Update release_build_infisical_cli.yml

Add QUIC to gateway

.github/workflows/release_build_infisical_cli.yml

@@ -26,7 +26,7 @@ jobs:
             CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
     npm-release:
-        runs-on: ubuntu-20.04
+        runs-on: ubuntu-latest
         env:
             working-directory: ./npm
         needs:
@@ -83,7 +83,7 @@ jobs:
                   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     goreleaser:
-        runs-on: ubuntu-20.04
+        runs-on: ubuntu-latest
         needs: [cli-integration-tests]
         steps:
             - uses: actions/checkout@v3

Dockerfile.standalone-infisical

@@ -3,13 +3,10 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
 
-FROM  node:20-alpine AS base
+FROM node:20-slim AS base
 
 FROM base AS frontend-dependencies
 
-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
-
 WORKDIR /app
 
 COPY frontend/package.json frontend/package-lock.json  ./
@@ -45,8 +42,8 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app
 
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
@@ -56,21 +53,23 @@ USER non-root-user
 ## BACKEND
 ##
 FROM base AS backend-build
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
 
 WORKDIR /app
 
 # Install all required dependencies for build
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
-    freetds-dev
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -86,18 +85,19 @@ FROM base AS backend-runner
 WORKDIR /app
 
 # Install all required dependencies for runtime
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
-    freetds-dev
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -109,34 +109,35 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 
-RUN apk add --upgrade --no-cache ca-certificates
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.31.1 && apk add --no-cache git
-
-WORKDIR /
-
-# Install all required runtime dependencies
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    bash \
+    curl \
+    git \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
     freetds-dev \
-    bash \
-    curl \
-    git \
-    openssh
+    openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
 
 # Configure ODBC in production
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 # Setup user permissions
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs \
+  && useradd --system --uid 1001 --gid nodejs non-root-user
 
 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@@ -154,9 +155,7 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-
 COPY --from=backend-runner /app /backend
-
 COPY --from=frontend-runner /app ./backend/frontend-build
 
 ARG INFISICAL_PLATFORM_VERSION

backend/Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:20-slim
 
 # ? Setup a test SoftHSM module. In production a real HSM is used.
 
@@ -7,32 +7,32 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
     SOFTHSM2_SOURCES=/tmp/softhsm2
 
-# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
-RUN apk --update add \
-        alpine-sdk \
-        autoconf \
-        automake \
-        git \
-        libtool \
-        openssl-dev \
-        python3 \
-        make \
-        g++ \
-        openssh
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
 
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
-
-# build and install SoftHSM2
-
+# Build and install SoftHSM2
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}
 
@@ -45,16 +45,18 @@ RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}
 
-# install pkcs11-tool
-RUN apk --update add opensc
+# Install pkcs11-tool
+RUN apt-get install -y opensc
 
-RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
 
 # ? App setup
 
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1
 
 WORKDIR /app
 

backend/package.json

@@ -145,6 +145,7 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
+    "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^4.0.4",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/plugin-retry": "^5.0.5",
@@ -152,10 +153,10 @@
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
     "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
     "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
     "@opentelemetry/exporter-prometheus": "^0.55.0",
     "@opentelemetry/instrumentation": "^0.55.0",
+    "@opentelemetry/instrumentation-http": "^0.57.2",
     "@opentelemetry/resources": "^1.28.0",
     "@opentelemetry/sdk-metrics": "^1.28.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",

backend/src/db/migrations/20250226021631_secret-requests.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (!hasSharingTypeColumn) {
+      table.string("type", 32).defaultTo(SecretSharingType.Share).notNullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (hasSharingTypeColumn) {
+      table.dropColumn("type");
+    }
+  });
+}

backend/src/db/migrations/20250303213350_add-folder-description.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/schemas/secret-folders.ts

@@ -15,7 +15,8 @@ export const SecretFoldersSchema = z.object({
   updatedAt: z.date(),
   envId: z.string().uuid(),
   parentId: z.string().uuid().nullable().optional(),
-  isReserved: z.boolean().default(false).nullable().optional()
+  isReserved: z.boolean().default(false).nullable().optional(),
+  description: z.string().nullable().optional()
 });
 
 export type TSecretFolders = z.infer<typeof SecretFoldersSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -12,6 +12,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretSharingSchema = z.object({
   id: z.string().uuid(),
   encryptedValue: z.string().nullable().optional(),
+  type: z.string(),
   iv: z.string().nullable().optional(),
   tag: z.string().nullable().optional(),
   hashedHex: z.string().nullable().optional(),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -235,7 +235,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
   const tagSchema = SecretTagsSchema.pick({
     id: true,
     slug: true,
-    name: true,
     color: true
   })
     .array()

backend/src/ee/routes/v1/snapshot-router.ts

@@ -35,7 +35,6 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
                 tags: SecretTagsSchema.pick({
                   id: true,
                   slug: true,
-                  name: true,
                   color: true
                 }).array()
               })

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -250,6 +250,7 @@ export enum EventType {
   UPDATE_APP_CONNECTION = "update-app-connection",
   DELETE_APP_CONNECTION = "delete-app-connection",
   CREATE_SHARED_SECRET = "create-shared-secret",
+  CREATE_SECRET_REQUEST = "create-secret-request",
   DELETE_SHARED_SECRET = "delete-shared-secret",
   READ_SHARED_SECRET = "read-shared-secret",
   GET_SECRET_SYNCS = "get-secret-syncs",
@@ -1141,6 +1142,7 @@ interface CreateFolderEvent {
     folderId: string;
     folderName: string;
     folderPath: string;
+    description?: string;
   };
 }
 
@@ -2020,6 +2022,15 @@ interface CreateSharedSecretEvent {
   };
 }
 
+interface CreateSecretRequestEvent {
+  type: EventType.CREATE_SECRET_REQUEST;
+  metadata: {
+    id: string;
+    accessType: string;
+    name?: string;
+  };
+}
+
 interface DeleteSharedSecretEvent {
   type: EventType.DELETE_SHARED_SECRET;
   metadata: {
@@ -2470,4 +2481,5 @@ export type Event =
   | KmipOperationActivateEvent
   | KmipOperationRevokeEvent
   | KmipOperationLocateEvent
-  | KmipOperationRegisterEvent;
+  | KmipOperationRegisterEvent
+  | CreateSecretRequestEvent;

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -86,7 +86,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         tlsOptions: {
           ca: relayDetails.certChain,
           cert: relayDetails.certificate,
-          key: relayDetails.privateKey
+          key: relayDetails.privateKey.toString()
         }
       }
     );

backend/src/ee/services/gateway/gateway-service.ts

@@ -474,7 +474,7 @@ export const gatewayServiceFactory = ({
       relayHost,
       relayPort: Number(relayPort),
       tlsOptions: {
-        key: privateKey,
+        key: privateKey.toString(),
         ca: `${gatewayCaCert.toString("pem")}\n${rootCaCert.toString("pem")}`.trim(),
         cert: clientCert.toString("pem")
       },

backend/src/ee/services/ssh-certificate/ssh-certificate-schema.ts

@@ -6,7 +6,6 @@ export const sanitizedSshCertificate = SshCertificatesSchema.pick({
   sshCertificateTemplateId: true,
   serialNumber: true,
   certType: true,
-  publicKey: true,
   principals: true,
   keyId: true,
   notBefore: true,

backend/src/lib/api-docs/constants.ts

@@ -638,7 +638,8 @@ export const FOLDERS = {
     environment: "The slug of the environment to create the folder in.",
     name: "The name of the folder to create.",
     path: "The path of the folder to create.",
-    directory: "The directory of the folder to create. (Deprecated in favor of path)"
+    directory: "The directory of the folder to create. (Deprecated in favor of path)",
+    description: "An optional description label for the folder."
   },
   UPDATE: {
     folderId: "The ID of the folder to update.",
@@ -647,7 +648,8 @@ export const FOLDERS = {
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
     projectSlug: "The slug of the project where the folder is located.",
-    workspaceId: "The ID of the project where the folder is located."
+    workspaceId: "The ID of the project where the folder is located.",
+    description: "An optional description label for the folder."
   },
   DELETE: {
     folderIdOrName: "The ID or name of the folder to delete.",

backend/src/lib/gateway/index.ts

@@ -1,6 +1,8 @@
 /* eslint-disable no-await-in-loop */
+import crypto from "node:crypto";
 import net from "node:net";
-import tls from "node:tls";
+
+import quic from "@infisical/quic";
 
 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -8,34 +10,71 @@ import { logger } from "../logger";
 const DEFAULT_MAX_RETRIES = 3;
 const DEFAULT_RETRY_DELAY = 1000; // 1 second
 
-const createTLSConnection = (relayHost: string, relayPort: number, tlsOptions: tls.TlsOptions = {}) => {
-  return new Promise<tls.TLSSocket>((resolve, reject) => {
-    // @ts-expect-error this is resolved in next connect
-    const socket = new tls.TLSSocket(null, {
-      rejectUnauthorized: true,
-      ...tlsOptions
-    });
-
-    const cleanup = () => {
-      socket.removeAllListeners();
-      socket.end();
-    };
-
-    socket.once("error", (err) => {
-      cleanup();
-      reject(err);
-    });
-
-    socket.connect(relayPort, relayHost, () => {
-      resolve(socket);
-    });
+const parseSubjectDetails = (data: string) => {
+  const values: Record<string, string> = {};
+  data.split("\n").forEach((el) => {
+    const [key, value] = el.split("=");
+    values[key.trim()] = value.trim();
   });
+  return values;
+};
+
+type TTlsOption = { ca: string; cert: string; key: string };
+
+const createQuicConnection = async (
+  relayHost: string,
+  relayPort: number,
+  tlsOptions: TTlsOption,
+  identityId: string,
+  orgId: string
+) => {
+  const client = await quic.QUICClient.createQUICClient({
+    host: relayHost,
+    port: relayPort,
+    config: {
+      ca: tlsOptions.ca,
+      cert: tlsOptions.cert,
+      key: tlsOptions.key,
+      applicationProtos: ["infisical-gateway"],
+      verifyPeer: true,
+      verifyCallback: async (certs) => {
+        if (!certs || certs.length === 0) return quic.native.CryptoError.CertificateRequired;
+        const serverCertificate = new crypto.X509Certificate(Buffer.from(certs[0]));
+        const caCertificate = new crypto.X509Certificate(tlsOptions.ca);
+        const isValidServerCertificate = serverCertificate.checkIssued(caCertificate);
+        if (!isValidServerCertificate) return quic.native.CryptoError.BadCertificate;
+
+        const subjectDetails = parseSubjectDetails(serverCertificate.subject);
+        if (subjectDetails.OU !== "Gateway" || subjectDetails.CN !== identityId || subjectDetails.O !== orgId) {
+          return quic.native.CryptoError.CertificateUnknown;
+        }
+
+        if (new Date() > new Date(serverCertificate.validTo) || new Date() < new Date(serverCertificate.validFrom)) {
+          return quic.native.CryptoError.CertificateExpired;
+        }
+
+        const formatedRelayHost =
+          process.env.NODE_ENV === "development" ? relayHost.replace("host.docker.internal", "127.0.0.1") : relayHost;
+        if (!serverCertificate.checkIP(formatedRelayHost)) return quic.native.CryptoError.BadCertificate;
+      },
+      maxIdleTimeout: 90000,
+      keepAliveIntervalTime: 30000
+    },
+    crypto: {
+      ops: {
+        randomBytes: async (data) => {
+          crypto.getRandomValues(new Uint8Array(data));
+        }
+      }
+    }
+  });
+  return client;
 };
 
 type TPingGatewayAndVerifyDTO = {
   relayHost: string;
   relayPort: number;
-  tlsOptions: tls.TlsOptions;
+  tlsOptions: TTlsOption;
   maxRetries?: number;
   identityId: string;
   orgId: string;
@@ -44,56 +83,44 @@ type TPingGatewayAndVerifyDTO = {
 export const pingGatewayAndVerify = async ({
   relayHost,
   relayPort,
-  tlsOptions = {},
+  tlsOptions,
   maxRetries = DEFAULT_MAX_RETRIES,
   identityId,
   orgId
 }: TPingGatewayAndVerifyDTO) => {
   let lastError: Error | null = null;
-
+  const quicClient = await createQuicConnection(relayHost, relayPort, tlsOptions, identityId, orgId).catch((err) => {
+    throw new BadRequestError({
+      error: err as Error
+    });
+  });
   for (let attempt = 1; attempt <= maxRetries; attempt += 1) {
     try {
-      const socket = await createTLSConnection(relayHost, relayPort, tlsOptions);
-      socket.setTimeout(2000);
+      const stream = quicClient.connection.newStream("bidi");
+      const pingWriter = stream.writable.getWriter();
+      await pingWriter.write(Buffer.from("PING\n"));
+      pingWriter.releaseLock();
 
-      const pingResult = await new Promise((resolve, reject) => {
-        socket.once("timeout", () => {
-          socket.destroy();
-          reject(new Error("Timeout"));
+      // Read PONG response
+      const reader = stream.readable.getReader();
+      const { value, done } = await reader.read();
+
+      if (done) {
+        throw new BadRequestError({
+          message: "Gateway closed before receiving PONG"
         });
-        socket.once("close", () => {
-          socket.destroy();
+      }
+
+      const response = Buffer.from(value).toString();
+
+      if (response !== "PONG\n" && response !== "PONG") {
+        throw new BadRequestError({
+          message: `Failed to Ping. Unexpected response: ${response}`
         });
+      }
 
-        socket.once("end", () => {
-          socket.destroy();
-        });
-        socket.once("error", (err) => {
-          reject(err);
-        });
-
-        socket.write(Buffer.from("PING\n"), () => {
-          socket.once("data", (data) => {
-            const response = (data as string).toString();
-            const certificate = socket.getPeerCertificate();
-
-            if (certificate.subject.CN !== identityId || certificate.subject.O !== orgId) {
-              throw new BadRequestError({
-                message: `Invalid gateway. Certificate not found for ${identityId} in organization ${orgId}`
-              });
-            }
-
-            if (response === "PONG") {
-              resolve(true);
-            } else {
-              reject(new Error(`Unexpected response: ${response}`));
-            }
-          });
-        });
-      });
-
-      socket.end();
-      return pingResult;
+      reader.releaseLock();
+      return;
     } catch (err) {
       lastError = err as Error;
 
@@ -102,6 +129,8 @@ export const pingGatewayAndVerify = async ({
           setTimeout(resolve, DEFAULT_RETRY_DELAY);
         });
       }
+    } finally {
+      await quicClient.destroy();
     }
   }
 
@@ -114,76 +143,125 @@ export const pingGatewayAndVerify = async ({
 interface TProxyServer {
   server: net.Server;
   port: number;
-  cleanup: () => void;
+  cleanup: () => Promise<void>;
 }
 
-const setupProxyServer = ({
+const setupProxyServer = async ({
   targetPort,
   targetHost,
-  tlsOptions = {},
+  tlsOptions,
   relayHost,
-  relayPort
+  relayPort,
+  identityId,
+  orgId
 }: {
   targetHost: string;
   targetPort: number;
   relayPort: number;
   relayHost: string;
-  tlsOptions: tls.TlsOptions;
+  tlsOptions: TTlsOption;
+  identityId: string;
+  orgId: string;
 }): Promise<TProxyServer> => {
+  const quicClient = await createQuicConnection(relayHost, relayPort, tlsOptions, identityId, orgId).catch((err) => {
+    throw new BadRequestError({
+      error: err as Error
+    });
+  });
+
   return new Promise((resolve, reject) => {
     const server = net.createServer();
 
     // eslint-disable-next-line @typescript-eslint/no-misused-promises
-    server.on("connection", async (clientSocket) => {
+    server.on("connection", async (clientConn) => {
       try {
-        const targetSocket = await createTLSConnection(relayHost, relayPort, tlsOptions);
+        clientConn.setKeepAlive(true, 30000); // 30 seconds
+        clientConn.setNoDelay(true);
 
-        targetSocket.write(Buffer.from(`FORWARD-TCP ${targetHost}:${targetPort}\n`), () => {
-          clientSocket.on("data", (data) => {
-            const flushed = targetSocket.write(data);
-            if (!flushed) {
-              clientSocket.pause();
-              targetSocket.once("drain", () => {
-                clientSocket.resume();
-              });
-            }
-          });
+        const stream = quicClient.connection.newStream("bidi");
+        // Send FORWARD-TCP command
+        const forwardWriter = stream.writable.getWriter();
+        await forwardWriter.write(Buffer.from(`FORWARD-TCP ${targetHost}:${targetPort}\n`));
+        forwardWriter.releaseLock();
+        /* eslint-disable @typescript-eslint/no-misused-promises */
+        // Set up bidirectional copy
+        const setupCopy = async () => {
+          // Client to QUIC
+          // eslint-disable-next-line
+          (async () => {
+            try {
+              const writer = stream.writable.getWriter();
 
-          targetSocket.on("data", (data) => {
-            const flushed = clientSocket.write(data as string);
-            if (!flushed) {
-              targetSocket.pause();
-              clientSocket.once("drain", () => {
-                targetSocket.resume();
+              // Create a handler for client data
+              clientConn.on("data", async (chunk) => {
+                await writer.write(chunk);
               });
+
+              // Handle client connection close
+              clientConn.on("end", async () => {
+                await writer.close();
+              });
+
+              clientConn.on("error", async (err) => {
+                await writer.abort(err);
+              });
+            } catch (err) {
+              clientConn.destroy();
             }
-          });
+          })();
+
+          // QUIC to Client
+          void (async () => {
+            try {
+              const reader = stream.readable.getReader();
+
+              let reading = true;
+              while (reading) {
+                const { value, done } = await reader.read();
+
+                if (done) {
+                  reading = false;
+                  clientConn.end(); // Close client connection when QUIC stream ends
+                  break;
+                }
+
+                // Write data to TCP client
+                const canContinue = clientConn.write(Buffer.from(value));
+
+                // Handle backpressure
+                if (!canContinue) {
+                  await new Promise((res) => {
+                    clientConn.once("drain", res);
+                  });
+                }
+              }
+            } catch (err) {
+              clientConn.destroy();
+            }
+          })();
+        };
+        await setupCopy();
+        //
+        // Handle connection closure
+        clientConn.on("close", async () => {
+          await stream.destroy();
         });
 
