updates billing types else where

feat(secret-sharing): Require Login for Secrets Shared to Specific Emails

backend/e2e-test/vitest-environment-knex.ts

@@ -15,8 +15,8 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
-import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -30,7 +30,7 @@ export default {
       dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = new Redis(envConfig.REDIS_URL);
+    const redis = buildRedisFromConfig(envConfig);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,8 +55,8 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig);
 
       const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();

backend/package.json

@@ -131,6 +131,7 @@
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
+    "@aws-sdk/client-route-53": "^3.810.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -174,6 +175,7 @@
     "@slack/oauth": "^3.0.2",
     "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
+    "acme-client": "^5.4.0",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",

backend/scripts/generate-schema-types.ts

@@ -84,6 +84,11 @@ const getZodDefaultValue = (type: unknown, value: string | number | boolean | Ob
   }
 };
 
+const bigIntegerColumns: Record<string, string[]> = {
+  "folder_commits": ["commitId"]
+};
+
+
 const main = async () => {
   const tables = (
     await db("information_schema.tables")
@@ -108,6 +113,9 @@ const main = async () => {
       const columnName = columnNames[colNum];
       const colInfo = columns[columnName];
       let ztype = getZodPrimitiveType(colInfo.type);
+      if (bigIntegerColumns[tableName]?.includes(columnName)) {
+        ztype = "z.coerce.bigint()";
+      }
       if (["zodBuffer"].includes(ztype)) {
         zodImportSet.add(ztype);
       }

backend/src/@types/fastify.d.ts

@@ -26,6 +26,7 @@ import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-con
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TPitServiceFactory } from "@app/ee/services/pit/pit-service";
 import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
@@ -53,10 +54,12 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
+import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
@@ -110,6 +113,7 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
+    orgId?: string;
     identityAuthInfo?: {
       identityId: string;
       oidc?: {
@@ -268,6 +272,9 @@ declare module "fastify" {
       microsoftTeams: TMicrosoftTeamsServiceFactory;
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
+      folderCommit: TFolderCommitServiceFactory;
+      pit: TPitServiceFactory;
+      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -68,12 +68,33 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalCertificateAuthorities,
+  TExternalCertificateAuthoritiesInsert,
+  TExternalCertificateAuthoritiesUpdate,
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate,
   TExternalKms,
   TExternalKmsInsert,
   TExternalKmsUpdate,
+  TFolderCheckpointResources,
+  TFolderCheckpointResourcesInsert,
+  TFolderCheckpointResourcesUpdate,
+  TFolderCheckpoints,
+  TFolderCheckpointsInsert,
+  TFolderCheckpointsUpdate,
+  TFolderCommitChanges,
+  TFolderCommitChangesInsert,
+  TFolderCommitChangesUpdate,
+  TFolderCommits,
+  TFolderCommitsInsert,
+  TFolderCommitsUpdate,
+  TFolderTreeCheckpointResources,
+  TFolderTreeCheckpointResourcesInsert,
+  TFolderTreeCheckpointResourcesUpdate,
+  TFolderTreeCheckpoints,
+  TFolderTreeCheckpointsInsert,
+  TFolderTreeCheckpointsUpdate,
   TGateways,
   TGatewaysInsert,
   TGatewaysUpdate,
@@ -155,6 +176,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
+  TInternalCertificateAuthorities,
+  TInternalCertificateAuthoritiesInsert,
+  TInternalCertificateAuthoritiesUpdate,
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
@@ -538,6 +562,16 @@ declare module "knex/types/tables" {
       TCertificateAuthorityCrlInsert,
       TCertificateAuthorityCrlUpdate
     >;
+    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TInternalCertificateAuthorities,
+      TInternalCertificateAuthoritiesInsert,
+      TInternalCertificateAuthoritiesUpdate
+    >;
+    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TExternalCertificateAuthorities,
+      TExternalCertificateAuthoritiesInsert,
+      TExternalCertificateAuthoritiesUpdate
+    >;
     [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
     [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
       TCertificateTemplates,
@@ -1074,5 +1108,35 @@ declare module "knex/types/tables" {
       TGithubOrgSyncConfigsInsert,
       TGithubOrgSyncConfigsUpdate
     >;
+    [TableName.FolderCommit]: KnexOriginal.CompositeTableType<
+      TFolderCommits,
+      TFolderCommitsInsert,
+      TFolderCommitsUpdate
+    >;
+    [TableName.FolderCommitChanges]: KnexOriginal.CompositeTableType<
+      TFolderCommitChanges,
+      TFolderCommitChangesInsert,
+      TFolderCommitChangesUpdate
+    >;
+    [TableName.FolderCheckpoint]: KnexOriginal.CompositeTableType<
+      TFolderCheckpoints,
+      TFolderCheckpointsInsert,
+      TFolderCheckpointsUpdate
+    >;
+    [TableName.FolderCheckpointResources]: KnexOriginal.CompositeTableType<
+      TFolderCheckpointResources,
+      TFolderCheckpointResourcesInsert,
+      TFolderCheckpointResourcesUpdate
+    >;
+    [TableName.FolderTreeCheckpoint]: KnexOriginal.CompositeTableType<
+      TFolderTreeCheckpoints,
+      TFolderTreeCheckpointsInsert,
+      TFolderTreeCheckpointsUpdate
+    >;
+    [TableName.FolderTreeCheckpointResources]: KnexOriginal.CompositeTableType<
+      TFolderTreeCheckpointResources,
+      TFolderTreeCheckpointResourcesInsert,
+      TFolderTreeCheckpointResourcesUpdate
+    >;
   }
 }

backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts

@@ -0,0 +1,44 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
+    if (!hasProjectIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId", 36).nullable();
+        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      });
+
+      await knex.raw(`
+          UPDATE "${TableName.Certificate}" cert
+          SET "projectId" = ca."projectId"
+          FROM "${TableName.CertificateAuthority}" ca
+          WHERE cert."caId" = ca.id
+        `);
+
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId").notNullable().alter();
+      });
+    }
+
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caId").nullable().alter();
+      t.uuid("caCertId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropForeign("projectId");
+        t.dropColumn("projectId");
+      });
+    }
+  }
+
+  // Altering back to notNullable for caId and caCertId will fail
+}

backend/src/db/migrations/20250505194916_add-pit-revamp-tables.ts

@@ -0,0 +1,166 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (!hasFolderCommitTable) {
+    await knex.schema.createTable(TableName.FolderCommit, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.bigIncrements("commitId");
+      t.jsonb("actorMetadata").notNullable();
+      t.string("actorType").notNullable();
+      t.string("message");
+      t.uuid("folderId").notNullable();
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderId");
+      t.index("envId");
+    });
+  }
+
+  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
+  if (!hasFolderCommitChangesTable) {
+    await knex.schema.createTable(TableName.FolderCommitChanges, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.string("changeType").notNullable();
+      t.boolean("isUpdate").notNullable().defaultTo(false);
+      t.uuid("secretVersionId");
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("folderVersionId");
+      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+      t.index("secretVersionId");
+      t.index("folderVersionId");
+    });
+  }
+
+  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
+  if (!hasFolderCheckpointTable) {
+    await knex.schema.createTable(TableName.FolderCheckpoint, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+    });
+  }
+
+  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
+  if (!hasFolderCheckpointResourcesTable) {
+    await knex.schema.createTable(TableName.FolderCheckpointResources, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCheckpointId").notNullable();
+      t.foreign("folderCheckpointId").references("id").inTable(TableName.FolderCheckpoint).onDelete("CASCADE");
+      t.uuid("secretVersionId");
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("folderVersionId");
+      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCheckpointId");
+      t.index("secretVersionId");
+      t.index("folderVersionId");
+    });
+  }
+
+  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
+  if (!hasFolderTreeCheckpointTable) {
+    await knex.schema.createTable(TableName.FolderTreeCheckpoint, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+    });
+  }
+
+  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
+  if (!hasFolderTreeCheckpointResourcesTable) {
+    await knex.schema.createTable(TableName.FolderTreeCheckpointResources, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderTreeCheckpointId").notNullable();
+      t.foreign("folderTreeCheckpointId").references("id").inTable(TableName.FolderTreeCheckpoint).onDelete("CASCADE");
+      t.uuid("folderId").notNullable();
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderTreeCheckpointId");
+      t.index("folderId");
+      t.index("folderCommitId");
+    });
+  }
+
+  if (!hasFolderCommitTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCommit);
+  }
+
+  if (!hasFolderCommitChangesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCommitChanges);
+  }
+
+  if (!hasFolderCheckpointTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCheckpoint);
+  }
+
+  if (!hasFolderCheckpointResourcesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
+  }
+
+  if (!hasFolderTreeCheckpointTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
+  }
+
+  if (!hasFolderTreeCheckpointResourcesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
+  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
+  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
+  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
+
+  if (hasFolderTreeCheckpointResourcesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
+    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpointResources);
+  }
+
+  if (hasFolderCheckpointResourcesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
+    await knex.schema.dropTableIfExists(TableName.FolderCheckpointResources);
+  }
+
+  if (hasFolderTreeCheckpointTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
+    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpoint);
+  }
+
+  if (hasFolderCheckpointTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCheckpoint);
+    await knex.schema.dropTableIfExists(TableName.FolderCheckpoint);
+  }
+
+  if (hasFolderCommitChangesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCommitChanges);
+    await knex.schema.dropTableIfExists(TableName.FolderCommitChanges);
+  }
+
+  if (hasFolderCommitTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCommit);
+    await knex.schema.dropTableIfExists(TableName.FolderCommit);
+  }
+}

backend/src/db/migrations/20250507185010_pit-projects-commits-initialization.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+
+import { ProjectType, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationPITServices } from "./utils/services";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (hasFolderCommitTable) {
+    const keyStore = inMemoryKeyStore();
+    const envConfig = getMigrationEnvConfig();
+    const { folderCommitService } = await getMigrationPITServices({ db: knex, keyStore, envConfig });
+    const projects = await knex(TableName.Project).where({ version: 3, type: ProjectType.SecretManager }).select("id");
+    for (const project of projects) {
+      // eslint-disable-next-line no-await-in-loop
+      await folderCommitService.initializeProject(project.id, knex);
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (hasFolderCommitTable) {
+    // delete all existing entries
+    await knex(TableName.FolderCommit).del();
+  }
+}

backend/src/db/migrations/20250521110635_add-external-ca-pki.ts

@@ -0,0 +1,205 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && !hasInternalCATable) {
+    await knex.schema.createTableLike(TableName.InternalCertificateAuthority, TableName.CertificateAuthority, (t) => {
+      t.uuid("caId").nullable();
+    });
+
+    // @ts-expect-error intentional: migration
+    await knex(TableName.InternalCertificateAuthority).insert(knex(TableName.CertificateAuthority).select("*"));
+    await knex(TableName.InternalCertificateAuthority).update("caId", knex.ref("id"));
+
+    await knex.schema.alterTable(TableName.InternalCertificateAuthority, (t) => {
+      t.dropColumn("projectId");
+      t.dropColumn("requireTemplateForIssuance");
+      t.dropColumn("createdAt");
+      t.dropColumn("updatedAt");
+      t.dropColumn("status");
+      t.uuid("parentCaId")
+        .nullable()
+        .references("id")
+        .inTable(TableName.CertificateAuthority)
+        .onDelete("CASCADE")
+        .alter();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert).alter();
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE").alter();
+    });
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.renameColumn("requireTemplateForIssuance", "enableDirectIssuance");
+      t.string("name").nullable();
+    });
+
+    // prefill name for existing internal CAs and flip enableDirectIssuance
+    const cas = await knex(TableName.CertificateAuthority).select("id", "friendlyName", "enableDirectIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        const slugifiedName = ca.friendlyName
+          ? slugify(`${ca.friendlyName.slice(0, 16)}-${alphaNumericNanoId(8)}`)
+          : slugify(alphaNumericNanoId(12));
+
+        return knex(TableName.CertificateAuthority)
+          .where({ id: ca.id })
+          .update({ name: slugifiedName, enableDirectIssuance: !ca.enableDirectIssuance });
+      })
+    );
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.dropColumn("parentCaId");
+      t.dropColumn("type");
+      t.dropColumn("friendlyName");
+      t.dropColumn("organization");
+      t.dropColumn("ou");
+      t.dropColumn("country");
+      t.dropColumn("province");
+      t.dropColumn("locality");
+      t.dropColumn("commonName");
+      t.dropColumn("dn");
+      t.dropColumn("serialNumber");
+      t.dropColumn("maxPathLength");
+      t.dropColumn("keyAlgorithm");
+      t.dropColumn("notBefore");
+      t.dropColumn("notAfter");
+      t.dropColumn("activeCaCertId");
+      t.boolean("enableDirectIssuance").notNullable().defaultTo(true).alter();
+      t.string("name").notNullable().alter();
+      t.unique(["name", "projectId"]);
+    });
+  }
+
+  if (!hasExternalCATable) {
+    await knex.schema.createTable(TableName.ExternalCertificateAuthority, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("type").notNullable();
+      t.uuid("appConnectionId").nullable();
+      t.foreign("appConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("dnsAppConnectionId").nullable();
+      t.foreign("dnsAppConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("credentials");
+      t.json("configuration");
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.string("ttl").nullable().alter();
+
+      t.boolean("enableAutoRenewal").notNullable().defaultTo(false);
+      t.integer("autoRenewalPeriodInDays");
+      t.datetime("lastAutoRenewAt");
+
+      t.string("lastOperationStatus");
+      t.text("lastOperationMessage");
+      t.dateTime("lastOperationAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && hasInternalCATable) {
+    // First add all columns as nullable
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.uuid("parentCaId").nullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.string("type").nullable();
+      t.string("friendlyName").nullable();
+      t.string("organization").nullable();
+      t.string("ou").nullable();
+      t.string("country").nullable();
+      t.string("province").nullable();
+      t.string("locality").nullable();
+      t.string("commonName").nullable();
+      t.string("dn").nullable();
+      t.string("serialNumber").nullable().unique();
+      t.integer("maxPathLength").nullable();
+      t.string("keyAlgorithm").nullable();
+      t.timestamp("notBefore").nullable();
+      t.timestamp("notAfter").nullable();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert);
+      t.renameColumn("enableDirectIssuance", "requireTemplateForIssuance");
+      t.dropColumn("name");
+    });
+
+    // flip requireTemplateForIssuance for existing internal CAs
+    const cas = await knex(TableName.CertificateAuthority).select("id", "requireTemplateForIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        return (
+          knex(TableName.CertificateAuthority)
+            .where({ id: ca.id })
+            // @ts-expect-error intentional: migration
+            .update({ requireTemplateForIssuance: !ca.requireTemplateForIssuance })
+        );
+      })
+    );
+
+    await knex.raw(`
+      UPDATE ${TableName.CertificateAuthority} ca
+      SET
+        type = ica.type,
+        "friendlyName" = ica."friendlyName",
+        organization = ica.organization,
+        ou = ica.ou,
+        country = ica.country,
+        province = ica.province,
+        locality = ica.locality,
+        "commonName" = ica."commonName",
+        dn = ica.dn,
+        "parentCaId" = ica."parentCaId",
+        "serialNumber" = ica."serialNumber",
+        "maxPathLength" = ica."maxPathLength",
+        "keyAlgorithm" = ica."keyAlgorithm",
+        "notBefore" = ica."notBefore",
+        "notAfter" = ica."notAfter",
+        "activeCaCertId" = ica."activeCaCertId"
+      FROM ${TableName.InternalCertificateAuthority} ica
+      WHERE ca.id = ica."caId"
+    `);
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.string("type").notNullable().alter();
+      t.string("friendlyName").notNullable().alter();
+      t.string("organization").notNullable().alter();
+      t.string("ou").notNullable().alter();
+      t.string("country").notNullable().alter();
+      t.string("province").notNullable().alter();
+      t.string("locality").notNullable().alter();
+      t.string("commonName").notNullable().alter();
+      t.string("dn").notNullable().alter();
+      t.string("keyAlgorithm").notNullable().alter();
+      t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false).alter();
+    });
+
+    await knex.schema.dropTable(TableName.InternalCertificateAuthority);
+  }
+
+  if (hasExternalCATable) {
+    await knex.schema.dropTable(TableName.ExternalCertificateAuthority);
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.dropColumn("enableAutoRenewal");
+      t.dropColumn("autoRenewalPeriodInDays");
+      t.dropColumn("lastAutoRenewAt");
+
+      t.dropColumn("lastOperationStatus");
+      t.dropColumn("lastOperationMessage");
+      t.dropColumn("lastOperationAt");
+    });
+  }
+}

backend/src/db/migrations/20250527164523_add-mi-access-token-period.ts

@@ -0,0 +1,139 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+}

backend/src/db/migrations/20250528110936_add-folder-description-to-versioning.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretFolderVersion, "description"))) {
+    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
+      t.string("description").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretFolderVersion, "description")) {
+    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("encryptedSalt");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (!hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.binary("encryptedSalt").nullable();
+      });
+    }
+  }
+}

backend/src/db/migrations/utils/services.ts

@@ -3,12 +3,27 @@ import { Knex } from "knex";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { folderCheckpointDALFactory } from "@app/services/folder-checkpoint/folder-checkpoint-dal";
+import { folderCheckpointResourcesDALFactory } from "@app/services/folder-checkpoint-resources/folder-checkpoint-resources-dal";
+import { folderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import { folderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { folderCommitChangesDALFactory } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { folderTreeCheckpointDALFactory } from "@app/services/folder-tree-checkpoint/folder-tree-checkpoint-dal";
+import { folderTreeCheckpointResourcesDALFactory } from "@app/services/folder-tree-checkpoint-resources/folder-tree-checkpoint-resources-dal";
+import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
 import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { kmsServiceFactory } from "@app/services/kms/kms-service";
 import { orgDALFactory } from "@app/services/org/org-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
+import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { secretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { secretFolderVersionDALFactory } from "@app/services/secret-folder/secret-folder-version-dal";
+import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
+import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
+import { secretVersionV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
+import { userDALFactory } from "@app/services/user/user-dal";
 
 import { TMigrationEnvConfig } from "./env-config";
 
@@ -50,3 +65,77 @@ export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }
 
   return { kmsService };
 };
+
+export const getMigrationPITServices = async ({
+  db,
+  keyStore,
+  envConfig
+}: {
+  db: Knex;
+  keyStore: TKeyStoreFactory;
+  envConfig: TMigrationEnvConfig;
+}) => {
+  const projectDAL = projectDALFactory(db);
+  const folderCommitDAL = folderCommitDALFactory(db);
+  const folderCommitChangesDAL = folderCommitChangesDALFactory(db);
+  const folderCheckpointDAL = folderCheckpointDALFactory(db);
+  const folderTreeCheckpointDAL = folderTreeCheckpointDALFactory(db);
+  const userDAL = userDALFactory(db);
+  const identityDAL = identityDALFactory(db);
+  const folderDAL = secretFolderDALFactory(db);
+  const folderVersionDAL = secretFolderVersionDALFactory(db);
+  const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
+  const folderCheckpointResourcesDAL = folderCheckpointResourcesDALFactory(db);
+  const secretV2BridgeDAL = secretV2BridgeDALFactory({ db, keyStore });
+  const folderTreeCheckpointResourcesDAL = folderTreeCheckpointResourcesDALFactory(db);
+  const secretTagDAL = secretTagDALFactory(db);
+
+  const orgDAL = orgDALFactory(db);
+  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const resourceMetadataDAL = resourceMetadataDALFactory(db);
+
+  const hsmModule = initializeHsmModule(envConfig);
+  hsmModule.initialize();
+
+  const hsmService = hsmServiceFactory({
+    hsmModule: hsmModule.getModule(),
+    envConfig
+  });
+
+  const kmsService = kmsServiceFactory({
+    kmsRootConfigDAL,
+    keyStore,
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL,
+    hsmService,
+    envConfig
+  });
+
+  await hsmService.startService();
+  await kmsService.startService();
+
+  const folderCommitService = folderCommitServiceFactory({
+    folderCommitDAL,
+    folderCommitChangesDAL,
+    folderCheckpointDAL,
+    folderTreeCheckpointDAL,
+    userDAL,
+    identityDAL,
+    folderDAL,
+    folderVersionDAL,
+    secretVersionV2BridgeDAL,
+    projectDAL,
+    folderCheckpointResourcesDAL,
+    secretV2BridgeDAL,
+    folderTreeCheckpointResourcesDAL,
+    kmsService,
+    secretTagDAL,
+    resourceMetadataDAL
+  });
+
+  return { folderCommitService };
+};

backend/src/db/schemas/certificate-authorities.ts

@@ -11,25 +11,10 @@ export const CertificateAuthoritiesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  parentCaId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
-  type: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  requireTemplateForIssuance: z.boolean().default(false)
+  name: z.string()
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificates.ts

