            Auto Redeploy Services On Sync
            <Tooltip
              className="max-w-md"
              content={
                <p>If enabled, services will be automatically redeployed upon secret changes.</p>
              }
            >
              <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
            </Tooltip>
          </Switch>
        </FormControl>
      )}
    />
  );
 };
--- a/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
@@ -14,6 +14,7 @@ import { SecretSync, useSecretSyncOption } from "@app/hooks/api/secretSyncs";
 import { TSecretSyncForm } from "../schemas";
 import { AwsParameterStoreSyncOptionsFields } from "./AwsParameterStoreSyncOptionsFields";
 import { AwsSecretsManagerSyncOptionsFields } from "./AwsSecretsManagerSyncOptionsFields";
 import { RenderSyncOptionsFields } from "./RenderSyncOptionsFields";
 type Props = {
  hideInitialSync?: boolean;
@@ -38,6 +39,9 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
    case SecretSync.AWSSecretsManager:
      AdditionalSyncOptionsFieldsComponent = <AwsSecretsManagerSyncOptionsFields />;
      break;
    case SecretSync.Render:
      AdditionalSyncOptionsFieldsComponent = <RenderSyncOptionsFields />;
      break;
    case SecretSync.GitHub:
    case SecretSync.GCPSecretManager:
    case SecretSync.AzureKeyVault:
@@ -54,7 +58,6 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
    case SecretSync.OnePass:
    case SecretSync.OCIVault:
    case SecretSync.Heroku:
    case SecretSync.Render:
    case SecretSync.Flyio:
    case SecretSync.GitLab:
    case SecretSync.CloudflarePages:
--- a/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/RenderSyncReviewFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/RenderSyncReviewFields.tsx
@@ -2,8 +2,29 @@ import { useFormContext } from "react-hook-form";
 import { GenericFieldLabel } from "@app/components/secret-syncs";
 import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
 import { Badge } from "@app/components/v2";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
 export const RenderSyncOptionsReviewFields = () => {
  const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Render }>();
  const [{ autoRedeployServices }] = watch(["syncOptions"]);
  return (
    <div>
      {autoRedeployServices ? (
        <GenericFieldLabel label="Auto Redeploy Services">
          <Badge variant="success">Enabled</Badge>
        </GenericFieldLabel>
      ) : (
        <GenericFieldLabel label="Auto Redeploy Services">
          <Badge variant="danger">Disabled</Badge>
        </GenericFieldLabel>
      )}
    </div>
  );
 };
 export const RenderSyncReviewFields = () => {
  const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Render }>();
  const serviceName = watch("destinationConfig.serviceName");
--- a/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx
@@ -35,7 +35,7 @@ import { HumanitecSyncReviewFields } from "./HumanitecSyncReviewFields";
 import { OCIVaultSyncReviewFields } from "./OCIVaultSyncReviewFields";
 import { OnePassSyncReviewFields } from "./OnePassSyncReviewFields";
 import { RailwaySyncReviewFields } from "./RailwaySyncReviewFields";
-import { RenderSyncReviewFields } from "./RenderSyncReviewFields";
+import { RenderSyncOptionsReviewFields, RenderSyncReviewFields } from "./RenderSyncReviewFields";
 import { SupabaseSyncReviewFields } from "./SupabaseSyncReviewFields";
 import { TeamCitySyncReviewFields } from "./TeamCitySyncReviewFields";
 import { TerraformCloudSyncReviewFields } from "./TerraformCloudSyncReviewFields";
@@ -121,6 +121,7 @@ export const SecretSyncReviewFields = () => {
      break;
    case SecretSync.Render:
      DestinationFieldsComponent = <RenderSyncReviewFields />;
      AdditionalSyncOptionsFieldsComponent = <RenderSyncOptionsReviewFields />;
      break;
    case SecretSync.Flyio:
      DestinationFieldsComponent = <FlyioSyncReviewFields />;
--- a/frontend/src/components/secret-syncs/forms/schemas/render-sync-destination-schema.ts
+++ b/frontend/src/components/secret-syncs/forms/schemas/render-sync-destination-schema.ts
@@ -2,9 +2,13 @@ import { z } from "zod";
 import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
-import { RenderSyncScope, RenderSyncType } from "@app/hooks/api/secretSyncs/render-sync";
+import { RenderSyncScope, RenderSyncType } from "@app/hooks/api/secretSyncs/types/render-sync";
-export const RenderSyncDestinationSchema = BaseSecretSyncSchema().merge(
+export const RenderSyncDestinationSchema = BaseSecretSyncSchema(
  z.object({
    autoRedeployServices: z.boolean().optional()
  })
 ).merge(
  z.object({
    destination: z.literal(SecretSync.Render),
    destinationConfig: z.discriminatedUnion("scope", [
--- a/frontend/src/components/v2/Select/Select.tsx
+++ b/frontend/src/components/v2/Select/Select.tsx
@@ -20,6 +20,7 @@ type Props = {
  isMulti?: boolean;
  iconClassName?: string;
  dropdownContainerStyle?: React.CSSProperties;
  side?: SelectPrimitive.SelectContentProps["side"];
 };
 export type SelectProps = Omit<SelectPrimitive.SelectProps, "disabled"> & Props;
@@ -37,6 +38,7 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
      containerClassName,
      iconClassName,
      dropdownContainerStyle,
      side,
      ...props
    },
    ref
@@ -78,6 +80,7 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
          </SelectPrimitive.Trigger>
          <SelectPrimitive.Portal>
            <SelectPrimitive.Content
              side={side}
              className={twMerge(
                "relative top-1 z-[100] max-w-sm overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 font-inter text-bunker-100 shadow-md",
                position === "popper" && "max-h-72",
--- a/frontend/src/helpers/secretSyncs.ts
+++ b/frontend/src/helpers/secretSyncs.ts
@@ -4,9 +4,9 @@ import {
  SecretSyncImportBehavior,
  SecretSyncInitialSyncBehavior
 } from "@app/hooks/api/secretSyncs";
 import { RenderSyncScope } from "@app/hooks/api/secretSyncs/render-sync";
 import { GcpSyncScope } from "@app/hooks/api/secretSyncs/types/gcp-sync";
 import { HumanitecSyncScope } from "@app/hooks/api/secretSyncs/types/humanitec-sync";
 import { RenderSyncScope } from "@app/hooks/api/secretSyncs/types/render-sync";
 export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }> = {
  [SecretSync.AWSParameterStore]: { name: "AWS Parameter Store", image: "Amazon Web Services.png" },
--- a/frontend/src/hooks/api/identities/mutations.tsx
+++ b/frontend/src/hooks/api/identities/mutations.tsx
@@ -86,6 +86,7 @@ export const useCreateIdentity = () => {
      queryClient.invalidateQueries({
        queryKey: subscriptionQueryKeys.getOrgSubsription(organizationId)
      });
      queryClient.invalidateQueries({ queryKey: identitiesKeys.searchIdentitiesRoot });
    }
  });
 };
@@ -110,6 +111,7 @@ export const useUpdateIdentity = () => {
        queryKey: organizationKeys.getOrgIdentityMemberships(organizationId)
      });
      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityById(identityId) });
      queryClient.invalidateQueries({ queryKey: identitiesKeys.searchIdentitiesRoot });
    }
  });
 };
@@ -130,6 +132,7 @@ export const useDeleteIdentity = () => {
      queryClient.invalidateQueries({
        queryKey: subscriptionQueryKeys.getOrgSubsription(organizationId)
      });
      queryClient.invalidateQueries({ queryKey: identitiesKeys.searchIdentitiesRoot });
    }
  });
 };
--- a/frontend/src/hooks/api/identities/queries.tsx
+++ b/frontend/src/hooks/api/identities/queries.tsx
@@ -25,7 +25,9 @@ import {
 export const identitiesKeys = {
  getIdentityById: (identityId: string) => [{ identityId }, "identity"] as const,
-  searchIdentities: (dto: TSearchIdentitiesDTO) => ["identity", "search", dto] as const,
+  searchIdentitiesRoot: ["identity", "search"] as const,
  searchIdentities: (dto: TSearchIdentitiesDTO) =>
    [...identitiesKeys.searchIdentitiesRoot, dto] as const,
  getIdentityUniversalAuth: (identityId: string) =>
    [{ identityId }, "identity-universal-auth"] as const,
  getIdentityUniversalAuthClientSecrets: (identityId: string) =>
--- a/frontend/src/hooks/api/migration/index.ts
+++ b/frontend/src/hooks/api/migration/index.ts
@@ -0,0 +1 @@
 export * from "./mutations";
--- a/frontend/src/hooks/api/migration/mutations.tsx
+++ b/frontend/src/hooks/api/migration/mutations.tsx
@@ -15,7 +15,7 @@ export const useImportEnvKey = () => {
      formData.append("file", file);
      try {
-        const response = await apiRequest.post("/api/v3/migrate/env-key/", formData, {
+        const response = await apiRequest.post("/api/v3/external-migration/env-key/", formData, {
          headers: {
            "Content-Type": "multipart/form-data"
          },
@@ -39,3 +39,26 @@ export const useImportEnvKey = () => {
    }
  });
 };
 export const useImportVault = () => {
  return useMutation({
    mutationFn: async ({
      vaultAccessToken,
      vaultNamespace,
      vaultUrl,
      mappingType
    }: {
      vaultAccessToken: string;
      vaultNamespace?: string;
      vaultUrl: string;
      mappingType: string;
    }) => {
      await apiRequest.post("/api/v3/external-migration/vault/", {
        vaultAccessToken,
        vaultNamespace,
        vaultUrl,
        mappingType
      });
    }
  });
 };
--- a/frontend/src/hooks/api/secretSyncs/types/index.ts
+++ b/frontend/src/hooks/api/secretSyncs/types/index.ts
@@ -1,7 +1,6 @@
 import { SecretSync, SecretSyncImportBehavior } from "@app/hooks/api/secretSyncs";
 import { DiscriminativePick } from "@app/types";
 import { TRenderSync } from "../render-sync";
 import { TOnePassSync } from "./1password-sync";
 import { TAwsParameterStoreSync } from "./aws-parameter-store-sync";
 import { TAwsSecretsManagerSync } from "./aws-secrets-manager-sync";
@@ -24,6 +23,7 @@ import { THerokuSync } from "./heroku-sync";
 import { THumanitecSync } from "./humanitec-sync";
 import { TOCIVaultSync } from "./oci-vault-sync";
 import { TRailwaySync } from "./railway-sync";
 import { TRenderSync } from "./render-sync";
 import { TSupabaseSync } from "./supabase";
 import { TTeamCitySync } from "./teamcity-sync";
 import { TTerraformCloudSync } from "./terraform-cloud-sync";
--- a/frontend/src/hooks/api/secretSyncs/types/render-sync.ts
+++ b/frontend/src/hooks/api/secretSyncs/types/render-sync.ts
@@ -1,6 +1,6 @@
 import { AppConnection } from "@app/hooks/api/appConnections/enums";
 import { SecretSync } from "@app/hooks/api/secretSyncs";
-import { TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
+import { RootSyncOptions, TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
 export type TRenderSync = TRootSecretSync & {
  destination: SecretSync.Render;
@@ -16,6 +16,10 @@ export type TRenderSync = TRootSecretSync & {
    name: string;
    id: string;
  };
  syncOptions: RootSyncOptions & {
    autoRedeployServices?: boolean;
  };
 };
 export enum RenderSyncScope {
--- a/frontend/src/hooks/useResizableColWidth.tsx
+++ b/frontend/src/hooks/useResizableColWidth.tsx
@@ -0,0 +1,71 @@
 import { MouseEvent, useCallback, useEffect, useRef, useState } from "react";
 type Params = {
  minWidth: number;
  maxWidth: number;
  initialWidth: number;
 };
 export const useResizableColWidth = ({ minWidth, maxWidth, initialWidth }: Params) => {
  const [colWidth, setColWidth] = useState(initialWidth);
  const [isResizing, setIsResizing] = useState(false);
  const startX = useRef(0);
  const startWidth = useRef(0);
  const handleMouseDown = useCallback(
    (e: MouseEvent<HTMLDivElement>) => {
      e.preventDefault();
      e.stopPropagation();
      setIsResizing(true);
      startX.current = e.clientX;
      startWidth.current = colWidth;
    },
    [colWidth]
  );
  const handleMouseMove = useCallback(
    (e: MouseEvent) => {
      if (!isResizing) return;
      const deltaX = e.clientX - startX.current;
      const newWidth = Math.max(minWidth, Math.min(maxWidth, startWidth.current + deltaX));
      setColWidth(newWidth);
    },
    [isResizing]
  );
  const handleMouseUp = useCallback(() => {
    setIsResizing(false);
  }, []);
  useEffect(() => {
    if (isResizing) {
      document.addEventListener(
        "mousemove",
        // @ts-expect-error native discrepancy
        handleMouseMove
      );
      document.addEventListener("mouseup", handleMouseUp);
      document.body.style.cursor = "ew-resize";
      document.body.style.userSelect = "none";
    }
    return () => {
      document.removeEventListener(
        "mousemove",
        // @ts-expect-error native discrepancy
        handleMouseMove
      );
      document.removeEventListener("mouseup", handleMouseUp);
      document.body.style.cursor = "";
      document.body.style.userSelect = "";
    };
  }, [isResizing, handleMouseMove, handleMouseUp]);
  return {
    colWidth,
    handleMouseDown,
    isResizing
  };
 };
--- a/frontend/src/layouts/KmsLayout/KmsLayout.tsx
+++ b/frontend/src/layouts/KmsLayout/KmsLayout.tsx
@@ -1,4 +1,4 @@
-import { faCog, faCube, faHome, faLock, faUsers } from "@fortawesome/free-solid-svg-icons";
+import { faBook, faCog, faCube, faHome, faLock, faUsers } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Link, Outlet } from "@tanstack/react-router";
 import { motion } from "framer-motion";
@@ -84,6 +84,23 @@ export const KmsLayout = () => {
                      </MenuItem>
                    )}
                  </Link>
                  <Link
                    to="/projects/kms/$projectId/audit-logs"
                    params={{
                      projectId: currentWorkspace.id
                    }}
                  >
                    {({ isActive }) => (
                      <MenuItem isSelected={isActive}>
                        <div className="mx-1 flex gap-2">
                          <div className="w-6">
                            <FontAwesomeIcon icon={faBook} />
                          </div>
                          Audit Logs
                        </div>
                      </MenuItem>
                    )}
                  </Link>
                  <Link
                    to="/projects/kms/$projectId/settings"
                    params={{
--- a/frontend/src/layouts/PkiManagerLayout/PkiManagerLayout.tsx
+++ b/frontend/src/layouts/PkiManagerLayout/PkiManagerLayout.tsx
@@ -1,6 +1,7 @@
 import { useTranslation } from "react-i18next";
 import {
  faBell,
  faBook,
  faCertificate,
  faCog,
  faFileLines,