-        const cleanup = () => {
-          clientSocket?.unpipe();
-          clientSocket?.end();
-          targetSocket?.unpipe();
-          targetSocket?.end();
+        const cleanup = async () => {
+          clientConn?.destroy();
+          await stream.destroy();
         };
 
-        clientSocket.on("error", (err) => {
+        clientConn.on("error", (err) => {
           logger.error(err, "Client socket error");
-          cleanup();
+          void cleanup();
           reject(err);
         });
 
-        targetSocket.on("error", (err) => {
-          logger.error(err, "Target socket error");
-          cleanup();
-          reject(err);
-        });
-
-        clientSocket.on("end", cleanup);
-        targetSocket.on("end", cleanup);
+        clientConn.on("end", cleanup);
       } catch (err) {
         logger.error(err, "Failed to establish target connection:");
-        clientSocket.end();
+        clientConn.end();
         reject(err);
       }
     });
@@ -192,6 +270,12 @@ const setupProxyServer = ({
       reject(err);
     });
 
+    server.on("close", async () => {
+      await quicClient?.destroy();
+    });
+
+    /* eslint-enable */
+
     server.listen(0, () => {
       const address = server.address();
       if (!address || typeof address === "string") {
@@ -204,8 +288,9 @@ const setupProxyServer = ({
       resolve({
         server,
         port: address.port,
-        cleanup: () => {
+        cleanup: async () => {
           server.close();
+          await quicClient?.destroy();
         }
       });
     });
@@ -217,8 +302,7 @@ interface ProxyOptions {
   targetPort: number;
   relayHost: string;
   relayPort: number;
-  tlsOptions?: tls.TlsOptions;
-  maxRetries?: number;
+  tlsOptions: TTlsOption;
   identityId: string;
   orgId: string;
 }
@@ -227,30 +311,19 @@ export const withGatewayProxy = async (
   callback: (port: number) => Promise<void>,
   options: ProxyOptions
 ): Promise<void> => {
-  const {
-    relayHost,
-    relayPort,
+  const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;
+
+  // Setup the proxy server
+  const { port, cleanup } = await setupProxyServer({
     targetHost,
     targetPort,
-    tlsOptions = {},
-    maxRetries = DEFAULT_MAX_RETRIES,
-    identityId,
-    orgId
-  } = options;
-
-  // First, try to ping the gateway
-  await pingGatewayAndVerify({
-    relayHost,
     relayPort,
+    relayHost,
     tlsOptions,
-    maxRetries,
     identityId,
     orgId
   });
 
-  // Setup the proxy server
-  const { port, cleanup } = await setupProxyServer({ targetHost, targetPort, relayPort, relayHost, tlsOptions });
-
   try {
     // Execute the callback with the allocated port
     await callback(port);
@@ -259,6 +332,6 @@ export const withGatewayProxy = async (
     throw new BadRequestError({ message: (err as Error)?.message });
   } finally {
     // Ensure cleanup happens regardless of success or failure
-    cleanup();
+    await cleanup();
   }
 };

backend/src/lib/telemetry/instrumentation.ts

@@ -1,8 +1,8 @@
 import opentelemetry, { diag, DiagConsoleLogger, DiagLogLevel } from "@opentelemetry/api";
-import { getNodeAutoInstrumentations } from "@opentelemetry/auto-instrumentations-node";
 import { OTLPMetricExporter } from "@opentelemetry/exporter-metrics-otlp-proto";
 import { PrometheusExporter } from "@opentelemetry/exporter-prometheus";
 import { registerInstrumentations } from "@opentelemetry/instrumentation";
+import { HttpInstrumentation } from "@opentelemetry/instrumentation-http";
 import { Resource } from "@opentelemetry/resources";
 import { AggregationTemporality, MeterProvider, PeriodicExportingMetricReader } from "@opentelemetry/sdk-metrics";
 import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from "@opentelemetry/semantic-conventions";
@@ -70,7 +70,7 @@ const initTelemetryInstrumentation = ({
   opentelemetry.metrics.setGlobalMeterProvider(meterProvider);
 
   registerInstrumentations({
-    instrumentations: [getNodeAutoInstrumentations()]
+    instrumentations: [new HttpInstrumentation()]
   });
 };
 

backend/src/server/routes/index.ts

@@ -1096,7 +1096,9 @@ export const registerRoutes = async (
     permissionService,
     secretSharingDAL,
     orgDAL,
-    kmsService
+    kmsService,
+    smtpService,
+    userDAL
   });
 
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({

backend/src/server/routes/v1/index.ts

@@ -37,6 +37,7 @@ import { registerProjectMembershipRouter } from "./project-membership-router";
 import { registerProjectRouter } from "./project-router";
 import { registerSecretFolderRouter } from "./secret-folder-router";
 import { registerSecretImportRouter } from "./secret-import-router";
+import { registerSecretRequestsRouter } from "./secret-requests-router";
 import { registerSecretSharingRouter } from "./secret-sharing-router";
 import { registerSecretTagRouter } from "./secret-tag-router";
 import { registerSlackRouter } from "./slack-router";
@@ -110,7 +111,15 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerIntegrationAuthRouter, { prefix: "/integration-auth" });
   await server.register(registerWebhookRouter, { prefix: "/webhooks" });
   await server.register(registerIdentityRouter, { prefix: "/identities" });
-  await server.register(registerSecretSharingRouter, { prefix: "/secret-sharing" });
+
+  await server.register(
+    async (secretSharingRouter) => {
+      await secretSharingRouter.register(registerSecretSharingRouter, { prefix: "/shared" });
+      await secretSharingRouter.register(registerSecretRequestsRouter, { prefix: "/requests" });
+    },
+    { prefix: "/secret-sharing" }
+  );
+
   await server.register(registerUserEngagementRouter, { prefix: "/user-engagement" });
   await server.register(registerDashboardRouter, { prefix: "/dashboard" });
   await server.register(registerCmekRouter, { prefix: "/kms" });

backend/src/server/routes/v1/secret-folder-router.ts

@@ -47,7 +47,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .default("/")
           .transform(prefixWithSlash)
           .transform(removeTrailingSlash)
-          .describe(FOLDERS.CREATE.directory)
+          .describe(FOLDERS.CREATE.directory),
+        description: z.string().optional().nullable().describe(FOLDERS.CREATE.description)
       }),
       response: {
         200: z.object({
@@ -65,7 +66,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectId: req.body.workspaceId,
-        path
+        path,
+        description: req.body.description
       });
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -76,7 +78,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
             environment: req.body.environment,
             folderId: folder.id,
             folderName: folder.name,
-            folderPath: path
+            folderPath: path,
+            ...(req.body.description ? { description: req.body.description } : {})
           }
         }
       });
@@ -125,7 +128,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .default("/")
           .transform(prefixWithSlash)
           .transform(removeTrailingSlash)
-          .describe(FOLDERS.UPDATE.directory)
+          .describe(FOLDERS.UPDATE.directory),
+        description: z.string().optional().nullable().describe(FOLDERS.UPDATE.description)
       }),
       response: {
         200: z.object({
@@ -196,7 +200,8 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
               .default("/")
               .transform(prefixWithSlash)
               .transform(removeTrailingSlash)
-              .describe(FOLDERS.UPDATE.path)
+              .describe(FOLDERS.UPDATE.path),
+            description: z.string().optional().nullable().describe(FOLDERS.UPDATE.description)
           })
           .array()
           .min(1)

backend/src/server/routes/v1/secret-requests-router.ts

@@ -0,0 +1,270 @@
+import { z } from "zod";
+
+import { SecretSharingSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SecretSharingAccessType } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+export const registerSecretRequestsRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          secretRequest: SecretSharingSchema.omit({
+            encryptedSecret: true,
+            tag: true,
+            iv: true,
+            encryptedValue: true
+          }).extend({
+            isSecretValueSet: z.boolean(),
+            requester: z.object({
+              organizationName: z.string(),
+              firstName: z.string().nullish(),
+              lastName: z.string().nullish(),
+              username: z.string()
+            })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const secretRequest = await req.server.services.secretSharing.getSecretRequestById({
+        id: req.params.id,
+        actorOrgId: req.permission?.orgId,
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorAuthMethod: req.permission?.authMethod
+      });
+
+      return { secretRequest };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:id/set-value",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        secretValue: z.string()
+      }),
+      response: {
+        200: z.object({
+          secretRequest: SecretSharingSchema.omit({
+            encryptedSecret: true,
+            tag: true,
+            iv: true,
+            encryptedValue: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const secretRequest = await req.server.services.secretSharing.setSecretRequestValue({
+        id: req.params.id,
+        actorOrgId: req.permission?.orgId,
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorAuthMethod: req.permission?.authMethod,
+        secretValue: req.body.secretValue
+      });
+
+      return { secretRequest };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:id/reveal-value",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          secretRequest: SecretSharingSchema.omit({
+            encryptedSecret: true,
+            tag: true,
+            iv: true,
+            encryptedValue: true
+          }).extend({
+            secretValue: z.string()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const secretRequest = await req.server.services.secretSharing.revealSecretRequestValue({
+        id: req.params.id,
+        actorOrgId: req.permission.orgId,
+        orgId: req.permission.orgId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { secretRequest };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          secretRequest: SecretSharingSchema.omit({
+            encryptedSecret: true,
+            tag: true,
+            iv: true,
+            encryptedValue: true
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const secretRequest = await req.server.services.secretSharing.deleteSharedSecretById({
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorId: req.permission.id,
+        sharedSecretId: req.params.id,
+        orgId: req.permission.orgId,
+        actor: req.permission.type,
+        type: SecretSharingType.Request
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SecretRequestDeleted,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          secretRequestId: req.params.id,
+          organizationId: req.permission.orgId,
+          ...req.auditLogInfo
+        }
+      });
+      return { secretRequest };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        offset: z.coerce.number().min(0).max(100).default(0),
+        limit: z.coerce.number().min(1).max(100).default(25)
+      }),
+      response: {
+        200: z.object({
+          secrets: z.array(SecretSharingSchema),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { secrets, totalCount } = await req.server.services.secretSharing.getSharedSecrets({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        type: SecretSharingType.Request,
+        ...req.query
+      });
+
+      return {
+        secrets,
+        totalCount
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        name: z.string().max(50).optional(),
+        expiresAt: z.string(),
+        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization)
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const shareRequest = await req.server.services.secretSharing.createSecretRequest({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        orgId: req.permission.orgId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.CREATE_SECRET_REQUEST,
+          metadata: {
+            accessType: req.body.accessType,
+            name: req.body.name,
+            id: shareRequest.id
+          }
+        }
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SecretRequestCreated,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          secretRequestId: shareRequest.id,
+          organizationId: req.permission.orgId,
+          secretRequestName: req.body.name,
+          ...req.auditLogInfo
+        }
+      });
+
+      return { id: shareRequest.id };
+    }
+  });
+};

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -11,6 +11,7 @@ import {
 } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
 
 export const registerSecretSharingRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -38,6 +39,7 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
+        type: SecretSharingType.Share,
         ...req.query
       });
 
@@ -211,7 +213,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         orgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        sharedSecretId
+        sharedSecretId,
+        type: SecretSharingType.Share
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/services/resource-cleanup/resource-cleanup-queue.ts

@@ -20,7 +20,7 @@ type TDailyResourceCleanUpQueueServiceFactoryDep = {
   secretDAL: Pick<TSecretDALFactory, "pruneSecretReminders">;
   secretFolderVersionDAL: Pick<TSecretFolderVersionDALFactory, "pruneExcessVersions">;
   snapshotDAL: Pick<TSnapshotDALFactory, "pruneExcessSnapshots">;
-  secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets">;
+  secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets" | "pruneExpiredSecretRequests">;
   queueService: TQueueServiceFactory;
 };
 
@@ -45,6 +45,7 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
     await identityAccessTokenDAL.removeExpiredTokens();
     await identityUniversalAuthClientSecretDAL.removeExpiredClientSecrets();
     await secretSharingDAL.pruneExpiredSharedSecrets();
+    await secretSharingDAL.pruneExpiredSecretRequests();
     await snapshotDAL.pruneExcessSnapshots();
     await secretVersionDAL.pruneExcessVersions();
     await secretVersionV2DAL.pruneExcessVersions();

backend/src/services/secret-folder/secret-folder-service.ts

@@ -50,7 +50,8 @@ export const secretFolderServiceFactory = ({
     actorOrgId,
     name,
     environment,
-    path: secretPath
+    path: secretPath,
+    description
   }: TCreateFolderDTO) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -121,7 +122,10 @@ export const secretFolderServiceFactory = ({
         }
       }
 
-      const doc = await folderDAL.create({ name, envId: env.id, version: 1, parentId: parentFolderId }, tx);
+      const doc = await folderDAL.create(
+        { name, envId: env.id, version: 1, parentId: parentFolderId, description },
+        tx
+      );
       await folderVersionDAL.create(
         {
           name: doc.name,
@@ -170,7 +174,7 @@ export const secretFolderServiceFactory = ({
     const result = await folderDAL.transaction(async (tx) =>
       Promise.all(
         folders.map(async (newFolder) => {
-          const { environment, path: secretPath, id, name } = newFolder;
+          const { environment, path: secretPath, id, name, description } = newFolder;
 
           const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
           if (!parentFolder) {
@@ -217,7 +221,7 @@ export const secretFolderServiceFactory = ({
 
           const [doc] = await folderDAL.update(
             { envId: env.id, id: folder.id, parentId: parentFolder.id },
-            { name },
+            { name, description },
             tx
           );
           await folderVersionDAL.create(
@@ -259,7 +263,8 @@ export const secretFolderServiceFactory = ({
     name,
     environment,
     path: secretPath,
-    id
+    id,
+    description
   }: TUpdateFolderDTO) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -312,7 +317,7 @@ export const secretFolderServiceFactory = ({
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update(
         { envId: env.id, id: folder.id, parentId: parentFolder.id, isReserved: false },
-        { name },
+        { name, description },
         tx
       );
       await folderVersionDAL.create(

backend/src/services/secret-folder/secret-folder-types.ts

@@ -9,6 +9,7 @@ export type TCreateFolderDTO = {
   environment: string;
   path: string;
   name: string;
+  description?: string | null;
 } & TProjectPermission;
 
 export type TUpdateFolderDTO = {
@@ -16,6 +17,7 @@ export type TUpdateFolderDTO = {
   path: string;
   id: string;
   name: string;
+  description?: string | null;
 } & TProjectPermission;
 
 export type TUpdateManyFoldersDTO = {
@@ -25,6 +27,7 @@ export type TUpdateManyFoldersDTO = {
     path: string;
     id: string;
     name: string;
+    description?: string | null;
   }[];
 } & Omit<TProjectPermission, "projectId">;
 

backend/src/services/secret-sharing/secret-sharing-dal.ts

@@ -2,17 +2,61 @@ import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
 import { TableName, TSecretSharing } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { DatabaseError, NotFoundError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 
+import { SecretSharingType } from "./secret-sharing-types";
+
 export type TSecretSharingDALFactory = ReturnType<typeof secretSharingDALFactory>;
 
 export const secretSharingDALFactory = (db: TDbClient) => {
   const sharedSecretOrm = ormify(db, TableName.SecretSharing);
 
-  const countAllUserOrgSharedSecrets = async ({ orgId, userId }: { orgId: string; userId: string }) => {
+  const getSecretRequestById = async (id: string) => {
+    const repDb = db.replicaNode();
+
+    const secretRequest = await repDb(TableName.SecretSharing)
+      .leftJoin(TableName.Organization, `${TableName.Organization}.id`, `${TableName.SecretSharing}.orgId`)
+      .leftJoin(TableName.Users, `${TableName.Users}.id`, `${TableName.SecretSharing}.userId`)
+      .where(`${TableName.SecretSharing}.id`, id)
+      .where(`${TableName.SecretSharing}.type`, SecretSharingType.Request)
+      .select(
+        repDb.ref("name").withSchema(TableName.Organization).as("orgName"),
+        repDb.ref("firstName").withSchema(TableName.Users).as("requesterFirstName"),
+        repDb.ref("lastName").withSchema(TableName.Users).as("requesterLastName"),
+        repDb.ref("username").withSchema(TableName.Users).as("requesterUsername")
+      )
+      .select(selectAllTableCols(TableName.SecretSharing))
+      .first();
+
+    if (!secretRequest) {
+      throw new NotFoundError({
+        message: `Secret request with ID '${id}' not found`
+      });
+    }
+
+    return {
+      ...secretRequest,
+      requester: {
+        organizationName: secretRequest.orgName,
+        firstName: secretRequest.requesterFirstName,
+        lastName: secretRequest.requesterLastName,
+        username: secretRequest.requesterUsername
+      }
+    };
+  };
+
+  const countAllUserOrgSharedSecrets = async ({
+    orgId,
+    userId,
+    type
+  }: {
+    orgId: string;
+    userId: string;
+    type: SecretSharingType;
+  }) => {
     try {
       interface CountResult {
         count: string;
@@ -22,6 +66,7 @@ export const secretSharingDALFactory = (db: TDbClient) => {
         .replicaNode()(TableName.SecretSharing)
         .where(`${TableName.SecretSharing}.orgId`, orgId)
         .where(`${TableName.SecretSharing}.userId`, userId)
+        .where(`${TableName.SecretSharing}.type`, type)
         .count("*")
         .first();
 
@@ -38,6 +83,7 @@ export const secretSharingDALFactory = (db: TDbClient) => {
       const docs = await (tx || db)(TableName.SecretSharing)
         .where("expiresAt", "<", today)
         .andWhere("encryptedValue", "<>", "")
+        .andWhere("type", SecretSharingType.Share)
         .update({
           encryptedValue: "",
           tag: "",
@@ -50,6 +96,26 @@ export const secretSharingDALFactory = (db: TDbClient) => {
     }
   };
 