@@ -11,7 +11,7 @@ export const CertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  caId: z.string().uuid(),
+  caId: z.string().uuid().nullable().optional(),
   status: z.string(),
   serialNumber: z.string(),
   friendlyName: z.string(),
@@ -21,11 +21,12 @@ export const CertificatesSchema = z.object({
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
   altNames: z.string().nullable().optional(),
-  caCertId: z.string().uuid(),
+  caCertId: z.string().uuid().nullable().optional(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional()
+  pkiSubscriberId: z.string().uuid().nullable().optional(),
+  projectId: z.string()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/external-certificate-authorities.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  type: z.string(),
+  appConnectionId: z.string().uuid().nullable().optional(),
+  dnsAppConnectionId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid(),
+  credentials: zodBuffer.nullable().optional(),
+  configuration: z.unknown().nullable().optional()
+});
+
+export type TExternalCertificateAuthorities = z.infer<typeof ExternalCertificateAuthoritiesSchema>;
+export type TExternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof ExternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TExternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof ExternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/folder-checkpoint-resources.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCheckpointResourcesSchema = z.object({
+  id: z.string().uuid(),
+  folderCheckpointId: z.string().uuid(),
+  secretVersionId: z.string().uuid().nullable().optional(),
+  folderVersionId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCheckpointResources = z.infer<typeof FolderCheckpointResourcesSchema>;
+export type TFolderCheckpointResourcesInsert = Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>;
+export type TFolderCheckpointResourcesUpdate = Partial<
+  Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/folder-checkpoints.ts

@@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCheckpointsSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCheckpoints = z.infer<typeof FolderCheckpointsSchema>;
+export type TFolderCheckpointsInsert = Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>;
+export type TFolderCheckpointsUpdate = Partial<Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-commit-changes.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCommitChangesSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  changeType: z.string(),
+  isUpdate: z.boolean().default(false),
+  secretVersionId: z.string().uuid().nullable().optional(),
+  folderVersionId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCommitChanges = z.infer<typeof FolderCommitChangesSchema>;
+export type TFolderCommitChangesInsert = Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>;
+export type TFolderCommitChangesUpdate = Partial<Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-commits.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCommitsSchema = z.object({
+  id: z.string().uuid(),
+  commitId: z.coerce.bigint(),
+  actorMetadata: z.unknown(),
+  actorType: z.string(),
+  message: z.string().nullable().optional(),
+  folderId: z.string().uuid(),
+  envId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCommits = z.infer<typeof FolderCommitsSchema>;
+export type TFolderCommitsInsert = Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>;
+export type TFolderCommitsUpdate = Partial<Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-tree-checkpoint-resources.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderTreeCheckpointResourcesSchema = z.object({
+  id: z.string().uuid(),
+  folderTreeCheckpointId: z.string().uuid(),
+  folderId: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderTreeCheckpointResources = z.infer<typeof FolderTreeCheckpointResourcesSchema>;
+export type TFolderTreeCheckpointResourcesInsert = Omit<
+  z.input<typeof FolderTreeCheckpointResourcesSchema>,
+  TImmutableDBKeys
+>;
+export type TFolderTreeCheckpointResourcesUpdate = Partial<
+  Omit<z.input<typeof FolderTreeCheckpointResourcesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/folder-tree-checkpoints.ts

@@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderTreeCheckpointsSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderTreeCheckpoints = z.infer<typeof FolderTreeCheckpointsSchema>;
+export type TFolderTreeCheckpointsInsert = Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>;
+export type TFolderTreeCheckpointsUpdate = Partial<Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-access-tokens.ts

@@ -21,7 +21,8 @@ export const IdentityAccessTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   name: z.string().nullable().optional(),
-  authMethod: z.string()
+  authMethod: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -19,7 +19,8 @@ export const IdentityAwsAuthsSchema = z.object({
   type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
+  allowedAccountIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -18,7 +18,8 @@ export const IdentityAzureAuthsSchema = z.object({
   identityId: z.string().uuid(),
   tenantId: z.string(),
   resource: z.string(),
-  allowedServicePrincipalIds: z.string()
+  allowedServicePrincipalIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -19,7 +19,8 @@ export const IdentityGcpAuthsSchema = z.object({
   type: z.string(),
   allowedServiceAccounts: z.string().nullable().optional(),
   allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional()
+  allowedZones: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-jwt-auths.ts

@@ -25,7 +25,8 @@ export const IdentityJwtAuthsSchema = z.object({
   boundClaims: z.unknown(),
   boundSubject: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -30,7 +30,8 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
   encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional()
+  gatewayId: z.string().uuid().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -24,7 +24,8 @@ export const IdentityLdapAuthsSchema = z.object({
   searchFilter: z.string(),
   allowedFields: z.unknown().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -18,7 +18,8 @@ export const IdentityOciAuthsSchema = z.object({
   identityId: z.string().uuid(),
   type: z.string(),
   tenancyOcid: z.string(),
-  allowedUsernames: z.string().nullable().optional()
+  allowedUsernames: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -27,7 +27,8 @@ export const IdentityOidcAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional()
+  claimMetadataMapping: z.unknown().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-token-auths.ts

@@ -15,7 +15,8 @@ export const IdentityTokenAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityTokenAuths = z.infer<typeof IdentityTokenAuthsSchema>;

backend/src/db/schemas/identity-universal-auths.ts

@@ -17,7 +17,8 @@ export const IdentityUniversalAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -20,8 +20,15 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
+export * from "./folder-checkpoint-resources";
+export * from "./folder-checkpoints";
+export * from "./folder-commit-changes";
+export * from "./folder-commits";
+export * from "./folder-tree-checkpoint-resources";
+export * from "./folder-tree-checkpoints";
 export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
@@ -49,6 +56,7 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./internal-certificate-authorities";
 export * from "./internal-kms";
 export * from "./kmip-client-certificates";
 export * from "./kmip-clients";

backend/src/db/schemas/internal-certificate-authorities.ts

@@ -0,0 +1,38 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  parentCaId: z.string().uuid().nullable().optional(),
+  type: z.string(),
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid()
+});
+
+export type TInternalCertificateAuthorities = z.infer<typeof InternalCertificateAuthoritiesSchema>;
+export type TInternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof InternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TInternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof InternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -13,6 +13,8 @@ export enum TableName {
   SshCertificate = "ssh_certificates",
   SshCertificateBody = "ssh_certificate_bodies",
   CertificateAuthority = "certificate_authorities",
+  ExternalCertificateAuthority = "external_certificate_authorities",
+  InternalCertificateAuthority = "internal_certificate_authorities",
   CertificateTemplateEstConfig = "certificate_template_est_configs",
   CertificateAuthorityCert = "certificate_authority_certs",
   CertificateAuthoritySecret = "certificate_authority_secret",
@@ -155,10 +157,16 @@ export enum TableName {
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
   SecretReminderRecipients = "secret_reminder_recipients",
-  GithubOrgSyncConfig = "github_org_sync_configs"
+  GithubOrgSyncConfig = "github_org_sync_configs",
+  FolderCommit = "folder_commits",
+  FolderCommitChanges = "folder_commit_changes",
+  FolderCheckpoint = "folder_checkpoints",
+  FolderCheckpointResources = "folder_checkpoint_resources",
+  FolderTreeCheckpoint = "folder_tree_checkpoints",
+  FolderTreeCheckpointResources = "folder_tree_checkpoint_resources"
 }
 
-export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
+export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
 
 export const UserDeviceSchema = z
   .object({

backend/src/db/schemas/pki-subscribers.ts

@@ -16,10 +16,16 @@ export const PkiSubscribersSchema = z.object({
   name: z.string(),
   commonName: z.string(),
   subjectAlternativeNames: z.string().array(),
-  ttl: z.string(),
+  ttl: z.string().nullable().optional(),
   keyUsages: z.string().array(),
   extendedKeyUsages: z.string().array(),
-  status: z.string()
+  status: z.string(),
+  enableAutoRenewal: z.boolean().default(false),
+  autoRenewalPeriodInDays: z.number().nullable().optional(),
+  lastAutoRenewAt: z.date().nullable().optional(),
+  lastOperationStatus: z.string().nullable().optional(),
+  lastOperationMessage: z.string().nullable().optional(),
+  lastOperationAt: z.date().nullable().optional()
 });
 
 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;

backend/src/db/schemas/secret-folder-versions.ts

@@ -14,7 +14,8 @@ export const SecretFolderVersionsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   envId: z.string().uuid(),
-  folderId: z.string().uuid()
+  folderId: z.string().uuid(),
+  description: z.string().nullable().optional()
 });
 
 export type TSecretFolderVersions = z.infer<typeof SecretFolderVersionsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -28,7 +28,6 @@ export const SecretSharingSchema = z.object({
   encryptedSecret: zodBuffer.nullable().optional(),
   identifier: z.string().nullable().optional(),
   type: z.string().default("share"),
-  encryptedSalt: zodBuffer.nullable().optional(),
   authorizedEmails: z.unknown().nullable().optional()
 });
 

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -154,7 +154,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         requestId: z.string().trim()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
+        bypassReason: z.string().min(10).max(1000).optional()
       }),
       response: {
         200: z.object({
@@ -170,7 +171,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         requestId: req.params.requestId,
-        status: req.body.status
+        status: req.body.status,
+        bypassReason: req.body.bypassReason
       });
 
       return { review };

backend/src/ee/routes/v1/app-connection-routers/oci-connection-router.ts

@@ -1,16 +1,16 @@
 import z from "zod";
 
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   CreateOCIConnectionSchema,
   SanitizedOCIConnectionSchema,
   UpdateOCIConnectionSchema
-} from "@app/services/app-connection/oci";
+} from "@app/ee/services/app-connections/oci";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+import { registerAppConnectionEndpoints } from "../../../../server/routes/v1/app-connection-routers/app-connection-endpoints";
 
 export const registerOCIConnectionRouter = async (server: FastifyZodProvider) => {
   registerAppConnectionEndpoints({

backend/src/ee/routes/v1/index.ts

@@ -18,6 +18,7 @@ import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
 import { registerOrgRoleRouter } from "./org-role-router";
+import { registerPITRouter } from "./pit-router";
 import { registerProjectRoleRouter } from "./project-role-router";
 import { registerProjectRouter } from "./project-router";
 import { registerRateLimitRouter } from "./rate-limit-router";
@@ -53,6 +54,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     { prefix: "/workspace" }
   );
   await server.register(registerSnapshotRouter, { prefix: "/secret-snapshot" });
+  await server.register(registerPITRouter, { prefix: "/pit" });
   await server.register(registerSecretApprovalPolicyRouter, { prefix: "/secret-approvals" });
   await server.register(registerSecretApprovalRequestRouter, {
     prefix: "/secret-approval-requests"

backend/src/ee/routes/v1/license-router.ts

@@ -47,7 +47,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
         200: z.object({ plan: z.any() })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const plan = await server.services.license.getOrgPlan({
         actorId: req.permission.id,

backend/src/ee/routes/v1/pit-router.ts

@@ -0,0 +1,416 @@
+/* eslint-disable @typescript-eslint/no-base-to-string */
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
+
+const commitHistoryItemSchema = z.object({
+  id: z.string(),
+  folderId: z.string(),
+  actorType: z.string(),
+  actorMetadata: z.unknown().optional(),
+  message: z.string().optional().nullable(),
+  commitId: z.string(),
+  createdAt: z.string().or(z.date()),
+  envId: z.string()
+});
+
+const folderStateSchema = z.array(
+  z.object({
+    type: z.string(),
+    id: z.string(),
+    versionId: z.string(),
+    secretKey: z.string().optional(),
+    secretVersion: z.number().optional(),
+    folderName: z.string().optional(),
+    folderVersion: z.number().optional()
+  })
+);
+
+export const registerPITRouter = async (server: FastifyZodProvider) => {
+  // Get commits count for a folder
+  server.route({
+    method: "GET",
+    url: "/commits/count",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          count: z.number(),
+          folderId: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitsCount({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        environment: req.query.environment,
+        path: req.query.path
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMIT_COUNT,
+          metadata: {
+            environment: req.query.environment,
+            path: req.query.path,
+            commitCount: result.count.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Get all commits for a folder
+  server.route({
+    method: "GET",
+    url: "/commits",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim(),
+        offset: z.coerce.number().min(0).default(0),
+        limit: z.coerce.number().min(1).max(100).default(20),
+        search: z.string().trim().optional(),
+        sort: z.enum(["asc", "desc"]).default("desc")
+      }),
+      response: {
+        200: z.object({
+          commits: commitHistoryItemSchema.array(),
+          total: z.number(),
+          hasMore: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitsForFolder({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        environment: req.query.environment,
+        path: req.query.path,
+        offset: req.query.offset,
+        limit: req.query.limit,
+        search: req.query.search,
+        sort: req.query.sort
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMITS,
+          metadata: {
+            environment: req.query.environment,
+            path: req.query.path,
+            commitCount: result.commits.length.toString(),
+            offset: req.query.offset.toString(),
+            limit: req.query.limit.toString(),
+            search: req.query.search,
+            sort: req.query.sort
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Get commit changes for a specific commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId/changes",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: commitChangesResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitChanges({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMIT_CHANGES,
+          metadata: {
+            commitId: req.params.commitId,
+            changesCount: (result.changes.changes?.length || 0).toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Retrieve rollback changes for a commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId/compare",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        folderId: z.string().trim(),
+        environment: z.string().trim(),
+        deepRollback: booleanSchema.default(false),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.array(
+          z.object({
+            folderId: z.string(),
+            folderName: z.string(),
+            folderPath: z.string().optional(),
+            changes: z.array(resourceChangeSchema)
+          })
+        )
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.compareCommitChanges({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId,
+        folderId: req.query.folderId,
+        environment: req.query.environment,
+        deepRollback: req.query.deepRollback,
+        secretPath: req.query.secretPath
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.PIT_COMPARE_FOLDER_STATES,
+          metadata: {
+            targetCommitId: req.params.commitId,
+            folderId: req.query.folderId,
+            deepRollback: req.query.deepRollback,
+            diffsCount: result.length.toString(),
+            environment: req.query.environment,
+            folderPath: req.query.secretPath
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Rollback to a previous commit
+  server.route({
+    method: "POST",
+    url: "/commits/:commitId/rollback",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      body: z.object({
+        folderId: z.string().trim(),
+        deepRollback: z.boolean().default(false),
+        message: z.string().max(256).trim().optional(),
+        environment: z.string().trim(),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          success: z.boolean(),
+          secretChangesCount: z.number().optional(),
+          folderChangesCount: z.number().optional(),
+          totalChanges: z.number().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.rollbackToCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.body.projectId,
+        commitId: req.params.commitId,
+        folderId: req.body.folderId,
+        deepRollback: req.body.deepRollback,
+        message: req.body.message,
+        environment: req.body.environment
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_ROLLBACK_COMMIT,
+          metadata: {
+            targetCommitId: req.params.commitId,
+            environment: req.body.environment,
+            folderId: req.body.folderId,
+            deepRollback: req.body.deepRollback,
+            message: req.body.message || "Rollback to previous commit",
+            totalChanges: result.totalChanges?.toString() || "0"
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Revert commit
+  server.route({
+    method: "POST",
+    url: "/commits/:commitId/revert",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      body: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          success: z.boolean(),
+          message: z.string(),
+          originalCommitId: z.string(),
+          revertCommitId: z.string().optional(),
+          changesReverted: z.number().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.revertCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.body.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_REVERT_COMMIT,
+          metadata: {
+            commitId: req.params.commitId,
+            revertCommitId: result.revertCommitId,
+            changesReverted: result.changesReverted?.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Folder state at commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        folderId: z.string().trim(),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: folderStateSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getFolderStateAtCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.PIT_GET_FOLDER_STATE,
+          metadata: {
+            commitId: req.params.commitId,
+            folderId: req.query.folderId,
+            resourceCount: result.length.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+};

backend/src/ee/routes/v1/secret-sync-routers/oci-vault-sync-router.ts

@@ -2,11 +2,10 @@ import {
   CreateOCIVaultSyncSchema,
   OCIVaultSyncSchema,
   UpdateOCIVaultSyncSchema
-} from "@app/services/secret-sync/oci-vault";
+} from "@app/ee/services/secret-sync/oci-vault";
+import { registerSyncSecretsEndpoints } from "@app/server/routes/v1/secret-sync-routers/secret-sync-endpoints";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
 export const registerOCIVaultSyncRouter = async (server: FastifyZodProvider) =>
   registerSyncSecretsEndpoints({
     destination: SecretSync.OCIVault,

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -6,6 +6,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { EnforcementLevel } from "@app/lib/types";
 import { triggerWorkflowIntegrationNotification } from "@app/lib/workflow-integrations/trigger-notification";
 import { TriggerFeature } from "@app/lib/workflow-integrations/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -22,6 +23,7 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
+import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -323,26 +325,22 @@ export const accessApprovalRequestServiceFactory = ({
     status,
     actorId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    bypassReason
   }: TReviewAccessRequestDTO) => {
     const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
     if (!accessApprovalRequest) {
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy } = accessApprovalRequest;
+    const { policy, environment } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
-    if (!policy.allowedSelfApprovals && actorId === accessApprovalRequest.requestedByUserId) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
-    }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -355,6 +353,20 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
 
+    const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
+    const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
+    const canBypassApproval = permission.can(
+      ProjectPermissionApprovalActions.AllowAccessBypass,
+      ProjectPermissionSub.SecretApproval
+    );
+    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
+
+    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
+      throw new BadRequestError({
+        message: "Failed to review access approval request. Users are not authorized to review their own request."
+      });
+    }
+
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
@@ -363,21 +375,49 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
 
+    const project = await projectDAL.findById(accessApprovalRequest.projectId);
+    if (!project) {
+      throw new NotFoundError({ message: "The project associated with this access request was not found." });
+    }
+
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
     }
 
     const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const review = await accessApprovalRequestReviewerDAL.findOne(
+      const isBreakGlassApprovalAttempt =
+        policy.enforcementLevel === EnforcementLevel.Soft &&
+        actorId === accessApprovalRequest.requestedByUserId &&
+        status === ApprovalStatus.APPROVED;
+
+      let reviewForThisActorProcessing: {
+        id: string;
+        requestId: string;
+        reviewerUserId: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+      };
+
+      const existingReviewByActorInTx = await accessApprovalRequestReviewerDAL.findOne(
         {
           requestId: accessApprovalRequest.id,
           reviewerUserId: actorId
         },
         tx
       );
-      if (!review) {
-        const newReview = await accessApprovalRequestReviewerDAL.create(
+
+      // Check if review exists for actor
+      if (existingReviewByActorInTx) {
+        // Check if breakglass re-approval
+        if (isBreakGlassApprovalAttempt && existingReviewByActorInTx.status === ApprovalStatus.APPROVED) {
+          reviewForThisActorProcessing = existingReviewByActorInTx;
+        } else {
+          throw new BadRequestError({ message: "You have already reviewed this request" });
+        }
+      } else {
+        reviewForThisActorProcessing = await accessApprovalRequestReviewerDAL.create(
           {
             status,
             requestId: accessApprovalRequest.id,
@@ -385,19 +425,26 @@ export const accessApprovalRequestServiceFactory = ({
           },
           tx
         );
+      }
 