@@ -148,6 +149,23 @@ export const PkiManagerLayout = () => {
                        </MenuItem>
                      )}
                    </Link>
                    <Link
                      to="/projects/cert-management/$projectId/audit-logs"
                      params={{
                        projectId: currentWorkspace.id
                      }}
                    >
                      {({ isActive }) => (
                        <MenuItem isSelected={isActive}>
                          <div className="mx-1 flex gap-2">
                            <div className="w-6">
                              <FontAwesomeIcon icon={faBook} />
                            </div>
                            Audit Logs
                          </div>
                        </MenuItem>
                      )}
                    </Link>
                    <Link
                      to="/projects/cert-management/$projectId/settings"
                      params={{
--- a/frontend/src/layouts/SecretManagerLayout/SecretManagerLayout.tsx
+++ b/frontend/src/layouts/SecretManagerLayout/SecretManagerLayout.tsx
@@ -1,6 +1,7 @@
 import { useTranslation } from "react-i18next";
 import {
  faArrowsSpin,
  faBook,
  faCheckToSlot,
  faCog,
  faHome,
@@ -166,6 +167,23 @@ export const SecretManagerLayout = () => {
                        </MenuItem>
                      )}
                    </Link>
                    <Link
                      to="/projects/secret-management/$projectId/audit-logs"
                      params={{
                        projectId: currentWorkspace.id
                      }}
                    >
                      {({ isActive }) => (
                        <MenuItem isSelected={isActive}>
                          <div className="mx-1 flex gap-2">
                            <div className="w-6">
                              <FontAwesomeIcon icon={faBook} />
                            </div>
                            Audit Logs
                          </div>
                        </MenuItem>
                      )}
                    </Link>
                    <Link
                      to="/projects/secret-management/$projectId/settings"
                      params={{
--- a/frontend/src/layouts/SecretScanningLayout/SecretScanningLayout.tsx
+++ b/frontend/src/layouts/SecretScanningLayout/SecretScanningLayout.tsx
@@ -1,4 +1,5 @@
 import {
  faBook,
  faCog,
  faDatabase,
  faHome,
@@ -90,6 +91,23 @@ export const SecretScanningLayout = () => {
                      </MenuItem>
                    )}
                  </Link>
                  <Link
                    to="/projects/secret-scanning/$projectId/audit-logs"
                    params={{
                      projectId: currentWorkspace.id
                    }}
                  >
                    {({ isActive }) => (
                      <MenuItem isSelected={isActive}>
                        <div className="mx-1 flex gap-2">
                          <div className="w-6">
                            <FontAwesomeIcon icon={faBook} />
                          </div>
                          Audit Logs
                        </div>
                      </MenuItem>
                    )}
                  </Link>
                  <Link
                    to="/projects/secret-scanning/$projectId/settings"
                    params={{
--- a/frontend/src/layouts/SshLayout/SshLayout.tsx
+++ b/frontend/src/layouts/SshLayout/SshLayout.tsx
@@ -1,4 +1,11 @@
-import { faCog, faHome, faServer, faStamp, faUsers } from "@fortawesome/free-solid-svg-icons";
+import {
  faBook,
  faCog,
  faHome,
  faServer,
  faStamp,
  faUsers
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { Link, Outlet } from "@tanstack/react-router";
 import { motion } from "framer-motion";
@@ -100,6 +107,23 @@ export const SshLayout = () => {
                      </MenuItem>
                    )}
                  </Link>
                  <Link
                    to="/projects/ssh/$projectId/audit-logs"
                    params={{
                      projectId: currentWorkspace.id
                    }}
                  >
                    {({ isActive }) => (
                      <MenuItem isSelected={isActive}>
                        <div className="mx-1 flex gap-2">
                          <div className="w-6">
                            <FontAwesomeIcon icon={faBook} />
                          </div>
                          Audit Logs
                        </div>
                      </MenuItem>
                    )}
                  </Link>
                  <Link
                    to="/projects/ssh/$projectId/settings"
                    params={{
--- a/frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx
+++ b/frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx
@@ -29,6 +29,7 @@ import {
 } from "@app/hooks/api/auditLogs/constants";
 import { EventType } from "@app/hooks/api/auditLogs/enums";
 import { UserAgentType } from "@app/hooks/api/auth/types";
 import { Workspace } from "@app/hooks/api/workspace/types";
 import { LogFilterItem } from "./LogFilterItem";
 import { auditLogFilterFormSchema, Presets, TAuditLogFilterFormData } from "./types";
@@ -43,6 +44,7 @@ type Props = {
  presets?: Presets;
  setFilter: (data: TAuditLogFilterFormData) => void;
  filter: TAuditLogFilterFormData;
  project?: Workspace;
 };
 const getActiveFilterCount = (filter: TAuditLogFilterFormData) => {
@@ -69,7 +71,7 @@ const getActiveFilterCount = (filter: TAuditLogFilterFormData) => {
  return filterCount;
 };
-export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
+export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
  const { data: workspaces = [] } = useGetUserWorkspaces();
  const { currentOrg } = useOrganization();
@@ -90,7 +92,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
      values: filter
    });
  const selectedEventTypes = watch("eventType") as EventType[] | undefined;
-  const selectedProject = watch("project");
+  const selectedProject = project ?? watch("project");
  const showSecretsSection =
    selectedEventTypes?.some(
@@ -270,6 +272,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
                  )}
                />
              </LogFilterItem>
              {!project && (
                <LogFilterItem
                  label="Project"
                  onClear={() => {
@@ -312,6 +315,7 @@ export const LogsFilter = ({ presets, setFilter, filter }: Props) => {
                    )}
                  />
                </LogFilterItem>
              )}
              <AnimatePresence initial={false}>
                {showSecretsSection && (
                  <motion.div
--- a/frontend/src/pages/organization/AuditLogsPage/components/LogsSection.tsx
+++ b/frontend/src/pages/organization/AuditLogsPage/components/LogsSection.tsx
@@ -7,6 +7,7 @@ import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
 import { OrgPermissionActions, OrgPermissionSubjects, useSubscription } from "@app/context";
 import { Timezone } from "@app/helpers/datetime";
 import { withPermission } from "@app/hoc";
 import { Workspace } from "@app/hooks/api/workspace/types";
 import { usePopUp } from "@app/hooks/usePopUp";
 import { LogsDateFilter } from "./LogsDateFilter";
@@ -24,10 +25,11 @@ type Props = {
  refetchInterval?: number;
  showFilters?: boolean;
  pageView?: boolean;
  project?: Workspace;
 };
 export const LogsSection = withPermission(
-  ({ presets, refetchInterval, showFilters = true, pageView = false }: Props) => {
+  ({ presets, refetchInterval, showFilters = true, pageView = false, project }: Props) => {
    const { subscription } = useSubscription();
    const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["upgradePlan"] as const);
@@ -83,7 +85,12 @@ export const LogsSection = withPermission(
                />
              )}
              {showFilters && (
-                <LogsFilter presets={presets} setFilter={setLogFilter} filter={logFilter} />
+                <LogsFilter
                  project={project}
                  presets={presets}
                  setFilter={setLogFilter}
                  filter={logFilter}
                />
              )}
            </div>
          </div>
@@ -94,7 +101,7 @@ export const LogsSection = withPermission(
                secretPath: logFilter.secretPath || undefined,
                secretKey: logFilter.secretKey || undefined,
                eventMetadata: logFilter?.eventMetadata,
-                projectId: logFilter?.project?.id,
+                projectId: project?.id || logFilter?.project?.id,
                actorType: presets?.actorType,
                limit: 15,
                eventType: logFilter?.eventType,
@@ -119,7 +126,7 @@ export const LogsSection = withPermission(
    return (
      <div className="space-y-2">
-        <div className="flex w-full justify-end">
+        <div className="flex flex-wrap items-center gap-2 lg:justify-end">
          {showFilters && (
            <LogsDateFilter
              filter={dateFilter}
--- a/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/ExternalMigrationsTab.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/ExternalMigrationsTab.tsx
@@ -9,7 +9,7 @@ import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
 import { SelectImportFromPlatformModal } from "./components/SelectImportFromPlatformModal";
-export const ImportTab = () => {
+export const ExternalMigrationsTab = () => {
  const { membership } = useOrgPermission();
  const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["selectImportPlatform"] as const);
@@ -30,7 +30,7 @@ export const ImportTab = () => {
              <a
                target="_blank"
                rel="noopener noreferrer"
-                href="https://infisical.com/docs/documentation/guides/migrating-from-envkey"
+                href="https://infisical.com/docs/documentation/platform/external-migrations/overview"
              >
                <div className="ml-2 inline-block rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-sm text-yellow opacity-80 hover:opacity-100">
                  <FontAwesomeIcon icon={faBookOpen} className="mr-1.5" />
--- a/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/EnvKeyPlatformModal.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/EnvKeyPlatformModal.tsx
@@ -45,7 +45,6 @@ export const EnvKeyPlatformModal = ({ onClose }: Props) => {
      return;
    }
    try {
    await importEnvKey({
      file: data.file,
      decryptionKey: data.encryptionKey
@@ -62,9 +61,6 @@ export const EnvKeyPlatformModal = ({ onClose }: Props) => {
    if (fileUploadRef.current) {
      fileUploadRef.current.value = "";
    }
    } catch {
      reset();
    }
  };
  const onImportFileDrop = (file?: File) => {
--- a/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/GenericDropzone.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/GenericDropzone.tsx
--- a/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/SelectImportFromPlatformModal.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/SelectImportFromPlatformModal.tsx
@@ -1,11 +1,12 @@
 import { useState } from "react";
-import { faKey } from "@fortawesome/free-solid-svg-icons";
+import { faKey, faVault } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { AnimatePresence, motion } from "framer-motion";
 import { Modal, ModalContent } from "@app/components/v2";
 import { EnvKeyPlatformModal } from "./EnvKeyPlatformModal";
 import { VaultPlatformModal } from "./VaultPlatformModal";
 type Props = {
  isOpen?: boolean;
@@ -22,6 +23,11 @@ const PLATFORM_LIST = [
    icon: faKey,
    platform: "env-key",
    title: "Env Key"
  },
  {
    icon: faVault,
    platform: "vault",
    title: "Vault"
  }
 ] as const;
@@ -82,8 +88,9 @@ export const SelectImportFromPlatformModal = ({ isOpen, onToggle }: Props) => {
              </div>
            </motion.div>
          )}
-          {wizardStep === WizardSteps.PlatformInputs &&
+          {wizardStep === WizardSteps.PlatformInputs && (
-            selectedPlatform?.platform === "env-key" && (
+            <>
              {selectedPlatform?.platform === "env-key" && (
                <motion.div
                  key="env-key-step"
                  transition={{ duration: 0.1 }}
@@ -94,6 +101,19 @@ export const SelectImportFromPlatformModal = ({ isOpen, onToggle }: Props) => {
                  <EnvKeyPlatformModal onClose={() => handleFormReset(false)} />
                </motion.div>
              )}
              {selectedPlatform?.platform === "vault" && (
                <motion.div
                  key="vault-step"
                  transition={{ duration: 0.1 }}
                  initial={{ opacity: 0, translateX: 30 }}
                  animate={{ opacity: 1, translateX: 0 }}
                  exit={{ opacity: 0, translateX: -30 }}
                >
                  <VaultPlatformModal onClose={() => handleFormReset(false)} />
                </motion.div>
              )}
            </>
          )}
        </AnimatePresence>
      </ModalContent>
    </Modal>
--- a/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/VaultPlatformModal.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/VaultPlatformModal.tsx
@@ -0,0 +1,222 @@
 import { Controller, useForm } from "react-hook-form";
 import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { twMerge } from "tailwind-merge";
 import { z } from "zod";
 import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, Input, Tooltip } from "@app/components/v2";
 import { NoticeBannerV2 } from "@app/components/v2/NoticeBannerV2/NoticeBannerV2";
 import { useImportVault } from "@app/hooks/api/migration/mutations";
 type Props = {
  id?: string;
  onClose: () => void;
 };
 enum VaultMappingType {
  KeyVault = "key-vault",
  Namespace = "namespace"
 }
 const MAPPING_TYPE_MENU_ITEMS = [
  {
    value: VaultMappingType.KeyVault,
    label: "Key Vaults",
    tooltip: (
      <div>
        When using key vaults for mapping, each key vault within Vault will be created in Infisical
        as a project. Each secret path inside the key vault, will be created as an environment
        inside the corresponding project. When using Key Vaults as the project mapping type, a
        default environment called &quot;Production&quot; will be created for each project, which
        will contain the secrets from the key vault.