+  const pruneExpiredSecretRequests = async (tx?: Knex) => {
+    logger.info(`${QueueName.DailyResourceCleanUp}: pruning expired secret requests started`);
+    try {
+      const today = new Date();
+
+      const docs = await (tx || db)(TableName.SecretSharing)
+        .whereNotNull("expiresAt")
+        .andWhere("expiresAt", "<", today)
+        .andWhere("encryptedSecret", null)
+        .andWhere("type", SecretSharingType.Request)
+        .delete();
+
+      logger.info(`${QueueName.DailyResourceCleanUp}: pruning expired secret requests completed`);
+
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "pruneExpiredSecretRequests" });
+    }
+  };
+
   const findActiveSharedSecrets = async (filters: Partial<TSecretSharing>, tx?: Knex) => {
     try {
       const now = new Date();
@@ -57,6 +123,7 @@ export const secretSharingDALFactory = (db: TDbClient) => {
         .where(filters)
         .andWhere("expiresAt", ">", now)
         .andWhere("encryptedValue", "<>", "")
+        .andWhere("type", SecretSharingType.Share)
         .select(selectAllTableCols(TableName.SecretSharing))
         .orderBy("expiresAt", "asc");
     } catch (error) {
@@ -86,7 +153,9 @@ export const secretSharingDALFactory = (db: TDbClient) => {
     ...sharedSecretOrm,
     countAllUserOrgSharedSecrets,
     pruneExpiredSharedSecrets,
+    pruneExpiredSecretRequests,
     softDeleteById,
-    findActiveSharedSecrets
+    findActiveSharedSecrets,
+    getSecretRequestById
   };
 };

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -4,26 +4,36 @@ import bcrypt from "bcrypt";
 
 import { TSecretSharing } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { SecretSharingAccessType } from "@app/lib/types";
 import { isUuidV4 } from "@app/lib/validator";
 
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { TOrgDALFactory } from "../org/org-dal";
+import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
+import { TUserDALFactory } from "../user/user-dal";
 import { TSecretSharingDALFactory } from "./secret-sharing-dal";
 import {
+  SecretSharingType,
   TCreatePublicSharedSecretDTO,
+  TCreateSecretRequestDTO,
   TCreateSharedSecretDTO,
   TDeleteSharedSecretDTO,
   TGetActiveSharedSecretByIdDTO,
-  TGetSharedSecretsDTO
+  TGetSecretRequestByIdDTO,
+  TGetSharedSecretsDTO,
+  TRevealSecretRequestValueDTO,
+  TSetSecretRequestValueDTO
 } from "./secret-sharing-types";
 
 type TSecretSharingServiceFactoryDep = {
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   secretSharingDAL: TSecretSharingDALFactory;
   orgDAL: TOrgDALFactory;
+  userDAL: TUserDALFactory;
   kmsService: TKmsServiceFactory;
+  smtpService: TSmtpService;
 };
 
 export type TSecretSharingServiceFactory = ReturnType<typeof secretSharingServiceFactory>;
@@ -32,7 +42,9 @@ export const secretSharingServiceFactory = ({
   permissionService,
   secretSharingDAL,
   orgDAL,
-  kmsService
+  kmsService,
+  smtpService,
+  userDAL
 }: TSecretSharingServiceFactoryDep) => {
   const $validateSharedSecretExpiry = (expiresAt: string) => {
     if (new Date(expiresAt) < new Date()) {
@@ -75,7 +87,6 @@ export const secretSharingServiceFactory = ({
     }
 
     const encryptWithRoot = kmsService.encryptWithRootKey();
-
     const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));
 
     const id = crypto.randomBytes(32).toString("hex");
@@ -88,6 +99,7 @@ export const secretSharingServiceFactory = ({
       encryptedValue: null,
       encryptedSecret,
       name,
+      type: SecretSharingType.Share,
       password: hashedPassword,
       expiresAt: new Date(expiresAt),
       expiresAfterViews,
@@ -101,6 +113,191 @@ export const secretSharingServiceFactory = ({
     return { id: idToReturn };
   };
 
+  const createSecretRequest = async ({
+    actor,
+    accessType,
+    expiresAt,
+    name,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TCreateSecretRequestDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
+
+    $validateSharedSecretExpiry(expiresAt);
+
+    const newSecretRequest = await secretSharingDAL.create({
+      type: SecretSharingType.Request,
+      userId: actorId,
+      orgId,
+      name,
+      encryptedSecret: null,
+      accessType,
+      expiresAt: new Date(expiresAt)
+    });
+
+    return { id: newSecretRequest.id };
+  };
+
+  const revealSecretRequestValue = async ({
+    id,
+    actor,
+    actorId,
+    actorOrgId,
+    orgId,
+    actorAuthMethod
+  }: TRevealSecretRequestValueDTO) => {
+    const secretRequest = await secretSharingDAL.getSecretRequestById(id);
+
+    if (!secretRequest) {
+      throw new NotFoundError({ message: `Secret request with ID '${id}' not found` });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
+
+    if (secretRequest.userId !== actorId || secretRequest.orgId !== orgId) {
+      throw new ForbiddenRequestError({ name: "User does not have permission to access this secret request" });
+    }
+
+    if (!secretRequest.encryptedSecret) {
+      throw new BadRequestError({ message: "Secret request has no value set" });
+    }
+
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+    const decryptedSecret = decryptWithRoot(secretRequest.encryptedSecret);
+
+    return { ...secretRequest, secretValue: decryptedSecret.toString() };
+  };
+
+  const getSecretRequestById = async ({
+    id,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetSecretRequestByIdDTO) => {
+    const secretRequest = await secretSharingDAL.getSecretRequestById(id);
+
+    if (!secretRequest) {
+      throw new NotFoundError({ message: `Secret request with ID '${id}' not found` });
+    }
+
+    if (secretRequest.accessType === SecretSharingAccessType.Organization) {
+      if (!secretRequest.orgId) {
+        throw new BadRequestError({ message: "No organization ID present on secret request" });
+      }
+
+      if (!actorOrgId) {
+        throw new UnauthorizedError();
+      }
+
+      const { permission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        secretRequest.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+      if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
+    }
+
+    if (secretRequest.expiresAt && secretRequest.expiresAt < new Date()) {
+      throw new ForbiddenRequestError({
+        message: "Access denied: Secret request has expired"
+      });
+    }
+
+    return {
+      ...secretRequest,
+      isSecretValueSet: Boolean(secretRequest.encryptedSecret)
+    };
+  };
+
+  const setSecretRequestValue = async ({
+    id,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    secretValue
+  }: TSetSecretRequestValueDTO) => {
+    const appCfg = getConfig();
+
+    const secretRequest = await secretSharingDAL.getSecretRequestById(id);
+
+    if (!secretRequest) {
+      throw new NotFoundError({ message: `Secret request with ID '${id}' not found` });
+    }
+
+    let respondentUsername: string | undefined;
+
+    if (secretRequest.accessType === SecretSharingAccessType.Organization) {
+      if (!secretRequest.orgId) {
+        throw new BadRequestError({ message: "No organization ID present on secret request" });
+      }
+
+      if (!actorOrgId) {
+        throw new UnauthorizedError();
+      }
+
+      const { permission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        secretRequest.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+      if (!permission) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
+
+      const user = await userDAL.findById(actorId);
+
+      if (!user) {
+        throw new NotFoundError({ message: `User with ID '${actorId}' not found` });
+      }
+
+      respondentUsername = user.username;
+    }
+
+    if (secretRequest.encryptedSecret) {
+      throw new BadRequestError({ message: "Secret request already has a value set" });
+    }
+
+    if (secretValue.length > 10_000) {
+      throw new BadRequestError({ message: "Shared secret value too long" });
+    }
+
+    if (secretRequest.expiresAt && secretRequest.expiresAt < new Date()) {
+      throw new ForbiddenRequestError({
+        message: "Access denied: Secret request has expired"
+      });
+    }
+
+    const encryptWithRoot = kmsService.encryptWithRootKey();
+    const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));
+
+    const request = await secretSharingDAL.transaction(async (tx) => {
+      const updatedRequest = await secretSharingDAL.updateById(id, { encryptedSecret }, tx);
+
+      await smtpService.sendMail({
+        recipients: [secretRequest.requesterUsername],
+        subjectLine: "Secret Request Completed",
+        substitutions: {
+          name: secretRequest.name,
+          respondentUsername,
+          secretRequestUrl: `${appCfg.SITE_URL}/organization/secret-sharing?selectedTab=request-secret`
+        },
+        template: SmtpTemplates.SecretRequestCompleted
+      });
+
+      return updatedRequest;
+    });
+
+    return request;
+  };
+
   const createPublicSharedSecret = async ({
     password,
     secretValue,
@@ -121,6 +318,7 @@ export const secretSharingServiceFactory = ({
       encryptedValue: null,
       iv: null,
       tag: null,
+      type: SecretSharingType.Share,
       encryptedSecret,
       password: hashedPassword,
       expiresAt: new Date(expiresAt),
@@ -137,7 +335,8 @@ export const secretSharingServiceFactory = ({
     actorAuthMethod,
     actorOrgId,
     offset,
-    limit
+    limit,
+    type
   }: TGetSharedSecretsDTO) => {
     if (!actorOrgId) throw new ForbiddenRequestError();
 
@@ -153,14 +352,16 @@ export const secretSharingServiceFactory = ({
     const secrets = await secretSharingDAL.find(
       {
         userId: actorId,
-        orgId: actorOrgId
+        orgId: actorOrgId,
+        type
       },
       { offset, limit, sort: [["createdAt", "desc"]] }
     );
 
     const count = await secretSharingDAL.countAllUserOrgSharedSecrets({
       orgId: actorOrgId,
-      userId: actorId
+      userId: actorId,
+      type
     });
 
     return {
@@ -187,9 +388,11 @@ export const secretSharingServiceFactory = ({
     const sharedSecret = isUuidV4(sharedSecretId)
       ? await secretSharingDAL.findOne({
           id: sharedSecretId,
+          type: SecretSharingType.Share,
           hashedHex
         })
       : await secretSharingDAL.findOne({
+          type: SecretSharingType.Share,
           identifier: Buffer.from(sharedSecretId, "base64url").toString("hex")
         });
 
@@ -254,7 +457,7 @@ export const secretSharingServiceFactory = ({
       secret: {
         ...sharedSecret,
         ...(decryptedSecretValue && {
-          secretValue: Buffer.from(decryptedSecretValue).toString()
+          secretValue: decryptedSecretValue.toString()
         }),
         orgName:
           sharedSecret.accessType === SecretSharingAccessType.Organization && orgId === sharedSecret.orgId
@@ -270,11 +473,17 @@ export const secretSharingServiceFactory = ({
     if (!permission) throw new ForbiddenRequestError({ name: "User does not belong to the specified organization" });
 
     const sharedSecret = isUuidV4(sharedSecretId)
-      ? await secretSharingDAL.findById(sharedSecretId)
-      : await secretSharingDAL.findOne({ identifier: sharedSecretId });
+      ? await secretSharingDAL.findOne({ id: sharedSecretId, type: deleteSharedSecretInput.type })
+      : await secretSharingDAL.findOne({ identifier: sharedSecretId, type: deleteSharedSecretInput.type });
 
-    if (sharedSecret.orgId && sharedSecret.orgId !== orgId)
+    if (sharedSecret.userId !== actorId) {
+      throw new ForbiddenRequestError({
+        message: "User does not have permission to delete shared secret"
+      });
+    }
+    if (sharedSecret.orgId && sharedSecret.orgId !== orgId) {
       throw new ForbiddenRequestError({ message: "User does not have permission to delete shared secret" });
+    }
 
     const deletedSharedSecret = await secretSharingDAL.deleteById(sharedSecretId);
 
@@ -286,6 +495,11 @@ export const secretSharingServiceFactory = ({
     createPublicSharedSecret,
     getSharedSecrets,
     deleteSharedSecretById,
-    getSharedSecretById
+    getSharedSecretById,
+
+    createSecretRequest,
+    getSecretRequestById,
+    setSecretRequestValue,
+    revealSecretRequestValue
   };
 };

backend/src/services/secret-sharing/secret-sharing-types.ts

@@ -1,8 +1,14 @@
-import { SecretSharingAccessType, TGenericPermission } from "@app/lib/types";
+import { SecretSharingAccessType, TGenericPermission, TOrgPermission } from "@app/lib/types";
 
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 
+export enum SecretSharingType {
+  Share = "share",
+  Request = "request"
+}
+
 export type TGetSharedSecretsDTO = {
+  type: SecretSharingType;
   offset: number;
   limit: number;
 } & TGenericPermission;
@@ -39,6 +45,26 @@ export type TValidateActiveSharedSecretDTO = TGetActiveSharedSecretByIdDTO & {
 
 export type TCreateSharedSecretDTO = TSharedSecretPermission & TCreatePublicSharedSecretDTO;
 
+export type TCreateSecretRequestDTO = {
+  name?: string;
+  accessType: SecretSharingAccessType;
+  expiresAt: string;
+} & TOrgPermission;
+
+export type TRevealSecretRequestValueDTO = {
+  id: string;
+} & TOrgPermission;
+
+export type TGetSecretRequestByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TSetSecretRequestValueDTO = {
+  id: string;
+  secretValue: string;
+} & Omit<TOrgPermission, "orgId">;
+
 export type TDeleteSharedSecretDTO = {
   sharedSecretId: string;
+  type: SecretSharingType;
 } & TSharedSecretPermission;

backend/src/services/smtp/smtp-service.ts

@@ -39,7 +39,8 @@ export enum SmtpTemplates {
   SecretSyncFailed = "secretSyncFailed.handlebars",
   ExternalImportSuccessful = "externalImportSuccessful.handlebars",
   ExternalImportFailed = "externalImportFailed.handlebars",
-  ExternalImportStarted = "externalImportStarted.handlebars"
+  ExternalImportStarted = "externalImportStarted.handlebars",
+  SecretRequestCompleted = "secretRequestCompleted.handlebars"
 }
 
 export enum SmtpHost {

backend/src/services/smtp/templates/secretRequestCompleted.handlebars

@@ -0,0 +1,33 @@
+<html>
+
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Secret Request Completed</title>
+  </head>
+
+  <body>
+    <h2>Infisical</h2>
+    <h2>A secret has been shared with you</h2>
+
+    {{#if name}}
+    <p>Secret request name: {{name}}</p>
+    {{/if}}
+    {{#if respondentUsername}}
+    <p>Shared by: {{respondentUsername}}</p>
+    {{/if}}
+
+    <br />
+    <br/>
+
+    <p>
+      You can access the secret by clicking the link below.
+    </p>
+    <p>
+      <a href="{{secretRequestUrl}}">Access Secret</a>
+    </p>
+
+    {{emailFooter}}
+  </body>
+
+</html>

backend/src/services/telemetry/telemetry-types.ts

@@ -13,7 +13,9 @@ export enum PostHogEventTypes {
   IntegrationCreated = "Integration Created",
   MachineIdentityCreated = "Machine Identity Created",
   UserOrgInvitation = "User Org Invitation",
-  TelemetryInstanceStats = "Self Hosted Instance Stats"
+  TelemetryInstanceStats = "Self Hosted Instance Stats",
+  SecretRequestCreated = "Secret Request Created",
+  SecretRequestDeleted = "Secret Request Deleted"
 }
 
 export type TSecretModifiedEvent = {
@@ -120,6 +122,23 @@ export type TTelemetryInstanceStatsEvent = {
   };
 };
 
+export type TSecretRequestCreatedEvent = {
+  event: PostHogEventTypes.SecretRequestCreated;
+  properties: {
+    secretRequestId: string;
+    organizationId: string;
+    secretRequestName?: string;
+  };
+};
+
+export type TSecretRequestDeletedEvent = {
+  event: PostHogEventTypes.SecretRequestDeleted;
+  properties: {
+    secretRequestId: string;
+    organizationId: string;
+  };
+};
+
 export type TPostHogEvent = { distinctId: string } & (
   | TSecretModifiedEvent
   | TAdminInitEvent
@@ -130,4 +149,6 @@ export type TPostHogEvent = { distinctId: string } & (
   | TIntegrationCreatedEvent
   | TProjectCreateEvent
   | TTelemetryInstanceStatsEvent
+  | TSecretRequestCreatedEvent
+  | TSecretRequestDeletedEvent
 );

cli/config/infisical-relay.yaml

@@ -0,0 +1,3 @@
+public_ip: 127.0.0.1
+auth_secret: changeThisOnProduction
+realm: infisical.org

cli/go.mod

@@ -1,6 +1,8 @@
 module github.com/Infisical/infisical-merge
 
-go 1.21
+go 1.23.0
+
+toolchain go1.23.5
 
 require (
 	github.com/bradleyjkemp/cupaloy/v2 v2.8.0
@@ -21,12 +23,13 @@ require (
 	github.com/pion/logging v0.2.3
 	github.com/pion/turn/v4 v4.0.0
 	github.com/posthog/posthog-go v0.0.0-20221221115252-24dfed35d71a
+	github.com/quic-go/quic-go v0.50.0
 	github.com/rs/cors v1.11.0
 	github.com/rs/zerolog v1.26.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/crypto v0.33.0
+	golang.org/x/crypto v0.35.0
 	golang.org/x/term v0.29.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -58,13 +61,15 @@ require (
 	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/errors v0.20.2 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.5 // indirect
@@ -82,6 +87,7 @@ require (
 	github.com/muesli/mango-pflag v0.1.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.22.2 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
 	github.com/pion/dtls/v3 v3.0.4 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
@@ -103,17 +109,21 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/exp v0.0.0-20250228200357-dead58393ab7 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
 	google.golang.org/grpc v1.64.1 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

cli/go.sum

@@ -144,8 +144,8 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8=
@@ -154,6 +154,8 @@ github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtK
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
 github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
 github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -222,6 +224,8 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 h1:+J3r2e8+RsmN3vKfo75g0YSY61ms37qzPglu4p0sGro=
+github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
@@ -342,6 +346,10 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU=
+github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
+github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
+github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.9.3 h1:zeC5b1GviRUyKYd6OJPvBU/mcVDVoL1OhT17FCt5dSQ=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
@@ -369,6 +377,8 @@ github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndr
 github.com/posthog/posthog-go v0.0.0-20221221115252-24dfed35d71a h1:Ey0XWvrg6u6hyIn1Kd/jCCmL+bMv9El81tvuGBbxZGg=
 github.com/posthog/posthog-go v0.0.0-20221221115252-24dfed35d71a/go.mod h1:oa2sAs9tGai3VldabTV0eWejt/O4/OOD7azP8GaikqU=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/quic-go/quic-go v0.50.0 h1:3H/ld1pa3CYhkcc20TPIyG1bNsdhn9qZBGN3b9/UyUo=
+github.com/quic-go/quic-go v0.50.0/go.mod h1:Vim6OmUvlYdwBhXP9ZVrtGmCMWa3wEqhq3NgYrI8b4E=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -461,6 +471,8 @@ go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8p
 go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -472,8 +484,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -484,6 +496,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20250228200357-dead58393ab7 h1:aWwlzYV971S4BXRS9AmqwDLAD85ouC6X+pocatKY58c=
+golang.org/x/exp v0.0.0-20250228200357-dead58393ab7/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -509,6 +523,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -547,8 +563,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -697,6 +713,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
+golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
+golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -811,8 +829,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

cli/packages/cmd/gateway.go

@@ -109,6 +109,33 @@ var gatewayCmd = &cobra.Command{
 	},
 }
 
+var gatewayRelayCmd = &cobra.Command{
+	Example:               `infisical gateway relay`,
+	Short:                 "Used to run infisical gateway relay",
+	Use:                   "relay",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		relayConfigFilePath, err := cmd.Flags().GetString("config")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		if relayConfigFilePath == "" {
+			util.HandleError(fmt.Errorf("Missing config file"))
+		}
+
+		gatewayRelay, err := gateway.NewGatewayRelay(relayConfigFilePath)
+		if err != nil {
+			util.HandleError(err, "Failed to initialize gateway")
+		}
+		err = gatewayRelay.Run()
+		if err != nil {
+			util.HandleError(err, "Failed to start gateway")
+		}
+	},
+}
+
 func init() {
 	gatewayCmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
 		command.Flags().MarkHidden("domain")
@@ -116,5 +143,9 @@ func init() {
 	})
 	gatewayCmd.Flags().String("token", "", "Connect with Infisical using machine identity access token")
 