-        const allReviews = [...existingReviews, newReview];
+      const otherReviews = existingReviews.filter((er) => er.reviewerUserId !== actorId);
+      const allUniqueReviews = [...otherReviews, reviewForThisActorProcessing];
 
-        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+      const approvedReviews = allUniqueReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
+      const meetsStandardApprovalThreshold = approvedReviews.length >= policy.approvals;
 
-        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
-        if (approvedReviews.length === policy.approvals) {
+      if (
+        reviewForThisActorProcessing.status === ApprovalStatus.APPROVED &&
+        (meetsStandardApprovalThreshold || isBreakGlassApprovalAttempt)
+      ) {
+        const currentRequestState = await accessApprovalRequestDAL.findById(accessApprovalRequest.id, tx);
+        let privilegeIdToSet = currentRequestState?.privilegeId || null;
+
+        if (!privilegeIdToSet) {
           if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             throw new BadRequestError({ message: "Temporary range is required for temporary access" });
           }
 
-          let privilegeId: string | null = null;
-
           if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             // Permanent access
             const privilege = await additionalPrivilegeDAL.create(
@@ -409,7 +456,7 @@ export const accessApprovalRequestServiceFactory = ({
               },
               tx
             );
-            privilegeId = privilege.id;
+            privilegeIdToSet = privilege.id;
           } else {
             // Temporary access
             const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
@@ -421,23 +468,57 @@ export const accessApprovalRequestServiceFactory = ({
                 projectId: accessApprovalRequest.projectId,
                 slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
                 permissions: JSON.stringify(accessApprovalRequest.permissions),
-                isTemporary: true,
+                isTemporary: true, // Explicitly set to true for the privilege
                 temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
                 temporaryRange: accessApprovalRequest.temporaryRange!,
                 temporaryAccessStartTime: startTime,
-                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
+                temporaryAccessEndTime: new Date(startTime.getTime() + relativeTempAllocatedTimeInMs)
               },
               tx
             );
-            privilegeId = privilege.id;
+            privilegeIdToSet = privilege.id;
           }
-
-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
         }
-
-        return newReview;
       }
-      throw new BadRequestError({ message: "You have already reviewed this request" });
+
+      // Send notification if this was a breakglass approval
+      if (isBreakGlassApprovalAttempt) {
+        const cfg = getConfig();
+        const actingUser = await userDAL.findById(actorId, tx);
+
+        if (actingUser) {
+          const policyApproverUserIds = policy.approvers
+            .map((ap) => ap.userId)
+            .filter((id): id is string => typeof id === "string");
+
+          if (policyApproverUserIds.length > 0) {
+            const approverUsersForEmail = await userDAL.find({ $in: { id: policyApproverUserIds } }, { tx });
+            const recipientEmails = approverUsersForEmail
+              .map((appUser) => appUser.email)
+              .filter((email): email is string => !!email);
+
+            if (recipientEmails.length > 0) {
+              await smtpService.sendMail({
+                recipients: recipientEmails,
+                subjectLine: "Infisical Secret Access Policy Bypassed",
+                substitutions: {
+                  projectName: project.name,
+                  requesterFullName: `${actingUser.firstName} ${actingUser.lastName}`,
+                  requesterEmail: actingUser.email,
+                  bypassReason: bypassReason || "No reason provided",
+                  secretPath: policy.secretPath || "/",
+                  environment,
+                  approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
+                  requestType: "access"
+                },
+                template: SmtpTemplates.AccessSecretRequestBypassed
+              });
+            }
+          }
+        }
+      }
+      return reviewForThisActorProcessing;
     });
 
     return reviewStatus;

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -17,6 +17,8 @@ export type TGetAccessRequestCountDTO = {
 export type TReviewAccessRequestDTO = {
   requestId: string;
   status: ApprovalStatus;
+  envName?: string;
+  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAccessApprovalRequestDTO = {

backend/src/ee/services/app-connections/oci/oci-connection-service.ts

@@ -1,7 +1,9 @@
+import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 
-import { AppConnection } from "../app-connection-enums";
+import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
+import { TLicenseServiceFactory } from "../../license/license-service";
 import { listOCICompartments, listOCIVaultKeys, listOCIVaults } from "./oci-connection-fns";
 import { TOCIConnection } from "./oci-connection-types";
 
@@ -22,8 +24,23 @@ type TListOCIVaultKeysDTO = {
   vaultOcid: string;
 };
 
-export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+// Enterprise check
+export const checkPlan = async (licenseService: Pick<TLicenseServiceFactory, "getPlan">, orgId: string) => {
+  const plan = await licenseService.getPlan(orgId);
+  if (!plan.enterpriseAppConnections)
+    throw new BadRequestError({
+      message:
+        "Failed to use app connection due to plan restriction. Upgrade plan to access enterprise app connections."
+    });
+};
+
+export const ociConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">
+) => {
   const listCompartments = async (connectionId: string, actor: OrgServiceActor) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {
@@ -36,6 +53,8 @@ export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
   };
 
   const listVaults = async ({ connectionId, compartmentOcid }: TListOCIVaultsDTO, actor: OrgServiceActor) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {
@@ -51,6 +70,8 @@ export const ociConnectionService = (getAppConnection: TGetAppConnectionFunc) =>
     { connectionId, compartmentOcid, vaultOcid }: TListOCIVaultKeysDTO,
     actor: OrgServiceActor
   ) => {
+    await checkPlan(licenseService, actor.orgId);
+
     const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
 
     try {

backend/src/ee/services/app-connections/oci/oci-connection-types.ts

@@ -2,7 +2,7 @@ import z from "zod";
 
 import { DiscriminativePick } from "@app/lib/types";
 
-import { AppConnection } from "../app-connection-enums";
+import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
 import {
   CreateOCIConnectionSchema,
   OCIConnectionSchema,

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,3 +1,4 @@
+import { ProjectType } from "@app/db/schemas";
 import {
   TCreateProjectTemplateDTO,
   TUpdateProjectTemplateDTO
@@ -20,7 +21,7 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
+import { CaStatus } from "@app/services/certificate-authority/certificate-authority-enums";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
@@ -231,6 +232,7 @@ export enum EventType {
   REMOVE_HOST_FROM_SSH_HOST_GROUP = "remove-host-from-ssh-host-group",
   CREATE_CA = "create-certificate-authority",
   GET_CA = "get-certificate-authority",
+  GET_CAS = "get-certificate-authorities",
   UPDATE_CA = "update-certificate-authority",
   DELETE_CA = "delete-certificate-authority",
   RENEW_CA = "renew-certificate-authority",
@@ -241,6 +243,7 @@ export enum EventType {
   IMPORT_CA_CERT = "import-certificate-authority-cert",
   GET_CA_CRLS = "get-certificate-authority-crls",
   ISSUE_CERT = "issue-cert",
+  IMPORT_CERT = "import-cert",
   SIGN_CERT = "sign-cert",
   GET_CA_CERTIFICATE_TEMPLATES = "get-ca-certificate-templates",
   GET_CERT = "get-cert",
@@ -266,7 +269,9 @@ export enum EventType {
   GET_PKI_SUBSCRIBER = "get-pki-subscriber",
   ISSUE_PKI_SUBSCRIBER_CERT = "issue-pki-subscriber-cert",
   SIGN_PKI_SUBSCRIBER_CERT = "sign-pki-subscriber-cert",
+  AUTOMATED_RENEW_SUBSCRIBER_CERT = "automated-renew-subscriber-cert",
   LIST_PKI_SUBSCRIBER_CERTS = "list-pki-subscriber-certs",
+  GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE = "get-subscriber-active-cert-bundle",
   CREATE_KMS = "create-kms",
   UPDATE_KMS = "update-kms",
   DELETE_KMS = "delete-kms",
@@ -315,7 +320,6 @@ export enum EventType {
   CREATE_PROJECT_TEMPLATE = "create-project-template",
   UPDATE_PROJECT_TEMPLATE = "update-project-template",
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
   GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
@@ -375,7 +379,21 @@ export enum EventType {
   MICROSOFT_TEAMS_WORKFLOW_INTEGRATION_LIST = "microsoft-teams-workflow-integration-list",
 
   PROJECT_ASSUME_PRIVILEGE_SESSION_START = "project-assume-privileges-session-start",
-  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end"
+  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end",
+
+  GET_PROJECT_PIT_COMMITS = "get-project-pit-commits",
+  GET_PROJECT_PIT_COMMIT_CHANGES = "get-project-pit-commit-changes",
+  GET_PROJECT_PIT_COMMIT_COUNT = "get-project-pit-commit-count",
+  PIT_ROLLBACK_COMMIT = "pit-rollback-commit",
+  PIT_REVERT_COMMIT = "pit-revert-commit",
+  PIT_GET_FOLDER_STATE = "pit-get-folder-state",
+  PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
+
+  UPDATE_ORG = "update-org",
+
+  CREATE_PROJECT = "create-project",
+  UPDATE_PROJECT = "update-project",
+  DELETE_PROJECT = "delete-project"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1772,7 +1790,8 @@ interface CreateCa {
   type: EventType.CREATE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
   };
 }
 
@@ -1780,7 +1799,15 @@ interface GetCa {
   type: EventType.GET_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
+  };
+}
+
+interface GetCAs {
+  type: EventType.GET_CAS;
+  metadata: {
+    caIds: string[];
   };
 }
 
@@ -1788,7 +1815,8 @@ interface UpdateCa {
   type: EventType.UPDATE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
     status: CaStatus;
   };
 }
@@ -1797,7 +1825,8 @@ interface DeleteCa {
   type: EventType.DELETE_CA;
   metadata: {
     caId: string;
-    dn: string;
+    name: string;
+    dn?: string;
   };
 }
 
@@ -1867,6 +1896,15 @@ interface IssueCert {
   };
 }
 
+interface ImportCert {
+  type: EventType.IMPORT_CERT;
+  metadata: {
+    certId: string;
+    cn: string;
+    serialNumber: string;
+  };
+}
+
 interface SignCert {
   type: EventType.SIGN_CERT;
   metadata: {
@@ -2034,7 +2072,7 @@ interface CreatePkiSubscriber {
     caId?: string;
     name: string;
     commonName: string;
-    ttl: string;
+    ttl?: string;
     subjectAlternativeNames: string[];
     keyUsages: CertKeyUsage[];
     extendedKeyUsages: CertExtendedKeyUsage[];
@@ -2076,7 +2114,15 @@ interface IssuePkiSubscriberCert {
   metadata: {
     subscriberId: string;
     name: string;
-    serialNumber: string;
+    serialNumber?: string;
+  };
+}
+
+interface AutomatedRenewPkiSubscriberCert {
+  type: EventType.AUTOMATED_RENEW_SUBSCRIBER_CERT;
+  metadata: {
+    subscriberId: string;
+    name: string;
   };
 }
 
@@ -2098,6 +2144,16 @@ interface ListPkiSubscriberCerts {
   };
 }
 
+interface GetSubscriberActiveCertBundle {
+  type: EventType.GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE;
+  metadata: {
+    subscriberId: string;
+    name: string;
+    certId: string;
+    serialNumber: string;
+  };
+}
+
 interface CreateKmsEvent {
   type: EventType.CREATE_KMS;
   metadata: {
@@ -2451,14 +2507,6 @@ interface DeleteProjectTemplateEvent {
   };
 }
 
-interface ApplyProjectTemplateEvent {
-  type: EventType.APPLY_PROJECT_TEMPLATE;
-  metadata: {
-    template: string;
-    projectId: string;
-  };
-}
-
 interface GetAppConnectionsEvent {
   type: EventType.GET_APP_CONNECTIONS;
   metadata: {
@@ -2913,6 +2961,131 @@ interface MicrosoftTeamsWorkflowIntegrationUpdateEvent {
   };
 }
 
+interface GetProjectPitCommitsEvent {
+  type: EventType.GET_PROJECT_PIT_COMMITS;
+  metadata: {
+    commitCount: string;
+    environment: string;
+    path: string;
+    offset: string;
+    limit: string;
+    search?: string;
+    sort: string;
+  };
+}
+
+interface GetProjectPitCommitChangesEvent {
+  type: EventType.GET_PROJECT_PIT_COMMIT_CHANGES;
+  metadata: {
+    changesCount: string;
+    commitId: string;
+  };
+}
+
+interface GetProjectPitCommitCountEvent {
+  type: EventType.GET_PROJECT_PIT_COMMIT_COUNT;
+  metadata: {
+    environment: string;
+    path: string;
+    commitCount: string;
+  };
+}
+
+interface PitRollbackCommitEvent {
+  type: EventType.PIT_ROLLBACK_COMMIT;
+  metadata: {
+    targetCommitId: string;
+    folderId: string;
+    deepRollback: boolean;
+    message: string;
+    totalChanges: string;
+    environment: string;
+  };
+}
+
+interface PitRevertCommitEvent {
+  type: EventType.PIT_REVERT_COMMIT;
+  metadata: {
+    commitId: string;
+    revertCommitId?: string;
+    changesReverted?: string;
+  };
+}
+
+interface PitGetFolderStateEvent {
+  type: EventType.PIT_GET_FOLDER_STATE;
+  metadata: {
+    commitId: string;
+    folderId: string;
+    resourceCount: string;
+  };
+}
+
+interface PitCompareFolderStatesEvent {
+  type: EventType.PIT_COMPARE_FOLDER_STATES;
+  metadata: {
+    targetCommitId: string;
+    folderId: string;
+    deepRollback: boolean;
+    diffsCount: string;
+    environment: string;
+    folderPath: string;
+  };
+}
+
+interface OrgUpdateEvent {
+  type: EventType.UPDATE_ORG;
+  metadata: {
+    name?: string;
+    slug?: string;
+    authEnforced?: boolean;
+    scimEnabled?: boolean;
+    defaultMembershipRoleSlug?: string;
+    enforceMfa?: boolean;
+    selectedMfaMethod?: string;
+    allowSecretSharingOutsideOrganization?: boolean;
+    bypassOrgAuthEnabled?: boolean;
+    userTokenExpiration?: string;
+    secretsProductEnabled?: boolean;
+    pkiProductEnabled?: boolean;
+    kmsProductEnabled?: boolean;
+    sshProductEnabled?: boolean;
+    scannerProductEnabled?: boolean;
+    shareSecretsProductEnabled?: boolean;
+  };
+}
+
+interface ProjectCreateEvent {
+  type: EventType.CREATE_PROJECT;
+  metadata: {
+    name: string;
+    slug?: string;
+    type: ProjectType;
+  };
+}
+
+interface ProjectUpdateEvent {
+  type: EventType.UPDATE_PROJECT;
+  metadata: {
+    name?: string;
+    description?: string;
+    autoCapitalization?: boolean;
+    hasDeleteProtection?: boolean;
+    slug?: string;
+    secretSharing?: boolean;
+    pitVersionLimit?: number;
+    auditLogsRetentionDays?: number;
+  };
+}
+
+interface ProjectDeleteEvent {
+  type: EventType.DELETE_PROJECT;
+  metadata: {
+    id: string;
+    name: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -3037,6 +3210,7 @@ export type Event =
   | IssueSshHostHostCert
   | CreateCa
   | GetCa
+  | GetCAs
   | UpdateCa
   | DeleteCa
   | RenewCa
@@ -3047,6 +3221,7 @@ export type Event =
   | ImportCaCert
   | GetCaCrls
   | IssueCert
+  | ImportCert
   | SignCert
   | GetCaCertificateTemplates
   | GetCert
@@ -3072,7 +3247,9 @@ export type Event =
   | GetPkiSubscriber
   | IssuePkiSubscriberCert
   | SignPkiSubscriberCert
+  | AutomatedRenewPkiSubscriberCert
   | ListPkiSubscriberCerts
+  | GetSubscriberActiveCertBundle
   | CreateKmsEvent
   | UpdateKmsEvent
   | DeleteKmsEvent
@@ -3117,7 +3294,6 @@ export type Event =
   | CreateProjectTemplateEvent
   | UpdateProjectTemplateEvent
   | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
   | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
@@ -3179,4 +3355,15 @@ export type Event =
   | MicrosoftTeamsWorkflowIntegrationGetTeamsEvent
   | MicrosoftTeamsWorkflowIntegrationGetEvent
   | MicrosoftTeamsWorkflowIntegrationListEvent
-  | MicrosoftTeamsWorkflowIntegrationUpdateEvent;
+  | MicrosoftTeamsWorkflowIntegrationUpdateEvent
+  | GetProjectPitCommitsEvent
+  | GetProjectPitCommitChangesEvent
+  | PitRollbackCommitEvent
+  | GetProjectPitCommitCountEvent
+  | PitRevertCommitEvent
+  | PitCompareFolderStatesEvent
+  | PitGetFolderStateEvent
+  | OrgUpdateEvent
+  | ProjectCreateEvent
+  | ProjectUpdateEvent
+  | ProjectDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -7,6 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
+import { expandInternalCa } from "@app/services/certificate-authority/certificate-authority-fns";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
@@ -14,7 +15,7 @@ import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns
 import { TGetCaCrlsDTO, TGetCrlById } from "./certificate-authority-crl-types";
 
 type TCertificateAuthorityCrlServiceFactoryDep = {
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -37,7 +38,8 @@ export const certificateAuthorityCrlServiceFactory = ({
     const caCrl = await certificateAuthorityCrlDAL.findById(crlId);
     if (!caCrl) throw new NotFoundError({ message: `CRL with ID '${crlId}' not found` });
 
-    const ca = await certificateAuthorityDAL.findById(caCrl.caId);
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caCrl.caId);
+    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caCrl.caId}' not found` });
 
     const keyId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
@@ -54,7 +56,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     const crl = new x509.X509Crl(decryptedCrl);
 
     return {
-      ca,
+      ca: expandInternalCa(ca),
       caCrl,
       crl: crl.rawData
     };
@@ -64,8 +66,8 @@ export const certificateAuthorityCrlServiceFactory = ({
    * Returns a list of CRL ids for CA with id [caId]
    */
   const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
-    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caId);
+    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caId}' not found` });
 
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -108,7 +110,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     );
 
     return {
-      ca,
+      ca: expandInternalCa(ca),
       crls: decryptedCrls
     };
   };

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -6,7 +6,7 @@ import { isCertChainValid } from "@app/services/certificate/certificate-fns";
 import { TCertificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { getCaCertChain, getCaCertChains } from "@app/services/certificate-authority/certificate-authority-fns";
-import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -16,10 +16,10 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { convertRawCertsToPkcs7 } from "./certificate-est-fns";
 
 type TCertificateEstServiceFactoryDep = {
-  certificateAuthorityService: Pick<TCertificateAuthorityServiceFactory, "signCertFromCa">;
+  internalCertificateAuthorityService: Pick<TInternalCertificateAuthorityServiceFactory, "signCertFromCa">;
   certificateTemplateService: Pick<TCertificateTemplateServiceFactory, "getEstConfiguration">;
   certificateTemplateDAL: Pick<TCertificateTemplateDALFactory, "findById">;
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById" | "findByIdWithAssociatedCa">;
   certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -29,7 +29,7 @@ type TCertificateEstServiceFactoryDep = {
 export type TCertificateEstServiceFactory = ReturnType<typeof certificateEstServiceFactory>;
 
 export const certificateEstServiceFactory = ({
-  certificateAuthorityService,
+  internalCertificateAuthorityService,
   certificateTemplateService,
   certificateTemplateDAL,
   certificateAuthorityCertDAL,
@@ -127,7 +127,7 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const { certificate } = await certificateAuthorityService.signCertFromCa({
+    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -188,7 +188,7 @@ export const certificateEstServiceFactory = ({
       }
     }
 