        <div className="mt-4 flex flex-col gap-1 text-sm">
          <div>Key Vault → Project</div>
          <div>Default Environment (Production)</div>
          <div>Secret Path → Secret Folder</div>
          <div>Secret data → Secrets</div>
        </div>
      </div>
    )
  },
  {
    value: VaultMappingType.Namespace,
    label: "Namespaces",
    tooltip: (
      <div>
        When using namespaces for mapping, each namespace within Vault will be created in Infisical
        as a project. Each key vault (KV) inside the namespace, will be created as an environment
        inside the corresponding project.
        <div className="mt-4 flex flex-col gap-1 text-sm">
          <div>Namespace → Project</div>
          <div>Key Vault → Project Environment</div>
          <div>Secret Path → Secret Folder</div>
          <div>Secret data → Secrets</div>
        </div>
      </div>
    )
  }
 ];
 export const VaultPlatformModal = ({ onClose }: Props) => {
  const formSchema = z.object({
    vaultUrl: z.string().min(1),
    vaultNamespace: z.string().trim().optional(),
    vaultAccessToken: z.string().min(1),
    mappingType: z.nativeEnum(VaultMappingType).default(VaultMappingType.KeyVault)
  });
  type TFormData = z.infer<typeof formSchema>;
  const { mutateAsync: importVault } = useImportVault();
  const {
    control,
    handleSubmit,
    reset,
    formState: { isLoading, isDirty, isSubmitting, isValid, errors }
  } = useForm<TFormData>({
    resolver: zodResolver(formSchema)
  });
  console.log({
    isSubmitting,
    isLoading,
    isValid,
    errors
  });
  const onSubmit = async (data: TFormData) => {
    await importVault({
      vaultAccessToken: data.vaultAccessToken,
      vaultNamespace: data.vaultNamespace,
      vaultUrl: data.vaultUrl,
      mappingType: data.mappingType
    });
    createNotification({
      title: "Import started",
      text: "Your data is being imported. You will receive an email when the import is complete or if the import fails. This may take up to 10 minutes.",
      type: "info"
    });
    onClose();
    reset();
  };
  return (
    <div>
      <NoticeBannerV2 title="Vault KV Secret Engine Import" className="mb-4">
        <p className="text-sm">
          The Vault migration currently supports importing static secrets from Vault
          Dedicated/Self-Hosted.
          <div className="mt-2 text-xs opacity-80">
            Currently only KV Secret Engine V2 is supported for Vault migrations.
          </div>
        </p>
      </NoticeBannerV2>
      <form onSubmit={handleSubmit(onSubmit)} autoComplete="off">
        <Controller
          control={control}
          name="vaultUrl"
          render={({ field, fieldState: { error } }) => (
            <FormControl
              label="Vault URL"
              isRequired
              errorText={error?.message}
              isError={Boolean(error)}
            >
              <Input placeholder="" {...field} />
            </FormControl>
          )}
        />
        <Controller
          control={control}
          name="vaultNamespace"
          render={({ field, fieldState: { error } }) => (
            <FormControl
              label="Vault Namespace"
              errorText={error?.message}
              isError={Boolean(error)}
            >
              <Input type="text" placeholder="" {...field} />
            </FormControl>
          )}
        />
        <Controller
          control={control}
          name="vaultAccessToken"
          render={({ field, fieldState: { error } }) => (
            <FormControl
              label="Vault Access Token"
              isRequired
              errorText={error?.message}
              isError={Boolean(error)}
            >
              <Input type="password" placeholder="" {...field} />
            </FormControl>
          )}
        />
        <Controller
          control={control}
          name="mappingType"
          defaultValue={VaultMappingType.KeyVault}
          render={({ field, fieldState: { error } }) => (
            <FormControl
              label="Project Mapping"
              isError={Boolean(error)}
              isRequired
              errorText={error?.message}
              className="flex-1"
            >
              <div className="mt-2 grid h-full w-full grid-cols-2 gap-4">
                {MAPPING_TYPE_MENU_ITEMS.map((el) => (
                  <div
                    key={el.value}
                    className={twMerge(
                      "flex w-full cursor-pointer flex-col items-center gap-2 rounded border border-mineshaft-600 p-4 opacity-75 transition-all",
                      field.value === el.value
                        ? "border-primary-700 border-opacity-70 bg-mineshaft-600 opacity-100"
                        : "hover:border-primary-700 hover:bg-mineshaft-600"
                    )}
                    onClick={() => field.onChange(el.value)}
                    role="button"
                    tabIndex={0}
                    onKeyDown={(e) => {
                      if (e.key === "Enter") {
                        field.onChange(el.value);
                      }
                    }}
                  >
                    <div className="flex items-center gap-1">
                      <div className="text-center text-sm">{el.label}</div>
                      {el.tooltip && (
                        <div className="text-center text-sm">
                          <Tooltip content={el.tooltip} className="max-w-96">
                            <FontAwesomeIcon className="opacity-60" icon={faQuestionCircle} />
                          </Tooltip>
                        </div>
                      )}
                    </div>
                  </div>
                ))}
              </div>
            </FormControl>
          )}
        />
        <div className="mt-6 flex items-center space-x-4">
          <Button
            type="submit"
            isLoading={isLoading}
            isDisabled={!isDirty || isSubmitting || isLoading || !isValid}
          >
            Import data
          </Button>
          <Button variant="outline_bg" onClick={onClose}>
            Cancel
          </Button>
        </div>
      </form>
    </div>
  );
 };
--- a/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/index.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/index.tsx
@@ -0,0 +1 @@
 export { ExternalMigrationsTab } from "./ExternalMigrationsTab";
--- a/frontend/src/pages/organization/SettingsPage/components/ImportTab/index.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/ImportTab/index.tsx
@@ -1 +0,0 @@
 export { ImportTab } from "./ImportTab";
--- a/frontend/src/pages/organization/SettingsPage/components/OrgTabGroup/OrgTabGroup.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/OrgTabGroup/OrgTabGroup.tsx
@@ -5,7 +5,7 @@ import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
 import { ROUTE_PATHS } from "@app/const/routes";
 import { AuditLogStreamsTab } from "../AuditLogStreamTab";
-import { ImportTab } from "../ImportTab";
+import { ExternalMigrationsTab } from "../ExternalMigrationsTab";
 import { KmipTab } from "../KmipTab/OrgKmipTab";
 import { OrgEncryptionTab } from "../OrgEncryptionTab";
 import { OrgGeneralTab } from "../OrgGeneralTab";
@@ -39,7 +39,11 @@ export const OrgTabGroup = () => {
      component: OrgWorkflowIntegrationTab
    },
    { name: "Audit Log Streams", key: "tag-audit-log-streams", component: AuditLogStreamsTab },
-    { name: "Import", key: "tab-import", component: ImportTab },
+    {
      name: "External Migrations",
      key: "tab-external-migrations",
      component: ExternalMigrationsTab
    },
    {
      name: "Project Templates",
      key: "project-templates",
--- a/frontend/src/pages/project/AuditLogsPage/AuditLogsPage.tsx
+++ b/frontend/src/pages/project/AuditLogsPage/AuditLogsPage.tsx
@@ -0,0 +1,27 @@
 import { Helmet } from "react-helmet";
 import { PageHeader } from "@app/components/v2";
 import { useWorkspace } from "@app/context";
 import { LogsSection } from "@app/pages/organization/AuditLogsPage/components";
 export const AuditLogsPage = () => {
  const { currentWorkspace } = useWorkspace();
  return (
    <div className="container mx-auto flex flex-col justify-between bg-bunker-800 text-white">
      <Helmet>
        <title>Project Audit Logs</title>
        <link rel="icon" href="/infisical.ico" />
      </Helmet>
      <div className="flex h-full w-full justify-center bg-bunker-800 text-white">
        <div className="w-full max-w-7xl">
          <PageHeader
            title="Audit logs"
            description="Audit logs for security and compliance teams to monitor information access."