+	gatewayRelayCmd.Flags().String("config", "", "Relay config yaml file path")
+
+	gatewayCmd.AddCommand(gatewayRelayCmd)
+
 	rootCmd.AddCommand(gatewayCmd)
 }

cli/packages/gateway/connection.go

@@ -3,20 +3,49 @@ package gateway
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"errors"
 	"io"
 	"net"
+	"strings"
 	"sync"
 
+	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog/log"
 )
 
-func handleConnection(conn net.Conn) {
-	defer conn.Close()
-	log.Info().Msgf("New connection from: %s", conn.RemoteAddr().String())
+func handleConnection(ctx context.Context, quicConn quic.Connection) {
+	log.Info().Msgf("New connection from: %s", quicConn.RemoteAddr().String())
+	// Use WaitGroup to track all streams
+	var wg sync.WaitGroup
+	for {
+		// Accept the first stream, which we'll use for commands
+		stream, err := quicConn.AcceptStream(ctx)
+		if err != nil {
+			log.Printf("Failed to accept QUIC stream: %v", err)
+			break
+		}
+		wg.Add(1)
+		go func(stream quic.Stream) {
+			defer wg.Done()
+			defer stream.Close()
+
+			handleStream(stream, quicConn)
+		}(stream)
+	}
+
+	wg.Wait()
+	log.Printf("All streams closed for connection: %s", quicConn.RemoteAddr().String())
+}
+
+func handleStream(stream quic.Stream, quicConn quic.Connection) {
+	streamID := stream.StreamID()
+	log.Printf("New stream %d from: %s", streamID, quicConn.RemoteAddr().String())
 
 	// Use buffered reader for better handling of fragmented data
-	reader := bufio.NewReader(conn)
+	reader := bufio.NewReader(stream)
+	defer stream.Close()
+
 	for {
 		msg, err := reader.ReadBytes('\n')
 		if err != nil {
@@ -32,6 +61,7 @@ func handleConnection(conn net.Conn) {
 
 		switch string(cmd) {
 		case "FORWARD-TCP":
+			log.Info().Msg("Starting secure connector proxy...")
 			proxyAddress := string(bytes.Split(args, []byte(" "))[0])
 			destTarget, err := net.Dial("tcp", proxyAddress)
 			if err != nil {
@@ -56,10 +86,10 @@ func handleConnection(conn net.Conn) {
 				}
 			}
 
-			CopyData(conn, destTarget)
+			CopyDataFromQuicToTcp(stream, destTarget)
 			return
 		case "PING":
-			if _, err := conn.Write([]byte("PONG")); err != nil {
+			if _, err := stream.Write([]byte("PONG\n")); err != nil {
 				log.Error().Msgf("Error writing PONG response: %v", err)
 			}
 			return
@@ -74,34 +104,38 @@ type CloseWrite interface {
 	CloseWrite() error
 }
 
-func CopyData(src, dst net.Conn) {
+func CopyDataFromQuicToTcp(quicStream quic.Stream, tcpConn net.Conn) {
+	// Create a WaitGroup to wait for both copy operations
 	var wg sync.WaitGroup
 	wg.Add(2)
 
-	copyAndClose := func(dst, src net.Conn, done chan<- bool) {
+	// Start copying from QUIC stream to TCP
+	go func() {
 		defer wg.Done()
-		_, err := io.Copy(dst, src)
-		if err != nil && !errors.Is(err, io.EOF) {
-			log.Error().Msgf("Copy error: %v", err)
+		if _, err := io.Copy(tcpConn, quicStream); err != nil {
+			log.Error().Msgf("Error copying quic->postgres: %v", err)
 		}
 
-		// Signal we're done writing
-		done <- true
-
-		// Half close the connection if possible
-		if c, ok := dst.(CloseWrite); ok {
-			c.CloseWrite()
+		if e, ok := tcpConn.(CloseWrite); ok {
+			log.Debug().Msg("Closing TCP write end")
+			e.CloseWrite()
+		} else {
+			log.Debug().Msg("TCP connection does not support CloseWrite")
 		}
-	}
+	}()
 
-	done1 := make(chan bool, 1)
-	done2 := make(chan bool, 1)
-
-	go copyAndClose(dst, src, done1)
-	go copyAndClose(src, dst, done2)
+	// Start copying from TCP to QUIC stream
+	go func() {
+		defer wg.Done()
+		if _, err := io.Copy(quicStream, tcpConn); err != nil {
+			log.Debug().Msgf("Error copying postgres->quic: %v", err)
+		}
+		// Close the write side of the QUIC stream
+		if err := quicStream.Close(); err != nil && !strings.Contains(err.Error(), "close called for canceled stream") {
+			log.Error().Msgf("Error closing QUIC stream write: %v", err)
+		}
+	}()
 
 	// Wait for both copies to complete
-	<-done1
-	<-done2
 	wg.Wait()
 }

cli/packages/gateway/gateway.go

@@ -15,6 +15,8 @@ import (
 	"github.com/pion/logging"
 	"github.com/pion/turn/v4"
 	"github.com/rs/zerolog/log"
+
+	"github.com/quic-go/quic-go"
 )
 
 type GatewayConfig struct {
@@ -56,13 +58,12 @@ func (g *Gateway) ConnectWithRelay() error {
 	if relayPort == "5349" {
 		log.Info().Msgf("Provided relay port %s. Using TLS", relayPort)
 		conn, err = tls.Dial("tcp", relayDetails.TurnServerAddress, &tls.Config{
-			InsecureSkipVerify: false,
-			ServerName:         relayAddress,
+			ServerName: relayAddress,
 		})
 	} else {
 		log.Info().Msgf("Provided relay port %s. Using non TLS connection.", relayPort)
-		peerAddr, err := net.ResolveTCPAddr("tcp", relayDetails.TurnServerAddress)
-		if err != nil {
+		peerAddr, errPeer := net.ResolveTCPAddr("tcp", relayDetails.TurnServerAddress)
+		if errPeer != nil {
 			return fmt.Errorf("Failed to parse turn server address: %w", err)
 		}
 		conn, err = net.DialTCP("tcp", nil, peerAddr)
@@ -116,20 +117,20 @@ func (g *Gateway) Listen(ctx context.Context) error {
 	// Allocate a relay socket on the TURN server. On success, it
 	// will return a net.PacketConn which represents the remote
 	// socket.
-	relayNonTlsConn, err := g.client.AllocateTCP()
+	relayUdpConnection, err := g.client.Allocate()
 	if err != nil {
 		return fmt.Errorf("Failed to allocate relay connection: %w", err)
 	}
 
-	log.Info().Msg(relayNonTlsConn.Addr().String())
+	log.Info().Msg(relayUdpConnection.LocalAddr().String())
 	defer func() {
-		if closeErr := relayNonTlsConn.Close(); closeErr != nil {
+		if closeErr := relayUdpConnection.Close(); closeErr != nil {
 			log.Error().Msgf("Failed to close connection: %s", closeErr)
 		}
 	}()
 
 	gatewayCert, err := api.CallExchangeRelayCertV1(g.httpClient, api.ExchangeRelayCertRequestV1{
-		RelayAddress: relayNonTlsConn.Addr().String(),
+		RelayAddress: relayUdpConnection.LocalAddr().String(),
 	})
 	if err != nil {
 		return err
@@ -144,45 +145,58 @@ func (g *Gateway) Listen(ctx context.Context) error {
 
 	if g.config.InfisicalStaticIp != "" {
 		log.Info().Msgf("Found static ip from Infisical: %s. Creating permission IP lifecycle", g.config.InfisicalStaticIp)
-		peerAddr, err := net.ResolveTCPAddr("tcp", g.config.InfisicalStaticIp)
+		peerAddr, err := net.ResolveUDPAddr("udp", g.config.InfisicalStaticIp)
 		if err != nil {
 			return fmt.Errorf("Failed to parse infisical static ip: %w", err)
 		}
-		g.registerPermissionLifecycle(func() error {
-			err := relayNonTlsConn.CreatePermissions(peerAddr)
-			return err
-		}, shutdownCh)
+		err = g.client.CreatePermission(peerAddr)
+		if err != nil {
+			return fmt.Errorf("Failed to set permission: %w", err)
+		}
 	}
 
 	cert, err := tls.X509KeyPair([]byte(gatewayCert.Certificate), []byte(gatewayCert.PrivateKey))
 	if err != nil {
-		return fmt.Errorf("failed to parse cert: %s", err)
+		return fmt.Errorf("failed to parse cert: %w", err)
 	}
 
 	caCertPool := x509.NewCertPool()
 	caCertPool.AppendCertsFromPEM([]byte(gatewayCert.CertificateChain))
 
-	relayConn := tls.NewListener(relayNonTlsConn, &tls.Config{
+	// Setup QUIC server
+	tlsConfig := &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		MinVersion:   tls.VersionTLS12,
 		ClientCAs:    caCertPool,
 		ClientAuth:   tls.RequireAndVerifyClientCert,
-	})
+		NextProtos:   []string{"infisical-gateway"},
+	}
+
+	// Setup QUIC listener on the relayConn
+	quicConfig := &quic.Config{
+		EnableDatagrams: true,
+		MaxIdleTimeout:  30 * time.Second,
+		KeepAlivePeriod: 15 * time.Second,
+	}
+
+	quicListener, err := quic.Listen(relayUdpConnection, tlsConfig, quicConfig)
+	if err != nil {
+		return fmt.Errorf("Failed to listen for QUIC: %w", err)
+	}
+	defer quicListener.Close()
+
+	log.Printf("Listener started on %s", quicListener.Addr())
 
 	errCh := make(chan error, 1)
 	log.Info().Msg("Gateway started successfully")
 	g.registerHeartBeat(errCh, shutdownCh)
-	g.registerRelayIsActive(relayNonTlsConn.Addr().String(), errCh, shutdownCh)
+	g.registerRelayIsActive(relayUdpConnection.LocalAddr().String(), tlsConfig, quicConfig, errCh, shutdownCh)
 
 	// Create a WaitGroup to track active connections
 	var wg sync.WaitGroup
 
 	go func() {
 		for {
-			if relayDeadlineConn, ok := relayConn.(*net.TCPListener); ok {
-				relayDeadlineConn.SetDeadline(time.Now().Add(1 * time.Second))
-			}
-
 			select {
 			case <-ctx.Done():
 				return
@@ -190,67 +204,42 @@ func (g *Gateway) Listen(ctx context.Context) error {
 				return
 			default:
 				// Accept new relay connection
-				conn, err := relayConn.Accept()
+				quicConn, err := quicListener.Accept(context.Background())
 				if err != nil {
-					// Check if it's a timeout error (which we expect due to our deadline)
-					if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
-						continue
-					}
-
-					if !strings.Contains(err.Error(), "data contains incomplete STUN or TURN frame") {
-						log.Error().Msgf("Failed to accept connection: %v", err)
-					}
+					log.Printf("Failed to accept QUIC connection: %v", err)
 					continue
 				}
 
-				tlsConn, ok := conn.(*tls.Conn)
-				if !ok {
-					log.Error().Msg("Failed to convert to TLS connection")
-					conn.Close()
-					continue
-				}
-
-				// Set a deadline for the handshake to prevent hanging
-				tlsConn.SetDeadline(time.Now().Add(10 * time.Second))
-				err = tlsConn.Handshake()
-				// Clear the deadline after handshake
-				tlsConn.SetDeadline(time.Time{})
-				if err != nil {
-					log.Error().Msgf("TLS handshake failed: %v", err)
-					conn.Close()
-					continue
-				}
-
-				// Get connection state which contains certificate information
-				state := tlsConn.ConnectionState()
-				if len(state.PeerCertificates) > 0 {
-					organizationUnit := state.PeerCertificates[0].Subject.OrganizationalUnit
-					commonName := state.PeerCertificates[0].Subject.CommonName
+				tlsState := quicConn.ConnectionState().TLS
+				if len(tlsState.PeerCertificates) > 0 {
+					organizationUnit := tlsState.PeerCertificates[0].Subject.OrganizationalUnit
+					commonName := tlsState.PeerCertificates[0].Subject.CommonName
 					if organizationUnit[0] != "gateway-client" || commonName != "cloud" {
-						log.Error().Msgf("Client certificate verification failed. Received %s, %s", organizationUnit, commonName)
-						conn.Close()
+						errMsg := fmt.Sprintf("Client certificate verification failed. Received %s, %s", organizationUnit, commonName)
+						log.Error().Msg(errMsg)
+						quicConn.CloseWithError(1, errMsg)
 						continue
 					}
 				}
 
 				// Handle the connection in a goroutine
 				wg.Add(1)
-				go func(c net.Conn) {
+				go func(c quic.Connection) {
 					defer wg.Done()
-					defer c.Close()
+					defer c.CloseWithError(0, "connection closed")
 
 					// Monitor parent context to close this connection when needed
 					go func() {
 						select {
 						case <-ctx.Done():
-							c.Close() // Force close connection when context is canceled
+							c.CloseWithError(0, "connection closed") // Force close connection when context is canceled
 						case <-shutdownCh:
-							c.Close() // Force close connection when accepting loop is done
+							c.CloseWithError(0, "connection closed") // Force close connection when accepting loop is done
 						}
 					}()
 
-					handleConnection(c)
-				}(conn)
+					handleConnection(ctx, c)
+				}(quicConn)
 			}
 		}
 	}()
@@ -282,7 +271,7 @@ func (g *Gateway) Listen(ctx context.Context) error {
 }
 
 func (g *Gateway) registerHeartBeat(errCh chan error, done chan bool) {
-	ticker := time.NewTicker(1 * time.Hour)
+	ticker := time.NewTicker(30 * time.Minute)
 
 	go func() {
 		time.Sleep(10 * time.Second)
@@ -306,26 +295,7 @@ func (g *Gateway) registerHeartBeat(errCh chan error, done chan bool) {
 	}()
 }
 
-func (g *Gateway) registerPermissionLifecycle(permissionFn func() error, done chan bool) {
-	ticker := time.NewTicker(3 * time.Minute)
-
-	go func() {
-		// wait for 5 mins
-		permissionFn()
-		log.Printf("Created permission for incoming connections")
-		for {
-			select {
-			case <-done:
-				ticker.Stop()
-				return
-			case <-ticker.C:
-				permissionFn()
-			}
-		}
-	}()
-}
-
-func (g *Gateway) registerRelayIsActive(serverAddr string, errCh chan error, done chan bool) {
+func (g *Gateway) registerRelayIsActive(serverAddr string, tlsConf *tls.Config, quicConf *quic.Config, errCh chan error, done chan bool) {
 	ticker := time.NewTicker(10 * time.Second)
 
 	go func() {
@@ -336,14 +306,19 @@ func (g *Gateway) registerRelayIsActive(serverAddr string, errCh chan error, don
 				ticker.Stop()
 				return
 			case <-ticker.C:
-				conn, err := net.Dial("tcp", serverAddr)
-				if err != nil {
-					errCh <- err
-					return
-				}
-				if conn != nil {
-					conn.Close()
-				}
+				func() {
+					ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) // 3s handshake timeout
+					defer cancel()
+					conn, err := quic.DialAddr(ctx, serverAddr, tlsConf, quicConf)
+					if conn != nil {
+						conn.CloseWithError(0, "connection closed")
+					}
+					// this error means quic connection is alive
+					if err != nil && !strings.Contains(err.Error(), "tls: failed to verify certificate") {
+						errCh <- err
+						return
+					}
+				}()
 			}
 		}
 	}()