-    const { certificate } = await certificateAuthorityService.signCertFromCa({
+    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -227,15 +227,15 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const ca = await certificateAuthorityDAL.findById(certTemplate.caId);
-    if (!ca) {
+    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certTemplate.caId);
+    if (!ca?.internalCa?.id) {
       throw new NotFoundError({
-        message: `Certificate Authority with ID '${certTemplate.caId}' not found`
+        message: `Internal Certificate Authority with ID '${certTemplate.caId}' not found`
       });
     }
 
     const { caCert, caCertChain } = await getCaCertChain({
-      caCertId: ca.activeCaCertId as string,
+      caCertId: ca.internalCa.activeCaCertId as string,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,

backend/src/ee/services/license/__mocks__/license-fns.ts

@@ -29,7 +29,9 @@ export const getDefaultOnPremFeatures = () => {
     secretApproval: true,
     secretRotation: true,
     caCrl: false,
-    sshHostGroups: false
+    sshHostGroups: false,
+    enterpriseSecretSyncs: false,
+    enterpriseAppConnections: false
   };
 };
 

backend/src/ee/services/license/license-dal.ts

@@ -19,7 +19,7 @@ export const licenseDALFactory = (db: TDbClient) => {
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.Users}.isGhost`, false)
         .count();
-      return Number(doc?.[0].count);
+      return Number(doc?.[0]?.count ?? 0);
     } catch (error) {
       throw new DatabaseError({ error, name: "Count of Org Members" });
     }

backend/src/ee/services/license/license-fns.ts

@@ -55,15 +55,24 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   projectTemplates: false,
   kmip: false,
   gateway: false,
-  sshHostGroups: false
+  sshHostGroups: false,
+  enterpriseSecretSyncs: false,
+  enterpriseAppConnections: false
 });
 
-export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
+export const setupLicenseRequestWithStore = (
+  baseURL: string,
+  refreshUrl: string,
+  licenseKey: string,
+  region?: string
+) => {
   let token: string;
   const licenseReq = axios.create({
     baseURL,
-    timeout: 35 * 1000
-    // signal: AbortSignal.timeout(60 * 1000)
+    timeout: 35 * 1000,
+    headers: {
+      "x-region": region
+    }
   });
 
   const refreshLicense = async () => {

backend/src/ee/services/license/license-service.ts

@@ -17,7 +17,7 @@ import { TIdentityOrgDALFactory } from "@app/services/identity/identity-org-dal"
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionBillingActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { BillingPlanRows, BillingPlanTableHead } from "./licence-enums";
 import { TLicenseDALFactory } from "./license-dal";
@@ -77,13 +77,15 @@ export const licenseServiceFactory = ({
   const licenseServerCloudApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_CLOUD_LOGIN,
-    appCfg.LICENSE_SERVER_KEY || ""
+    appCfg.LICENSE_SERVER_KEY || "",
+    appCfg.INTERNAL_REGION
   );
 
   const licenseServerOnPremApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_ON_PREM_LOGIN,
-    appCfg.LICENSE_KEY || ""
+    appCfg.LICENSE_KEY || "",
+    appCfg.INTERNAL_REGION
   );
 
   const syncLicenseKeyOnPremFeatures = async (shouldThrow: boolean = false) => {
@@ -92,6 +94,10 @@ export const licenseServiceFactory = ({
       const {
         data: { currentPlan }
       } = await licenseServerOnPremApi.request.get<{ currentPlan: TFeatureSet }>("/api/license/v1/plan");
+
+      const workspacesUsed = await projectDAL.countOfOrgProjects(null);
+      currentPlan.workspacesUsed = workspacesUsed;
+
       onPremFeatures = currentPlan;
       logger.info("Successfully synchronized license key features");
     } catch (error) {
@@ -185,6 +191,14 @@ export const licenseServiceFactory = ({
         } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
           `/api/license-server/v1/customers/${org.customerId}/cloud-plan`
         );
+        const workspacesUsed = await projectDAL.countOfOrgProjects(orgId);
+        currentPlan.workspacesUsed = workspacesUsed;
+
+        const membersUsed = await licenseDAL.countOfOrgMembers(orgId);
+        currentPlan.membersUsed = membersUsed;
+        const identityUsed = await licenseDAL.countOrgUsersAndIdentities(orgId);
+        currentPlan.identitiesUsed = identityUsed;
+
         await keyStore.setItemWithExpiry(
           FEATURE_CACHE_KEY(org.id),
           LICENSE_SERVER_CLOUD_PLAN_TTL,
@@ -274,7 +288,7 @@ export const licenseServiceFactory = ({
     billingCycle
   }: TOrgPlansTableDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
     const { data } = await licenseServerCloudApi.request.get(
       `/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
     );
@@ -296,8 +310,10 @@ export const licenseServiceFactory = ({
     success_url
   }: TStartOrgTrialDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -324,8 +340,10 @@ export const licenseServiceFactory = ({
     actorOrgId
   }: TCreateOrgPortalSession) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -371,7 +389,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingInfo = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -399,7 +417,7 @@ export const licenseServiceFactory = ({
   // returns org current plan feature table
   const getOrgPlanTable = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -470,7 +488,7 @@ export const licenseServiceFactory = ({
 
   const getOrgBillingDetails = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgBillInfoDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -495,7 +513,10 @@ export const licenseServiceFactory = ({
     email
   }: TUpdateOrgBillingDetailsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -515,7 +536,7 @@ export const licenseServiceFactory = ({
 
   const getOrgPmtMethods = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgPmtMethodsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -542,7 +563,10 @@ export const licenseServiceFactory = ({
     cancel_url
   }: TAddOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -571,7 +595,10 @@ export const licenseServiceFactory = ({
     pmtMethodId
   }: TDelOrgPmtMethodDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -588,7 +615,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxIds = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TGetOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -606,7 +633,10 @@ export const licenseServiceFactory = ({
 
   const addOrgTaxId = async ({ actorId, actor, actorAuthMethod, actorOrgId, orgId, type, value }: TAddOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -627,7 +657,10 @@ export const licenseServiceFactory = ({
 
   const delOrgTaxId = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId, taxId }: TDelOrgTaxIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionBillingActions.ManageBilling,
+      OrgPermissionSubjects.Billing
+    );
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -644,7 +677,7 @@ export const licenseServiceFactory = ({
 
   const getOrgTaxInvoices = async ({ actorId, actor, actorOrgId, actorAuthMethod, orgId }: TOrgInvoiceDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {
@@ -661,7 +694,7 @@ export const licenseServiceFactory = ({
 
   const getOrgLicenses = async ({ orgId, actor, actorId, actorAuthMethod, actorOrgId }: TOrgLicensesDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) {

backend/src/ee/services/license/license-types.ts

@@ -27,7 +27,7 @@ export type TFeatureSet = {
   slug: null;
   tier: -1;
   workspaceLimit: null;
-  workspacesUsed: 0;
+  workspacesUsed: number;
   dynamicSecret: false;
   memberLimit: null;
   membersUsed: number;
@@ -72,6 +72,8 @@ export type TFeatureSet = {
   kmip: false;
   gateway: false;
   sshHostGroups: false;
+  enterpriseSecretSyncs: false;
+  enterpriseAppConnections: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -44,6 +44,7 @@ import {
   TOidcLoginDTO,
   TUpdateOidcCfgDTO
 } from "./oidc-config-types";
+import { logger } from "@app/lib/logger";
 
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<
@@ -699,6 +700,7 @@ export const oidcConfigServiceFactory = ({
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (_req: any, tokenSet: TokenSet, cb: any) => {
         const claims = tokenSet.claims();
+        logger.info(`User OIDC claims received for [orgId=${org.id}] [claims=${JSON.stringify(claims)}]`);
         if (!claims.email || !claims.given_name) {
           throw new BadRequestError({
             message: "Invalid request. Missing email or first name"

backend/src/ee/services/permission/default-roles.ts

@@ -5,6 +5,7 @@ import {
   ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
+  ProjectPermissionCommitsActions,
   ProjectPermissionDynamicSecretActions,
   ProjectPermissionGroupActions,
   ProjectPermissionIdentityActions,
@@ -61,7 +62,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionApprovalActions.Edit,
       ProjectPermissionApprovalActions.Create,
       ProjectPermissionApprovalActions.Delete,
-      ProjectPermissionApprovalActions.AllowChangeBypass
+      ProjectPermissionApprovalActions.AllowChangeBypass,
+      ProjectPermissionApprovalActions.AllowAccessBypass
     ],
     ProjectPermissionSub.SecretApproval
   );
@@ -77,6 +79,11 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.Certificates
   );
 
+  can(
+    [ProjectPermissionCommitsActions.Read, ProjectPermissionCommitsActions.PerformRollback],
+    ProjectPermissionSub.Commits
+  );
+
   can(
     [
       ProjectPermissionSshHostActions.Edit,
@@ -254,6 +261,11 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
+  can(
+    [ProjectPermissionCommitsActions.Read, ProjectPermissionCommitsActions.PerformRollback],
+    ProjectPermissionSub.Commits
+  );
+
   can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
@@ -423,6 +435,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
   can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
+  can(ProjectPermissionCommitsActions.Read, ProjectPermissionSub.Commits);
 
   return rules;
 };

backend/src/ee/services/permission/org-permission.ts

@@ -67,6 +67,11 @@ export enum OrgPermissionGroupActions {
   RemoveMembers = "remove-members"
 }
 
+export enum OrgPermissionBillingActions {
+  Read = "read",
+  ManageBilling = "manage-billing"
+}
+
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -107,7 +112,7 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
   | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
-  | [OrgPermissionActions, OrgPermissionSubjects.Billing]
+  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
   | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
@@ -298,10 +303,8 @@ const buildAdminPermission = () => {
   can(OrgPermissionGroupActions.AddMembers, OrgPermissionSubjects.Groups);
   can(OrgPermissionGroupActions.RemoveMembers, OrgPermissionSubjects.Groups);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);
+  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionBillingActions.ManageBilling, OrgPermissionSubjects.Billing);
 
   can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
   can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
@@ -362,7 +365,7 @@ const buildMemberPermission = () => {
   can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
+  can(OrgPermissionBillingActions.Read, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.IncidentAccount);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);

backend/src/ee/services/permission/project-permission.ts

@@ -17,6 +17,11 @@ export enum ProjectPermissionActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionCommitsActions {
+  Read = "read",
+  PerformRollback = "perform-rollback"
+}
+
 export enum ProjectPermissionCertificateActions {
   Read = "read",
   Create = "create",
@@ -39,7 +44,8 @@ export enum ProjectPermissionApprovalActions {
   Create = "create",
   Edit = "edit",
   Delete = "delete",
-  AllowChangeBypass = "allow-change-bypass"
+  AllowChangeBypass = "allow-change-bypass",
+  AllowAccessBypass = "allow-access-bypass"
 }
 
 export enum ProjectPermissionCmekActions {
@@ -151,6 +157,7 @@ export enum ProjectPermissionSub {
   SecretRollback = "secret-rollback",
   SecretApproval = "secret-approval",
   SecretRotation = "secret-rotation",
+  Commits = "commits",
   Identity = "identity",
   CertificateAuthorities = "certificate-authorities",
   Certificates = "certificates",
@@ -289,7 +296,8 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
-  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
+  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms]
+  | [ProjectPermissionCommitsActions, ProjectPermissionSub.Commits];
 
 const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
 const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
@@ -610,6 +618,12 @@ const GeneralPermissionSchema = [
     action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionKmipActions).describe(
       "Describe what action an entity can take."
     )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Commits).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCommitsActions).describe(
+      "Describe what action an entity can take."
+    )
   })
 ];
 

backend/src/ee/services/pit/pit-service.ts

@@ -0,0 +1,485 @@
+/* eslint-disable no-await-in-loop */
+import { ForbiddenError } from "@casl/ability";
+
+import { ActionProjectType } from "@app/db/schemas";
+import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
+import { ResourceType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import {
+  isFolderCommitChange,
+  isSecretCommitChange
+} from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
+import { TSecretServiceFactory } from "@app/services/secret/secret-service";
+import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
+
+import { TPermissionServiceFactory } from "../permission/permission-service";
+
+type TPitServiceFactoryDep = {
+  folderCommitService: TFolderCommitServiceFactory;
+  secretService: Pick<TSecretServiceFactory, "getSecretVersionsV2ByIds" | "getChangeVersions">;
+  folderService: Pick<TSecretFolderServiceFactory, "getFolderById" | "getFolderVersions">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+};
+
+export type TPitServiceFactory = ReturnType<typeof pitServiceFactory>;
+
+export const pitServiceFactory = ({
+  folderCommitService,
+  secretService,
+  folderService,
+  permissionService,
+  folderDAL,
+  projectEnvDAL
+}: TPitServiceFactoryDep) => {
+  const getCommitsCount = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    environment,
+    path
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    environment: string;
+    path: string;
+  }) => {
+    const result = await folderCommitService.getCommitsCount({
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId,
+      environment,
+      path
+    });
+
+    return result;
+  };
+
+  const getCommitsForFolder = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    environment,
+    path,
+    offset,
+    limit,
+    search,
+    sort
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    environment: string;
+    path: string;
+    offset: number;
+    limit: number;
+    search?: string;
+    sort: "asc" | "desc";
+  }) => {
+    const result = await folderCommitService.getCommitsForFolder({
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId,
+      environment,
+      path,
+      offset,
+      limit,
+      search,
+      sort
+    });
+
+    return {
+      commits: result.commits.map((commit) => ({
+        ...commit,
+        commitId: commit.commitId.toString()
+      })),
+      total: result.total,
+      hasMore: result.hasMore
+    };
+  };
+
+  const getCommitChanges = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    commitId
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    commitId: string;
+  }) => {
+    const changes = await folderCommitService.getCommitChanges({
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId,
+      commitId
+    });
+
+    const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(projectId, [changes.folderId]);
+
+    for (const change of changes.changes) {
+      if (isSecretCommitChange(change)) {
+        change.versions = await secretService.getChangeVersions(
+          {
+            secretVersion: change.secretVersion,
+            secretId: change.secretId,
+            id: change.id,
+            isUpdate: change.isUpdate,
+            changeType: change.changeType
+          },
+          (Number.parseInt(change.secretVersion, 10) - 1).toString(),
+          actorId,
+          actor,
+          actorOrgId,
+          actorAuthMethod,
+          changes.envId,
+          projectId,
+          folderWithPath?.path || ""
+        );
+      } else if (isFolderCommitChange(change)) {
+        change.versions = await folderService.getFolderVersions(
+          change,
+          (Number.parseInt(change.folderVersion, 10) - 1).toString(),
+          change.folderChangeId
+        );
+      }
+    }
+
+    return {
+      changes: {
+        ...changes,
+        commitId: changes.commitId.toString()
+      }
+    };
+  };
+
+  const compareCommitChanges = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    commitId,
+    folderId,
+    environment,
+    deepRollback,
+    secretPath
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    commitId: string;
+    folderId: string;
+    environment: string;
+    deepRollback: boolean;
+    secretPath: string;
+  }) => {
+    const latestCommit = await folderCommitService.getLatestCommit({
+      folderId,
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId
+    });
+
+    const targetCommit = await folderCommitService.getCommitById({
+      commitId,
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId
+    });
+
+    const env = await projectEnvDAL.findOne({
+      projectId,
+      slug: environment
+    });
+
+    if (!latestCommit) {
+      throw new NotFoundError({ message: "Latest commit not found" });
+    }
+
+    let diffs;
+    if (deepRollback) {
+      diffs = await folderCommitService.deepCompareFolder({
+        targetCommitId: targetCommit.id,
+        envId: env.id,
+        projectId
+      });
+    } else {
+      const folderData = await folderService.getFolderById({
+        actor,
+        actorId,
+        actorOrgId,
+        actorAuthMethod,
+        id: folderId
+      });
+
+      diffs = [
+        {
+          folderId: folderData.id,
+          folderName: folderData.name,
+          folderPath: secretPath,
+          changes: await folderCommitService.compareFolderStates({
+            targetCommitId: commitId,
+            currentCommitId: latestCommit.id
+          })
+        }
+      ];
+    }
+
+    for (const diff of diffs) {
+      for (const change of diff.changes) {
+        // Use discriminated union type checking
+        if (change.type === ResourceType.SECRET) {
+          // TypeScript now knows this is a SecretChange
+          if (change.secretKey && change.secretVersion && change.secretId) {
+            change.versions = await secretService.getChangeVersions(
+              {
+                secretVersion: change.secretVersion,
+                secretId: change.secretId,
+                id: change.id,
+                isUpdate: change.isUpdate,
+                changeType: change.changeType
+              },
+              change.fromVersion || "1",
+              actorId,
+              actor,
+              actorOrgId,
+              actorAuthMethod,
+              env.id,
+              projectId,
+              diff.folderPath || ""
+            );
+          }
+        } else if (change.type === ResourceType.FOLDER) {
+          // TypeScript now knows this is a FolderChange
+          if (change.folderVersion) {
+            change.versions = await folderService.getFolderVersions(change, change.fromVersion || "1", change.id);
+          }
+        }
+      }
+    }
+
+    return diffs;
+  };
+
+  const rollbackToCommit = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    commitId,
+    folderId,
+    deepRollback,
+    message,
+    environment
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    commitId: string;
+    folderId: string;
+    deepRollback: boolean;
+    message?: string;
+    environment: string;
+  }) => {
+    const { permission: userPermission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    ForbiddenError.from(userPermission).throwUnlessCan(
+      ProjectPermissionCommitsActions.PerformRollback,
+      ProjectPermissionSub.Commits
+    );
+
+    const latestCommit = await folderCommitService.getLatestCommit({
+      folderId,
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId
+    });
+
+    if (!latestCommit) {
+      throw new NotFoundError({ message: "Latest commit not found" });
+    }
+
+    logger.info(`PIT - Attempting to rollback folder ${folderId} from commit ${latestCommit.id} to commit ${commitId}`);
+
+    const targetCommit = await folderCommitService.getCommitById({
+      commitId,
+      actor,
+      actorId,
+      actorAuthMethod,
+      actorOrgId,
+      projectId
+    });
+
+    const env = await projectEnvDAL.findOne({
+      projectId,
+      slug: environment
+    });
+
+    if (!targetCommit || targetCommit.folderId !== folderId || targetCommit.envId !== env.id) {
+      throw new NotFoundError({ message: "Target commit not found" });
+    }
+
+    if (!latestCommit || latestCommit.envId !== env.id) {
+      throw new NotFoundError({ message: "Latest commit not found" });
+    }
+
+    if (deepRollback) {
+      await folderCommitService.deepRollbackFolder(commitId, env.id, actorId, actor, projectId, message);
+      return { success: true };
+    }
+
+    const diff = await folderCommitService.compareFolderStates({
+      currentCommitId: latestCommit.id,
+      targetCommitId: commitId
+    });
+
+    const response = await folderCommitService.applyFolderStateDifferences({
+      differences: diff,
+      actorInfo: {
+        actorType: actor,
+        actorId,
+        message: message || "Rollback to previous commit"
+      },
+      folderId,
+      projectId,
+      reconstructNewFolders: deepRollback
+    });
+
+    return {
+      success: true,
+      secretChangesCount: response.secretChangesCount,
+      folderChangesCount: response.folderChangesCount,
+      totalChanges: response.totalChanges
+    };
+  };
+
+  const revertCommit = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    commitId
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    commitId: string;
+  }) => {
+    const response = await folderCommitService.revertCommitChanges({
+      commitId,
+      actor,
+      actorId,
+      actorAuthMethod,
+      actorOrgId,
+      projectId
+    });
+
+    return response;
+  };
+
+  const getFolderStateAtCommit = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    projectId,
+    commitId
+  }: {
+    actor: ActorType;
+    actorId: string;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    projectId: string;
+    commitId: string;
+  }) => {
+    const commit = await folderCommitService.getCommitById({
+      commitId,
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      projectId
+    });
+
+    if (!commit) {
+      throw new NotFoundError({ message: `Commit with ID ${commitId} not found` });
+    }
+
+    const response = await folderCommitService.reconstructFolderState(commitId);
+
+    return response.map((item) => {
+      if (item.type === ResourceType.SECRET) {
+        return {
+          ...item,
+          secretVersion: Number(item.secretVersion)
+        };
+      }
+
+      if (item.type === ResourceType.FOLDER) {
+        return {
+          ...item,
+          folderVersion: Number(item.folderVersion)
+        };
+      }
+
+      return item;
+    });
+  };
+
+  return {
+    getCommitsCount,
+    getCommitsForFolder,
+    getCommitChanges,
+    compareCommitChanges,
+    rollbackToCommit,
+    revertCommit,
+    getFolderStateAtCommit
+  };
+};