          />
          <LogsSection pageView project={currentWorkspace} />
        </div>
      </div>
    </div>
  );
 };
--- a/frontend/src/pages/project/AuditLogsPage/route-cert-manager.tsx
+++ b/frontend/src/pages/project/AuditLogsPage/route-cert-manager.tsx
@@ -0,0 +1,19 @@
 import { createFileRoute } from "@tanstack/react-router";
 import { AuditLogsPage } from "./AuditLogsPage";
 export const Route = createFileRoute(
  "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs"
 )({
  component: AuditLogsPage,
  beforeLoad: ({ context }) => {
    return {
      breadcrumbs: [
        ...context.breadcrumbs,
        {
          label: "Audit Logs"
        }
      ]
    };
  }
 });
--- a/frontend/src/pages/project/AuditLogsPage/route-kms.tsx
+++ b/frontend/src/pages/project/AuditLogsPage/route-kms.tsx
@@ -0,0 +1,19 @@
 import { createFileRoute } from "@tanstack/react-router";
 import { AuditLogsPage } from "./AuditLogsPage";
 export const Route = createFileRoute(
  "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs"
 )({
  component: AuditLogsPage,
  beforeLoad: ({ context }) => {
    return {
      breadcrumbs: [
        ...context.breadcrumbs,
        {
          label: "Audit Logs"
        }
      ]
    };
  }
 });
--- a/frontend/src/pages/project/AuditLogsPage/route-secret-manager.tsx
+++ b/frontend/src/pages/project/AuditLogsPage/route-secret-manager.tsx
@@ -0,0 +1,19 @@
 import { createFileRoute } from "@tanstack/react-router";
 import { AuditLogsPage } from "./AuditLogsPage";
 export const Route = createFileRoute(
  "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs"
 )({
  component: AuditLogsPage,
  beforeLoad: ({ context }) => {
    return {
      breadcrumbs: [
        ...context.breadcrumbs,
        {
          label: "Audit Logs"
        }
      ]
    };
  }
 });
--- a/frontend/src/pages/project/AuditLogsPage/route-secret-scanning.tsx
+++ b/frontend/src/pages/project/AuditLogsPage/route-secret-scanning.tsx
@@ -0,0 +1,19 @@
 import { createFileRoute } from "@tanstack/react-router";
 import { AuditLogsPage } from "./AuditLogsPage";
 export const Route = createFileRoute(
  "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs"
 )({
  component: AuditLogsPage,
  beforeLoad: ({ context }) => {
    return {
      breadcrumbs: [
        ...context.breadcrumbs,
        {
          label: "Audit Logs"
        }
      ]
    };
  }
 });
--- a/frontend/src/pages/project/AuditLogsPage/route-ssh.tsx
+++ b/frontend/src/pages/project/AuditLogsPage/route-ssh.tsx
@@ -0,0 +1,19 @@
 import { createFileRoute } from "@tanstack/react-router";
 import { AuditLogsPage } from "./AuditLogsPage";
 export const Route = createFileRoute(
  "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs"
 )({
  component: AuditLogsPage,
  beforeLoad: ({ context }) => {
    return {
      breadcrumbs: [
        ...context.breadcrumbs,
        {
          label: "Audit Logs"
        }
      ]
    };
  }
 });
--- a/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/RenderSyncDestinationCol.tsx
+++ b/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/RenderSyncDestinationCol.tsx
@@ -1,5 +1,5 @@
 import { useRenderConnectionListServices } from "@app/hooks/api/appConnections/render";
-import { TRenderSync } from "@app/hooks/api/secretSyncs/render-sync";
+import { TRenderSync } from "@app/hooks/api/secretSyncs/types/render-sync";
 import { getSecretSyncDestinationColValues } from "../helpers";
 import { SecretSyncTableCell } from "../SecretSyncTableCell";
--- a/frontend/src/pages/secret-manager/OverviewPage/OverviewPage.tsx
+++ b/frontend/src/pages/secret-manager/OverviewPage/OverviewPage.tsx
@@ -10,13 +10,12 @@ import {
  faArrowRight,
  faArrowRightToBracket,
  faArrowUp,
-  faFileImport,
+  faFilter,
  faFingerprint,
  faFolder,
  faFolderBlank,
  faFolderPlus,
  faKey,
  faList,
  faPlus,
  faRotate
 } from "@fortawesome/free-solid-svg-icons";
@@ -96,7 +95,12 @@ import { OrderByDirection } from "@app/hooks/api/generic/types";
 import { useUpdateFolderBatch } from "@app/hooks/api/secretFolders/queries";
 import { TUpdateFolderBatchDTO } from "@app/hooks/api/secretFolders/types";
 import { TSecretRotationV2 } from "@app/hooks/api/secretRotationsV2";
-import { SecretType, SecretV3RawSanitized, TSecretFolder } from "@app/hooks/api/types";
+import {
  SecretType,
  SecretV3RawSanitized,
  TSecretFolder,
  WorkspaceEnv
 } from "@app/hooks/api/types";
 import { ProjectVersion } from "@app/hooks/api/workspace/types";
 import {
  useDynamicSecretOverview,
@@ -135,7 +139,6 @@ enum RowType {
  Folder = "folder",
  DynamicSecret = "dynamic",
  Secret = "secret",
  Import = "import",
  SecretRotation = "rotation"
 }
@@ -144,11 +147,10 @@ type Filter = {
 };
 const DEFAULT_FILTER_STATE = {
-  [RowType.Folder]: true,
+  [RowType.Folder]: false,
-  [RowType.DynamicSecret]: true,
+  [RowType.DynamicSecret]: false,
-  [RowType.Secret]: true,
+  [RowType.Secret]: false,
-  [RowType.Import]: true,
+  [RowType.SecretRotation]: false
  [RowType.SecretRotation]: true
 };
 const DEFAULT_COLLAPSED_HEADER_HEIGHT = 120;
@@ -265,11 +267,8 @@ export const OverviewPage = () => {
    )
  );
-  const [visibleEnvs, setVisibleEnvs] = useState(userAvailableEnvs);
+  const [filteredEnvs, setFilteredEnvs] = useState<WorkspaceEnv[]>([]);
-
+  const visibleEnvs = filteredEnvs.length ? filteredEnvs : userAvailableEnvs;
  useEffect(() => {
    setVisibleEnvs(userAvailableEnvs);
  }, [userAvailableEnvs]);
  const {
    secretImports,
@@ -282,6 +281,7 @@ export const OverviewPage = () => {
    environments: (userAvailableEnvs || []).map(({ slug }) => slug)
  });
  const isFilteredByResources = Object.values(filter).some(Boolean);
  const { isPending: isOverviewLoading, data: overview } = useGetProjectSecretsOverview(
    {
      projectId: workspaceId,
@@ -289,11 +289,11 @@ export const OverviewPage = () => {
      secretPath,
      orderDirection,
      orderBy,
-      includeFolders: filter.folder,
+      includeFolders: isFilteredByResources ? filter.folder : true,
-      includeDynamicSecrets: filter.dynamic,
+      includeDynamicSecrets: isFilteredByResources ? filter.dynamic : true,
-      includeSecrets: filter.secret,
+      includeSecrets: isFilteredByResources ? filter.secret : true,
-      includeImports: filter.import,
+      includeImports: true,
-      includeSecretRotations: filter.rotation,
+      includeSecretRotations: isFilteredByResources ? filter.rotation : true,
      search: debouncedSearchFilter,
      limit,
      offset
@@ -529,10 +529,10 @@ export const OverviewPage = () => {
  };
  const handleEnvSelect = (envId: string) => {
-    if (visibleEnvs.map((env) => env.id).includes(envId)) {
+    if (filteredEnvs.map((env) => env.id).includes(envId)) {
-      setVisibleEnvs(visibleEnvs.filter((env) => env.id !== envId));
+      setFilteredEnvs(filteredEnvs.filter((env) => env.id !== envId));
    } else {
-      setVisibleEnvs(visibleEnvs.concat(userAvailableEnvs.filter((env) => env.id === envId)));
+      setFilteredEnvs(filteredEnvs.concat(userAvailableEnvs.filter((env) => env.id === envId)));
    }
  };
@@ -792,11 +792,11 @@ export const OverviewPage = () => {
    envNames: string[],
    envs: { environment: string; importedBy: ProjectSecretsImportedBy[] }[]
  ): ProjectSecretsImportedBy[] => {
-    const filteredEnvs = envs.filter((env) => envNames.includes(env.environment));
+    const environments = envs.filter((env) => envNames.includes(env.environment));
-    if (filteredEnvs.length === 0) return [];
+    if (environments.length === 0) return [];
-    const allImportedBy = filteredEnvs.flatMap((env) => env.importedBy);
+    const allImportedBy = environments.flatMap((env) => env.importedBy);
    const groupedBySlug: Record<string, ProjectSecretsImportedBy[]> = {};
    allImportedBy.forEach((item) => {
@@ -902,9 +902,7 @@ export const OverviewPage = () => {
  const isTableEmpty = totalCount === 0;
-  const isTableFiltered =
+  const isTableFiltered = isFilteredByResources || filteredEnvs.length > 0;
    Boolean(Object.values(filter).filter((enabled) => !enabled).length) ||
    userAvailableEnvs.length !== visibleEnvs.length;
  if (!isProjectV3)
    return (
@@ -969,26 +967,42 @@ export const OverviewPage = () => {
        <div className="mt-4 flex items-center justify-between">
          <FolderBreadCrumbs secretPath={secretPath} onResetSearch={handleResetSearch} />
          <div className="flex flex-row items-center justify-center space-x-2">
            {isTableFiltered && (
              <Button
                variant="plain"
                colorSchema="secondary"
                onClick={() => {
                  setFilteredEnvs([]);
                  setFilter(DEFAULT_FILTER_STATE);
                }}
              >
                Clear Filters
              </Button>
            )}
            {userAvailableEnvs.length > 0 && (
              <DropdownMenu>
                <DropdownMenuTrigger asChild>
-                  <IconButton
+                  <Button
                    ariaLabel="Environments"
                    variant="plain"
                    size="sm"
                    variant="outline_bg"
                    className={twMerge(
-                      "flex h-10 w-11 items-center justify-center overflow-hidden border border-mineshaft-600 bg-mineshaft-800 p-0 transition-all hover:border-primary/60 hover:bg-primary/10",
+                      "flex h-[2.5rem]",
-                      isTableFiltered && "border-primary/50 text-primary"
+                      isTableFiltered && "border-primary/40 bg-primary/10"
                    )}
                    leftIcon={
                      <FontAwesomeIcon
                        icon={faFilter}
                        className={isTableFiltered ? "text-primary/80" : undefined}
                      />
                    }
                  >
-                    <Tooltip content="Choose visible environments" className="mb-2">
+                    Filters
-                      <FontAwesomeIcon icon={faList} />
+                  </Button>
                    </Tooltip>
                  </IconButton>
                </DropdownMenuTrigger>
                <DropdownMenuContent
                  className="thin-scrollbar max-h-[70vh] overflow-y-auto"
                  align="end"
                  sideOffset={2}
                >
                  {/* <DropdownMenuItem className="px-1.5" asChild>
                    <Button
@@ -1002,20 +1016,8 @@ export const OverviewPage = () => {
                      Create an environment
                    </Button>
                  </DropdownMenuItem> */}
-                  <DropdownMenuLabel>Filter project resources</DropdownMenuLabel>
+                  <DropdownMenuLabel>Filter by Resource</DropdownMenuLabel>
-                  <DropdownMenuItem
+
                    onClick={(e) => {
                      e.preventDefault();
                      handleToggleRowType(RowType.Import);
                    }}
                    icon={filter[RowType.Import] && <FontAwesomeIcon icon={faCheckCircle} />}
                    iconPos="right"
                  >
                    <div className="flex items-center gap-2">
                      <FontAwesomeIcon icon={faFileImport} className="text-green-700" />
                      <span>Imports</span>
                    </div>
                  </DropdownMenuItem>
                  <DropdownMenuItem
                    onClick={(e) => {
                      e.preventDefault();
@@ -1070,11 +1072,11 @@ export const OverviewPage = () => {
                      <span>Secrets</span>
                    </div>
                  </DropdownMenuItem>
-                  <DropdownMenuLabel>Choose visible environments</DropdownMenuLabel>
+                  <DropdownMenuLabel>Filter by Environment</DropdownMenuLabel>
                  {userAvailableEnvs.map((availableEnv) => {
                    const { id: envId, name } = availableEnv;
-                    const isEnvSelected = visibleEnvs.map((env) => env.id).includes(envId);
+                    const isEnvSelected = filteredEnvs.map((env) => env.id).includes(envId);
                    return (
                      <DropdownMenuItem
                        onClick={(e) => {
@@ -1082,7 +1084,6 @@ export const OverviewPage = () => {
                          handleEnvSelect(envId);
                        }}
                        key={envId}
                        disabled={visibleEnvs?.length === 1}
                        icon={isEnvSelected && <FontAwesomeIcon icon={faCheckCircle} />}
                        iconPos="right"
                      >
@@ -1405,13 +1406,6 @@ export const OverviewPage = () => {
                    className="bg-mineshaft-700"