cli/packages/gateway/relay.go

@@ -0,0 +1,187 @@
+package gateway
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"runtime"
+	"strconv"
+	"syscall"
+
+	"github.com/pion/logging"
+	"github.com/pion/turn/v4"
+	"github.com/rs/zerolog/log"
+	"golang.org/x/sys/unix"
+	"gopkg.in/yaml.v2"
+)
+
+var (
+	errMissingTlsCert = errors.New("Missing TLS files")
+)
+
+type GatewayRelay struct {
+	Config *GatewayRelayConfig
+}
+
+type GatewayRelayConfig struct {
+	PublicIP          string `yaml:"public_ip"`
+	Port              int    `yaml:"port"`
+	Realm             string `yaml:"realm"`
+	AuthSecret        string `yaml:"auth_secret"`
+	RelayMinPort      uint16 `yaml:"relay_min_port"`
+	RelayMaxPort      uint16 `yaml:"relay_max_port"`
+	TlsCertPath       string `yaml:"tls_cert_path"`
+	TlsPrivateKeyPath string `yaml:"tls_private_key_path"`
+
+	tls          tls.Certificate
+	isTlsEnabled bool
+}
+
+func NewGatewayRelay(configFilePath string) (*GatewayRelay, error) {
+	cfgFile, err := os.ReadFile(configFilePath)
+	if err != nil {
+		return nil, err
+	}
+	var cfg GatewayRelayConfig
+	if err := yaml.Unmarshal(cfgFile, &cfg); err != nil {
+		return nil, err
+	}
+
+	if cfg.PublicIP == "" {
+		return nil, fmt.Errorf("Missing public ip")
+	}
+
+	if cfg.AuthSecret == "" {
+		return nil, fmt.Errorf("Missing auth secret")
+	}
+
+	if cfg.Realm == "" {
+		cfg.Realm = "infisical.org"
+	}
+
+	if cfg.RelayMinPort == 0 {
+		cfg.RelayMinPort = 49152
+	}
+
+	if cfg.RelayMaxPort == 0 {
+		cfg.RelayMaxPort = 65535
+	}
+
+	if cfg.Port == 0 {
+		cfg.Port = 3478
+	} else if cfg.Port == 5349 {
+		if cfg.TlsCertPath == "" || cfg.TlsPrivateKeyPath == "" {
+			return nil, errMissingTlsCert
+		}
+
+		tlsCertFile, err := os.ReadFile(cfg.TlsCertPath)
+		if err != nil {
+			return nil, err
+		}
+		tlsPrivateKeyFile, err := os.ReadFile(cfg.TlsPrivateKeyPath)
+		if err != nil {
+			return nil, err
+		}
+
+		cert, err := tls.LoadX509KeyPair(string(tlsCertFile), string(tlsPrivateKeyFile))
+		if err != nil {
+			return nil, err
+		}
+		cfg.tls = cert
+		cfg.isTlsEnabled = true
+	}
+
+	return &GatewayRelay{
+		Config: &cfg,
+	}, nil
+}
+
+func (g *GatewayRelay) Run() error {
+	addr, err := net.ResolveTCPAddr("tcp", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
+	if err != nil {
+		return fmt.Errorf("Failed to parse server address: %s", err)
+	}
+
+	// NewLongTermAuthHandler takes a pion.LeveledLogger. This allows you to intercept messages
+	// and process them yourself.
+	logger := logging.NewDefaultLeveledLoggerForScope("lt-creds", logging.LogLevelTrace, os.Stdout)
+
+	// Create `numThreads` UDP listeners to pass into pion/turn
+	// pion/turn itself doesn't allocate any UDP sockets, but lets the user pass them in
+	// this allows us to add logging, storage or modify inbound/outbound traffic
+	// UDP listeners share the same local address:port with setting SO_REUSEPORT and the kernel
+	// will load-balance received packets per the IP 5-tuple
+	listenerConfig := &net.ListenConfig{
+		Control: func(network, address string, conn syscall.RawConn) error { // nolint: revive
+			var operr error
+			if err = conn.Control(func(fd uintptr) {
+				operr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, unix.SO_REUSEPORT, 1)
+			}); err != nil {
+				return err
+			}
+
+			return operr
+		},
+	}
+
+	publicIP := g.Config.PublicIP
+	relayAddressGenerator := &turn.RelayAddressGeneratorPortRange{
+		RelayAddress: net.ParseIP(publicIP), // Claim that we are listening on IP passed by user
+		Address:      "0.0.0.0",             // But actually be listening on every interface
+		MinPort:      g.Config.RelayMinPort,
+		MaxPort:      g.Config.RelayMaxPort,
+	}
+
+	threadNum := runtime.NumCPU()
+	listenerConfigs := make([]turn.ListenerConfig, threadNum)
+	var connAddress string
+	for i := 0; i < threadNum; i++ {
+		conn, listErr := listenerConfig.Listen(context.Background(), addr.Network(), addr.String())
+		if listErr != nil {
+			return fmt.Errorf("Failed to allocate TCP listener at %s:%s %s", addr.Network(), addr.String(), listErr)
+		}
+
+		listenerConfigs[i] = turn.ListenerConfig{
+			RelayAddressGenerator: relayAddressGenerator,
+		}
+
+		if g.Config.isTlsEnabled {
+			listenerConfigs[i].Listener = tls.NewListener(conn, &tls.Config{
+				Certificates: []tls.Certificate{g.Config.tls},
+			})
+		} else {
+			listenerConfigs[i].Listener = conn
+		}
+		connAddress = conn.Addr().String()
+	}
+
+	loggerF := logging.NewDefaultLoggerFactory()
+	loggerF.DefaultLogLevel = logging.LogLevelDebug
+
+	server, err := turn.NewServer(turn.ServerConfig{
+		Realm:       g.Config.Realm,
+		AuthHandler: turn.LongTermTURNRESTAuthHandler(g.Config.AuthSecret, logger),
+		// PacketConnConfigs is a list of UDP Listeners and the configuration around them
+		ListenerConfigs: listenerConfigs,
+		LoggerFactory:   loggerF,
+	})
+
+	if err != nil {
+		return fmt.Errorf("Failed to start server: %w", err)
+	}
+
+	log.Info().Msgf("Relay listening on %s\n", connAddress)
+	// Block until user sends SIGINT or SIGTERM
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+	<-sigs
+
+	if err = server.Close(); err != nil {
+		return fmt.Errorf("Failed to close server: %w", err)
+	}
+	return nil
+}

docs/integrations/secret-syncs/overview.mdx

@@ -75,7 +75,7 @@ via the UI or API for the third-party service you intend to sync secrets to.
 2. <strong>Create Secret Sync:</strong> Configure a Secret Sync in the desired project by specifying the following parameters via the UI or API:
     - <strong>Source:</strong> The project environment and folder path you wish to retrieve secrets from.
     - <strong>Destination:</strong> The App Connection to utilize and the destination endpoint to deploy secrets to. These can vary between services.
-    - <strong>Options:</strong> Customize how secrets should be synced. Examples include adding a suffix or prefix to your secrets, or importing secrets from the destination on the initial sync.
+    - <strong>Options:</strong> Customize how secrets should be synced, such as whether or not secrets should be imported from the destination on the initial sync.
 
 <Note>
     Secret Syncs are the source of truth for connected third-party services. Any secret,

frontend/src/const.ts

@@ -25,6 +25,7 @@ export const publicPaths = [
   "/login/sso",
   "/admin/signup",
   "/shared/secret/[id]",
+  "/secret-request/secret/[id]",
   "/share-secret"
 ];
 

frontend/src/const/routes.ts

@@ -21,6 +21,10 @@ export const ROUTE_PATHS = Object.freeze({
       "/organization/secret-scanning",
       "/_authenticate/_inject-org-details/_org-layout/organization/secret-scanning"
     ),
+    SecretSharing: setRoute(
+      "/organization/secret-sharing",
+      "/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing"
+    ),
     SettingsPage: setRoute(
       "/organization/settings",
       "/_authenticate/_inject-org-details/_org-layout/organization/settings"
@@ -285,6 +289,10 @@ export const ROUTE_PATHS = Object.freeze({
     )
   },
   Public: {
-    ViewSharedSecretByIDPage: setRoute("/shared/secret/$secretId", "/shared/secret/$secretId")
+    ViewSharedSecretByIDPage: setRoute("/shared/secret/$secretId", "/shared/secret/$secretId"),
+    ViewSecretRequestByIDPage: setRoute(
+      "/secret-request/secret/$secretRequestId",
+      "/secret-request/secret/$secretRequestId"
+    )
   }
 });

frontend/src/hooks/api/secretFolders/queries.tsx

@@ -148,12 +148,13 @@ export const useUpdateFolder = () => {
   const queryClient = useQueryClient();
 
   return useMutation<object, object, TUpdateFolderDTO>({
-    mutationFn: async ({ path = "/", folderId, name, environment, projectId }) => {
+    mutationFn: async ({ path = "/", folderId, name, environment, projectId, description }) => {
       const { data } = await apiRequest.patch(`/api/v1/folders/${folderId}`, {
         name,
         environment,
         workspaceId: projectId,
-        path
+        path,
+        description
       });
       return data;
     },

frontend/src/hooks/api/secretFolders/types.ts

@@ -5,6 +5,7 @@ export enum ReservedFolders {
 export type TSecretFolder = {
   id: string;
   name: string;
+  description?: string;
 };
 
 export type TGetProjectFoldersDTO = {
@@ -24,6 +25,7 @@ export type TCreateFolderDTO = {
   environment: string;
   name: string;
   path?: string;
+  description?: string | null;
 };
 
 export type TUpdateFolderDTO = {
@@ -32,6 +34,7 @@ export type TUpdateFolderDTO = {
   name: string;
   folderId: string;
   path?: string;
+  description?: string | null;
 };
 
 export type TDeleteFolderDTO = {
@@ -49,5 +52,6 @@ export type TUpdateFolderBatchDTO = {
     environment: string;
     id: string;
     path?: string;
+    description?: string | null;
   }[];
 };

frontend/src/hooks/api/secretSharing/mutations.ts

@@ -5,8 +5,13 @@ import { apiRequest } from "@app/config/request";
 import { secretSharingKeys } from "./queries";
 import {
   TCreatedSharedSecret,
+  TCreateSecretRequestRequestDTO,
   TCreateSharedSecretRequest,
-  TDeleteSharedSecretRequest,
+  TDeleteSecretRequestDTO,
+  TDeleteSharedSecretRequestDTO,
+  TRevealedSecretRequest,
+  TRevealSecretRequestValueRequest,
+  TSetSecretRequestValueRequest,
   TSharedSecret
 } from "./types";
 
@@ -15,7 +20,7 @@ export const useCreateSharedSecret = () => {
   return useMutation({
     mutationFn: async (inputData: TCreateSharedSecretRequest) => {
       const { data } = await apiRequest.post<TCreatedSharedSecret>(
-        "/api/v1/secret-sharing",
+        "/api/v1/secret-sharing/shared",
         inputData
       );
       return data;
@@ -30,7 +35,7 @@ export const useCreatePublicSharedSecret = () => {
   return useMutation({
     mutationFn: async (inputData: TCreateSharedSecretRequest) => {
       const { data } = await apiRequest.post<TCreatedSharedSecret>(
-        "/api/v1/secret-sharing/public",
+        "/api/v1/secret-sharing/shared/public",
         inputData
       );
       return data;
@@ -40,12 +45,50 @@ export const useCreatePublicSharedSecret = () => {
   });
 };
 
+export const useCreateSecretRequest = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async (inputData: TCreateSecretRequestRequestDTO) => {
+      const { data } = await apiRequest.post<TCreatedSharedSecret>(
+        "/api/v1/secret-sharing/requests",
+        inputData
+      );
+      return data;
+    },
+    onSuccess: () =>
+      queryClient.invalidateQueries({ queryKey: secretSharingKeys.allSecretRequests() })
+  });
+};
+
+export const useSetSecretRequestValue = () => {
+  return useMutation({
+    mutationFn: async (inputData: TSetSecretRequestValueRequest) => {
+      const { data } = await apiRequest.post<TSharedSecret>(
+        `/api/v1/secret-sharing/requests/${inputData.id}/set-value`,
+        inputData
+      );
+      return data;
+    }
+  });
+};
+
+export const useRevealSecretRequestValue = () => {
+  return useMutation({
+    mutationFn: async (inputData: TRevealSecretRequestValueRequest) => {
+      const { data } = await apiRequest.post<TRevealedSecretRequest>(
+        `/api/v1/secret-sharing/requests/${inputData.id}/reveal-value`,
+        inputData
+      );
+      return data.secretRequest;
+    }
+  });
+};
 export const useDeleteSharedSecret = () => {
   const queryClient = useQueryClient();
   return useMutation<TSharedSecret, { message: string }, { sharedSecretId: string }>({
-    mutationFn: async ({ sharedSecretId }: TDeleteSharedSecretRequest) => {
+    mutationFn: async ({ sharedSecretId }: TDeleteSharedSecretRequestDTO) => {
       const { data } = await apiRequest.delete<TSharedSecret>(
-        `/api/v1/secret-sharing/${sharedSecretId}`
+        `/api/v1/secret-sharing/shared/${sharedSecretId}`
       );
       return data;
     },
@@ -53,3 +96,19 @@ export const useDeleteSharedSecret = () => {
       queryClient.invalidateQueries({ queryKey: secretSharingKeys.allSharedSecrets() })
   });
 };
+
+export const useDeleteSecretRequest = () => {
+  const queryClient = useQueryClient();
+  return useMutation<TSharedSecret, unknown, TDeleteSecretRequestDTO>({
+    mutationFn: async ({ secretRequestId }: TDeleteSecretRequestDTO) => {
+      const { data } = await apiRequest.delete<TSharedSecret>(
+        `/api/v1/secret-sharing/requests/${secretRequestId}`
+      );
+
+      return data;
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: secretSharingKeys.allSecretRequests() });
+    }
+  });
+};

frontend/src/hooks/api/secretSharing/queries.ts

@@ -2,16 +2,20 @@ import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
-import { TSharedSecret, TViewSharedSecretResponse } from "./types";
+import { TGetSecretRequestByIdResponse, TSharedSecret, TViewSharedSecretResponse } from "./types";
 
 export const secretSharingKeys = {
   allSharedSecrets: () => ["sharedSecrets"] as const,
   specificSharedSecrets: ({ offset, limit }: { offset: number; limit: number }) =>
     [...secretSharingKeys.allSharedSecrets(), { offset, limit }] as const,
+  allSecretRequests: () => ["secretRequests"] as const,
+  specificSecretRequests: ({ offset, limit }: { offset: number; limit: number }) =>
+    [...secretSharingKeys.allSecretRequests(), { offset, limit }] as const,
   getSecretById: (arg: { id: string; hashedHex: string | null; password?: string }) => [
     "shared-secret",
     arg
-  ]
+  ],
+  getSecretRequestById: (arg: { id: string }) => ["secret-request", arg] as const
 };
 
 export const useGetSharedSecrets = ({
@@ -30,7 +34,7 @@ export const useGetSharedSecrets = ({
       });
 
       const { data } = await apiRequest.get<{ secrets: TSharedSecret[]; totalCount: number }>(
-        "/api/v1/secret-sharing/",
+        "/api/v1/secret-sharing/shared",
         {
           params
         }
@@ -40,6 +44,29 @@ export const useGetSharedSecrets = ({
   });
 };
 
+export const useGetSecretRequests = ({
+  offset = 0,
+  limit = 25
+}: {
+  offset: number;
+  limit: number;
+}) => {
+  return useQuery({
+    queryKey: secretSharingKeys.specificSecretRequests({ offset, limit }),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<{ secrets: TSharedSecret[]; totalCount: number }>(
+        "/api/v1/secret-sharing/requests",
+        {
+          params: {
+            offset: String(offset),
+            limit: String(limit)
+          }
+        }
+      );
+      return data;
+    }
+  });
+};
 export const useGetActiveSharedSecretById = ({
   sharedSecretId,
   hashedHex,
@@ -53,7 +80,7 @@ export const useGetActiveSharedSecretById = ({
     queryKey: secretSharingKeys.getSecretById({ id: sharedSecretId, hashedHex, password }),
     queryFn: async () => {
       const { data } = await apiRequest.post<TViewSharedSecretResponse>(
-        `/api/v1/secret-sharing/public/${sharedSecretId}`,
+        `/api/v1/secret-sharing/shared/public/${sharedSecretId}`,
         {
           ...(hashedHex && { hashedHex }),
           password
@@ -65,3 +92,16 @@ export const useGetActiveSharedSecretById = ({
     enabled: Boolean(sharedSecretId)
   });
 };
+
+export const useGetSecretRequestById = ({ secretRequestId }: { secretRequestId: string }) => {
+  return useQuery({
+    queryKey: secretSharingKeys.getSecretRequestById({ id: secretRequestId }),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TGetSecretRequestByIdResponse>(
+        `/api/v1/secret-sharing/requests/${secretRequestId}`
+      );
+
+      return data.secretRequest;
+    }
+  });
+};

frontend/src/hooks/api/secretSharing/types.ts

@@ -6,13 +6,21 @@ export type TSharedSecret = {
   updatedAt: Date;
   name: string | null;
   lastViewedAt?: Date;
+  accessType: SecretSharingAccessType;
   expiresAt: Date;
   expiresAfterViews: number | null;
   encryptedValue: string;
+  encryptedSecret: string;
   iv: string;
   tag: string;
 };
 
+export type TRevealedSecretRequest = {
+  secretRequest: {
+    secretValue: string;
+  } & TSharedSecret;
+};
+
 export type TCreatedSharedSecret = {
   id: string;
 };
@@ -26,6 +34,21 @@ export type TCreateSharedSecretRequest = {
   accessType?: SecretSharingAccessType;
 };
 
+export type TCreateSecretRequestRequestDTO = {
+  name?: string;
+  accessType?: SecretSharingAccessType;
+  expiresAt: Date;
+};
+
+export type TSetSecretRequestValueRequest = {
+  secretValue: string;
+  id: string;
+};
+
+export type TRevealSecretRequestValueRequest = {
+  id: string;
+};
+
 export type TViewSharedSecretResponse = {
   isPasswordProtected: boolean;
   secret: {
@@ -38,10 +61,27 @@ export type TViewSharedSecretResponse = {
   };
 };
 
-export type TDeleteSharedSecretRequest = {
+export type TGetSecretRequestByIdResponse = {
+  secretRequest: {
+    isSecretValueSet: boolean;
+    accessType: SecretSharingAccessType;
+    requester: {
+      organizationName: string;
+      username: string;
+      firstName?: string;
+      lastName?: string;
+    };
+  };
+};
+
+export type TDeleteSharedSecretRequestDTO = {
   sharedSecretId: string;
 };
 
+export type TDeleteSecretRequestDTO = {
+  secretRequestId: string;
+};
+
 export enum SecretSharingAccessType {
   Anyone = "anyone",
   Organization = "organization"

frontend/src/hooks/utils/secrets-overview.tsx

@@ -2,13 +2,22 @@ import { useCallback, useMemo } from "react";
 
 import { DashboardProjectSecretsOverview } from "@app/hooks/api/dashboard/types";
 
+type FolderNameAndDescription = {
+  name: string;
+  description?: string;
+};
+
 export const useFolderOverview = (folders: DashboardProjectSecretsOverview["folders"]) => {
-  const folderNames = useMemo(() => {
-    const names = new Set<string>();
+  const folderNamesAndDescriptions = useMemo(() => {
+    const namesAndDescriptions = new Map<string, FolderNameAndDescription>();
+  
     folders?.forEach((folder) => {
-      names.add(folder.name);
+      if (!namesAndDescriptions.has(folder.name)) {
+        namesAndDescriptions.set(folder.name, { name: folder.name, description: folder.description });
+      }
     });
-    return [...names];
+  
+    return Array.from(namesAndDescriptions.values());
   }, [folders]);
 
   const isFolderPresentInEnv = useCallback(
@@ -31,7 +40,7 @@ export const useFolderOverview = (folders: DashboardProjectSecretsOverview["fold
     [folders]
   );
 