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -20,6 +20,7 @@ import { EnforcementLevel } from "@app/lib/types";
 import { triggerWorkflowIntegrationNotification } from "@app/lib/workflow-integrations/trigger-notification";
 import { TriggerFeature } from "@app/lib/workflow-integrations/types";
 import { ActorType } from "@app/services/auth/auth-type";
+import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TMicrosoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
@@ -134,6 +135,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   projectMicrosoftTeamsConfigDAL: Pick<TProjectMicrosoftTeamsConfigDALFactory, "getIntegrationDetailsByProject">;
   microsoftTeamsService: Pick<TMicrosoftTeamsServiceFactory, "sendNotification">;
+  folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
 };
 
 export type TSecretApprovalRequestServiceFactory = ReturnType<typeof secretApprovalRequestServiceFactory>;
@@ -165,7 +167,8 @@ export const secretApprovalRequestServiceFactory = ({
   projectSlackConfigDAL,
   resourceMetadataDAL,
   projectMicrosoftTeamsConfigDAL,
-  microsoftTeamsService
+  microsoftTeamsService,
+  folderCommitService
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -606,6 +609,10 @@ export const secretApprovalRequestServiceFactory = ({
           ? await fnSecretV2BridgeBulkInsert({
               tx,
               folderId,
+              actor: {
+                actorId,
+                type: actor
+              },
               orgId: actorOrgId,
               inputSecrets: secretCreationCommits.map((el) => ({
                 tagIds: el?.tags.map(({ id }) => id),
@@ -628,13 +635,18 @@ export const secretApprovalRequestServiceFactory = ({
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+              folderCommitService
             })
           : [];
         const updatedSecrets = secretUpdationCommits.length
           ? await fnSecretV2BridgeBulkUpdate({
               folderId,
               orgId: actorOrgId,
+              actor: {
+                actorId,
+                type: actor
+              },
               tx,
               inputSecrets: secretUpdationCommits.map((el) => {
                 const encryptedValue =
@@ -668,7 +680,8 @@ export const secretApprovalRequestServiceFactory = ({
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
               secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-              resourceMetadataDAL
+              resourceMetadataDAL,
+              folderCommitService
             })
           : [];
         const deletedSecret = secretDeletionCommits.length
@@ -676,10 +689,13 @@ export const secretApprovalRequestServiceFactory = ({
               projectId,
               folderId,
               tx,
-              actorId: "",
+              actorId,
+              actorType: actor,
               secretDAL: secretV2BridgeDAL,
               secretQueueService,
-              inputSecrets: secretDeletionCommits.map(({ key }) => ({ secretKey: key, type: SecretType.Shared }))
+              inputSecrets: secretDeletionCommits.map(({ key }) => ({ secretKey: key, type: SecretType.Shared })),
+              folderCommitService,
+              secretVersionDAL: secretVersionV2BridgeDAL
             })
           : [];
         const updatedSecretApproval = await secretApprovalRequestDAL.updateById(

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -10,6 +10,7 @@ import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueName, TQueueServiceFactory } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
+import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -87,6 +88,7 @@ type TSecretReplicationServiceFactoryDep = {
 
   projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
 };
 
 export type TSecretReplicationServiceFactory = ReturnType<typeof secretReplicationServiceFactory>;
@@ -132,6 +134,7 @@ export const secretReplicationServiceFactory = ({
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
   kmsService,
+  folderCommitService,
   resourceMetadataDAL
 }: TSecretReplicationServiceFactoryDep) => {
   const $getReplicatedSecrets = (
@@ -419,7 +422,7 @@ export const secretReplicationServiceFactory = ({
                     return {
                       op: operation,
                       requestId: approvalRequestDoc.id,
-                      metadata: doc.metadata,
+                      metadata: doc.metadata ? JSON.stringify(doc.metadata) : [],
                       secretMetadata: JSON.stringify(doc.secretMetadata),
                       key: doc.key,
                       encryptedValue: doc.encryptedValue,
@@ -446,11 +449,12 @@ export const secretReplicationServiceFactory = ({
                     tx,
                     secretTagDAL,
                     resourceMetadataDAL,
+                    folderCommitService,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyCreatedSecrets.map((doc) => {
                       return {
                         type: doc.type,
-                        metadata: doc.metadata,
+                        metadata: doc.metadata ? JSON.stringify(doc.metadata) : [],
                         key: doc.key,
                         encryptedValue: doc.encryptedValue,
                         encryptedComment: doc.encryptedComment,
@@ -466,6 +470,7 @@ export const secretReplicationServiceFactory = ({
                     orgId,
                     folderId: destinationReplicationFolderId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
+                    folderCommitService,
                     secretDAL: secretV2BridgeDAL,
                     tx,
                     resourceMetadataDAL,
@@ -479,7 +484,7 @@ export const secretReplicationServiceFactory = ({
                         },
                         data: {
                           type: doc.type,
-                          metadata: doc.metadata,
+                          metadata: doc.metadata ? JSON.stringify(doc.metadata) : [],
                           key: doc.key,
                           encryptedValue: doc.encryptedValue as Buffer,
                           encryptedComment: doc.encryptedComment,

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -63,6 +63,7 @@ import { TAppConnectionDALFactory } from "@app/services/app-connection/app-conne
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { ActorType } from "@app/services/auth/auth-type";
+import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -98,7 +99,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
     TSecretV2BridgeDALFactory,
     "bulkUpdate" | "insertMany" | "deleteMany" | "upsertSecretReferences" | "find" | "invalidateSecretCacheByProjectId"
   >;
-  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
+  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   secretVersionTagV2BridgeDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
   resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "deleteTagsToSecretV2" | "find">;
@@ -106,6 +107,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   queueService: Pick<TQueueServiceFactory, "queuePg">;
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">;
+  folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
 };
 
 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;
@@ -144,6 +146,7 @@ export const secretRotationV2ServiceFactory = ({
   snapshotService,
   keyStore,
   queueService,
+  folderCommitService,
   appConnectionDAL
 }: TSecretRotationV2ServiceFactoryDep) => {
   const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
@@ -537,7 +540,12 @@ export const secretRotationV2ServiceFactory = ({
             secretVersionDAL: secretVersionV2BridgeDAL,
             secretVersionTagDAL: secretVersionTagV2BridgeDAL,
             secretTagDAL,
-            resourceMetadataDAL
+            folderCommitService,
+            resourceMetadataDAL,
+            actor: {
+              type: actor.type,
+              actorId: actor.id
+            }
           });
 
           await secretRotationV2DAL.insertSecretMappings(
@@ -673,7 +681,12 @@ export const secretRotationV2ServiceFactory = ({
             secretVersionDAL: secretVersionV2BridgeDAL,
             secretVersionTagDAL: secretVersionTagV2BridgeDAL,
             secretTagDAL,
-            resourceMetadataDAL
+            folderCommitService,
+            resourceMetadataDAL,
+            actor: {
+              type: actor.type,
+              actorId: actor.id
+            }
           });
 
           secretsMappingUpdated = true;
@@ -791,6 +804,9 @@ export const secretRotationV2ServiceFactory = ({
             projectId,
             folderId,
             actorId: actor.id, // not actually used since rotated secrets are shared
+            actorType: actor.type,
+            folderCommitService,
+            secretVersionDAL: secretVersionV2BridgeDAL,
             tx
           });
         }
@@ -934,6 +950,10 @@ export const secretRotationV2ServiceFactory = ({
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretVersionTagDAL: secretVersionTagV2BridgeDAL,
+              folderCommitService,
+              actor: {
+                type: ActorType.PLATFORM
+              },
               secretTagDAL,
               resourceMetadataDAL
             });

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -14,6 +14,7 @@ import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { ActorType } from "@app/services/auth/auth-type";
+import { CommitType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -53,6 +54,7 @@ type TSecretRotationQueueFactoryDep = {
   secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionMany">;
   telemetryService: Pick<TTelemetryServiceFactory, "sendPostHogEvents">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
 };
 
 // These error should stop the repeatable job and ask user to reconfigure rotation
@@ -77,6 +79,7 @@ export const secretRotationQueueFactory = ({
   telemetryService,
   secretV2BridgeDAL,
   secretVersionV2BridgeDAL,
+  folderCommitService,
   kmsService
 }: TSecretRotationQueueFactoryDep) => {
   const addToQueue = async (rotationId: string, interval: number) => {
@@ -330,7 +333,7 @@ export const secretRotationQueueFactory = ({
             })),
             tx
           );
-          await secretVersionV2BridgeDAL.insertMany(
+          const secretVersions = await secretVersionV2BridgeDAL.insertMany(
             updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
               ...el,
               actorType: ActorType.PLATFORM,
@@ -338,6 +341,22 @@ export const secretRotationQueueFactory = ({
             })),
             tx
           );
+
+          await folderCommitService.createCommit(
+            {
+              actor: {
+                type: ActorType.PLATFORM
+              },
+              message: "Changed by Secret rotation",
+              folderId: secretVersions[0].folderId,
+              changes: secretVersions.map((sv) => ({
+                type: CommitType.ADD,
+                isUpdate: true,
+                secretVersionId: sv.id
+              }))
+            },
+            tx
+          );
         });
 
         await secretV2BridgeDAL.invalidateSecretCacheByProjectId(secretRotation.projectId);

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -8,6 +8,7 @@ import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";
+import { CommitType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -51,8 +52,8 @@ type TSecretSnapshotServiceFactoryDep = {
   snapshotSecretV2BridgeDAL: TSnapshotSecretV2DALFactory;
   snapshotFolderDAL: TSnapshotFolderDALFactory;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "insertMany" | "findLatestVersionByFolderId">;
-  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionByFolderId">;
-  folderVersionDAL: Pick<TSecretFolderVersionDALFactory, "findLatestVersionByFolderId" | "insertMany">;
+  secretVersionV2BridgeDAL: Pick<TSecretVersionV2DALFactory, "insertMany" | "findLatestVersionByFolderId" | "findOne">;
+  folderVersionDAL: Pick<TSecretFolderVersionDALFactory, "findLatestVersionByFolderId" | "insertMany" | "findOne">;
   secretDAL: Pick<TSecretDALFactory, "delete" | "insertMany">;
   secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "delete" | "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecret" | "saveTagsToSecretV2">;
@@ -63,6 +64,7 @@ type TSecretSnapshotServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "isValidLicense">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
   projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
+  folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
 };
 
 export type TSecretSnapshotServiceFactory = ReturnType<typeof secretSnapshotServiceFactory>;
@@ -84,7 +86,8 @@ export const secretSnapshotServiceFactory = ({
   snapshotSecretV2BridgeDAL,
   secretVersionV2TagBridgeDAL,
   kmsService,
-  projectBotService
+  projectBotService,
+  folderCommitService
 }: TSecretSnapshotServiceFactoryDep) => {
   const projectSecretSnapshotCount = async ({
     environment,
@@ -403,6 +406,18 @@ export const secretSnapshotServiceFactory = ({
           .filter((el) => el.isRotatedSecret)
           .map((el) => el.secretId);
 
+        const deletedSecretsChanges = new Map(); // secretId -> version info
+        const deletedFoldersChanges = new Map(); // folderId -> version info
+        const addedSecretsChanges = new Map(); // secretId -> version info
+        const addedFoldersChanges = new Map(); // folderId -> version info
+        const commitChanges: {
+          type: string;
+          secretVersionId?: string;
+          folderVersionId?: string;
+          isUpdate?: boolean;
+          folderId?: string;
+        }[] = [];
+
         // this will remove all secrets in current folder except rotated secrets which we ignore
         const deletedTopLevelSecs = await secretV2BridgeDAL.delete(
           {
@@ -424,7 +439,35 @@ export const secretSnapshotServiceFactory = ({
           },
           tx
         );
+
+        await Promise.all(
+          deletedTopLevelSecs.map(async (sec) => {
+            const version = await secretVersionV2BridgeDAL.findOne({ secretId: sec.id, version: sec.version }, tx);
+            deletedSecretsChanges.set(sec.id, {
+              id: sec.id,
+              version: sec.version,
+              // Store the version ID if available from the snapshot
+              versionId: version?.id
+            });
+          })
+        );
+
         const deletedTopLevelSecsGroupById = groupBy(deletedTopLevelSecs, (item) => item.id);
+
+        const deletedFoldersData = await folderDAL.delete({ parentId: snapshot.folderId, isReserved: false }, tx);
+
+        await Promise.all(
+          deletedFoldersData.map(async (folder) => {
+            const version = await folderVersionDAL.findOne({ folderId: folder.id, version: folder.version }, tx);
+            deletedFoldersChanges.set(folder.id, {
+              id: folder.id,
+              version: folder.version,
+              // Store the version ID if available
+              versionId: version?.id
+            });
+          })
+        );
+
         // this will remove all secrets and folders on child
         // due to sql foreign key and link list connection removing the folders removes everything below too
         const deletedFolders = await folderDAL.delete({ parentId: snapshot.folderId, isReserved: false }, tx);
@@ -489,14 +532,21 @@ export const secretSnapshotServiceFactory = ({
         });
         await secretTagDAL.saveTagsToSecretV2(secretTagsToBeInsert, tx);
         const folderVersions = await folderVersionDAL.insertMany(
-          folders.map(({ version, name, id, envId }) => ({
+          folders.map(({ version, name, id, envId, description }) => ({
             name,
             version,
             folderId: id,
-            envId
+            envId,
+            description
           })),
           tx
         );
+
+        // Track added folders
+        folderVersions.forEach((fv) => {
+          addedFoldersChanges.set(fv.folderId, fv);
+        });
+
         const userActorId = actor === ActorType.USER ? actorId : undefined;
         const identityActorId = actor !== ActorType.USER ? actorId : undefined;
         const actorType = actor || ActorType.PLATFORM;
@@ -511,6 +561,11 @@ export const secretSnapshotServiceFactory = ({
           })),
           tx
         );
+
+        secretVersions.forEach((sv) => {
+          addedSecretsChanges.set(sv.secretId, sv);
+        });
+
         await secretVersionV2TagBridgeDAL.insertMany(
           secretVersions.flatMap(({ secretId, id }) =>
             secretVerTagToBeInsert?.[secretId]?.length
@@ -522,6 +577,70 @@ export const secretSnapshotServiceFactory = ({
           ),
           tx
         );
+
+        // Compute commit changes
+        // Handle secrets
+        deletedSecretsChanges.forEach((deletedInfo, secretId) => {
+          const addedSecret = addedSecretsChanges.get(secretId);
+          if (addedSecret) {
+            // Secret was deleted and re-added - this is an update only if versions are different
+            if (deletedInfo.versionId !== addedSecret.id) {
+              commitChanges.push({
+                type: CommitType.ADD, // In the commit system, updates are tracked as "add" with isUpdate=true
+                secretVersionId: addedSecret.id,
+                isUpdate: true
+              });
+            }
+            // Remove from addedSecrets since we've handled it
+            addedSecretsChanges.delete(secretId);
+          } else if (deletedInfo.versionId) {
+            // Secret was only deleted
+            commitChanges.push({
+              type: CommitType.DELETE,
+              secretVersionId: deletedInfo.versionId
+            });
+          }
+        });
+        // Add remaining new secrets (not updates)
+        addedSecretsChanges.forEach((addedSecret) => {
+          commitChanges.push({
+            type: CommitType.ADD,
+            secretVersionId: addedSecret.id
+          });
+        });
+
+        // Handle folders
+        deletedFoldersChanges.forEach((deletedInfo, folderId) => {
+          const addedFolder = addedFoldersChanges.get(folderId);
+          if (addedFolder) {
+            // Folder was deleted and re-added - this is an update only if versions are different
+            if (deletedInfo.versionId !== addedFolder.id) {
+              commitChanges.push({
+                type: CommitType.ADD,
+                folderVersionId: addedFolder.id,
+                isUpdate: true
+              });
+            }
+            // Remove from addedFolders since we've handled it
+            addedFoldersChanges.delete(folderId);
+          } else if (deletedInfo.versionId) {
+            // Folder was only deleted
+            commitChanges.push({
+              type: CommitType.DELETE,
+              folderVersionId: deletedInfo.versionId,
+              folderId: deletedInfo.id
+            });
+          }
+        });
+
+        // Add remaining new folders (not updates)
+        addedFoldersChanges.forEach((addedFolder) => {
+          commitChanges.push({
+            type: CommitType.ADD,
+            folderVersionId: addedFolder.id
+          });
+        });
+
         const newSnapshot = await snapshotDAL.create(
           {
             folderId: snapshot.folderId,
@@ -550,6 +669,22 @@ export const secretSnapshotServiceFactory = ({
             })),
           tx
         );
+        if (commitChanges.length > 0) {
+          await folderCommitService.createCommit(
+            {
+              actor: {
+                type: actorType,
+                metadata: {
+                  id: userActorId || identityActorId
+                }
+              },
+              message: "Rollback to snapshot",
+              folderId: snapshot.folderId,
+              changes: commitChanges
+            },
+            tx
+          );
+        }
 
         return { ...newSnapshot, snapshotSecrets, snapshotFolders };
       });
@@ -609,11 +744,12 @@ export const secretSnapshotServiceFactory = ({
       });
       await secretTagDAL.saveTagsToSecret(secretTagsToBeInsert, tx);
       const folderVersions = await folderVersionDAL.insertMany(
-        folders.map(({ version, name, id, envId }) => ({
+        folders.map(({ version, name, id, envId, description }) => ({
           name,
           version,
           folderId: id,
-          envId
+          envId,
+          description
         })),
         tx
       );

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-constants.ts

@@ -6,5 +6,6 @@ export const OCI_VAULT_SYNC_LIST_OPTION: TSecretSyncListItem = {
   name: "OCI Vault",
   destination: SecretSync.OCIVault,
   connection: AppConnection.OCI,
-  canImportSecrets: true
+  canImportSecrets: true,
+  enterprise: true
 };

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-fns.ts

@@ -1,7 +1,6 @@
 import { secrets, vault } from "oci-sdk";
 
-import { delay } from "@app/lib/delay";
-import { getOCIProvider } from "@app/services/app-connection/oci";
+import { getOCIProvider } from "@app/ee/services/app-connections/oci";
 import {
   TCreateOCIVaultVariable,
   TDeleteOCIVaultVariable,
@@ -9,7 +8,8 @@ import {
   TOCIVaultSyncWithCredentials,
   TUnmarkOCIVaultVariableFromDeletion,
   TUpdateOCIVaultVariable
-} from "@app/services/secret-sync/oci-vault/oci-vault-sync-types";
+} from "@app/ee/services/secret-sync/oci-vault/oci-vault-sync-types";
+import { delay } from "@app/lib/delay";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
 import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-schemas.ts

@@ -66,5 +66,6 @@ export const OCIVaultSyncListItemSchema = z.object({
   name: z.literal("OCI Vault"),
   connection: z.literal(AppConnection.OCI),
   destination: z.literal(SecretSync.OCIVault),
-  canImportSecrets: z.literal(true)
+  canImportSecrets: z.literal(true),
+  enterprise: z.boolean()
 });

backend/src/ee/services/secret-sync/oci-vault/oci-vault-sync-types.ts

@@ -1,7 +1,7 @@
 import { SimpleAuthenticationDetailsProvider } from "oci-sdk";
 import { z } from "zod";
 
-import { TOCIConnection } from "@app/services/app-connection/oci";
+import { TOCIConnection } from "@app/ee/services/app-connections/oci";
 
 import { CreateOCIVaultSyncSchema, OCIVaultSyncListItemSchema, OCIVaultSyncSchema } from "./oci-vault-sync-schemas";
 

backend/src/keystore/keystore.ts

@@ -1,5 +1,4 @@
-import { Redis } from "ioredis";
-
+import { buildRedisFromConfig, TRedisConfigKeys } from "@app/lib/config/redis";
 import { pgAdvisoryLockHashText } from "@app/lib/crypto/hashtext";
 import { applyJitter } from "@app/lib/dates";
 import { delay as delayMs } from "@app/lib/delay";
@@ -27,6 +26,7 @@ export const KeyStorePrefixes = {
   KmsOrgDataKeyCreation: "kms-org-data-key-creation-lock",
   WaitUntilReadyKmsOrgKeyCreation: "wait-until-ready-kms-org-key-creation-",
   WaitUntilReadyKmsOrgDataKeyCreation: "wait-until-ready-kms-org-data-key-creation-",
+  FolderTreeCheckpoint: (envId: string) => `folder-tree-checkpoint-${envId}`,
 