                  />
                )}
                {userAvailableEnvs.length > 0 && visibleEnvs.length === 0 && (
                  <Tr>
                    <Td colSpan={visibleEnvs.length + 1}>
                      <EmptyState title="You have no visible environments" iconSize="3x" />
                    </Td>
                  </Tr>
                )}
                {userAvailableEnvs.length === 0 && (
                  <Tr>
                    <Td colSpan={visibleEnvs.length + 1}>
@@ -1444,8 +1438,8 @@ export const OverviewPage = () => {
                    <Td colSpan={visibleEnvs.length + 1}>
                      <EmptyState
                        title={
-                          debouncedSearchFilter
+                          isTableFiltered || debouncedSearchFilter
-                            ? "No secret found for your search, add one now"
+                            ? "No secrets found for your search, add one now"
                            : "Let's add some secrets"
                        }
                        icon={faFolderBlank}
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/SecretDashboardPage.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/SecretDashboardPage.tsx
@@ -1,5 +1,5 @@
 /* eslint-disable no-case-declarations */
-import { useCallback, useEffect, useMemo, useState } from "react";
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { Helmet } from "react-helmet";
 import { useTranslation } from "react-i18next";
 import { subject } from "@casl/ability";
@@ -53,6 +53,7 @@ import { PendingAction } from "@app/hooks/api/secretFolders/types";
 import { useCreateCommit } from "@app/hooks/api/secrets/mutations";
 import { SecretV3RawSanitized } from "@app/hooks/api/types";
 import { usePathAccessPolicies } from "@app/hooks/usePathAccessPolicies";
 import { useResizableColWidth } from "@app/hooks/useResizableColWidth";
 import { hasSecretReadValueOrDescribePermission } from "@app/lib/fn/permission";
 import { RequestAccessModal } from "@app/pages/secret-manager/SecretApprovalsPage/components/AccessApprovalRequest/components/RequestAccessModal";
 import { SecretRotationListView } from "@app/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView";
@@ -104,6 +105,8 @@ const Page = () => {
  const { permission } = useProjectPermission();
  const { mutateAsync: createCommit } = useCreateCommit();
  const tableRef = useRef<HTMLDivElement>(null);
  const [isVisible, setIsVisible] = useState(false);
  const { isBatchMode, pendingChanges } = useBatchMode();
  const { loadPendingChanges, setExistingKeys } = useBatchModeActions();
@@ -212,11 +215,11 @@ const Page = () => {
    searchFilter: (routerQueryParams.search as string) || "",
    // these should always be on by default for the UI, they will be disabled for the query below based off permissions
    include: {
-      [RowType.Folder]: true,
+      [RowType.Folder]: false,
-      [RowType.Import]: true,
+      [RowType.Import]: false,
-      [RowType.DynamicSecret]: true,
+      [RowType.DynamicSecret]: false,
-      [RowType.Secret]: true,
+      [RowType.Secret]: false,
-      [RowType.SecretRotation]: true
+      [RowType.SecretRotation]: false
    }
  };
@@ -242,6 +245,7 @@ const Page = () => {
    }
  }, [currentWorkspace, environment]);
  const isResourceTypeFiltered = Object.values(filter.include).some(Boolean);
  const {
    data,
    isPending: isDetailsLoading,
@@ -255,12 +259,14 @@ const Page = () => {
    orderBy,
    search: debouncedSearchFilter,
    orderDirection,
-    includeImports: canReadSecretImports && filter.include.import,
+    includeImports: canReadSecretImports && (isResourceTypeFiltered ? filter.include.import : true),
-    includeFolders: filter.include.folder,
+    includeFolders: isResourceTypeFiltered ? filter.include.folder : true,
    viewSecretValue: canReadSecretValue,
-    includeDynamicSecrets: canReadDynamicSecret && filter.include.dynamic,
+    includeDynamicSecrets:
-    includeSecrets: canReadSecret && filter.include.secret,
+      canReadDynamicSecret && (isResourceTypeFiltered ? filter.include.dynamic : true),
-    includeSecretRotations: canReadSecretRotations && filter.include.rotation,
+    includeSecrets: canReadSecret && (isResourceTypeFiltered ? filter.include.secret : true),
    includeSecretRotations:
      canReadSecretRotations && (isResourceTypeFiltered ? filter.include.rotation : true),
    tags: filter.tags
  });
@@ -480,6 +486,14 @@ const Page = () => {
    handlePopUpClose("snapshots");
  }, []);
  const { handleMouseDown, isResizing, colWidth } = useResizableColWidth({
    initialWidth: 320,
    minWidth: 100,
    maxWidth: tableRef.current
      ? tableRef.current.clientWidth - 148 // ensure value column can't collapse completely
      : 800
  });
  useEffect(() => {
    // restore filters for path if set
    const restore = filterHistory.get(secretPath);
@@ -769,8 +783,22 @@ const Page = () => {
            isPITEnabled={isPITEnabled}
            hasPathPolicies={hasPathPolicies}
            onRequestAccess={(params) => handlePopUpOpen("requestAccess", params)}
            onClearFilters={() =>
              setFilter((prev) => ({
                ...prev,
                tags: {},
                include: {
                  secret: false,
                  import: false,
                  dynamic: false,
                  rotation: false,
                  folder: false
                }
              }))
            }
          />
          <div
            ref={tableRef}
            className={twMerge(
              "thin-scrollbar mt-3 overflow-y-auto overflow-x-hidden rounded-md bg-mineshaft-800 text-left text-sm text-bunker-300",
              isNotEmpty && "rounded-b-none"
@@ -804,8 +832,21 @@ const Page = () => {
                      />
                    </div>
                  </Tooltip>
                  <div className="relative">
                    <div
-                    className="flex w-80 flex-shrink-0 items-center border-r border-mineshaft-600 py-2 pl-4"
+                      tabIndex={-1}
                      role="button"
                      className={`absolute -right-[0.05rem] z-40 h-full w-0.5 cursor-ew-resize hover:bg-blue-400/20 ${
                        isResizing ? "bg-blue-400/75" : "bg-transparent"
                      }`}
                      onMouseDown={handleMouseDown}
                    />
                    <div className="pointer-events-none absolute -right-[0.04rem] top-2 z-30">
                      <div className="h-5 w-0.5 rounded-[1.5px] bg-gray-400 opacity-50" />
                    </div>
                    <div
                      className="flex flex-shrink-0 items-center border-r border-mineshaft-600 py-2 pl-4"
                      style={{ width: colWidth }}
                      role="button"
                      tabIndex={0}
                      onClick={handleSortToggle}
@@ -819,6 +860,7 @@ const Page = () => {
                        className="ml-2"
                      />
                    </div>
                  </div>
                  <div className="flex-grow px-4 py-2">Value</div>
                </div>
              )}
@@ -911,6 +953,7 @@ const Page = () => {
              )}
              {canReadSecret && Boolean(mergedSecrets?.length) && (
                <SecretListView
                  colWidth={colWidth}
                  secrets={mergedSecrets}
                  tags={tags}
                  isVisible={isVisible}
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/ActionBar.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/ActionBar.tsx
@@ -136,6 +136,7 @@ type Props = {
  isPITEnabled: boolean;
  onRequestAccess: (actions: ProjectPermissionActions[]) => void;
  hasPathPolicies: boolean;
  onClearFilters: () => void;
 };
 export const ActionBar = ({
@@ -159,7 +160,8 @@ export const ActionBar = ({
  isPITEnabled = false,
  usedBySecretSyncs,
  onRequestAccess,
-  hasPathPolicies
+  hasPathPolicies,
  onClearFilters
 }: Props) => {
  const { handlePopUpOpen, handlePopUpToggle, handlePopUpClose, popUp } = usePopUp([
    "addFolder",
@@ -661,6 +663,9 @@ export const ActionBar = ({
    }
  };
  const isTableFiltered =
    Object.values(filter.tags).some(Boolean) || Object.values(filter.include).some(Boolean);
  return (
    <>
      <div className="mt-4 flex items-center space-x-2">
@@ -676,18 +681,22 @@ export const ActionBar = ({
        <div>
          <DropdownMenu>
            <DropdownMenuTrigger asChild>
-              <IconButton
+              <Button
                size="sm"
                variant="outline_bg"
                ariaLabel="Download"
                className={twMerge(
-                  "transition-all",
+                  "flex h-[2.5rem]",
-                  (Object.keys(filter.tags).length ||
+                  isTableFiltered && "border-primary/40 bg-primary/10"
                    Object.values(filter.include).filter((include) => !include).length) &&
                    "border-primary/50 text-primary"
                )}
                leftIcon={
                  <FontAwesomeIcon
                    icon={faFilter}
                    className={isTableFiltered ? "text-primary/80" : undefined}
                  />
                }
              >
-                <FontAwesomeIcon icon={faFilter} />
+                Filters
-              </IconButton>
+              </Button>
            </DropdownMenuTrigger>
            <DropdownMenuContent align="end" className="p-0">
              <DropdownMenuGroup>Filter By</DropdownMenuGroup>
@@ -762,6 +771,7 @@ export const ActionBar = ({
                  <span>Secrets</span>
                </div>
              </DropdownMenuItem>
              {Boolean(tags.length) && (
                <DropdownSubMenu>
                  <DropdownSubMenuTrigger
                    iconPos="right"
@@ -794,19 +804,29 @@ export const ActionBar = ({
                    ))}
                  </DropdownSubMenuContent>
                </DropdownSubMenu>
              )}
            </DropdownMenuContent>
          </DropdownMenu>
        </div>
        {isTableFiltered && (
          <Button variant="plain" colorSchema="secondary" onClick={onClearFilters}>
            Clear Filters
          </Button>
        )}
        <div className="flex-grow" />
        <div>
          {isProtectedBranch && (
            <Tooltip content={`Protected by policy ${protectedBranchPolicyName}`}>
-              <IconButton variant="outline_bg" ariaLabel="protected">
+              <IconButton
                variant="outline_bg"
                className="border-primary/40 bg-primary/10"
                ariaLabel="protected"
              >
                <FontAwesomeIcon icon={faLock} className="text-primary" />
              </IconButton>
            </Tooltip>
          )}
        </div>
        <div className="flex-grow" />
        <div>
          <IconButton variant="outline_bg" ariaLabel="Download" onClick={handleSecretDownload}>
            <FontAwesomeIcon icon={faDownload} />
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/FolderListView/FolderListView.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/FolderListView/FolderListView.tsx
@@ -235,7 +235,7 @@ export const FolderListView = ({
            )}
          </div>
          {isPending ? (
-            <div className="flex items-center space-x-4 border-l border-mineshaft-600 px-3 py-3">
+            <div className="flex w-16 items-center justify-between border-l border-mineshaft-600 px-3 py-3">
              <IconButton
                ariaLabel="edit-folder"
                variant="plain"
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretItem.tsx
@@ -90,6 +90,7 @@ type Props = {
  }[];
  isPending?: boolean;
  pendingAction?: PendingAction;
  colWidth: number;
 };
 export const SecretItem = memo(
@@ -108,7 +109,8 @@ export const SecretItem = memo(
    handleSecretShare,
    importedBy,
    isPending,
-    pendingAction
+    pendingAction,
    colWidth
  }: Props) => {
    const { handlePopUpOpen, handlePopUpToggle, handlePopUpClose, popUp } = usePopUp([
      "editSecret"
@@ -383,7 +385,10 @@ export const SecretItem = memo(
                </>
              )}
            </div>
-            <div className="flex h-11 w-80 flex-shrink-0 items-center px-4 py-2">
+            <div
              className="flex h-11 flex-shrink-0 items-center px-4 py-2"
              style={{ width: colWidth }}
            >
              <Controller
                name="key"
                control={control}
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretListView.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretListView.tsx
@@ -51,6 +51,7 @@ type Props = {