-  return { folderNames, isFolderPresentInEnv, getFolderByNameAndEnv };
+  return { folderNamesAndDescriptions, isFolderPresentInEnv, getFolderByNameAndEnv };
 };
 
 export const useDynamicSecretOverview = (

frontend/src/pages/organization/SecretSharingPage/SecretSharingPage.tsx

@@ -5,7 +5,7 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { PageHeader } from "@app/components/v2";
 
-import { ShareSecretSection } from "./components";
+import { ShareSecretSection } from "./ShareSecretSection";
 
 export const SecretSharingPage = () => {
   const { t } = useTranslation();

frontend/src/pages/organization/SecretSharingPage/ShareSecretSection.tsx

@@ -0,0 +1,56 @@
+import { Helmet } from "react-helmet";
+import { useNavigate, useSearch } from "@tanstack/react-router";
+
+import { Badge, Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
+import { ROUTE_PATHS } from "@app/const/routes";
+
+import { RequestSecretTab } from "./components/RequestSecret/RequestSecretTab";
+import { ShareSecretTab } from "./components/ShareSecret/ShareSecretTab";
+
+enum SecretSharingPageTabs {
+  ShareSecret = "share-secret",
+  RequestSecret = "request-secret"
+}
+
+export const ShareSecretSection = () => {
+  const navigate = useNavigate();
+
+  const { selectedTab } = useSearch({
+    from: ROUTE_PATHS.Organization.SecretSharing.id
+  });
+
+  const updateSelectedTab = (tab: string) => {
+    navigate({
+      to: ROUTE_PATHS.Organization.SecretSharing.path,
+      search: (prev) => ({ ...prev, selectedTab: tab as SecretSharingPageTabs })
+    });
+  };
+
+  return (
+    <div>
+      <Helmet>
+        <title>Secret Sharing</title>
+        <link rel="icon" href="/infisical.ico" />
+        <meta property="og:image" content="/images/message.png" />
+      </Helmet>
+
+      <Tabs value={selectedTab} onValueChange={updateSelectedTab}>
+        <TabList>
+          <Tab value={SecretSharingPageTabs.ShareSecret}>Share Secrets</Tab>
+          <Tab value={SecretSharingPageTabs.RequestSecret}>
+            Request Secrets
+            <Badge variant="primary" className="ml-1 cursor-pointer text-xs">
+              New
+            </Badge>
+          </Tab>
+        </TabList>
+        <TabPanel value={SecretSharingPageTabs.ShareSecret}>
+          <ShareSecretTab />
+        </TabPanel>
+        <TabPanel value={SecretSharingPageTabs.RequestSecret}>
+          <RequestSecretTab />
+        </TabPanel>
+      </Tabs>
+    </div>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/RequestSecret/AddSecretRequestModal.tsx

@@ -0,0 +1,30 @@
+import { Modal, ModalContent } from "@app/components/v2";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+import { RequestSecretForm } from "./RequestSecretForm";
+
+type Props = {
+  popUp: UsePopUpState<["createSecretRequest"]>;
+  handlePopUpToggle: (
+    popUpName: keyof UsePopUpState<["createSecretRequest"]>,
+    state?: boolean
+  ) => void;
+};
+
+export const AddSecretRequestModal = ({ popUp, handlePopUpToggle }: Props) => {
+  return (
+    <Modal
+      isOpen={popUp?.createSecretRequest?.isOpen}
+      onOpenChange={(isOpen) => {
+        handlePopUpToggle("createSecretRequest", isOpen);
+      }}
+    >
+      <ModalContent
+        title="Request a Secret"
+        subTitle="Securely request one off secrets from your team or people outside your organization."
+      >
+        <RequestSecretForm />
+      </ModalContent>
+    </Modal>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/RequestSecret/RequestSecretForm.tsx

@@ -0,0 +1,187 @@
+import { useState } from "react";
+import { Controller, useForm } from "react-hook-form";
+import { faCheck, faCopy, faRedo } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, IconButton, Input, Select, SelectItem } from "@app/components/v2";
+import { useTimedReset } from "@app/hooks";
+import { SecretSharingAccessType, useCreateSecretRequest } from "@app/hooks/api/secretSharing";
+
+const schema = z.object({
+  name: z.string().optional(),
+  accessType: z
+    .nativeEnum(SecretSharingAccessType)
+    .default(SecretSharingAccessType.Anyone)
+    .optional(),
+  expiresIn: z.string()
+});
+
+const expiresInOptions = [
+  { label: "5 min", value: 5 * 60 * 1000 },
+  { label: "30 min", value: 30 * 60 * 1000 },
+  { label: "1 hour", value: 60 * 60 * 1000 },
+  { label: "1 day", value: 24 * 60 * 60 * 1000 },
+  { label: "7 days", value: 7 * 24 * 60 * 60 * 1000 },
+  { label: "14 days", value: 14 * 24 * 60 * 60 * 1000 },
+  { label: "30 days", value: 30 * 24 * 60 * 60 * 1000 }
+];
+
+export type FormData = z.infer<typeof schema>;
+
+export const RequestSecretForm = () => {
+  const [secretLink, setSecretLink] = useState("");
+  const [, isCopyingSecret, setCopyTextSecret] = useTimedReset<string>({
+    initialState: "Copy to clipboard"
+  });
+
+  const { mutateAsync: createSecretRequest } = useCreateSecretRequest();
+
+  const {
+    control,
+    reset,
+    handleSubmit,
+    formState: { isSubmitting }
+  } = useForm<FormData>({
+    resolver: zodResolver(schema)
+  });
+
+  const onFormSubmit = async ({ name, accessType, expiresIn }: FormData) => {
+    const expiresAt = new Date(new Date().getTime() + Number(expiresIn));
+
+    try {
+      const { id } = await createSecretRequest({
+        name,
+        accessType,
+        expiresAt
+      });
+
+      const link = `${window.location.origin}/secret-request/secret/${id}`;
+
+      setSecretLink(link);
+      reset();
+
+      navigator.clipboard.writeText(link);
+      setCopyTextSecret("secret");
+
+      createNotification({
+        text: "Shared secret link copied to clipboard.",
+        type: "success"
+      });
+    } catch (error) {
+      console.error(error);
+      createNotification({
+        text: "Failed to create a shared secret.",
+        type: "error"
+      });
+    }
+  };
+
+  const hasSecretLink = Boolean(secretLink);
+
+  return !hasSecretLink ? (
+    <form onSubmit={handleSubmit(onFormSubmit)}>
+      <Controller
+        control={control}
+        name="name"
+        render={({ field, fieldState: { error } }) => (
+          <FormControl label="Name (Optional)" isError={Boolean(error)} errorText={error?.message}>
+            <Input {...field} placeholder="API Key" type="text" />
+          </FormControl>
+        )}
+      />
+
+      <Controller
+        control={control}
+        name="expiresIn"
+        defaultValue="3600000"
+        render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+          <FormControl
+            label="Expires In"
+            errorText={error?.message}
+            tooltipText="Select for how long someone is able to input the secret. If a secret is shared with you in time, it will remain available to you, even after the expiration."
+            isError={Boolean(error)}
+          >
+            <Select
+              defaultValue={field.value}
+              {...field}
+              onValueChange={(e) => onChange(e)}
+              className="w-full"
+            >
+              {expiresInOptions.map(({ label, value: expiresInValue }) => (
+                <SelectItem value={String(expiresInValue || "")} key={label}>
+                  {label}
+                </SelectItem>
+              ))}
+            </Select>
+          </FormControl>
+        )}
+      />
+
+      <Controller
+        control={control}
+        name="accessType"
+        defaultValue={SecretSharingAccessType.Organization}
+        render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+          <FormControl
+            tooltipText="Select who is able to input the secret"
+            label="General Access"
+            errorText={error?.message}
+            isError={Boolean(error)}
+          >
+            <Select
+              defaultValue={field.value}
+              {...field}
+              onValueChange={(e) => onChange(e)}
+              className="w-full"
+            >
+              <SelectItem value={SecretSharingAccessType.Anyone}>Anyone</SelectItem>
+              <SelectItem value={SecretSharingAccessType.Organization}>
+                People within your organization
+              </SelectItem>
+            </Select>
+          </FormControl>
+        )}
+      />
+
+      <Button
+        className="mt-4"
+        size="sm"
+        type="submit"
+        isLoading={isSubmitting}
+        isDisabled={isSubmitting}
+      >
+        Create Request Link
+      </Button>
+    </form>
+  ) : (
+    <>
+      <div className="mr-2 flex items-center justify-end rounded-md bg-white/[0.05] p-2 text-base text-gray-400">
+        <p className="mr-4 break-all">{secretLink}</p>
+        <IconButton
+          ariaLabel="copy icon"
+          colorSchema="secondary"
+          className="group relative ml-2"
+          onClick={() => {
+            navigator.clipboard.writeText(secretLink);
+            setCopyTextSecret("Copied");
+          }}
+        >
+          <FontAwesomeIcon icon={isCopyingSecret ? faCheck : faCopy} />
+        </IconButton>
+      </div>
+      <Button
+        className="mt-4 w-full bg-mineshaft-700 py-3 text-bunker-200"
+        colorSchema="primary"
+        variant="outline_bg"
+        size="sm"
+        onClick={() => setSecretLink("")}
+        rightIcon={<FontAwesomeIcon icon={faRedo} className="pl-2" />}
+      >
+        Request Another Secret
+      </Button>
+    </>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/RequestSecret/RequestSecretTab.tsx

@@ -0,0 +1,77 @@
+import { faPlus } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, DeleteActionModal } from "@app/components/v2";
+import { useDeleteSecretRequest } from "@app/hooks/api";
+import { usePopUp } from "@app/hooks/usePopUp";
+
+import { AddSecretRequestModal } from "./AddSecretRequestModal";
+import { RequestedSecretsTable } from "./RequestedSecretsTable";
+import { RevealSecretValueModal } from "./RevealSecretValueModal";
+
+type DeleteModalData = { name: string; id: string };
+
+export const RequestSecretTab = () => {
+  const { popUp, handlePopUpToggle, handlePopUpClose, handlePopUpOpen } = usePopUp([
+    "createSecretRequest",
+    "deleteSecretRequestConfirmation",
+    "revealSecretRequestValue"
+  ] as const);
+
+  const { mutateAsync: deleteSecretRequest } = useDeleteSecretRequest();
+
+  const onDeleteApproved = async () => {
+    try {
+      await deleteSecretRequest({
+        secretRequestId: popUp.deleteSecretRequestConfirmation.data?.id
+      });
+      createNotification({
+        text: "Successfully deleted secret request",
+        type: "success"
+      });
+
+      handlePopUpClose("deleteSecretRequestConfirmation");
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to delete shared secret",
+        type: "error"
+      });
+    }
+  };
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="mb-4 flex justify-between">
+        <p className="text-xl font-semibold text-mineshaft-100">Secret Requests</p>
+        <Button
+          colorSchema="primary"
+          leftIcon={<FontAwesomeIcon icon={faPlus} />}
+          onClick={() => {
+            handlePopUpOpen("createSecretRequest");
+          }}
+        >
+          Request Secret
+        </Button>
+      </div>
+      <RequestedSecretsTable handlePopUpOpen={handlePopUpOpen} />
+      <AddSecretRequestModal popUp={popUp} handlePopUpToggle={handlePopUpToggle} />
+      <RevealSecretValueModal
+        isOpen={popUp.revealSecretRequestValue.isOpen}
+        popUp={popUp}
+        onOpenChange={(isOpen) => handlePopUpToggle("revealSecretRequestValue", isOpen)}
+      />
+      <DeleteActionModal
+        isOpen={popUp.deleteSecretRequestConfirmation.isOpen}
+        title={`Delete ${
+          (popUp?.deleteSecretRequestConfirmation?.data as DeleteModalData)?.name || " "
+        } secret request?`}
+        onChange={(isOpen) => handlePopUpToggle("deleteSecretRequestConfirmation", isOpen)}
+        deleteKey={(popUp?.deleteSecretRequestConfirmation?.data as DeleteModalData)?.name}
+        onClose={() => handlePopUpClose("deleteSecretRequestConfirmation")}
+        onDeleteApproved={onDeleteApproved}
+      />
+    </div>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/RequestSecret/RequestedSecretsRow.tsx

@@ -0,0 +1,138 @@
+import { faCopy, faEye, faSpinner, faTrash } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { format } from "date-fns";
+
+import { createNotification } from "@app/components/notifications";
+import { Badge, IconButton, Td, Tooltip, Tr } from "@app/components/v2";
+import {
+  SecretSharingAccessType,
+  TSharedSecret,
+  useRevealSecretRequestValue
+} from "@app/hooks/api/secretSharing";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+export const RequestedSecretsRow = ({
+  row,
+  handlePopUpOpen
+}: {
+  row: TSharedSecret;
+  handlePopUpOpen: (
+    popUpName: keyof UsePopUpState<["deleteSecretRequestConfirmation", "revealSecretRequestValue"]>,
+    data: unknown
+  ) => void;
+}) => {
+  const { mutateAsync: revealSecretValue, isPending } = useRevealSecretRequestValue();
+
+  let isExpired = false;
+  if (row.expiresAt !== null && new Date(row.expiresAt) < new Date()) {
+    isExpired = true;
+  }
+
+  return (
+    <Tr key={row.id}>
+      <Td>{row.name ? `${row.name}` : "-"}</Td>
+      <Td>
+        {isExpired && !row.encryptedSecret ? (
+          <Badge variant="danger">Expired</Badge>
+        ) : (
+          <Badge variant={row.encryptedSecret ? "success" : "primary"}>
+            {row.encryptedSecret ? "Secret Provided" : "Pending Secret"}
+          </Badge>
+        )}
+      </Td>
+      <Td>
+        <Badge variant="primary">
+          <Tooltip
+            content={
+              row.accessType === SecretSharingAccessType.Anyone
+                ? "Anyone can input the secret."
+                : "Only members of the organization can input the secret."
+            }
+          >
+            <div>
+              {row.accessType === SecretSharingAccessType.Anyone
+                ? "Anyone"
+                : "Organization Members"}
+            </div>
+          </Tooltip>
+        </Badge>
+      </Td>
+      <Td>{`${format(new Date(row.createdAt), "yyyy-MM-dd - HH:mm a")}`}</Td>
+      <Td>{row.expiresAt ? format(new Date(row.expiresAt), "yyyy-MM-dd - HH:mm a") : "-"}</Td>
+      <Td>
+        <div className="flex items-center gap-2">
+          <Tooltip
+            content={
+              row.encryptedSecret
+                ? "Reveal secret"
+                : "Secret value must be provided before it can be viewed."
+            }
+          >
+            <IconButton
+              isDisabled={!row.encryptedSecret}
+              className={row.encryptedSecret ? "" : "opacity-50"}
+              onClick={async (e) => {
+                e.stopPropagation();
+
+                const secretRequest = await revealSecretValue({
+                  id: row.id
+                });
+
+                handlePopUpOpen("revealSecretRequestValue", {
+                  secretValue: secretRequest.secretValue,
+                  secretRequestName: secretRequest.name
+                });
+              }}
+              variant="plain"
+              ariaLabel="reveal"
+            >
+              <FontAwesomeIcon
+                className={isPending ? "animate-spin" : ""}
+                icon={!isPending ? faEye : faSpinner}
+              />
+            </IconButton>
+          </Tooltip>
+
+          <Tooltip content="Copy link">
+            <IconButton
+              isDisabled={Boolean(row.encryptedSecret) || isExpired}
+              className={Boolean(row.encryptedSecret) || isExpired ? "opacity-50" : ""}
+              onClick={async (e) => {
+                e.stopPropagation();
+
+                navigator.clipboard.writeText(
+                  `${window.location.origin}/secret-request/secret/${row.id}`
+                );
+
+                createNotification({
+                  text: "Shared secret link copied to clipboard.",
+                  type: "success"
+                });
+              }}
+              variant="plain"
+              ariaLabel="copy link"
+            >
+              <FontAwesomeIcon icon={faCopy} />
+            </IconButton>
+          </Tooltip>
+
+          <Tooltip content="Delete">
+            <IconButton
+              onClick={(e) => {
+                e.stopPropagation();
+                handlePopUpOpen("deleteSecretRequestConfirmation", {
+                  name: "delete",
+                  id: row.id
+                });
+              }}
+              variant="plain"
+              ariaLabel="delete"
+            >
+              <FontAwesomeIcon icon={faTrash} />
+            </IconButton>
+          </Tooltip>
+        </div>
+      </Td>
+    </Tr>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/RequestSecret/RequestedSecretsTable.tsx

@@ -0,0 +1,72 @@
+import { useState } from "react";
+import { faKey } from "@fortawesome/free-solid-svg-icons";
+
+import {
+  EmptyState,
+  Pagination,
+  Table,
+  TableContainer,
+  TableSkeleton,
+  TBody,
+  Th,
+  THead,
+  Tr
+} from "@app/components/v2";
+import { useGetSecretRequests } from "@app/hooks/api/secretSharing";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+import { RequestedSecretsRow } from "./RequestedSecretsRow";
+
+type Props = {
+  handlePopUpOpen: (
+    popUpName: keyof UsePopUpState<["deleteSecretRequestConfirmation", "revealSecretRequestValue"]>,
+    data: unknown
+  ) => void;
+};
+
+export const RequestedSecretsTable = ({ handlePopUpOpen }: Props) => {
+  const [page, setPage] = useState(1);
+  const [perPage, setPerPage] = useState(10);
+  const { isPending, data } = useGetSecretRequests({
+    offset: (page - 1) * perPage,
+    limit: perPage
+  });
+  return (
+    <TableContainer>
+      <Table>
+        <THead>
+          <Tr>
+            <Th>Name</Th>
+            <Th>Status</Th>
+            <Th>Access Type</Th>
+            <Th>Created At</Th>
+            <Th>Valid Until</Th>
+            <Th aria-label="button" className="w-5" />
+          </Tr>
+        </THead>
+        <TBody>
+          {isPending && <TableSkeleton columns={7} innerKey="shared-secrets" />}
+          {!isPending &&
+            data?.secrets?.map((row) => (
+              <RequestedSecretsRow key={row.id} row={row} handlePopUpOpen={handlePopUpOpen} />
+            ))}
+        </TBody>
+      </Table>
+      {!isPending &&
+        data?.secrets &&
+        data?.totalCount >= perPage &&
+        data?.totalCount !== undefined && (
+          <Pagination
+            count={data.totalCount}
+            page={page}
+            perPage={perPage}
+            onChangePage={(newPage) => setPage(newPage)}
+            onChangePerPage={(newPerPage) => setPerPage(newPerPage)}
+          />
+        )}
+      {!isPending && !data?.secrets?.length && (
+        <EmptyState title="No secrets requested yet" icon={faKey} />
+      )}
+    </TableContainer>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/RequestSecret/RevealSecretValueModal.tsx