   WaitUntilReadyProjectEnvironmentOperation: (projectId: string) =>
     `wait-until-ready-project-environments-operation-${projectId}`,
@@ -37,6 +37,8 @@ export const KeyStorePrefixes = {
     `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
   SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
   SecretRotationLock: (rotationId: string) => `secret-rotation-v2-mutex-${rotationId}` as const,
+  CaOrderCertificateForSubscriberLock: (subscriberId: string) =>
+    `ca-order-certificate-for-subscriber-lock-${subscriberId}` as const,
   SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
   IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
     `identity-access-token-status:${identityAccessTokenId}`,
@@ -66,8 +68,8 @@ type TWaitTillReady = {
   jitter?: number;
 };
 
-export const keyStoreFactory = (redisUrl: string) => {
-  const redis = new Redis(redisUrl);
+export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys) => {
+  const redis = buildRedisFromConfig(redisConfigKeys);
   const redisLock = new Redlock([redis], { retryCount: 2, retryDelay: 200 });
 
   const setItem = async (key: string, value: string | number | Buffer, prefix?: string) =>

backend/src/lib/api-docs/constants.ts

@@ -5,6 +5,8 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import { CERTIFICATE_AUTHORITIES_TYPE_MAP } from "@app/services/certificate-authority/certificate-authority-maps";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
@@ -145,7 +147,9 @@ export const UNIVERSAL_AUTH = {
     accessTokenMaxTTL:
       "The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.",
     accessTokenNumUsesLimit:
-      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
+      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
+    accessTokenPeriod:
+      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0."
   },
   RETRIEVE: {
     identityId: "The ID of the identity to retrieve the auth method for."
@@ -159,7 +163,8 @@ export const UNIVERSAL_AUTH = {
     accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
-    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenPeriod: "The new period for an access token in seconds."
   },
   CREATE_CLIENT_SECRET: {
     identityId: "The ID of the identity to create a client secret for.",
@@ -1707,6 +1712,19 @@ export const CERTIFICATES = {
     certificateChain: "The certificate chain of the certificate.",
     serialNumberRes: "The serial number of the certificate.",
     privateKey: "The private key of the certificate."
+  },
+  IMPORT: {
+    projectSlug: "Slug of the project to import the certificate into.",
+    certificatePem: "The PEM-encoded leaf certificate.",
+    privateKeyPem: "The PEM-encoded private key corresponding to the certificate.",
+    chainPem: "The PEM-encoded chain of intermediate certificates.",
+    friendlyName: "A friendly name for the certificate.",
+    pkiCollectionId: "The ID of the PKI collection to add the certificate to.",
+
+    certificate: "The issued certificate.",
+    certificateChain: "The certificate chain of the issued certificate.",
+    privateKey: "The private key of the issued certificate.",
+    serialNumber: "The serial number of the issued certificate."
   }
 };
 
@@ -1778,6 +1796,14 @@ export const PKI_SUBSCRIBERS = {
     subscriberName: "The name of the PKI subscriber to get.",
     projectId: "The ID of the project to get the PKI subscriber for."
   },
+  GET_LATEST_CERT_BUNDLE: {
+    subscriberName: "The name of the PKI subscriber to get the active certificate bundle for.",
+    projectId: "The ID of the project to get the active certificate bundle for.",
+    certificate: "The active certificate for the subscriber.",
+    certificateChain: "The certificate chain of the active certificate for the subscriber.",
+    privateKey: "The private key of the active certificate for the subscriber.",
+    serialNumber: "The serial number of the active certificate for the subscriber."
+  },
   CREATE: {
     projectId: "The ID of the project to create the PKI subscriber in.",
     caId: "The ID of the CA that will issue certificates for the PKI subscriber.",
@@ -1788,7 +1814,9 @@ export const PKI_SUBSCRIBERS = {
     subjectAlternativeNames:
       "A list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
     keyUsages: "The key usage extension to be used on certificates issued for this subscriber.",
-    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber."
+    extendedKeyUsages: "The extended key usage extension to be used on certificates issued for this subscriber.",
+    enableAutoRenewal: "Whether or not to enable auto renewal for the PKI subscriber.",
+    autoRenewalPeriodInDays: "The period in days to auto renew the PKI subscriber's certificates."
   },
   UPDATE: {
     projectId: "The ID of the project to update the PKI subscriber in.",
@@ -1802,7 +1830,9 @@ export const PKI_SUBSCRIBERS = {
       "A comma-delimited list of Subject Alternative Names (SANs) to be used on certificates issued for this subscriber; these can be host names or email addresses.",
     keyUsages: "The key usage extension to be used on certificates issued for this subscriber to update to.",
     extendedKeyUsages:
-      "The extended key usage extension to be used on certificates issued for this subscriber to update to."
+      "The extended key usage extension to be used on certificates issued for this subscriber to update to.",
+    enableAutoRenewal: "Whether or not to enable auto renewal for the PKI subscriber.",
+    autoRenewalPeriodInDays: "The period in days to auto renew the PKI subscriber's certificates."
   },
   DELETE: {
     subscriberName: "The name of the PKI subscriber to delete.",
@@ -1991,6 +2021,47 @@ export const ProjectTemplates = {
   }
 };
 
+export const CertificateAuthorities = {
+  CREATE: (type: CaType) => ({
+    name: `The name of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority to create. Must be slug-friendly.`,
+    projectId: `The ID of the project to create the Certificate Authority in.`,
+    enableDirectIssuance: `Whether or not to enable direct issuance of certificates for the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`,
+    status: `The status of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`
+  }),
+  UPDATE: (type: CaType) => ({
+    caId: `The ID of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority to update.`,
+    projectId: `The ID of the project to update the Certificate Authority in.`,
+    name: `The updated name of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority. Must be slug-friendly.`,
+    enableDirectIssuance: `Whether or not to enable direct issuance of certificates for the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`,
+    status: `The updated status of the ${CERTIFICATE_AUTHORITIES_TYPE_MAP[type]} Certificate Authority.`
+  }),
+  CONFIGURATIONS: {
+    ACME: {
+      dnsAppConnectionId: `The ID of the App Connection to use for creating and managing DNS TXT records required for ACME domain validation. This connection must have permissions to create and delete TXT records in your DNS provider (e.g., Route53) for the ACME challenge process.`,
+      directoryUrl: `The directory URL for the ACME Certificate Authority.`,
+      accountEmail: `The email address for the ACME Certificate Authority.`,
+      provider: `The DNS provider for the ACME Certificate Authority.`,
+      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`
+    },
+    INTERNAL: {
+      type: "The type of CA to create.",
+      friendlyName: "A friendly name for the CA.",
+      organization: "The organization (O) for the CA.",
+      ou: "The organization unit (OU) for the CA.",
+      country: "The country name (C) for the CA.",
+      province: "The state of province name for the CA.",
+      locality: "The locality name for the CA.",
+      commonName: "The common name (CN) for the CA.",
+      notBefore: "The date and time when the CA becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+      notAfter: "The date and time when the CA expires in YYYY-MM-DDTHH:mm:ss.sssZ format.",
+      maxPathLength:
+        "The maximum number of intermediate CAs that may follow this CA in the certificate / CA chain. A maxPathLength of -1 implies no path limit on the chain.",
+      keyAlgorithm:
+        "The type of public key algorithm and size, in bits, of the key pair for the CA; when you create an intermediate CA, you must use a key algorithm supported by the parent CA."
+    }
+  }
+};
+
 export const AppConnections = {
   GET_BY_ID: (app: AppConnection) => ({
     connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`
@@ -2084,6 +2155,10 @@ export const AppConnections = {
       region: "The region identifier in Oracle Cloud Infrastructure where the vault is located.",
       fingerprint: "The fingerprint of the public key uploaded to the user's API keys.",
       privateKey: "The private key content in PEM format used to sign API requests."
+    },
+    ONEPASS: {
+      instanceUrl: "The URL of the 1Password Connect Server instance to authenticate with.",
+      apiToken: "The API token used to access the 1Password Connect Server."
     }
   }
 };
@@ -2237,6 +2312,9 @@ export const SecretSyncs = {
       compartmentOcid: "The OCID (Oracle Cloud Identifier) of the compartment where the vault is located.",
       vaultOcid: "The OCID (Oracle Cloud Identifier) of the vault to sync secrets to.",
       keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
+    },
+    ONEPASS: {
+      vaultId: "The ID of the 1Password vault to sync secrets to."
     }
   }
 };

backend/src/lib/config/env.ts

@@ -30,7 +30,19 @@ const envSchema = z
       .enum(["true", "false"])
       .default("false")
       .transform((el) => el === "true"),
-    REDIS_URL: zpStr(z.string()),
+    REDIS_URL: zpStr(z.string().optional()),
+    REDIS_SENTINEL_HOSTS: zpStr(
+      z
+        .string()
+        .optional()
+        .describe("Comma-separated list of Sentinel host:port pairs. Eg: 192.168.65.254:26379,192.168.65.254:26380")
+    ),
+    REDIS_SENTINEL_MASTER_NAME: zpStr(
+      z.string().optional().default("mymaster").describe("The name of the Redis master set monitored by Sentinel")
+    ),
+    REDIS_SENTINEL_ENABLE_TLS: zodStrBool.optional().describe("Whether to use TLS/SSL for Redis Sentinel connection"),
+    REDIS_SENTINEL_USERNAME: zpStr(z.string().optional().describe("Authentication username for Redis Sentinel")),
+    REDIS_SENTINEL_PASSWORD: zpStr(z.string().optional().describe("Authentication password for Redis Sentinel")),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
       `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
@@ -69,6 +81,9 @@ const envSchema = z
     SMTP_PASSWORD: zpStr(z.string().optional()),
     SMTP_FROM_ADDRESS: zpStr(z.string().optional()),
     SMTP_FROM_NAME: zpStr(z.string().optional().default("Infisical")),
+    SMTP_CUSTOM_CA_CERT: zpStr(
+      z.string().optional().describe("Base64 encoded custom CA certificate PEM(s) for the SMTP server")
+    ),
     COOKIE_SECRET_SIGN_KEY: z
       .string()
       .min(32)
@@ -229,8 +244,11 @@ const envSchema = z
     DATADOG_SERVICE: zpStr(z.string().optional().default("infisical-core")),
     DATADOG_HOSTNAME: zpStr(z.string().optional()),
 
-    /* CORS ----------------------------------------------------------------------------- */
+    // PIT
+    PIT_CHECKPOINT_WINDOW: zpStr(z.string().optional().default("2")),
+    PIT_TREE_CHECKPOINT_WINDOW: zpStr(z.string().optional().default("30")),
 
+    /* CORS ----------------------------------------------------------------------------- */
     CORS_ALLOWED_ORIGINS: zpStr(
       z
         .string()
@@ -240,7 +258,6 @@ const envSchema = z
           return JSON.parse(val) as string[];
         })
     ),
-
     CORS_ALLOWED_HEADERS: zpStr(
       z
         .string()
@@ -249,33 +266,44 @@ const envSchema = z
           if (!val) return undefined;
           return JSON.parse(val) as string[];
         })
-    )
+    ),
+
+    /* INTERNAL ----------------------------------------------------------------------------- */
+    INTERNAL_REGION: zpStr(z.enum(["us", "eu"]).optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(
     (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
     "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
   )
+  .refine(
+    (data) => Boolean(data.REDIS_URL) || Boolean(data.REDIS_SENTINEL_HOSTS),
+    "Either REDIS_URL or REDIS_SENTINEL_HOSTS must be defined."
+  )
   .transform((data) => ({
     ...data,
-
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
     isCloud: Boolean(data.LICENSE_SERVER_KEY),
     isSmtpConfigured: Boolean(data.SMTP_HOST),
-    isRedisConfigured: Boolean(data.REDIS_URL),
+    isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
     isDevelopmentMode: data.NODE_ENV === "development",
     isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
-
+    isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
+    REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()
+      ?.split(",")
+      .map((el) => {
+        const [host, port] = el.trim().split(":");
+        return { host: host.trim(), port: Number(port.trim()) };
+      }),
     isSecretScanningConfigured:
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
     isHsmConfigured:
       Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
-
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));
@@ -298,6 +326,17 @@ export const initEnvConfig = (logger?: CustomLogger) => {
 };
 
 export const formatSmtpConfig = () => {
+  const tlsOptions: {
+    rejectUnauthorized: boolean;
+    ca?: string | string[];
+  } = {
+    rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
+  };
+
+  if (envCfg.SMTP_CUSTOM_CA_CERT) {
+    tlsOptions.ca = Buffer.from(envCfg.SMTP_CUSTOM_CA_CERT, "base64").toString("utf-8");
+  }
+
   return {
     host: envCfg.SMTP_HOST,
     port: envCfg.SMTP_PORT,
@@ -309,8 +348,6 @@ export const formatSmtpConfig = () => {
     from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`,
     ignoreTLS: envCfg.SMTP_IGNORE_TLS,
     requireTLS: envCfg.SMTP_REQUIRE_TLS,
-    tls: {
-      rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
-    }
+    tls: tlsOptions
   };
 };

backend/src/lib/config/redis.ts

@@ -0,0 +1,24 @@
+import { Redis } from "ioredis";
+
+export type TRedisConfigKeys = Partial<{
+  REDIS_URL: string;
+  REDIS_SENTINEL_HOSTS: { host: string; port: number }[];
+  REDIS_SENTINEL_MASTER_NAME: string;
+  REDIS_SENTINEL_ENABLE_TLS: boolean;
+  REDIS_SENTINEL_USERNAME: string;
+  REDIS_SENTINEL_PASSWORD: string;
+}>;
+
+export const buildRedisFromConfig = (cfg: TRedisConfigKeys) => {
+  if (cfg.REDIS_URL) return new Redis(cfg.REDIS_URL, { maxRetriesPerRequest: null });
+
+  return new Redis({
+    // refine at tope will catch this case
+    sentinels: cfg.REDIS_SENTINEL_HOSTS!,
+    name: cfg.REDIS_SENTINEL_MASTER_NAME!,
+    maxRetriesPerRequest: null,
+    sentinelUsername: cfg.REDIS_SENTINEL_USERNAME,
+    sentinelPassword: cfg.REDIS_SENTINEL_PASSWORD,
+    enableTLSForSentinelMode: cfg.REDIS_SENTINEL_ENABLE_TLS
+  });
+};

backend/src/lib/logger/logger.ts

@@ -95,11 +95,20 @@ const extractReqId = () => {
   try {
     return requestContext.get("reqId") || UNKNOWN_REQUEST_ID;
   } catch (err) {
+    // eslint-disable-next-line no-console
     console.log("failed to get request context", err);
     return UNKNOWN_REQUEST_ID;
   }
 };
 
+const extractOrgId = () => {
+  try {
+    return requestContext.get("orgId");
+  } catch {
+    return "";
+  }
+};
+
 export const initLogger = () => {
   const cfg = loggerConfig.parse(process.env);
   const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -135,22 +144,22 @@ export const initLogger = () => {
   const wrapLogger = (originalLogger: Logger): CustomLogger => {
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.info = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).info(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).info(obj, msg, ...args);
     };
 
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.error = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).error(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).error(obj, msg, ...args);
     };
 
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.warn = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).warn(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).warn(obj, msg, ...args);
     };
 
     // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
     originalLogger.debug = (obj: unknown, msg?: string, ...args: any[]) => {
-      return originalLogger.child({ reqId: extractReqId() }).debug(obj, msg, ...args);
+      return originalLogger.child({ reqId: extractReqId(), orgId: extractOrgId() }).debug(obj, msg, ...args);
     };
 
     return originalLogger;

backend/src/main.ts

@@ -1,7 +1,6 @@
 import "./lib/telemetry/instrumentation";
 
 import dotenv from "dotenv";
-import { Redis } from "ioredis";
 
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 
@@ -9,6 +8,7 @@ import { runMigrations } from "./auto-start-migrations";
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig } from "./lib/config/env";
+import { buildRedisFromConfig } from "./lib/config/redis";
 import { removeTemporaryBaseDirectory } from "./lib/files";
 import { initLogger } from "./lib/logger";
 import { queueServiceFactory } from "./queue";
@@ -44,15 +44,15 @@ const run = async () => {
 
   const smtp = smtpServiceFactory(formatSmtpConfig());
 
-  const queue = queueServiceFactory(envConfig.REDIS_URL, {
+  const queue = queueServiceFactory(envConfig, {
     dbConnectionUrl: envConfig.DB_CONNECTION_URI,
     dbRootCert: envConfig.DB_ROOT_CERT
   });
 
   await queue.initialize();
 
-  const keyStore = keyStoreFactory(envConfig.REDIS_URL);
-  const redis = new Redis(envConfig.REDIS_URL);
+  const keyStore = keyStoreFactory(envConfig);
+  const redis = buildRedisFromConfig(envConfig);
 
   const hsmModule = initializeHsmModule(envConfig);
   hsmModule.initialize();

backend/src/queue/queue-service.ts

@@ -1,5 +1,4 @@
 import { Job, JobsOptions, Queue, QueueOptions, RepeatOptions, Worker, WorkerListener } from "bullmq";
-import Redis from "ioredis";
 import PgBoss, { WorkOptions } from "pg-boss";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
@@ -13,7 +12,9 @@ import {
   TScanPushEventPayload
 } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
 import { getConfig } from "@app/lib/config/env";
+import { buildRedisFromConfig, TRedisConfigKeys } from "@app/lib/config/redis";
 import { logger } from "@app/lib/logger";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
 import {
   TFailedIntegrationSyncEmailsPayload,
   TIntegrationSyncPayload,
@@ -36,6 +37,7 @@ export enum QueueName {
   AuditLogPrune = "audit-log-prune",
   DailyResourceCleanUp = "daily-resource-cleanup",
   DailyExpiringPkiItemAlert = "daily-expiring-pki-item-alert",
+  PkiSubscriber = "pki-subscriber",
   TelemetryInstanceStats = "telemtry-self-hosted-stats",
   IntegrationSync = "sync-integrations",
   SecretWebhook = "secret-webhook",
@@ -44,6 +46,7 @@ export enum QueueName {
   UpgradeProjectToGhost = "upgrade-project-to-ghost",
   DynamicSecretRevocation = "dynamic-secret-revocation",
   CaCrlRotation = "ca-crl-rotation",
+  CaLifecycle = "ca-lifecycle", // parent queue to ca-order-certificate-for-subscriber
   SecretReplication = "secret-replication",
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
@@ -51,6 +54,7 @@ export enum QueueName {
   ImportSecretsFromExternalSource = "import-secrets-from-external-source",
   AppConnectionSecretSync = "app-connection-secret-sync",
   SecretRotationV2 = "secret-rotation-v2",
+  FolderTreeCheckpoint = "folder-tree-checkpoint",
   InvalidateCache = "invalidate-cache"
 }
 