      isImported: boolean;
    }[];
  }[];
  colWidth: number;
 };
 export const SecretListView = ({
@@ -62,7 +63,8 @@ export const SecretListView = ({
  isVisible,
  isProtectedBranch = false,
  usedBySecretSyncs,
-  importedBy
+  importedBy,
  colWidth
 }: Props) => {
  const queryClient = useQueryClient();
  const { popUp, handlePopUpToggle, handlePopUpOpen, handlePopUpClose } = usePopUp([
@@ -554,6 +556,7 @@ export const SecretListView = ({
      ))}
      {secrets.map((secret) => (
        <SecretItem
          colWidth={colWidth}
          environment={environment}
          secretPath={secretPath}
          tags={wsTags}
--- a/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/RenderSyncDestinationSection.tsx
+++ b/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/RenderSyncDestinationSection.tsx
@@ -1,6 +1,6 @@
 import { GenericFieldLabel } from "@app/components/secret-syncs";
 import { useRenderConnectionListServices } from "@app/hooks/api/appConnections/render";
-import { TRenderSync } from "@app/hooks/api/secretSyncs/render-sync";
+import { TRenderSync } from "@app/hooks/api/secretSyncs/types/render-sync";
 type Props = {
  secretSync: TRenderSync;
--- a/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/RenderSyncOptionsSection.tsx
+++ b/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/RenderSyncOptionsSection.tsx
@@ -0,0 +1,21 @@
 import { GenericFieldLabel } from "@app/components/secret-syncs";
 import { Badge } from "@app/components/v2";
 import { TRenderSync } from "@app/hooks/api/secretSyncs/types/render-sync";
 type Props = {
  secretSync: TRenderSync;
 };
 export const RenderSyncOptionsSection = ({ secretSync }: Props) => {
  const {
    syncOptions: { autoRedeployServices }
  } = secretSync;
  return (
    <GenericFieldLabel label="Auto Redeploy Services">
      <Badge variant={autoRedeployServices ? "success" : "danger"}>
        {autoRedeployServices ? "Enabled" : "Disabled"}
      </Badge>
    </GenericFieldLabel>
  );
 };
--- a/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx
+++ b/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx
@@ -13,6 +13,7 @@ import { SecretSync, TSecretSync } from "@app/hooks/api/secretSyncs";
 import { AwsParameterStoreSyncOptionsSection } from "./AwsParameterStoreSyncOptionsSection";
 import { AwsSecretsManagerSyncOptionsSection } from "./AwsSecretsManagerSyncOptionsSection";
 import { RenderSyncOptionsSection } from "./RenderSyncOptionsSection";
 type Props = {
  secretSync: TSecretSync;
@@ -40,6 +41,9 @@ export const SecretSyncOptionsSection = ({ secretSync, onEditOptions }: Props) =
        <AwsSecretsManagerSyncOptionsSection secretSync={secretSync} />
      );
      break;
    case SecretSync.Render:
      AdditionalSyncOptionsComponent = <RenderSyncOptionsSection secretSync={secretSync} />;
      break;
    case SecretSync.GitHub:
    case SecretSync.GCPSecretManager:
    case SecretSync.AzureKeyVault:
@@ -56,7 +60,6 @@ export const SecretSyncOptionsSection = ({ secretSync, onEditOptions }: Props) =
    case SecretSync.OCIVault:
    case SecretSync.OnePass:
    case SecretSync.Heroku:
    case SecretSync.Render:
    case SecretSync.Flyio:
    case SecretSync.GitLab:
    case SecretSync.CloudflarePages:
--- a/frontend/src/routeTree.gen.ts
+++ b/frontend/src/routeTree.gen.ts
@@ -81,10 +81,15 @@ import { Route as secretManagerIntegrationsRouteBitbucketOauthRedirectImport } f
 import { Route as secretManagerIntegrationsRouteAzureKeyVaultOauthRedirectImport } from './pages/secret-manager/integrations/route-azure-key-vault-oauth-redirect'
 import { Route as secretManagerIntegrationsRouteAzureAppConfigurationsOauthRedirectImport } from './pages/secret-manager/integrations/route-azure-app-configurations-oauth-redirect'
 import { Route as organizationSettingsPageOauthCallbackPageRouteImport } from './pages/organization/SettingsPage/OauthCallbackPage/route'
 import { Route as projectAuditLogsPageRouteSshImport } from './pages/project/AuditLogsPage/route-ssh'
 import { Route as projectAccessControlPageRouteSshImport } from './pages/project/AccessControlPage/route-ssh'
 import { Route as projectAuditLogsPageRouteSecretScanningImport } from './pages/project/AuditLogsPage/route-secret-scanning'
 import { Route as projectAccessControlPageRouteSecretScanningImport } from './pages/project/AccessControlPage/route-secret-scanning'
 import { Route as projectAuditLogsPageRouteSecretManagerImport } from './pages/project/AuditLogsPage/route-secret-manager'
 import { Route as projectAccessControlPageRouteSecretManagerImport } from './pages/project/AccessControlPage/route-secret-manager'
 import { Route as projectAuditLogsPageRouteKmsImport } from './pages/project/AuditLogsPage/route-kms'
 import { Route as projectAccessControlPageRouteKmsImport } from './pages/project/AccessControlPage/route-kms'
 import { Route as projectAuditLogsPageRouteCertManagerImport } from './pages/project/AuditLogsPage/route-cert-manager'
 import { Route as projectAccessControlPageRouteCertManagerImport } from './pages/project/AccessControlPage/route-cert-manager'
 import { Route as sshSettingsPageRouteImport } from './pages/ssh/SettingsPage/route'
 import { Route as sshSshHostsPageRouteImport } from './pages/ssh/SshHostsPage/route'
@@ -903,6 +908,13 @@ const organizationSettingsPageOauthCallbackPageRouteRoute =
      AuthenticateInjectOrgDetailsOrgLayoutOrganizationSettingsRoute,
  } as any)
 const projectAuditLogsPageRouteSshRoute =
  projectAuditLogsPageRouteSshImport.update({
    id: '/audit-logs',
    path: '/audit-logs',
    getParentRoute: () => sshLayoutRoute,
  } as any)
 const projectAccessControlPageRouteSshRoute =
  projectAccessControlPageRouteSshImport.update({
    id: '/access-management',
@@ -919,6 +931,13 @@ const AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecret
    } as any,
  )
 const projectAuditLogsPageRouteSecretScanningRoute =
  projectAuditLogsPageRouteSecretScanningImport.update({
    id: '/audit-logs',
    path: '/audit-logs',
    getParentRoute: () => secretScanningLayoutRoute,
  } as any)
 const projectAccessControlPageRouteSecretScanningRoute =
  projectAccessControlPageRouteSecretScanningImport.update({
    id: '/access-management',
@@ -935,6 +954,13 @@ const AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecr
    } as any,
  )
 const projectAuditLogsPageRouteSecretManagerRoute =
  projectAuditLogsPageRouteSecretManagerImport.update({
    id: '/audit-logs',
    path: '/audit-logs',
    getParentRoute: () => secretManagerLayoutRoute,
  } as any)
 const projectAccessControlPageRouteSecretManagerRoute =
  projectAccessControlPageRouteSecretManagerImport.update({
    id: '/access-management',
@@ -942,6 +968,13 @@ const projectAccessControlPageRouteSecretManagerRoute =
    getParentRoute: () => secretManagerLayoutRoute,
  } as any)
 const projectAuditLogsPageRouteKmsRoute =
  projectAuditLogsPageRouteKmsImport.update({
    id: '/audit-logs',
    path: '/audit-logs',
    getParentRoute: () => kmsLayoutRoute,
  } as any)
 const projectAccessControlPageRouteKmsRoute =
  projectAccessControlPageRouteKmsImport.update({
    id: '/access-management',
@@ -967,6 +1000,13 @@ const AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertMa
    } as any,
  )
 const projectAuditLogsPageRouteCertManagerRoute =
  projectAuditLogsPageRouteCertManagerImport.update({
    id: '/audit-logs',
    path: '/audit-logs',
    getParentRoute: () => certManagerLayoutRoute,
  } as any)
 const projectAccessControlPageRouteCertManagerRoute =
  projectAccessControlPageRouteCertManagerImport.update({
    id: '/access-management',
@@ -2722,6 +2762,13 @@ declare module '@tanstack/react-router' {
      preLoaderRoute: typeof projectAccessControlPageRouteCertManagerImport
      parentRoute: typeof certManagerLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs'
      path: '/audit-logs'
      fullPath: '/projects/cert-management/$projectId/audit-logs'
      preLoaderRoute: typeof projectAuditLogsPageRouteCertManagerImport
      parentRoute: typeof certManagerLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates'
      path: '/certificate-templates'
@@ -2743,6 +2790,13 @@ declare module '@tanstack/react-router' {
      preLoaderRoute: typeof projectAccessControlPageRouteKmsImport
      parentRoute: typeof kmsLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs'
      path: '/audit-logs'
      fullPath: '/projects/kms/$projectId/audit-logs'
      preLoaderRoute: typeof projectAuditLogsPageRouteKmsImport
      parentRoute: typeof kmsLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/access-management': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/access-management'
      path: '/access-management'
@@ -2750,6 +2804,13 @@ declare module '@tanstack/react-router' {
      preLoaderRoute: typeof projectAccessControlPageRouteSecretManagerImport
      parentRoute: typeof secretManagerLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs'
      path: '/audit-logs'
      fullPath: '/projects/secret-management/$projectId/audit-logs'
      preLoaderRoute: typeof projectAuditLogsPageRouteSecretManagerImport
      parentRoute: typeof secretManagerLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations'
      path: '/integrations'
@@ -2764,6 +2825,13 @@ declare module '@tanstack/react-router' {
      preLoaderRoute: typeof projectAccessControlPageRouteSecretScanningImport
      parentRoute: typeof secretScanningLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs'
      path: '/audit-logs'
      fullPath: '/projects/secret-scanning/$projectId/audit-logs'
      preLoaderRoute: typeof projectAuditLogsPageRouteSecretScanningImport
      parentRoute: typeof secretScanningLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/data-sources': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/data-sources'
      path: '/data-sources'
@@ -2778,6 +2846,13 @@ declare module '@tanstack/react-router' {
      preLoaderRoute: typeof projectAccessControlPageRouteSshImport
      parentRoute: typeof sshLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs'
      path: '/audit-logs'
      fullPath: '/projects/ssh/$projectId/audit-logs'
      preLoaderRoute: typeof projectAuditLogsPageRouteSshImport
      parentRoute: typeof sshLayoutImport
    }
    '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates/': {
      id: '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates/'
      path: '/'
@@ -3781,6 +3856,7 @@ interface certManagerLayoutRouteChildren {
  certManagerCertificatesPageRouteRoute: typeof certManagerCertificatesPageRouteRoute
  certManagerSettingsPageRouteRoute: typeof certManagerSettingsPageRouteRoute
  projectAccessControlPageRouteCertManagerRoute: typeof projectAccessControlPageRouteCertManagerRoute
  projectAuditLogsPageRouteCertManagerRoute: typeof projectAuditLogsPageRouteCertManagerRoute
  AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutCertificateTemplatesRoute: typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutCertificateTemplatesRouteWithChildren
  AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutSubscribersRoute: typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutSubscribersRouteWithChildren
  certManagerCertAuthDetailsByIDPageRouteRoute: typeof certManagerCertAuthDetailsByIDPageRouteRoute
@@ -3799,6 +3875,8 @@ const certManagerLayoutRouteChildren: certManagerLayoutRouteChildren = {
  certManagerSettingsPageRouteRoute: certManagerSettingsPageRouteRoute,
  projectAccessControlPageRouteCertManagerRoute:
    projectAccessControlPageRouteCertManagerRoute,
  projectAuditLogsPageRouteCertManagerRoute:
    projectAuditLogsPageRouteCertManagerRoute,
  AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutCertificateTemplatesRoute:
    AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutCertificateTemplatesRouteWithChildren,
  AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutSubscribersRoute:
@@ -3839,6 +3917,7 @@ interface kmsLayoutRouteChildren {
  kmsOverviewPageRouteRoute: typeof kmsOverviewPageRouteRoute
  kmsSettingsPageRouteRoute: typeof kmsSettingsPageRouteRoute
  projectAccessControlPageRouteKmsRoute: typeof projectAccessControlPageRouteKmsRoute
  projectAuditLogsPageRouteKmsRoute: typeof projectAuditLogsPageRouteKmsRoute
  projectGroupDetailsByIDPageRouteKmsRoute: typeof projectGroupDetailsByIDPageRouteKmsRoute
  projectIdentityDetailsByIDPageRouteKmsRoute: typeof projectIdentityDetailsByIDPageRouteKmsRoute
  projectMemberDetailsByIDPageRouteKmsRoute: typeof projectMemberDetailsByIDPageRouteKmsRoute
@@ -3850,6 +3929,7 @@ const kmsLayoutRouteChildren: kmsLayoutRouteChildren = {
  kmsOverviewPageRouteRoute: kmsOverviewPageRouteRoute,
  kmsSettingsPageRouteRoute: kmsSettingsPageRouteRoute,