@@ -0,0 +1,73 @@
+import { faCheck, faCopy } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { Button, IconButton, Modal, ModalClose, ModalContent, Tooltip } from "@app/components/v2";
+import { useToggle } from "@app/hooks";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+type Props = {
+  isOpen: boolean;
+  onOpenChange?: (isOpen: boolean) => void;
+  popUp: UsePopUpState<["revealSecretRequestValue"]>;
+};
+
+type ContentProps = {
+  secretValue: string;
+  secretRequestName?: string;
+};
+
+const Content = ({ secretValue, secretRequestName }: ContentProps) => {
+  const [isSecretValueCopied, setIsSecretValueCopied] = useToggle(false);
+
+  return (
+    <>
+      {secretRequestName && (
+        <p className="mb-8 text-sm text-mineshaft-200">
+          Shared secret value for <strong>{secretRequestName}</strong>
+        </p>
+      )}
+
+      <div className="mb-8 flex items-center justify-between rounded-md bg-mineshaft-700 p-2 text-base text-gray-400">
+        <p className="mr-4 break-all">{secretValue}</p>
+        <Tooltip content="Click to copy">
+          <IconButton
+            ariaLabel="copy icon"
+            colorSchema="secondary"
+            className="group relative"
+            onClick={() => {
+              navigator.clipboard.writeText(secretValue);
+              setIsSecretValueCopied.on();
+            }}
+          >
+            <FontAwesomeIcon icon={isSecretValueCopied ? faCheck : faCopy} />
+          </IconButton>
+        </Tooltip>
+      </div>
+
+      <div className="mt-8 flex w-full items-center justify-between gap-2">
+        <ModalClose asChild>
+          <Button colorSchema="secondary">Close</Button>
+        </ModalClose>
+      </div>
+    </>
+  );
+};
+
+export const RevealSecretValueModal = ({ isOpen, onOpenChange, popUp }: Props) => {
+  const data = popUp.revealSecretRequestValue.data as {
+    secretValue: string;
+    secretRequestName?: string;
+  };
+
+  const title = data?.secretRequestName
+    ? `Shared secret value for secret request ${data.secretRequestName}`
+    : "Shared secret value";
+
+  return (
+    <Modal isOpen={isOpen} onOpenChange={onOpenChange}>
+      <ModalContent title={title}>
+        <Content secretRequestName={data?.secretRequestName} secretValue={data?.secretValue} />
+      </ModalContent>
+    </Modal>
+  );
+};

frontend/src/pages/organization/SecretSharingPage/components/ShareSecret/ShareSecretTab.tsx

@@ -1,27 +1,27 @@
-import { Helmet } from "react-helmet";
 import { faPlus } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { createNotification } from "@app/components/notifications";
 import { Button, DeleteActionModal } from "@app/components/v2";
-import { usePopUp } from "@app/hooks";
-import { useDeleteSharedSecret } from "@app/hooks/api/secretSharing";
+import { useDeleteSharedSecret } from "@app/hooks/api";
+import { usePopUp } from "@app/hooks/usePopUp";
 
 import { AddShareSecretModal } from "./AddShareSecretModal";
 import { ShareSecretsTable } from "./ShareSecretsTable";
 
 type DeleteModalData = { name: string; id: string };
 
-export const ShareSecretSection = () => {
-  const deleteSharedSecret = useDeleteSharedSecret();
+export const ShareSecretTab = () => {
   const { popUp, handlePopUpToggle, handlePopUpClose, handlePopUpOpen } = usePopUp([
     "createSharedSecret",
     "deleteSharedSecretConfirmation"
   ] as const);
 
+  const deleteSecretShare = useDeleteSharedSecret();
+
   const onDeleteApproved = async () => {
     try {
-      deleteSharedSecret.mutateAsync({
+      deleteSecretShare.mutateAsync({
         sharedSecretId: (popUp?.deleteSharedSecretConfirmation?.data as DeleteModalData)?.id
       });
       createNotification({
@@ -41,11 +41,6 @@ export const ShareSecretSection = () => {
 
   return (
     <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
-      <Helmet>
-        <title>Secret Sharing</title>
-        <link rel="icon" href="/infisical.ico" />
-        <meta property="og:image" content="/images/message.png" />
-      </Helmet>
       <div className="mb-4 flex justify-between">
         <p className="text-xl font-semibold text-mineshaft-100">Shared Secrets</p>
         <Button

frontend/src/pages/organization/SecretSharingPage/components/index.tsx

@@ -1 +0,0 @@
-export { ShareSecretSection } from "./ShareSecretSection";

frontend/src/pages/organization/SecretSharingPage/route.tsx

@@ -1,13 +1,24 @@
 import { faHome } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { createFileRoute, linkOptions } from "@tanstack/react-router";
+import { createFileRoute, linkOptions, stripSearchParams } from "@tanstack/react-router";
+import { zodValidator } from "@tanstack/zod-adapter";
+import { z } from "zod";
 
 import { SecretSharingPage } from "./SecretSharingPage";
 
+const SecretSharingQueryParams = z.object({
+  selectedTab: z.string().catch("").default("share-secret")
+});
+
 export const Route = createFileRoute(
   "/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing"
 )({
   component: SecretSharingPage,
+
+  validateSearch: zodValidator(SecretSharingQueryParams),
+  search: {
+    middlewares: [stripSearchParams({ selectedTab: "" })]
+  },
   context: () => ({
     breadcrumbs: [
       {
@@ -16,7 +27,7 @@ export const Route = createFileRoute(
         link: linkOptions({ to: "/" })
       },
       {
-        label: "secret sharing"
+        label: "Secret Sharing"
       }
     ]
   })

frontend/src/pages/public/ViewSecretRequestByIDPage/ViewSecretRequestByIDPage.tsx

@@ -0,0 +1,184 @@
+import { useEffect, useState } from "react";
+import { Helmet } from "react-helmet";
+import { faArrowRight } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { useNavigate, useParams } from "@tanstack/react-router";
+import { AxiosError } from "axios";
+import { addSeconds, formatISO } from "date-fns";
+
+import { createNotification } from "@app/components/notifications";
+import { SessionStorageKeys } from "@app/const";
+import { ROUTE_PATHS } from "@app/const/routes";
+import { useGetSecretRequestById } from "@app/hooks/api/secretSharing";
+
+import { SecretRequestErrorContainer } from "./components/SecretErrorContainer";
+import { SecretRequestContainer } from "./components/SecretRequestContainer";
+import { SecretRequestSuccessContainer } from "./components/SecretRequestSuccessContainer";
+import { SecretValueAlreadySharedContainer } from "./components/SecretValueAlreadySharedContainer";
+
+export const ViewSecretRequestByIDPage = () => {
+  const id = useParams({
+    from: ROUTE_PATHS.Public.ViewSecretRequestByIDPage.id,
+    select: (el) => el.secretRequestId
+  });
+
+  const [step, setStep] = useState<"set-value" | "success">("set-value");
+
+  const {
+    data: secretRequest,
+    error,
+    isPending
+  } = useGetSecretRequestById({
+    secretRequestId: id
+  });
+
+  const navigate = useNavigate();
+
+  const statusCode = ((error as AxiosError)?.response?.data as { statusCode: number })?.statusCode;
+  const message = ((error as AxiosError)?.response?.data as { message: string })?.message;
+
+  const isUnauthorized = statusCode === 401;
+  const isForbidden = statusCode === 403;
+  const isInvalidCredential = message === "Invalid credentials";
+
+  useEffect(() => {
+    if (isUnauthorized && !isInvalidCredential) {
+      // persist current URL in session storage so that we can come back to this after successful login
+      sessionStorage.setItem(
+        SessionStorageKeys.ORG_LOGIN_SUCCESS_REDIRECT_URL,
+        JSON.stringify({
+          expiry: formatISO(addSeconds(new Date(), 60)),
+          data: window.location.href
+        })
+      );
+
+      createNotification({
+        type: "info",
+        text: "Login is required in order to access the shared secret."
+      });
+
+      navigate({
+        to: "/login"
+      });
+    }
+
+    if (isForbidden) {
+      createNotification({
+        type: "error",
+        text: "You do not have access to this shared secret."
+      });
+    }
+  }, [error]);
+
+  return (
+    <>
+      <Helmet>
+        <title>Securely Share Secrets | Infisical</title>
+        <link rel="icon" href="/infisical.ico" />
+        <meta property="og:image" content="/images/message.png" />
+        <meta property="og:title" content="" />
+        <meta name="og:description" content="" />
+      </Helmet>
+      <div className="flex h-screen flex-col justify-between overflow-auto bg-gradient-to-tr from-mineshaft-700 to-bunker-800 text-gray-200 dark:[color-scheme:dark]">
+        <div />
+        <div className="mx-auto w-full max-w-xl px-4 py-4 md:px-0">
+          <div className="mb-8 text-center">
+            <div className="mb-4 flex justify-center pt-8">
+              <a target="_blank" rel="noopener noreferrer" href="https://infisical.com">
+                <img
+                  src="/images/gradientLogo.svg"
+                  height={90}
+                  width={120}
+                  alt="Infisical logo"
+                  className="cursor-pointer"
+                />
+              </a>
+            </div>
+            <h1 className="bg-gradient-to-b from-white to-bunker-200 bg-clip-text text-center text-4xl font-medium text-transparent">
+              {step === "set-value" ? "Secret Request" : "Secret request shared"}
+            </h1>
+            <p className="text-sm text-mineshaft-300">
+              Secret requested by {secretRequest?.requester.username} from the{" "}
+              {secretRequest?.requester.organizationName} organization
+            </p>
+            <p className="text-md mt-2">
+              Powered by{" "}
+              <a
+                href="https://github.com/infisical/infisical"
+                target="_blank"
+                rel="noopener noreferrer"
+                className="text-bold bg-gradient-to-tr from-yellow-500 to-primary-500 bg-clip-text text-transparent"
+              >
+                Infisical &rarr;
+              </a>
+            </p>
+          </div>
+          {!isPending && (
+            <>
+              {!error &&
+                secretRequest &&
+                step === "set-value" &&
+                !secretRequest.isSecretValueSet && (
+                  <SecretRequestContainer
+                    onSuccess={() => setStep("success")}
+                    secretRequestId={id}
+                  />
+                )}
+              {secretRequest?.isSecretValueSet && <SecretValueAlreadySharedContainer />}
+              {error && !isInvalidCredential && !isUnauthorized && <SecretRequestErrorContainer />}
+              {step === "success" && (
+                <SecretRequestSuccessContainer
+                  requesterUsername={secretRequest!.requester.username}
+                />
+              )}
+            </>
+          )}
+          <div className="m-auto my-8 flex w-full">
+            <div className="w-full border-t border-mineshaft-600" />
+          </div>
+          <div className="m-auto flex w-full flex-col rounded-md border border-primary-500/30 bg-primary/5 p-6 pt-5">
+            <p className="w-full pb-2 text-lg font-semibold text-mineshaft-100 md:pb-3 md:text-xl">
+              Open source{" "}
+              <span className="bg-gradient-to-tr from-yellow-500 to-primary-500 bg-clip-text text-transparent">
+                secret management
+              </span>{" "}
+              for developers
+            </p>
+            <div className="flex flex-col items-start sm:flex-row sm:items-center">
+              <p className="md:text-md text-md mr-4">
+                <a
+                  href="https://github.com/infisical/infisical"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="text-bold bg-gradient-to-tr from-yellow-500 to-primary-500 bg-clip-text text-transparent"
+                >
+                  Infisical
+                </a>{" "}
+                is the all-in-one secret management platform to securely manage secrets, configs,
+                and certificates across your team and infrastructure.
+              </p>
+              <div className="mt-4 cursor-pointer sm:mt-0">
+                <a target="_blank" rel="noopener noreferrer" href="https://infisical.com">
+                  <div className="flex items-center justify-between rounded-md border border-mineshaft-400/40 bg-mineshaft-600 px-3 py-2 duration-200 hover:border-primary/60 hover:bg-primary/20 hover:text-white">
+                    <p className="mr-4 whitespace-nowrap">Try Infisical</p>
+                    <FontAwesomeIcon icon={faArrowRight} />
+                  </div>
+                </a>
+              </div>
+            </div>
+          </div>
+        </div>
+        <div className="w-full bg-mineshaft-600 p-2">
+          <p className="text-center text-sm text-mineshaft-300">
+            Made with ❤️ by{" "}
+            <a className="text-primary" href="https://infisical.com">
+              Infisical
+            </a>
+            <br />
+            156 2nd st, 3rd Floor, San Francisco, California, 94105, United States. 🇺🇸
+          </p>
+        </div>
+      </div>
+    </>
+  );
+};

frontend/src/pages/public/ViewSecretRequestByIDPage/components/SecretErrorContainer.tsx

@@ -0,0 +1,13 @@
+import { faKey } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+export const SecretRequestErrorContainer = () => {
+  return (
+    <div className="rounded-lg border border-mineshaft-600 bg-mineshaft-800 p-8">
+      <div className="text-center">
+        <FontAwesomeIcon icon={faKey} size="2x" />
+        <p className="mt-4">The secret request you are looking for is missing or has expired.</p>
+      </div>
+    </div>
+  );
+};

frontend/src/pages/public/ViewSecretRequestByIDPage/components/SecretRequestContainer.tsx

@@ -0,0 +1,80 @@
+import { Controller, FormProvider, useForm } from "react-hook-form";
+import { faArrowRight } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import { Button, FormControl, TextArea } from "@app/components/v2";
+import { useSetSecretRequestValue } from "@app/hooks/api";
+
+const formSchema = z.object({
+  secretValue: z.string().min(1)
+});
+
+type FormData = z.infer<typeof formSchema>;
+
+type Props = {
+  onSuccess: () => void;
+  secretRequestId: string;
+};
+
+export const SecretRequestContainer = ({ onSuccess, secretRequestId }: Props) => {
+  const form = useForm<FormData>({
+    resolver: zodResolver(formSchema)
+  });
+
+  const { mutateAsync: setSecretValue, isPending } = useSetSecretRequestValue();
+
+  const onSubmit = async (data: FormData) => {
+    await setSecretValue({
+      id: secretRequestId,
+      secretValue: data.secretValue
+    });
+
+    createNotification({
+      title: "Secret request value shared",
+      text: "The secret request value has been shared",
+      type: "success"
+    });
+
+    onSuccess();
+  };
+
+  return (
+    <FormProvider {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)}>
+        <div className="rounded-lg border border-mineshaft-600 bg-mineshaft-800 p-4">
+          <div className="flex items-center justify-between rounded-md bg-white/[0.05] p-2 text-base text-gray-400">
+            <div className="w-full">
+              <Controller
+                control={form.control}
+                name="secretValue"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error)}
+                    errorText={error?.message}
+                    isRequired
+                    label="Secret Value"
+                  >
+                    <TextArea {...field} rows={10} reSize="none" />
+                  </FormControl>
+                )}
+              />
+              <Button
+                isLoading={isPending}
+                isDisabled={isPending}
+                colorSchema="secondary"
+                className="w-full"
+                type="submit"
+              >
+                Share Secret
+                <FontAwesomeIcon className="ml-2" icon={faArrowRight} />
+              </Button>
+            </div>
+          </div>
+        </div>
+      </form>
+    </FormProvider>
+  );
+};

frontend/src/pages/public/ViewSecretRequestByIDPage/components/SecretRequestSuccessContainer.tsx

@@ -0,0 +1,23 @@
+import { faCheck } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+type Props = {
+  requesterUsername: string;
+};
+
+export const SecretRequestSuccessContainer = ({ requesterUsername }: Props) => {
+  return (
+    <div className="rounded-lg border border-mineshaft-600 bg-mineshaft-800 p-8">
+      <div className="text-center">
+        <div className="mx-auto w-min rounded-md border border-mineshaft-800 bg-mineshaft-600 p-3">
+          <FontAwesomeIcon icon={faCheck} size="2x" className="text-primary-500" />
+        </div>
+        <p className="text-md mt-2 font-semibold">Secret Shared</p>
+        <p className="mt-2 text-sm text-mineshaft-300">
+          <strong>{requesterUsername}</strong> has now been notified of your shared secret, and will
+          be able to access it shortly.
+        </p>
+      </div>
+    </div>
+  );
+};

frontend/src/pages/public/ViewSecretRequestByIDPage/components/SecretValueAlreadySharedContainer.tsx

@@ -0,0 +1,18 @@
+import { faKey } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+export const SecretValueAlreadySharedContainer = () => {
+  return (
+    <div className="rounded-lg border border-mineshaft-600 bg-mineshaft-800 p-8">
+      <div className="text-center">
+        <div className="mx-auto w-min rounded-md border border-mineshaft-800 bg-mineshaft-600 p-3">
+          <FontAwesomeIcon icon={faKey} size="2x" className="text-primary-500" />
+        </div>
+        <p className="text-md mt-2 font-semibold">Secret Already Shared</p>
+        <p className="mt-2 text-sm text-mineshaft-300">
+          A secret value has already been shared for this secret request.
+        </p>
+      </div>
+    </div>
+  );
+};

frontend/src/pages/public/ViewSecretRequestByIDPage/route.tsx

@@ -0,0 +1,17 @@
+import { createFileRoute } from "@tanstack/react-router";
+
+import { authKeys, fetchAuthToken } from "@app/hooks/api/auth/queries";
+
+import { ViewSecretRequestByIDPage } from "./ViewSecretRequestByIDPage";
+
+export const Route = createFileRoute("/secret-request/secret/$secretRequestId")({
+  component: ViewSecretRequestByIDPage,
+  beforeLoad: async ({ context }) => {
+    await context.queryClient
+      .ensureQueryData({
+        queryKey: authKeys.getAuthToken,
+        queryFn: fetchAuthToken
+      })
+      .catch(() => undefined);
+  }
+});

frontend/src/pages/secret-manager/OverviewPage/OverviewPage.tsx

@@ -228,7 +228,7 @@ export const OverviewPage = () => {
     setPage
   });
 