@@ -84,7 +88,10 @@ export enum QueueJobs {
   SecretRotationV2QueueRotations = "secret-rotation-v2-queue-rotations",
   SecretRotationV2RotateSecrets = "secret-rotation-v2-rotate-secrets",
   SecretRotationV2SendNotification = "secret-rotation-v2-send-notification",
-  InvalidateCache = "invalidate-cache"
+  CreateFolderTreeCheckpoint = "create-folder-tree-checkpoint",
+  InvalidateCache = "invalidate-cache",
+  CaOrderCertificateForSubscriber = "ca-order-certificate-for-subscriber",
+  PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal"
 }
 
 export type TQueueJobTypes = {
@@ -194,6 +201,12 @@ export type TQueueJobTypes = {
     name: QueueJobs.ProjectV3Migration;
     payload: { projectId: string };
   };
+  [QueueName.FolderTreeCheckpoint]: {
+    name: QueueJobs.CreateFolderTreeCheckpoint;
+    payload: {
+      envId: string;
+    };
+  };
   [QueueName.ImportSecretsFromExternalSource]: {
     name: QueueJobs.ImportSecretsFromExternalSource;
     payload: {
@@ -245,14 +258,25 @@ export type TQueueJobTypes = {
       };
     };
   };
+  [QueueName.CaLifecycle]: {
+    name: QueueJobs.CaOrderCertificateForSubscriber;
+    payload: {
+      subscriberId: string;
+      caType: CaType;
+    };
+  };
+  [QueueName.PkiSubscriber]: {
+    name: QueueJobs.PkiSubscriberDailyAutoRenewal;
+    payload: undefined;
+  };
 };
 
 export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;
 export const queueServiceFactory = (
-  redisUrl: string,
+  redisCfg: TRedisConfigKeys,
   { dbConnectionUrl, dbRootCert }: { dbConnectionUrl: string; dbRootCert?: string }
 ) => {
-  const connection = new Redis(redisUrl, { maxRetriesPerRequest: null });
+  const connection = buildRedisFromConfig(redisCfg);
   const queueContainer = {} as Record<
     QueueName,
     Queue<TQueueJobTypes[QueueName]["payload"], void, TQueueJobTypes[QueueName]["name"]>

backend/src/server/boot-strap-check.ts

@@ -1,9 +1,9 @@
 /* eslint-disable no-console */
-import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { createTransport } from "nodemailer";
 
 import { formatSmtpConfig, getConfig } from "@app/lib/config/env";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { logger } from "@app/lib/logger";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
@@ -65,12 +65,15 @@ export const bootstrapCheck = async ({ db }: BootstrapOpt) => {
     });
 
   console.log("Testing redis connection");
-  const redis = new Redis(appCfg.REDIS_URL);
+  const redis = buildRedisFromConfig(appCfg);
   const redisPing = await redis?.ping();
   if (!redisPing) {
     console.error("Redis - Failed to connect");
   } else {
-    console.error("Redis successfully connected");
+    console.log("Redis successfully connected");
+    if (appCfg.isRedisSentinelMode) {
+      console.log("Redis Sentinel Mode");
+    }
     redis.disconnect();
   }
 

backend/src/server/config/rateLimiter.ts

@@ -1,14 +1,12 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
-import { Redis } from "ioredis";
 
 import { getConfig } from "@app/lib/config/env";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { RateLimitError } from "@app/lib/errors";
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
   const appCfg = getConfig();
-  const redis = appCfg.isRedisConfigured
-    ? new Redis(appCfg.REDIS_URL, { connectTimeout: 500, maxRetriesPerRequest: 1 })
-    : null;
+  const redis = appCfg.isRedisConfigured ? buildRedisFromConfig(appCfg) : null;
 
   return {
     errorResponseBuilder: (_, context) => {

backend/src/server/plugins/auth/inject-identity.ts

@@ -123,6 +123,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
     switch (authMode) {
       case AuthMode.JWT: {
         const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
+        requestContext.set("orgId", orgId);
         req.auth = {
           authMode: AuthMode.JWT,
           user,
@@ -138,6 +139,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       case AuthMode.IDENTITY_ACCESS_TOKEN: {
         const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
         const serverCfg = await getServerCfg();
+        requestContext.set("orgId", identity.orgId);
         req.auth = {
           authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
           actor,
@@ -157,6 +159,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       }
       case AuthMode.SERVICE_TOKEN: {
         const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
+        requestContext.set("orgId", serviceToken.orgId);
         req.auth = {
           orgId: serviceToken.orgId,
           authMode: AuthMode.SERVICE_TOKEN as const,
@@ -181,6 +184,7 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       }
       case AuthMode.SCIM_TOKEN: {
         const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
+        requestContext.set("orgId", orgId);
         req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
         break;
       }

backend/src/server/routes/index.ts

@@ -57,6 +57,7 @@ import { oidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
 import { oidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
 import { permissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { pitServiceFactory } from "@app/ee/services/pit/pit-service";
 import { projectTemplateDALFactory } from "@app/ee/services/project-template/project-template-dal";
 import { projectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { projectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
@@ -132,6 +133,10 @@ import { certificateAuthorityDALFactory } from "@app/services/certificate-author
 import { certificateAuthorityQueueFactory } from "@app/services/certificate-authority/certificate-authority-queue";
 import { certificateAuthoritySecretDALFactory } from "@app/services/certificate-authority/certificate-authority-secret-dal";
 import { certificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { externalCertificateAuthorityDALFactory } from "@app/services/certificate-authority/external-certificate-authority-dal";
+import { internalCertificateAuthorityDALFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-dal";
+import { InternalCertificateAuthorityFns } from "@app/services/certificate-authority/internal/internal-certificate-authority-fns";
+import { internalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { certificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { certificateTemplateEstConfigDALFactory } from "@app/services/certificate-template/certificate-template-est-config-dal";
 import { certificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
@@ -140,6 +145,14 @@ import { externalGroupOrgRoleMappingDALFactory } from "@app/services/external-gr
 import { externalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { externalMigrationQueueFactory } from "@app/services/external-migration/external-migration-queue";
 import { externalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
+import { folderCheckpointDALFactory } from "@app/services/folder-checkpoint/folder-checkpoint-dal";
+import { folderCheckpointResourcesDALFactory } from "@app/services/folder-checkpoint-resources/folder-checkpoint-resources-dal";
+import { folderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import { folderCommitQueueServiceFactory } from "@app/services/folder-commit/folder-commit-queue";
+import { folderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { folderCommitChangesDALFactory } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { folderTreeCheckpointDALFactory } from "@app/services/folder-tree-checkpoint/folder-tree-checkpoint-dal";
+import { folderTreeCheckpointResourcesDALFactory } from "@app/services/folder-tree-checkpoint-resources/folder-tree-checkpoint-resources-dal";
 import { groupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { groupProjectMembershipRoleDALFactory } from "@app/services/group-project/group-project-membership-role-dal";
 import { groupProjectServiceFactory } from "@app/services/group-project/group-project-service";
@@ -199,6 +212,7 @@ import { pkiCollectionDALFactory } from "@app/services/pki-collection/pki-collec
 import { pkiCollectionItemDALFactory } from "@app/services/pki-collection/pki-collection-item-dal";
 import { pkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { pkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
+import { pkiSubscriberQueueServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-queue";
 import { pkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
@@ -559,6 +573,41 @@ export const registerRoutes = async (
     projectRoleDAL,
     permissionService
   });
+
+  const folderCommitChangesDAL = folderCommitChangesDALFactory(db);
+  const folderCheckpointDAL = folderCheckpointDALFactory(db);
+  const folderCheckpointResourcesDAL = folderCheckpointResourcesDALFactory(db);
+  const folderTreeCheckpointDAL = folderTreeCheckpointDALFactory(db);
+  const folderCommitDAL = folderCommitDALFactory(db);
+  const folderTreeCheckpointResourcesDAL = folderTreeCheckpointResourcesDALFactory(db);
+  const folderCommitQueueService = folderCommitQueueServiceFactory({
+    queueService,
+    folderTreeCheckpointDAL,
+    keyStore,
+    folderTreeCheckpointResourcesDAL,
+    folderCommitDAL,
+    folderDAL
+  });
+  const folderCommitService = folderCommitServiceFactory({
+    folderCommitDAL,
+    folderCommitChangesDAL,
+    folderCheckpointDAL,
+    folderTreeCheckpointDAL,
+    userDAL,
+    identityDAL,
+    folderDAL,
+    folderVersionDAL,
+    secretVersionV2BridgeDAL,
+    projectDAL,
+    folderCheckpointResourcesDAL,
+    secretV2BridgeDAL,
+    folderTreeCheckpointResourcesDAL,
+    folderCommitQueueService,
+    permissionService,
+    kmsService,
+    secretTagDAL,
+    resourceMetadataDAL
+  });
   const scimService = scimServiceFactory({
     licenseService,
     scimDAL,
@@ -817,6 +866,8 @@ export const registerRoutes = async (
   });
 
   const certificateAuthorityDAL = certificateAuthorityDALFactory(db);
+  const internalCertificateAuthorityDAL = internalCertificateAuthorityDALFactory(db);
+  const externalCertificateAuthorityDAL = externalCertificateAuthorityDALFactory(db);
   const certificateAuthorityCertDAL = certificateAuthorityCertDALFactory(db);
   const certificateAuthoritySecretDAL = certificateAuthoritySecretDALFactory(db);
   const certificateAuthorityCrlDAL = certificateAuthorityCrlDALFactory(db);
@@ -842,17 +893,9 @@ export const registerRoutes = async (
     certificateAuthoritySecretDAL,
     projectDAL,
     kmsService,
-    permissionService
-  });
-
-  const certificateAuthorityQueue = certificateAuthorityQueueFactory({
-    certificateAuthorityCrlDAL,
-    certificateAuthorityDAL,
-    certificateAuthoritySecretDAL,
-    certificateDAL,
-    projectDAL,
-    kmsService,
-    queueService
+    permissionService,
+    pkiCollectionDAL,
+    pkiCollectionItemDAL
   });
 
   const sshCertificateAuthorityService = sshCertificateAuthorityServiceFactory({
@@ -901,23 +944,6 @@ export const registerRoutes = async (
     groupDAL
   });
 
-  const certificateAuthorityService = certificateAuthorityServiceFactory({
-    certificateAuthorityDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthoritySecretDAL,
-    certificateAuthorityCrlDAL,
-    certificateTemplateDAL,
-    certificateAuthorityQueue,
-    certificateDAL,
-    certificateBodyDAL,
-    certificateSecretDAL,
-    pkiCollectionDAL,
-    pkiCollectionItemDAL,
-    projectDAL,
-    kmsService,
-    permissionService
-  });
-
   const certificateAuthorityCrlService = certificateAuthorityCrlServiceFactory({
     certificateAuthorityDAL,
     certificateAuthorityCrlDAL,
@@ -937,17 +963,6 @@ export const registerRoutes = async (
     licenseService
   });
 
-  const certificateEstService = certificateEstServiceFactory({
-    certificateAuthorityService,
-    certificateTemplateService,
-    certificateTemplateDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthorityDAL,
-    projectDAL,
-    kmsService,
-    licenseService
-  });
-
   const pkiAlertService = pkiAlertServiceFactory({
     pkiAlertDAL,
     pkiCollectionDAL,
@@ -965,20 +980,6 @@ export const registerRoutes = async (
     projectDAL
   });
 
-  const pkiSubscriberService = pkiSubscriberServiceFactory({
-    pkiSubscriberDAL,
-    certificateAuthorityDAL,
-    certificateAuthorityCertDAL,
-    certificateAuthoritySecretDAL,
-    certificateAuthorityCrlDAL,
-    certificateDAL,
-    certificateBodyDAL,
-    certificateSecretDAL,
-    projectDAL,
-    kmsService,
-    permissionService
-  });
-
   const projectTemplateService = projectTemplateServiceFactory({
     licenseService,
     permissionService,
@@ -1007,6 +1008,7 @@ export const registerRoutes = async (
     projectMembershipDAL,
     projectBotDAL,
     secretDAL,
+    folderCommitService,
     secretBlindIndexDAL,
     secretVersionDAL,
     secretTagDAL,
@@ -1014,7 +1016,8 @@ export const registerRoutes = async (
     secretVersionV2BridgeDAL,
     secretVersionTagV2BridgeDAL,
     resourceMetadataDAL,
-    appConnectionDAL
+    appConnectionDAL,
+    licenseService
   });
 
   const secretQueueService = secretQueueFactory({
@@ -1053,6 +1056,7 @@ export const registerRoutes = async (
     secretReminderRecipientsDAL,
     orgService,
     resourceMetadataDAL,
+    folderCommitService,
     secretSyncQueue
   });
 
@@ -1129,6 +1133,7 @@ export const registerRoutes = async (
     snapshotDAL,
     snapshotFolderDAL,
     snapshotSecretDAL,
+    folderCommitService,
     secretVersionDAL,
     folderVersionDAL,
     secretTagDAL,
@@ -1155,7 +1160,8 @@ export const registerRoutes = async (
     folderVersionDAL,
     projectEnvDAL,
     snapshotService,
-    projectDAL
+    projectDAL,
+    folderCommitService
   });
 
   const secretImportService = secretImportServiceFactory({
@@ -1180,6 +1186,7 @@ export const registerRoutes = async (
   const secretV2BridgeService = secretV2BridgeServiceFactory({
     folderDAL,
     secretVersionDAL: secretVersionV2BridgeDAL,
+    folderCommitService,
     secretQueueService,
     secretDAL: secretV2BridgeDAL,
     permissionService,
@@ -1223,7 +1230,8 @@ export const registerRoutes = async (
     projectSlackConfigDAL,
     resourceMetadataDAL,
     projectMicrosoftTeamsConfigDAL,
-    microsoftTeamsService
+    microsoftTeamsService,
+    folderCommitService
   });
 
   const secretService = secretServiceFactory({
@@ -1308,7 +1316,8 @@ export const registerRoutes = async (
     secretV2BridgeDAL,
     secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
     secretVersionV2BridgeDAL,
-    resourceMetadataDAL
+    resourceMetadataDAL,
+    folderCommitService
   });
 
   const secretRotationQueue = secretRotationQueueFactory({
@@ -1320,6 +1329,7 @@ export const registerRoutes = async (
     projectBotService,
     secretVersionV2BridgeDAL,
     secretV2BridgeDAL,
+    folderCommitService,
     kmsService
   });
 
@@ -1471,6 +1481,15 @@ export const registerRoutes = async (
     permissionService
   });
 
+  const pitService = pitServiceFactory({
+    folderCommitService,
+    secretService,
+    folderService,
+    permissionService,
+    folderDAL,
+    projectEnvDAL
+  });
+
   const identityOidcAuthService = identityOidcAuthServiceFactory({
     identityOidcAuthDAL,
     identityOrgMembershipDAL,
@@ -1612,7 +1631,9 @@ export const registerRoutes = async (
     secretDAL: secretV2BridgeDAL,
     queueService,
     secretV2BridgeService,
-    resourceMetadataDAL
+    resourceMetadataDAL,
+    folderCommitService,
+    folderVersionDAL
   });
 
   const migrationService = externalMigrationServiceFactory({
@@ -1631,7 +1652,8 @@ export const registerRoutes = async (
   const appConnectionService = appConnectionServiceFactory({
     appConnectionDAL,
     permissionService,
-    kmsService
+    kmsService,
+    licenseService
   });
 
   const secretSyncService = secretSyncServiceFactory({
@@ -1642,7 +1664,54 @@ export const registerRoutes = async (
     folderDAL,
     secretSyncQueue,
     projectBotService,
-    keyStore
+    keyStore,
+    licenseService
+  });
+
+  const certificateAuthorityQueue = certificateAuthorityQueueFactory({
+    certificateAuthorityCrlDAL,
+    certificateAuthorityDAL,
+    certificateAuthoritySecretDAL,
+    certificateDAL,
+    projectDAL,
+    kmsService,
+    queueService,
+    pkiSubscriberDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    externalCertificateAuthorityDAL,
+    keyStore,
+    appConnectionDAL,
+    appConnectionService
+  });
+
+  const internalCertificateAuthorityService = internalCertificateAuthorityServiceFactory({
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateTemplateDAL,
+    certificateAuthorityQueue,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    pkiCollectionDAL,
+    pkiCollectionItemDAL,
+    projectDAL,
+    internalCertificateAuthorityDAL,
+    kmsService,
+    permissionService
+  });
+
+  const certificateEstService = certificateEstServiceFactory({
+    internalCertificateAuthorityService,
+    certificateTemplateService,
+    certificateTemplateDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthorityDAL,
+    projectDAL,
+    kmsService,
+    licenseService
   });
 
   const kmipService = kmipServiceFactory({
@@ -1674,6 +1743,7 @@ export const registerRoutes = async (
     auditLogService,
     secretV2BridgeDAL,
     secretTagDAL,
+    folderCommitService,
     secretVersionTagV2BridgeDAL,
     secretVersionV2BridgeDAL,
     keyStore,
@@ -1684,6 +1754,59 @@ export const registerRoutes = async (
     appConnectionDAL
   });
 
+  const certificateAuthorityService = certificateAuthorityServiceFactory({
+    certificateAuthorityDAL,
+    projectDAL,
+    permissionService,
+    appConnectionDAL,
+    appConnectionService,
+    externalCertificateAuthorityDAL,
+    internalCertificateAuthorityService,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    kmsService,
+    pkiSubscriberDAL
+  });
+
+  const internalCaFns = InternalCertificateAuthorityFns({
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    projectDAL,
+    kmsService
+  });
+
+  const pkiSubscriberQueue = pkiSubscriberQueueServiceFactory({
+    queueService,
+    pkiSubscriberDAL,
+    certificateAuthorityDAL,
+    certificateAuthorityQueue,
+    certificateDAL,
+    auditLogService,
+    internalCaFns
+  });
+
+  const pkiSubscriberService = pkiSubscriberServiceFactory({
+    pkiSubscriberDAL,
+    certificateAuthorityDAL,
+    certificateAuthorityCertDAL,
+    certificateAuthoritySecretDAL,
+    certificateAuthorityCrlDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    projectDAL,
+    kmsService,
+    permissionService,
+    certificateAuthorityQueue,
+    internalCaFns
+  });
+
   await secretRotationV2QueueServiceFactory({
     secretRotationV2Service,
     secretRotationV2DAL,
@@ -1704,6 +1827,7 @@ export const registerRoutes = async (
   await telemetryQueue.startTelemetryCheck();
   await dailyResourceCleanUp.startCleanUp();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
+  await pkiSubscriberQueue.startDailyAutoRenewalJob();
   await kmsService.startService();
   await microsoftTeamsService.start();
 
@@ -1769,9 +1893,11 @@ export const registerRoutes = async (
     sshHost: sshHostService,
     sshHostGroup: sshHostGroupService,
     certificateAuthority: certificateAuthorityService,
+    internalCertificateAuthority: internalCertificateAuthorityService,
     certificateTemplate: certificateTemplateService,
     certificateAuthorityCrl: certificateAuthorityCrlService,
     certificateEst: certificateEstService,
+    pit: pitService,
     pkiAlert: pkiAlertService,
     pkiCollection: pkiCollectionService,
     pkiSubscriber: pkiSubscriberService,
@@ -1804,7 +1930,8 @@ export const registerRoutes = async (
     secretRotationV2: secretRotationV2Service,
     microsoftTeams: microsoftTeamsService,
     assumePrivileges: assumePrivilegeService,
-    githubOrgSync: githubOrgSyncConfigService
+    githubOrgSync: githubOrgSyncConfigService,
+    folderCommit: folderCommitService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/sanitizedSchemas.ts

@@ -1,9 +1,11 @@
 import { z } from "zod";
 
 import {
+  CertificateAuthoritiesSchema,
   DynamicSecretsSchema,
   IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
+  InternalCertificateAuthoritiesSchema,
   ProjectRolesSchema,
   ProjectsSchema,
   SecretApprovalPoliciesSchema,
@@ -272,3 +274,15 @@ export const SanitizedTagSchema = SecretTagsSchema.pick({
 }).extend({
   name: z.string()
 });
+
+export const InternalCertificateAuthorityResponseSchema = CertificateAuthoritiesSchema.merge(
+  InternalCertificateAuthoritiesSchema.omit({
+    caId: true,
+    notAfter: true,
+    notBefore: true
+  })
+).extend({
+  requireTemplateForIssuance: z.boolean().optional(),
+  notAfter: z.string().optional(),
+  notBefore: z.string().optional()
+});

backend/src/server/routes/v1/app-connection-routers/1password-connection-router.ts