  projectAccessControlPageRouteKmsRoute: projectAccessControlPageRouteKmsRoute,
  projectAuditLogsPageRouteKmsRoute: projectAuditLogsPageRouteKmsRoute,
  projectGroupDetailsByIDPageRouteKmsRoute:
    projectGroupDetailsByIDPageRouteKmsRoute,
  projectIdentityDetailsByIDPageRouteKmsRoute:
@@ -4166,6 +4246,7 @@ interface secretManagerLayoutRouteChildren {
  secretManagerSecretRotationPageRouteRoute: typeof secretManagerSecretRotationPageRouteRoute
  secretManagerSettingsPageRouteRoute: typeof secretManagerSettingsPageRouteRoute
  projectAccessControlPageRouteSecretManagerRoute: typeof projectAccessControlPageRouteSecretManagerRoute
  projectAuditLogsPageRouteSecretManagerRoute: typeof projectAuditLogsPageRouteSecretManagerRoute
  AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecretManagerLayoutIntegrationsRoute: typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecretManagerLayoutIntegrationsRouteWithChildren
  secretManagerSecretDashboardPageRouteRoute: typeof secretManagerSecretDashboardPageRouteRoute
  projectGroupDetailsByIDPageRouteSecretManagerRoute: typeof projectGroupDetailsByIDPageRouteSecretManagerRoute
@@ -4186,6 +4267,8 @@ const secretManagerLayoutRouteChildren: secretManagerLayoutRouteChildren = {
  secretManagerSettingsPageRouteRoute: secretManagerSettingsPageRouteRoute,
  projectAccessControlPageRouteSecretManagerRoute:
    projectAccessControlPageRouteSecretManagerRoute,
  projectAuditLogsPageRouteSecretManagerRoute:
    projectAuditLogsPageRouteSecretManagerRoute,
  AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecretManagerLayoutIntegrationsRoute:
    AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecretManagerLayoutIntegrationsRouteWithChildren,
  secretManagerSecretDashboardPageRouteRoute:
@@ -4241,6 +4324,7 @@ interface secretScanningLayoutRouteChildren {
  secretScanningSecretScanningFindingsPageRouteRoute: typeof secretScanningSecretScanningFindingsPageRouteRoute
  secretScanningSettingsPageRouteRoute: typeof secretScanningSettingsPageRouteRoute
  projectAccessControlPageRouteSecretScanningRoute: typeof projectAccessControlPageRouteSecretScanningRoute
  projectAuditLogsPageRouteSecretScanningRoute: typeof projectAuditLogsPageRouteSecretScanningRoute
  AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecretScanningLayoutDataSourcesRoute: typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecretScanningLayoutDataSourcesRouteWithChildren
  projectGroupDetailsByIDPageRouteSecretScanningRoute: typeof projectGroupDetailsByIDPageRouteSecretScanningRoute
  projectIdentityDetailsByIDPageRouteSecretScanningRoute: typeof projectIdentityDetailsByIDPageRouteSecretScanningRoute
@@ -4254,6 +4338,8 @@ const secretScanningLayoutRouteChildren: secretScanningLayoutRouteChildren = {
  secretScanningSettingsPageRouteRoute: secretScanningSettingsPageRouteRoute,
  projectAccessControlPageRouteSecretScanningRoute:
    projectAccessControlPageRouteSecretScanningRoute,
  projectAuditLogsPageRouteSecretScanningRoute:
    projectAuditLogsPageRouteSecretScanningRoute,
  AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecretScanningLayoutDataSourcesRoute:
    AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecretScanningLayoutDataSourcesRouteWithChildren,
  projectGroupDetailsByIDPageRouteSecretScanningRoute:
@@ -4289,6 +4375,7 @@ interface sshLayoutRouteChildren {
  sshSshHostsPageRouteRoute: typeof sshSshHostsPageRouteRoute
  sshSettingsPageRouteRoute: typeof sshSettingsPageRouteRoute
  projectAccessControlPageRouteSshRoute: typeof projectAccessControlPageRouteSshRoute
  projectAuditLogsPageRouteSshRoute: typeof projectAuditLogsPageRouteSshRoute
  sshSshCaByIDPageRouteRoute: typeof sshSshCaByIDPageRouteRoute
  sshSshHostGroupDetailsByIDPageRouteRoute: typeof sshSshHostGroupDetailsByIDPageRouteRoute
  projectGroupDetailsByIDPageRouteSshRoute: typeof projectGroupDetailsByIDPageRouteSshRoute
@@ -4303,6 +4390,7 @@ const sshLayoutRouteChildren: sshLayoutRouteChildren = {
  sshSshHostsPageRouteRoute: sshSshHostsPageRouteRoute,
  sshSettingsPageRouteRoute: sshSettingsPageRouteRoute,
  projectAccessControlPageRouteSshRoute: projectAccessControlPageRouteSshRoute,
  projectAuditLogsPageRouteSshRoute: projectAuditLogsPageRouteSshRoute,
  sshSshCaByIDPageRouteRoute: sshSshCaByIDPageRouteRoute,
  sshSshHostGroupDetailsByIDPageRouteRoute:
    sshSshHostGroupDetailsByIDPageRouteRoute,
@@ -4642,14 +4730,19 @@ export interface FileRoutesByFullPath {
  '/projects/ssh/$projectId/overview': typeof sshSshHostsPageRouteRoute
  '/projects/ssh/$projectId/settings': typeof sshSettingsPageRouteRoute
  '/projects/cert-management/$projectId/access-management': typeof projectAccessControlPageRouteCertManagerRoute
  '/projects/cert-management/$projectId/audit-logs': typeof projectAuditLogsPageRouteCertManagerRoute
  '/projects/cert-management/$projectId/certificate-templates': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutCertificateTemplatesRouteWithChildren
  '/projects/cert-management/$projectId/subscribers': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutSubscribersRouteWithChildren
  '/projects/kms/$projectId/access-management': typeof projectAccessControlPageRouteKmsRoute
  '/projects/kms/$projectId/audit-logs': typeof projectAuditLogsPageRouteKmsRoute
  '/projects/secret-management/$projectId/access-management': typeof projectAccessControlPageRouteSecretManagerRoute
  '/projects/secret-management/$projectId/audit-logs': typeof projectAuditLogsPageRouteSecretManagerRoute
  '/projects/secret-management/$projectId/integrations': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecretManagerLayoutIntegrationsRouteWithChildren
  '/projects/secret-scanning/$projectId/access-management': typeof projectAccessControlPageRouteSecretScanningRoute
  '/projects/secret-scanning/$projectId/audit-logs': typeof projectAuditLogsPageRouteSecretScanningRoute
  '/projects/secret-scanning/$projectId/data-sources': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecretScanningLayoutDataSourcesRouteWithChildren
  '/projects/ssh/$projectId/access-management': typeof projectAccessControlPageRouteSshRoute
  '/projects/ssh/$projectId/audit-logs': typeof projectAuditLogsPageRouteSshRoute
  '/projects/cert-management/$projectId/certificate-templates/': typeof certManagerPkiTemplateListPageRouteRoute
  '/projects/cert-management/$projectId/subscribers/': typeof certManagerPkiSubscribersPageRouteRoute
  '/projects/secret-management/$projectId/integrations/': typeof secretManagerIntegrationsListPageRouteRoute
@@ -4852,10 +4945,15 @@ export interface FileRoutesByTo {
  '/projects/ssh/$projectId/overview': typeof sshSshHostsPageRouteRoute
  '/projects/ssh/$projectId/settings': typeof sshSettingsPageRouteRoute
  '/projects/cert-management/$projectId/access-management': typeof projectAccessControlPageRouteCertManagerRoute
  '/projects/cert-management/$projectId/audit-logs': typeof projectAuditLogsPageRouteCertManagerRoute
  '/projects/kms/$projectId/access-management': typeof projectAccessControlPageRouteKmsRoute
  '/projects/kms/$projectId/audit-logs': typeof projectAuditLogsPageRouteKmsRoute
  '/projects/secret-management/$projectId/access-management': typeof projectAccessControlPageRouteSecretManagerRoute
  '/projects/secret-management/$projectId/audit-logs': typeof projectAuditLogsPageRouteSecretManagerRoute
  '/projects/secret-scanning/$projectId/access-management': typeof projectAccessControlPageRouteSecretScanningRoute
  '/projects/secret-scanning/$projectId/audit-logs': typeof projectAuditLogsPageRouteSecretScanningRoute
  '/projects/ssh/$projectId/access-management': typeof projectAccessControlPageRouteSshRoute
  '/projects/ssh/$projectId/audit-logs': typeof projectAuditLogsPageRouteSshRoute
  '/projects/cert-management/$projectId/certificate-templates': typeof certManagerPkiTemplateListPageRouteRoute
  '/projects/cert-management/$projectId/subscribers': typeof certManagerPkiSubscribersPageRouteRoute
  '/projects/secret-management/$projectId/integrations': typeof secretManagerIntegrationsListPageRouteRoute
@@ -5075,14 +5173,19 @@ export interface FileRoutesById {
  '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/overview': typeof sshSshHostsPageRouteRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/settings': typeof sshSettingsPageRouteRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/access-management': typeof projectAccessControlPageRouteCertManagerRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs': typeof projectAuditLogsPageRouteCertManagerRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutCertificateTemplatesRouteWithChildren
  '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/subscribers': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsCertManagementProjectIdCertManagerLayoutSubscribersRouteWithChildren
  '/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/access-management': typeof projectAccessControlPageRouteKmsRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs': typeof projectAuditLogsPageRouteKmsRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/access-management': typeof projectAccessControlPageRouteSecretManagerRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs': typeof projectAuditLogsPageRouteSecretManagerRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretManagementProjectIdSecretManagerLayoutIntegrationsRouteWithChildren
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/access-management': typeof projectAccessControlPageRouteSecretScanningRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs': typeof projectAuditLogsPageRouteSecretScanningRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/data-sources': typeof AuthenticateInjectOrgDetailsOrgLayoutProjectsSecretScanningProjectIdSecretScanningLayoutDataSourcesRouteWithChildren
  '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/access-management': typeof projectAccessControlPageRouteSshRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs': typeof projectAuditLogsPageRouteSshRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates/': typeof certManagerPkiTemplateListPageRouteRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/subscribers/': typeof certManagerPkiSubscribersPageRouteRoute
  '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations/': typeof secretManagerIntegrationsListPageRouteRoute
@@ -5295,14 +5398,19 @@ export interface FileRouteTypes {
    | '/projects/ssh/$projectId/overview'
    | '/projects/ssh/$projectId/settings'
    | '/projects/cert-management/$projectId/access-management'
    | '/projects/cert-management/$projectId/audit-logs'
    | '/projects/cert-management/$projectId/certificate-templates'
    | '/projects/cert-management/$projectId/subscribers'
    | '/projects/kms/$projectId/access-management'
    | '/projects/kms/$projectId/audit-logs'
    | '/projects/secret-management/$projectId/access-management'
    | '/projects/secret-management/$projectId/audit-logs'
    | '/projects/secret-management/$projectId/integrations'
    | '/projects/secret-scanning/$projectId/access-management'
    | '/projects/secret-scanning/$projectId/audit-logs'
    | '/projects/secret-scanning/$projectId/data-sources'
    | '/projects/ssh/$projectId/access-management'
    | '/projects/ssh/$projectId/audit-logs'
    | '/projects/cert-management/$projectId/certificate-templates/'
    | '/projects/cert-management/$projectId/subscribers/'
    | '/projects/secret-management/$projectId/integrations/'
@@ -5504,10 +5612,15 @@ export interface FileRouteTypes {
    | '/projects/ssh/$projectId/overview'
    | '/projects/ssh/$projectId/settings'
    | '/projects/cert-management/$projectId/access-management'
    | '/projects/cert-management/$projectId/audit-logs'
    | '/projects/kms/$projectId/access-management'
    | '/projects/kms/$projectId/audit-logs'
    | '/projects/secret-management/$projectId/access-management'
    | '/projects/secret-management/$projectId/audit-logs'
    | '/projects/secret-scanning/$projectId/access-management'
    | '/projects/secret-scanning/$projectId/audit-logs'
    | '/projects/ssh/$projectId/access-management'
    | '/projects/ssh/$projectId/audit-logs'
    | '/projects/cert-management/$projectId/certificate-templates'
    | '/projects/cert-management/$projectId/subscribers'
    | '/projects/secret-management/$projectId/integrations'
@@ -5725,14 +5838,19 @@ export interface FileRouteTypes {
    | '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/overview'
    | '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/settings'
    | '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/access-management'
    | '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs'
    | '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates'
    | '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/subscribers'