@@ -0,0 +1,60 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import {
+  CreateOnePassConnectionSchema,
+  SanitizedOnePassConnectionSchema,
+  UpdateOnePassConnectionSchema
+} from "@app/services/app-connection/1password";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerOnePassConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.OnePass,
+    server,
+    sanitizedResponseSchema: SanitizedOnePassConnectionSchema,
+    createSchema: CreateOnePassConnectionSchema,
+    updateSchema: UpdateOnePassConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/vaults`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string(),
+            type: z.string(),
+            items: z.number(),
+
+            attributeVersion: z.number(),
+            contentVersion: z.number(),
+
+            // Corresponds to ISO8601 date string
+            createdAt: z.string(),
+            updatedAt: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const vaults = await server.services.appConnection.onepass.listVaults(connectionId, req.permission);
+      return vaults;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -1,9 +1,14 @@
 import { z } from "zod";
 
+import { OCIConnectionListItemSchema, SanitizedOCIConnectionSchema } from "@app/ee/services/app-connections/oci";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import {
+  OnePassConnectionListItemSchema,
+  SanitizedOnePassConnectionSchema
+} from "@app/services/app-connection/1password";
 import { Auth0ConnectionListItemSchema, SanitizedAuth0ConnectionSchema } from "@app/services/app-connection/auth0";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
 import {
@@ -38,7 +43,6 @@ import {
 } from "@app/services/app-connection/humanitec";
 import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
 import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
-import { OCIConnectionListItemSchema, SanitizedOCIConnectionSchema } from "@app/services/app-connection/oci";
 import {
   PostgresConnectionListItemSchema,
   SanitizedPostgresConnectionSchema
@@ -78,7 +82,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedWindmillConnectionSchema.options,
   ...SanitizedLdapConnectionSchema.options,
   ...SanitizedTeamCityConnectionSchema.options,
-  ...SanitizedOCIConnectionSchema.options
+  ...SanitizedOCIConnectionSchema.options,
+  ...SanitizedOnePassConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -100,7 +105,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   WindmillConnectionListItemSchema,
   LdapConnectionListItemSchema,
   TeamCityConnectionListItemSchema,
-  OCIConnectionListItemSchema
+  OCIConnectionListItemSchema,
+  OnePassConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,5 +1,7 @@
+import { registerOCIConnectionRouter } from "@app/ee/routes/v1/app-connection-routers/oci-connection-router";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
+import { registerOnePassConnectionRouter } from "./1password-connection-router";
 import { registerAuth0ConnectionRouter } from "./auth0-connection-router";
 import { registerAwsConnectionRouter } from "./aws-connection-router";
 import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
@@ -13,7 +15,6 @@ import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
-import { registerOCIConnectionRouter } from "./oci-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
@@ -42,5 +43,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.HCVault]: registerHCVaultConnectionRouter,
     [AppConnection.LDAP]: registerLdapConnectionRouter,
     [AppConnection.TeamCity]: registerTeamCityConnectionRouter,
-    [AppConnection.OCI]: registerOCIConnectionRouter
+    [AppConnection.OCI]: registerOCIConnectionRouter,
+    [AppConnection.OnePass]: registerOnePassConnectionRouter
   };

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-floating-promises */
 import { z } from "zod";
 
-import { CertificateAuthoritiesSchema, CertificateTemplatesSchema } from "@app/db/schemas";
+import { CertificateTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
@@ -10,13 +10,19 @@ import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import { CaRenewalType, CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
+import {
+  CaRenewalType,
+  CaStatus,
+  InternalCaType
+} from "@app/services/certificate-authority/certificate-authority-enums";
 import {
   validateAltNamesField,
   validateCaDateField
 } from "@app/services/certificate-authority/certificate-authority-validators";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
+import { InternalCertificateAuthorityResponseSchema } from "../sanitizedSchemas";
+
 export const registerCaRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -32,7 +38,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       body: z
         .object({
           projectSlug: z.string().trim().describe(CERTIFICATE_AUTHORITIES.CREATE.projectSlug),
-          type: z.nativeEnum(CaType).describe(CERTIFICATE_AUTHORITIES.CREATE.type),
+          type: z.nativeEnum(InternalCaType).describe(CERTIFICATE_AUTHORITIES.CREATE.type),
           friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
           commonName: z.string().trim().describe(CERTIFICATE_AUTHORITIES.CREATE.commonName),
           organization: z.string().trim().describe(CERTIFICATE_AUTHORITIES.CREATE.organization),
@@ -68,16 +74,18 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         ),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.createCa({
+      const ca = await server.services.internalCertificateAuthority.createCa({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
+        isInternal: false,
         actorOrgId: req.permission.orgId,
+        enableDirectIssuance: !req.body.requireTemplateForIssuance,
         ...req.body
       });
 
@@ -87,6 +95,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         event: {
           type: EventType.CREATE_CA,
           metadata: {
+            name: ca.name,
             caId: ca.id,
             dn: ca.dn
           }
@@ -115,12 +124,12 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.getCaById({
+      const ca = await server.services.internalCertificateAuthority.getCaById({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -135,6 +144,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
           type: EventType.GET_CA,
           metadata: {
             caId: ca.id,
+            name: ca.name,
             dn: ca.dn
           }
         }
@@ -167,7 +177,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req, res) => {
-      const caCert = await server.services.certificateAuthority.getCaCertById(req.params);
+      const caCert = await server.services.internalCertificateAuthority.getCaCertById(req.params);
 
       res.header("Content-Type", "application/pkix-cert");
 
@@ -198,17 +208,19 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.updateCaById({
+      const ca = await server.services.internalCertificateAuthority.updateCaById({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
+        isInternal: false,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
+        enableDirectIssuance: !req.body.requireTemplateForIssuance,
         ...req.body
       });
 
@@ -220,6 +232,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
           metadata: {
             caId: ca.id,
             dn: ca.dn,
+            name: ca.name,
             status: ca.status as CaStatus
           }
         }
@@ -247,12 +260,12 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          ca: CertificateAuthoritiesSchema
+          ca: InternalCertificateAuthorityResponseSchema
         })
       }
     },
     handler: async (req) => {
-      const ca = await server.services.certificateAuthority.deleteCaById({
+      const ca = await server.services.internalCertificateAuthority.deleteCaById({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -266,6 +279,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         event: {
           type: EventType.DELETE_CA,
           metadata: {
+            name: ca.name,
             caId: ca.id,
             dn: ca.dn
           }
@@ -299,7 +313,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { ca, csr } = await server.services.certificateAuthority.getCaCsr({
+      const { ca, csr } = await server.services.internalCertificateAuthority.getCaCsr({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -353,7 +367,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, serialNumber, ca } =
-        await server.services.certificateAuthority.renewCaCert({
+        await server.services.internalCertificateAuthority.renewCaCert({
           caId: req.params.caId,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -408,7 +422,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { caCerts, ca } = await server.services.certificateAuthority.getCaCerts({
+      const { caCerts, ca } = await server.services.internalCertificateAuthority.getCaCerts({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -455,13 +469,14 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, serialNumber, ca } = await server.services.certificateAuthority.getCaCert({
-        caId: req.params.caId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
+      const { certificate, certificateChain, serialNumber, ca } =
+        await server.services.internalCertificateAuthority.getCaCert({
+          caId: req.params.caId,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId
+        });
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -517,7 +532,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
-        await server.services.certificateAuthority.signIntermediate({
+        await server.services.internalCertificateAuthority.signIntermediate({
           caId: req.params.caId,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -574,7 +589,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { ca } = await server.services.certificateAuthority.importCertToCa({
+      const { ca } = await server.services.internalCertificateAuthority.importCertToCa({
         caId: req.params.caId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -653,7 +668,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, privateKey, serialNumber, ca } =
-        await server.services.certificateAuthority.issueCertFromCa({
+        await server.services.internalCertificateAuthority.issueCertFromCa({
           caId: req.params.caId,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -746,7 +761,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
-        await server.services.certificateAuthority.signCertFromCa({
+        await server.services.internalCertificateAuthority.signCertFromCa({
           isInternal: false,
           caId: req.params.caId,
           actor: req.permission.type,
@@ -809,13 +824,15 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificateTemplates, ca } = await server.services.certificateAuthority.getCaCertificateTemplates({
-        caId: req.params.caId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
+      const { certificateTemplates, ca } = await server.services.internalCertificateAuthority.getCaCertificateTemplates(
+        {
+          caId: req.params.caId,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId
+        }
+      );
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,

backend/src/server/routes/v1/certificate-authority-routers/acme-certificate-authority-router.ts

@@ -0,0 +1,18 @@
+import {
+  AcmeCertificateAuthoritySchema,
+  CreateAcmeCertificateAuthoritySchema,
+  UpdateAcmeCertificateAuthoritySchema
+} from "@app/services/certificate-authority/acme/acme-certificate-authority-schemas";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+
+import { registerCertificateAuthorityEndpoints } from "./certificate-authority-endpoints";
+
+export const registerAcmeCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
+  registerCertificateAuthorityEndpoints({
+    caType: CaType.ACME,
+    server,
+    responseSchema: AcmeCertificateAuthoritySchema,
+    createSchema: CreateAcmeCertificateAuthoritySchema,
+    updateSchema: UpdateAcmeCertificateAuthoritySchema
+  });
+};

backend/src/server/routes/v1/certificate-authority-routers/certificate-authority-endpoints.ts

@@ -0,0 +1,258 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import {
+  TCertificateAuthority,
+  TCertificateAuthorityInput
+} from "@app/services/certificate-authority/certificate-authority-types";
+
+export const registerCertificateAuthorityEndpoints = <
+  T extends TCertificateAuthority,
+  I extends TCertificateAuthorityInput
+>({
+  server,
+  caType,
+  createSchema,
+  updateSchema,
+  responseSchema
+}: {
+  caType: CaType;
+  server: FastifyZodProvider;
+  createSchema: z.ZodType<{
+    name: string;
+    projectId: string;
+    status: CaStatus;
+    configuration: I["configuration"];
+    enableDirectIssuance: boolean;
+  }>;
+  updateSchema: z.ZodType<{
+    projectId: string;
+    name?: string;
+    status?: CaStatus;
+    configuration?: I["configuration"];
+    enableDirectIssuance?: boolean;
+  }>;
+  responseSchema: z.ZodTypeAny;
+}) => {
+  server.route({
+    method: "GET",
+    url: `/`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required")
+      }),
+      response: {
+        200: responseSchema.array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId }
+      } = req;
+
+      const certificateAuthorities = (await server.services.certificateAuthority.listCertificateAuthoritiesByProjectId(
+        { projectId, type: caType },
+        req.permission
+      )) as T[];
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_CAS,
+          metadata: {
+            caIds: certificateAuthorities.map((ca) => ca.id)
+          }
+        }
+      });
+
+      return certificateAuthorities;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:caName",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      params: z.object({
+        caName: z.string()
+      }),
+      querystring: z.object({
+        projectId: z.string().uuid()
+      }),
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { caName } = req.params;
+      const { projectId } = req.query;
+
+      const certificateAuthority =
+        (await server.services.certificateAuthority.findCertificateAuthorityByNameAndProjectId(
+          { caName, type: caType, projectId },
+          req.permission
+        )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.GET_CA,
+          metadata: {
+            caId: certificateAuthority.id,
+            name: certificateAuthority.name
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      body: createSchema,
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const certificateAuthority = (await server.services.certificateAuthority.createCertificateAuthority(
+        { ...req.body, type: caType },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.CREATE_CA,
+          metadata: {
+            name: certificateAuthority.name,
+            caId: certificateAuthority.id
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:caName",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      params: z.object({
+        caName: z.string()
+      }),
+      body: updateSchema,
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { caName } = req.params;
+
+      const certificateAuthority = (await server.services.certificateAuthority.updateCertificateAuthority(
+        {
+          ...req.body,
+          type: caType,
+          caName
+        },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.UPDATE_CA,
+          metadata: {
+            name: certificateAuthority.name,
+            caId: certificateAuthority.id,
+            status: certificateAuthority.status
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:caName",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateAuthorities],
+      params: z.object({
+        caName: z.string()
+      }),
+      body: z.object({
+        projectId: z.string().uuid()
+      }),
+      response: {
+        200: responseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { caName } = req.params;
+      const { projectId } = req.body;
+
+      const certificateAuthority = (await server.services.certificateAuthority.deleteCertificateAuthority(
+        { caName, type: caType, projectId },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: certificateAuthority.projectId,
+        event: {
+          type: EventType.DELETE_CA,
+          metadata: {
+            name: certificateAuthority.name,
+            caId: certificateAuthority.id
+          }
+        }
+      });
+
+      return certificateAuthority;
+    }
+  });
+};

backend/src/server/routes/v1/certificate-authority-routers/index.ts

@@ -0,0 +1,12 @@
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+
+import { registerAcmeCertificateAuthorityRouter } from "./acme-certificate-authority-router";
+import { registerInternalCertificateAuthorityRouter } from "./internal-certificate-authority-router";
+
+export * from "./internal-certificate-authority-router";
+
+export const CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP: Record<CaType, (server: FastifyZodProvider) => Promise<void>> =
+  {
+    [CaType.INTERNAL]: registerInternalCertificateAuthorityRouter,
+    [CaType.ACME]: registerAcmeCertificateAuthorityRouter
+  };

backend/src/server/routes/v1/certificate-authority-routers/internal-certificate-authority-router.ts

@@ -0,0 +1,18 @@
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import {
+  CreateInternalCertificateAuthoritySchema,
+  InternalCertificateAuthoritySchema,
+  UpdateInternalCertificateAuthoritySchema
+} from "@app/services/certificate-authority/internal/internal-certificate-authority-schemas";
+
+import { registerCertificateAuthorityEndpoints } from "./certificate-authority-endpoints";
+
+export const registerInternalCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
+  registerCertificateAuthorityEndpoints({
+    caType: CaType.INTERNAL,
+    server,
+    responseSchema: InternalCertificateAuthoritySchema,
+    createSchema: CreateInternalCertificateAuthoritySchema,
+    updateSchema: UpdateInternalCertificateAuthoritySchema
+  });
+};

backend/src/server/routes/v1/certificate-router.ts

@@ -39,7 +39,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { cert, ca } = await server.services.certificate.getCert({
+      const { cert } = await server.services.certificate.getCert({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -49,7 +49,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT,
           metadata: {
@@ -86,7 +86,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req, reply) => {
-      const { ca, cert, certPrivateKey } = await server.services.certificate.getCertPrivateKey({
+      const { cert, certPrivateKey } = await server.services.certificate.getCertPrivateKey({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -96,7 +96,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT_PRIVATE_KEY,
           metadata: {
@@ -138,7 +138,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req, reply) => {
-      const { certificate, certificateChain, serialNumber, cert, ca, privateKey } =
+      const { certificate, certificateChain, serialNumber, cert, privateKey } =
         await server.services.certificate.getCertBundle({
           serialNumber: req.params.serialNumber,
           actor: req.permission.type,
@@ -149,7 +149,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT_BUNDLE,
           metadata: {
@@ -242,7 +242,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, privateKey, serialNumber, ca } =
-        await server.services.certificateAuthority.issueCertFromCa({
+        await server.services.internalCertificateAuthority.issueCertFromCa({
           actor: req.permission.type,
           actorId: req.permission.id,
           actorAuthMethod: req.permission.authMethod,
@@ -284,6 +284,68 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/import-certificate",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificates],
+      description: "Import certificate",
+      body: z.object({
+        projectSlug: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.projectSlug),
+
+        certificatePem: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.certificatePem),
+        privateKeyPem: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.privateKeyPem),
+        chainPem: z.string().trim().min(1).describe(CERTIFICATES.IMPORT.chainPem),
+
+        friendlyName: z.string().trim().optional().describe(CERTIFICATES.IMPORT.friendlyName),
+        pkiCollectionId: z.string().trim().optional().describe(CERTIFICATES.IMPORT.pkiCollectionId)
+      }),
+      response: {
+        200: z.object({
+          certificate: z.string().trim().describe(CERTIFICATES.IMPORT.certificate),
+          certificateChain: z.string().trim().describe(CERTIFICATES.IMPORT.certificateChain),
+          privateKey: z.string().trim().describe(CERTIFICATES.IMPORT.privateKey),
+          serialNumber: z.string().trim().describe(CERTIFICATES.IMPORT.serialNumber)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { certificate, certificateChain, privateKey, serialNumber, cert } =
+        await server.services.certificate.importCert({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          ...req.body
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: cert.projectId,
+        event: {
+          type: EventType.IMPORT_CERT,
+          metadata: {
+            certId: cert.id,
+            cn: cert.commonName,
+            serialNumber
+          }
+        }
+      });
+
+      return {
+        certificate,
+        certificateChain,
+        privateKey,
+        serialNumber
+      };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/sign-certificate",
@@ -355,7 +417,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
     },
     handler: async (req) => {
       const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
-        await server.services.certificateAuthority.signCertFromCa({
+        await server.services.internalCertificateAuthority.signCertFromCa({
           isInternal: false,
           actor: req.permission.type,
           actorId: req.permission.id,
@@ -474,7 +536,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { deletedCert, ca } = await server.services.certificate.deleteCert({
+      const { deletedCert } = await server.services.certificate.deleteCert({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -484,7 +546,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: deletedCert.projectId,
         event: {
           type: EventType.DELETE_CERT,
           metadata: {
@@ -524,7 +586,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, serialNumber, cert, ca } = await server.services.certificate.getCertBody({
+      const { certificate, certificateChain, serialNumber, cert } = await server.services.certificate.getCertBody({
         serialNumber: req.params.serialNumber,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -534,7 +596,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        projectId: ca.projectId,
+        projectId: cert.projectId,
         event: {
           type: EventType.GET_CERT_BODY,
           metadata: {

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -47,8 +47,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { identityUa, accessToken, identityAccessToken, validClientSecretInfo, identityMembershipOrg } =
-        await server.services.identityUa.login(req.body.clientId, req.body.clientSecret, req.realIp);
+      const {
+        identityUa,
+        accessToken,
+        identityAccessToken,
+        validClientSecretInfo,
+        identityMembershipOrg,
+        accessTokenTTL,
+        accessTokenMaxTTL
+      } = await server.services.identityUa.login(req.body.clientId, req.body.clientSecret, req.realIp);
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -63,11 +70,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           }
         }
       });
+
       return {
         accessToken,
         tokenType: "Bearer" as const,
-        expiresIn: identityUa.accessTokenTTL,
-        accessTokenMaxTTL: identityUa.accessTokenMaxTTL
+        expiresIn: accessTokenTTL,
+        accessTokenMaxTTL
       };
     }
   });
@@ -128,7 +136,8 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             .int()
             .min(0)
             .default(0)
-            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit),
+          accessTokenPeriod: z.number().int().min(0).default(0).describe(UNIVERSAL_AUTH.ATTACH.accessTokenPeriod)
         })
         .refine(
           (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
@@ -227,7 +236,14 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
             .min(0)
             .max(315360000)
             .optional()
-            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL),
+          accessTokenPeriod: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenPeriod)
         })
         .refine(
           (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),

backend/src/server/routes/v1/index.ts

@@ -10,6 +10,7 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerCaRouter } from "./certificate-authority-router";
+import { CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP } from "./certificate-authority-routers";
 import { registerCertRouter } from "./certificate-router";
 import { registerCertificateTemplateRouter } from "./certificate-template-router";
 import { registerExternalGroupOrgRoleMappingRouter } from "./external-group-org-role-mapping-router";
@@ -104,6 +105,16 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(
     async (pkiRouter) => {
       await pkiRouter.register(registerCaRouter, { prefix: "/ca" });
+      await pkiRouter.register(
+        async (caRouter) => {
+          for await (const [caType, router] of Object.entries(CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP)) {
+            await caRouter.register(router, { prefix: `/${caType}` });
+          }
+        },
+        {
+          prefix: "/ca"
+        }
+      );
       await pkiRouter.register(registerCertRouter, { prefix: "/certificates" });
       await pkiRouter.register(registerCertificateTemplateRouter, { prefix: "/certificate-templates" });
       await pkiRouter.register(registerPkiAlertRouter, { prefix: "/alerts" });