    | '/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/access-management'
    | '/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/access-management'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/access-management'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/data-sources'
    | '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/access-management'
    | '/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs'
    | '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates/'
    | '/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/subscribers/'
    | '/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations/'
@@ -6331,6 +6449,7 @@ export const routeTree = rootRoute
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificates",
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/settings",
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/access-management",
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs",
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates",
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/subscribers",
        "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/ca/$caName",
@@ -6349,6 +6468,7 @@ export const routeTree = rootRoute
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/overview",
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/settings",
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/access-management",
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs",
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/groups/$groupId",
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/identities/$identityId",
        "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/members/$membershipId",
@@ -6365,6 +6485,7 @@ export const routeTree = rootRoute
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/secret-rotation",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/settings",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/access-management",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/secrets/$envSlug",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/groups/$groupId",
@@ -6381,6 +6502,7 @@ export const routeTree = rootRoute
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/findings",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/settings",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/access-management",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/data-sources",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/groups/$groupId",
        "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/identities/$identityId",
@@ -6397,6 +6519,7 @@ export const routeTree = rootRoute
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/overview",
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/settings",
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/access-management",
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs",
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/ca/$caId",
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/ssh-host-groups/$sshHostGroupId",
        "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/groups/$groupId",
@@ -6485,6 +6608,10 @@ export const routeTree = rootRoute
      "filePath": "project/AccessControlPage/route-cert-manager.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/audit-logs": {
      "filePath": "project/AuditLogsPage/route-cert-manager.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates": {
      "filePath": "",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout",
@@ -6504,10 +6631,18 @@ export const routeTree = rootRoute
      "filePath": "project/AccessControlPage/route-kms.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout/audit-logs": {
      "filePath": "project/AuditLogsPage/route-kms.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/kms/$projectId/_kms-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/access-management": {
      "filePath": "project/AccessControlPage/route-secret-manager.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/audit-logs": {
      "filePath": "project/AuditLogsPage/route-secret-manager.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout/integrations": {
      "filePath": "",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/secret-management/$projectId/_secret-manager-layout",
@@ -6596,6 +6731,10 @@ export const routeTree = rootRoute
      "filePath": "project/AccessControlPage/route-secret-scanning.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/audit-logs": {
      "filePath": "project/AuditLogsPage/route-secret-scanning.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout/data-sources": {
      "filePath": "",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/secret-scanning/$projectId/_secret-scanning-layout",
@@ -6608,6 +6747,10 @@ export const routeTree = rootRoute
      "filePath": "project/AccessControlPage/route-ssh.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout/audit-logs": {
      "filePath": "project/AuditLogsPage/route-ssh.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/ssh/$projectId/_ssh-layout"
    },
    "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates/": {
      "filePath": "cert-manager/PkiTemplateListPage/route.tsx",
      "parent": "/_authenticate/_inject-org-details/_org-layout/projects/cert-management/$projectId/_cert-manager-layout/certificate-templates"
--- a/frontend/src/routes.ts
+++ b/frontend/src/routes.ts
@@ -63,6 +63,7 @@ const secretManagerRoutes = route("/projects/secret-management/$projectId", [
        )
      ])
    ]),
    route("/audit-logs", "project/AuditLogsPage/route-secret-manager.tsx"),
    route("/access-management", "project/AccessControlPage/route-secret-manager.tsx"),
    route("/roles/$roleSlug", "project/RoleDetailsBySlugPage/route-secret-manager.tsx"),
    route("/identities/$identityId", "project/IdentityDetailsByIDPage/route-secret-manager.tsx"),
@@ -312,6 +313,7 @@ const certManagerRoutes = route("/projects/cert-management/$projectId", [
    route("/ca/$caName", "cert-manager/CertAuthDetailsByIDPage/route.tsx"),
    route("/pki-collections/$collectionId", "cert-manager/PkiCollectionDetailsByIDPage/routes.tsx"),
    route("/settings", "cert-manager/SettingsPage/route.tsx"),
    route("/audit-logs", "project/AuditLogsPage/route-cert-manager.tsx"),
    route("/access-management", "project/AccessControlPage/route-cert-manager.tsx"),
    route("/roles/$roleSlug", "project/RoleDetailsBySlugPage/route-cert-manager.tsx"),
    route("/identities/$identityId", "project/IdentityDetailsByIDPage/route-cert-manager.tsx"),
@@ -325,6 +327,7 @@ const kmsRoutes = route("/projects/kms/$projectId", [
    route("/overview", "kms/OverviewPage/route.tsx"),
    route("/kmip", "kms/KmipPage/route.tsx"),
    route("/settings", "kms/SettingsPage/route.tsx"),
    route("/audit-logs", "project/AuditLogsPage/route-kms.tsx"),
    route("/access-management", "project/AccessControlPage/route-kms.tsx"),
    route("/roles/$roleSlug", "project/RoleDetailsBySlugPage/route-kms.tsx"),
    route("/identities/$identityId", "project/IdentityDetailsByIDPage/route-kms.tsx"),
@@ -341,6 +344,7 @@ const sshRoutes = route("/projects/ssh/$projectId", [
    route("/ca/$caId", "ssh/SshCaByIDPage/route.tsx"),
    route("/ssh-host-groups/$sshHostGroupId", "ssh/SshHostGroupDetailsByIDPage/route.tsx"),
    route("/settings", "ssh/SettingsPage/route.tsx"),
    route("/audit-logs", "project/AuditLogsPage/route-ssh.tsx"),
    route("/access-management", "project/AccessControlPage/route-ssh.tsx"),
    route("/roles/$roleSlug", "project/RoleDetailsBySlugPage/route-ssh.tsx"),
    route("/identities/$identityId", "project/IdentityDetailsByIDPage/route-ssh.tsx"),
@@ -357,6 +361,7 @@ const secretScanningRoutes = route("/projects/secret-scanning/$projectId", [
    ]),
    route("/findings", "secret-scanning/SecretScanningFindingsPage/route.tsx"),
    route("/settings", "secret-scanning/SettingsPage/route.tsx"),
    route("/audit-logs", "project/AuditLogsPage/route-secret-scanning.tsx"),
    route("/access-management", "project/AccessControlPage/route-secret-scanning.tsx"),
    route("/roles/$roleSlug", "project/RoleDetailsBySlugPage/route-secret-scanning.tsx"),
    route("/identities/$identityId", "project/IdentityDetailsByIDPage/route-secret-scanning.tsx"),
Author	SHA1	Message	Date
Daniel Hougaard	d4f0301104	Update Dockerfile.fips.standalone-infisical	2025-07-25 23:13:26 +04:00
Daniel Hougaard	253c46f21d	fips improvements	2025-07-25 23:09:23 +04:00
Daniel Hougaard	11ca76ccca	fix: restructure and requested changes	2025-07-25 20:05:20 +04:00
Daniel Hougaard	418aca8af0	feat(secret-sync/render): auto redeploy on sync	2025-07-25 19:50:28 +04:00
Scott Wilson	929822514e	Merge pull request #4230 from Infisical/secret-dashboard-sing-env-col-resize improvement(frontend): add col resize to secret dashboard env view	2025-07-24 20:08:18 -07:00
Daniel Hougaard	616ccb97f2	Merge pull request #4238 from Infisical/daniel/docs-fix Update docs.json	2025-07-25 04:59:32 +04:00
Daniel Hougaard	7917a767e6	Update docs.json	2025-07-25 04:57:15 +04:00
carlosmonastyrski	ccff675e0d	Merge pull request #4237 from Infisical/fix/remindersMigrationFix Fix secret reminders migration job	2025-07-24 21:25:47 -03:00
Carlos Monastyrski	ad905b2ff7	Fix secret reminders migration job	2025-07-24 20:42:39 -03:00
carlosmonastyrski	2ada753527	Merge pull request #4235 from Infisical/fix/renderRateLimit Improve render retries and rate limits	2025-07-24 19:07:17 -03:00
Carlos Monastyrski	c031736701	Improve render api usage	2025-07-24 18:51:44 -03:00
Daniel Hougaard	91a1c34637	Merge pull request #4211 from Infisical/daniel/vault-import feat(external-migrations): vault migrations	2025-07-25 01:16:50 +04:00
Carlos Monastyrski	eadb1a63fa	Improve render retries and rate limits	2025-07-24 17:49:28 -03:00
Scott Wilson	f70a1e3db6	Merge pull request #4233 from Infisical/fix-identity-role-invalidation fix(frontend): correct org identity mutation table invalidation	2025-07-24 12:17:03 -07:00
Scott Wilson	fc6ab94a06	fix: correct org identity mutation table invalidation	2025-07-24 12:08:41 -07:00
Scott Wilson	4feb3314e7	Merge pull request #4232 from Infisical/create-project-modal-dropdown improvement(frontend): Adjust select dropdown styling in add project modal	2025-07-24 11:57:23 -07:00
Scott Wilson	d9a57d1391	fix: make side prop optional	2025-07-24 11:50:05 -07:00
Scott Wilson	2c99d41592	improvement: adjust select dropdown styling in add project modal	2025-07-24 11:42:04 -07:00
Scott Wilson	2535d1bc4b	Merge pull request #4228 from Infisical/project-audit-logs-page feature(project-audit-logs): add project audit logs pages	2025-07-24 10:49:02 -07:00
Scott Wilson	83e59ae160	feature: add col resize to secret dashboard env view	2025-07-24 10:18:57 -07:00
x032205	a8a1bc5f4a	Merge pull request #4227 from Infisical/ENG-3345 feat(machine-identity): Add AWS attributes for ABAC	2025-07-24 11:59:17 -04:00
Daniel Hougaard	d2a4f265de	Update ExternalMigrationsTab.tsx	2025-07-24 19:58:29 +04:00
x032205	3483f185a8	Doc tweaks	2025-07-24 11:44:10 -04:00
Scott Wilson	9bc24487b3	Merge pull request #4216 from Infisical/dashboard-filter-improvements improvement(frontend): improve dashboard filter behavior and design	2025-07-24 08:33:24 -07:00
Daniel Hougaard	4af872e504	fix: ui state	2025-07-24 19:14:50 +04:00
Daniel Hougaard	716b88fa49	requested changes and docs	2025-07-24 19:09:24 +04:00
Maidul Islam	cb700c5124	Merge pull request #4183 from Infisical/fix/oracle-app-connection fix: resolved oracle failing in app connection	2025-07-24 09:57:10 -04:00
Daniel Hougaard	716f061c01	Merge branch 'heads/main' into daniel/vault-import	2025-07-24 17:29:55 +04:00
Scott Wilson	dd008724fb	fix type error	2025-07-23 18:26:01 -07:00
Scott Wilson	dd0c07fb95	improvements: remove fixed css	2025-07-23 18:18:59 -07:00
Scott Wilson	d935b28925	feature: add project audit logs	2025-07-23 16:48:54 -07:00
x032205	60620840f2	Tweaks	2025-07-23 16:48:06 -04:00
x032205	e798eb2a4e	feat(machine-identity): Add AWS attributes for ABAC	2025-07-23 16:30:55 -04:00
Scott Wilson	e96e7b835d	improvements: address feedback	2025-07-23 12:43:48 -07:00
Scott Wilson	e76e0f7bcc	improvement: improve dashboard filter behavior and design	2025-07-22 17:14:45 -07:00
Daniel Hougaard	464e32b0e9	Update VaultPlatformModal.tsx	2025-07-22 13:04:00 +04:00
Daniel Hougaard	bfd8b64871	requested changes	2025-07-22 02:15:21 +04:00
Daniel Hougaard	185cc4efba	Update VaultPlatformModal copy.tsx	2025-07-22 01:50:28 +04:00
Daniel Hougaard	7150b9314d	feat(external-migrations): vault migrations	2025-07-22 01:35:02 +04:00
		`@@ -0,0 +1 @@`
							`export { ExternalMigrationsTab } from "./ExternalMigrationsTab";`