-  const { folderNames, getFolderByNameAndEnv, isFolderPresentInEnv } = useFolderOverview(folders);
+  const { folderNamesAndDescriptions, getFolderByNameAndEnv, isFolderPresentInEnv } = useFolderOverview(folders);
 
   const { dynamicSecretNames, isDynamicSecretPresentInEnv } =
     useDynamicSecretOverview(dynamicSecrets);
@@ -251,14 +251,15 @@ export const OverviewPage = () => {
     "updateFolder"
   ] as const);
 
-  const handleFolderCreate = async (folderName: string) => {
+  const handleFolderCreate = async (folderName: string, description: string | null) => {    
     const promises = userAvailableEnvs.map((env) => {
       const environment = env.slug;
       return createFolder({
         name: folderName,
         path: secretPath,
         environment,
-        projectId: workspaceId
+        projectId: workspaceId,
+        description
       });
     });
 
@@ -279,7 +280,7 @@ export const OverviewPage = () => {
     }
   };
 
-  const handleFolderUpdate = async (newFolderName: string) => {
+  const handleFolderUpdate = async (newFolderName: string, description: string | null) => {
     const { name: oldFolderName } = popUp.updateFolder.data as TSecretFolder;
 
     const updatedFolders: TUpdateFolderBatchDTO["folders"] = [];
@@ -296,7 +297,8 @@ export const OverviewPage = () => {
             environment: env.slug,
             name: newFolderName,
             id: folder.id,
-            path: secretPath
+            path: secretPath,
+            description
           });
         }
       }
@@ -1027,7 +1029,7 @@ export const OverviewPage = () => {
                 )}
                 {!isOverviewLoading && visibleEnvs.length > 0 && (
                   <>
-                    {folderNames.map((folderName, index) => (
+                    {folderNamesAndDescriptions.map(({name: folderName, description}, index) => (
                       <SecretOverviewFolderRow
                         folderName={folderName}
                         isFolderPresentInEnv={isFolderPresentInEnv}
@@ -1039,7 +1041,7 @@ export const OverviewPage = () => {
                         key={`overview-${folderName}-${index + 1}`}
                         onClick={handleFolderClick}
                         onToggleFolderEdit={(name: string) =>
-                          handlePopUpOpen("updateFolder", { name })
+                          handlePopUpOpen("updateFolder", { name, description })
                         }
                       />
                     ))}
@@ -1159,7 +1161,9 @@ export const OverviewPage = () => {
           <FolderForm
             isEdit
             defaultFolderName={(popUp.updateFolder?.data as Pick<TSecretFolder, "name">)?.name}
+            defaultDescription={(popUp.updateFolder?.data as Pick<TSecretFolder, "description">)?.description}
             onUpdateFolder={handleFolderUpdate}
+            showDescriptionOverwriteWarning
           />
         </ModalContent>
       </Modal>

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/ActionBar.tsx

@@ -128,13 +128,14 @@ export const ActionBar = ({
 
   const { currentWorkspace } = useWorkspace();
 
-  const handleFolderCreate = async (folderName: string) => {
+  const handleFolderCreate = async (folderName: string, description: string | null) => {
     try {
       await createFolder({
         name: folderName,
         path: secretPath,
         environment,
-        projectId: workspaceId
+        projectId: workspaceId,
+        description
       });
       handlePopUpClose("addFolder");
       createNotification({

frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/FolderForm.tsx

@@ -1,16 +1,22 @@
+import { useRef } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
 
 import { Button, FormControl, Input, ModalClose } from "@app/components/v2";
+import { TextArea } from "@app/components/v2/TextArea/TextArea";
 
 type Props = {
-  onCreateFolder?: (folderName: string) => Promise<void>;
-  onUpdateFolder?: (folderName: string) => Promise<void>;
+  onCreateFolder?: (folderName: string, description: string | null) => Promise<void>;
+  onUpdateFolder?: (folderName: string, description: string | null) => Promise<void>;
   isEdit?: boolean;
   defaultFolderName?: string;
+  defaultDescription?: string;
+  showDescriptionOverwriteWarning?: boolean;
 };
 
+const descriptionOverwriteWarningMessage = "Warning: Any changes made here will overwrite any custom edits in individual environment folders."
+
 const formSchema = z.object({
   name: z
     .string()
@@ -18,15 +24,20 @@ const formSchema = z.object({
     .regex(
       /^[a-zA-Z0-9-_]+$/,
       "Folder name can only contain letters, numbers, dashes, and underscores"
-    )
+    ),
+  description: z
+  .string()
+  .optional()
 });
 type TFormData = z.infer<typeof formSchema>;
 
 export const FolderForm = ({
   isEdit,
   defaultFolderName,
+  defaultDescription,
   onCreateFolder,
-  onUpdateFolder
+  onUpdateFolder,
+  showDescriptionOverwriteWarning = false
 }: Props): JSX.Element => {
   const {
     control,
@@ -36,15 +47,32 @@ export const FolderForm = ({
   } = useForm<TFormData>({
     resolver: zodResolver(formSchema),
     defaultValues: {
-      name: defaultFolderName
+      name: defaultFolderName,
+      description: defaultDescription || ""
     }
   });
 
-  const onSubmit = async ({ name }: TFormData) => {
+  const descriptionRef = useRef<HTMLTextAreaElement>(null);
+
+  const handleInput = () => {
+    const textarea = descriptionRef.current;
+    if (textarea) {
+      const lines = textarea.value.split("\n");
+      const maxDescriptionLines = 10;
+  
+      if (lines.length > maxDescriptionLines) {
+        textarea.value = lines.slice(0, maxDescriptionLines).join("\n");
+      }
+    }
+  };
+
+  const onSubmit = async ({ name, description }: TFormData) => {
+    const descriptionShaped = description && description.trim() !== "" ? description : null;
+
     if (isEdit) {
-      await onUpdateFolder?.(name);
+      await onUpdateFolder?.(name, descriptionShaped);
     } else {
-      await onCreateFolder?.(name);
+      await onCreateFolder?.(name, descriptionShaped);
     }
     reset();
   };
@@ -61,6 +89,31 @@ export const FolderForm = ({
           </FormControl>
         )}
       />
+      <Controller
+          control={control}
+          name="description"
+          defaultValue=""
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              label="Folder Description"
+              isError={Boolean(error)}
+              tooltipText={showDescriptionOverwriteWarning ? descriptionOverwriteWarningMessage : undefined}
+              isOptional
+              errorText={error?.message}
+              className="flex-1"
+            >
+              <TextArea
+                placeholder="Folder description"
+                {...field}
+                rows={3}
+                ref={descriptionRef}
+                onInput={handleInput}
+                className="thin-scrollbar w-full !resize-none bg-mineshaft-900"
+                maxLength={255}
+              />
+            </FormControl>
+          )}
+        />
       <div className="mt-8 flex items-center">
         <Button className="mr-4" type="submit" isDisabled={isSubmitting} isLoading={isSubmitting}>
           {isEdit ? "Save" : "Create"}

frontend/src/pages/secret-manager/SecretDashboardPage/components/FolderListView/FolderListView.tsx

@@ -1,5 +1,5 @@
 import { subject } from "@casl/ability";
-import { faClose, faFolder, faPencilSquare } from "@fortawesome/free-solid-svg-icons";
+import { faClose, faFolder, faPencilSquare, faInfoCircle } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { useNavigate, useSearch } from "@tanstack/react-router";
 
@@ -11,6 +11,7 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
 import { usePopUp } from "@app/hooks";
 import { useDeleteFolder, useUpdateFolder } from "@app/hooks/api";
 import { TSecretFolder } from "@app/hooks/api/secretFolders/types";
+import { Tooltip } from "@app/components/v2/Tooltip/Tooltip";
 
 import { FolderForm } from "../ActionBar/FolderForm";
 
@@ -42,7 +43,7 @@ export const FolderListView = ({
   const { mutateAsync: updateFolder } = useUpdateFolder();
   const { mutateAsync: deleteFolder } = useDeleteFolder();
 
-  const handleFolderUpdate = async (newFolderName: string) => {
+  const handleFolderUpdate = async (newFolderName: string, newFolderDescription: string | null) => {
     try {
       const { id: folderId } = popUp.updateFolder.data as TSecretFolder;
       await updateFolder({
@@ -50,7 +51,8 @@ export const FolderListView = ({
         name: newFolderName,
         path: secretPath,
         environment,
-        projectId: workspaceId
+        projectId: workspaceId,
+        description: newFolderDescription
       });
       handlePopUpClose("updateFolder");
       createNotification({
@@ -98,7 +100,7 @@ export const FolderListView = ({
 
   return (
     <>
-      {folders.map(({ name, id }) => (
+      {folders.map(({ name, id, description }) => (
         <div
           key={id}
           className="group flex cursor-pointer border-b border-mineshaft-600 hover:bg-mineshaft-700"
@@ -116,6 +118,16 @@ export const FolderListView = ({
             onClick={() => handleFolderClick(name)}
           >
             {name}
+            {
+              description &&
+              <Tooltip
+                position="right"
+                className="flex items-center space-x-4 max-w-lg py-4 whitespace-pre-wrap"
+                content={description}
+              >
+                <FontAwesomeIcon icon={faInfoCircle} className="text-mineshaft-400 ml-1" />
+              </Tooltip>
+            }
           </div>
           <div className="flex items-center space-x-4 border-l border-mineshaft-600 px-3 py-3">
             <ProjectPermissionCan
@@ -130,7 +142,7 @@ export const FolderListView = ({
                   variant="plain"
                   size="sm"
                   className="p-0 opacity-0 group-hover:opacity-100"
-                  onClick={() => handlePopUpOpen("updateFolder", { id, name })}
+                  onClick={() => handlePopUpOpen("updateFolder", { id, name, description })}
                   isDisabled={!isAllowed}
                 >
                   <FontAwesomeIcon icon={faPencilSquare} size="lg" />
@@ -167,6 +179,7 @@ export const FolderListView = ({
           <FolderForm
             isEdit
             defaultFolderName={(popUp.updateFolder?.data as TSecretFolder)?.name}
+            defaultDescription={(popUp.updateFolder?.data as TSecretFolder)?.description}
             onUpdateFolder={handleFolderUpdate}
           />
         </ModalContent>

frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretListView.tsx

@@ -13,7 +13,7 @@ import { secretKeys } from "@app/hooks/api/secrets/queries";
 import { SecretType, SecretV3RawSanitized } from "@app/hooks/api/secrets/types";
 import { secretSnapshotKeys } from "@app/hooks/api/secretSnapshots/queries";
 import { WsTag } from "@app/hooks/api/types";
-import { AddShareSecretModal } from "@app/pages/organization/SecretSharingPage/components/AddShareSecretModal";
+import { AddShareSecretModal } from "@app/pages/organization/SecretSharingPage/components/ShareSecret/AddShareSecretModal";
 
 import { useSelectedSecretActions, useSelectedSecrets } from "../../SecretMainPage.store";
 import { SecretDetailSidebar } from "./SecretDetailSidebar";

frontend/src/pages/secret-manager/integrations/BitbucketConfigurePage/BitbucketConfigurePage.tsx

@@ -45,17 +45,33 @@ const formSchema = z
   .object({
     secretPath: z.string().default("/"),
     sourceEnvironment: z.object({ name: z.string(), slug: z.string() }),
-    targetRepo: z.object({ name: z.string(), appId: z.string() }),
+    targetRepo: z.object({ name: z.string(), appId: z.string().optional() }).nullish(),
     targetWorkspace: z.object({ name: z.string(), slug: z.string() }),
-    targetEnvironment: z.object({ name: z.string(), uuid: z.string() }).optional(),
+    targetEnvironment: z.object({ name: z.string(), uuid: z.string() }).nullish(),
     scope: z.object({ label: z.string(), value: z.nativeEnum(BitbucketScope) })
   })
   .superRefine((val, ctx) => {
+    if (!val.targetWorkspace) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targetWorkspace"],
+        message: "Bitbucket Workspace required"
+      });
+    }
+
+    if (!val.targetRepo) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["targetRepo"],
+        message: "Bitbucket Repo required"
+      });
+    }
+
     if (val.scope.value === BitbucketScope.Env && !val.targetEnvironment) {
       ctx.addIssue({
         code: z.ZodIssueCode.custom,
         path: ["targetEnvironment"],
-        message: "Required"
+        message: "Bitbucket Deployment Environment required"
       });
     }
   });
@@ -66,7 +82,7 @@ export const BitbucketConfigurePage = () => {
   const navigate = useNavigate();
   const createIntegration = useCreateIntegration();
 
-  const { watch, control, reset, handleSubmit } = useForm<TFormData>({
+  const { watch, control, handleSubmit, setValue, reset } = useForm<TFormData>({
     resolver: zodResolver(formSchema),
     defaultValues: {
       secretPath: "/"
@@ -90,14 +106,15 @@ export const BitbucketConfigurePage = () => {
     workspaceSlug: bitBucketWorkspace?.slug
   });
 
-  const { data: bitbucketEnvironments } = useGetIntegrationAuthBitBucketEnvironments(
-    {
-      integrationAuthId: (integrationAuthId as string) ?? "",
-      workspaceSlug: bitBucketWorkspace?.slug,
-      repoSlug: bitBucketRepo?.appId
-    },
-    { enabled: Boolean(bitBucketWorkspace?.slug && bitBucketRepo?.appId) }
-  );
+  const { data: bitbucketEnvironments, isPending: isBitbucketEnvironmentsLoading } =
+    useGetIntegrationAuthBitBucketEnvironments(
+      {
+        integrationAuthId: (integrationAuthId as string) ?? "",
+        workspaceSlug: bitBucketWorkspace?.slug ?? "",
+        repoSlug: bitBucketRepo?.appId ?? ""
+      },
+      { enabled: Boolean(bitBucketWorkspace?.slug && bitBucketRepo?.appId) }
+    );
 
   const onSubmit = async ({
     targetRepo,
@@ -107,6 +124,8 @@ export const BitbucketConfigurePage = () => {
     targetEnvironment,
     scope
   }: TFormData) => {
+    if (!targetRepo || !targetWorkspace) return;
+
     try {
       await createIntegration.mutateAsync({
         integrationAuthId,
@@ -147,7 +166,14 @@ export const BitbucketConfigurePage = () => {
   };
 
   useEffect(() => {
-    if (!bitbucketRepos || !bitbucketWorkspaces || !currentWorkspace) return;
+    if (
+      bitBucketWorkspace ||
+      bitBucketRepo ||
+      !bitbucketRepos ||
+      !bitbucketWorkspaces ||
+      !currentWorkspace
+    )
+      return;
 
     reset({
       targetRepo: bitbucketRepos[0],
@@ -224,12 +250,17 @@ export const BitbucketConfigurePage = () => {
                 getOptionValue={(option) => option.slug}
                 value={value}
                 getOptionLabel={(option) => option.name}
-                onChange={onChange}
+                onChange={(option) => {
+                  onChange(option);
+                  setValue("targetRepo", null);
+                  setValue("targetEnvironment", null);
+                }}
                 options={bitbucketWorkspaces}
                 placeholder={
                   bitbucketWorkspaces?.length ? "Select a workspace..." : "No workspaces found..."
                 }
-                isDisabled={!bitbucketWorkspaces?.length}
+                isLoading={isBitbucketWorkspacesLoading}
+                isDisabled={!bitbucketWorkspaces?.length || isBitbucketWorkspacesLoading}
               />
             </FormControl>
           )}
@@ -243,12 +274,16 @@ export const BitbucketConfigurePage = () => {
                 getOptionValue={(option) => option.appId!}
                 value={value}
                 getOptionLabel={(option) => option.name}
-                onChange={onChange}
+                onChange={(option) => {
+                  onChange(option);
+                  setValue("targetEnvironment", null);
+                }}
                 options={bitbucketRepos}
                 placeholder={
                   bitbucketRepos?.length ? "Select a repository..." : "No repositories found..."
                 }
-                isDisabled={!bitbucketRepos?.length}
+                isLoading={isBitbucketReposLoading}
+                isDisabled={!bitbucketRepos?.length || isBitbucketReposLoading}
               />
             </FormControl>
           )}
@@ -290,7 +325,8 @@ export const BitbucketConfigurePage = () => {
                       ? "Select an environment..."
                       : "No environments found..."
                   }
-                  isDisabled={!bitbucketEnvironments?.length}
+                  isLoading={isBitbucketEnvironmentsLoading && Boolean(bitBucketRepo)}
+                  isDisabled={!bitbucketEnvironments?.length || isBitbucketEnvironmentsLoading}
                 />
               </FormControl>
             )}

frontend/src/routeTree.gen.ts

@@ -28,6 +28,7 @@ import { Route as authPasswordSetupPageRouteImport } from './pages/auth/Password
 import { Route as userLayoutImport } from './pages/user/layout'
 import { Route as organizationLayoutImport } from './pages/organization/layout'
 import { Route as publicViewSharedSecretByIDPageRouteImport } from './pages/public/ViewSharedSecretByIDPage/route'
+import { Route as publicViewSecretRequestByIDPageRouteImport } from './pages/public/ViewSecretRequestByIDPage/route'
 import { Route as authSignUpSsoPageRouteImport } from './pages/auth/SignUpSsoPage/route'
 import { Route as authLoginSsoPageRouteImport } from './pages/auth/LoginSsoPage/route'
 import { Route as authSelectOrgPageRouteImport } from './pages/auth/SelectOrgPage/route'
@@ -354,6 +355,13 @@ const publicViewSharedSecretByIDPageRouteRoute =
     getParentRoute: () => rootRoute,
   } as any)
 
+const publicViewSecretRequestByIDPageRouteRoute =
+  publicViewSecretRequestByIDPageRouteImport.update({
+    id: '/secret-request/secret/$secretRequestId',
+    path: '/secret-request/secret/$secretRequestId',
+    getParentRoute: () => rootRoute,
+  } as any)
+
 const authSignUpSsoPageRouteRoute = authSignUpSsoPageRouteImport.update({
   id: '/sso',
   path: '/sso',
@@ -1760,6 +1768,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof authSignUpSsoPageRouteImport
       parentRoute: typeof RestrictLoginSignupSignupImport
     }
+    '/secret-request/secret/$secretRequestId': {
+      id: '/secret-request/secret/$secretRequestId'
+      path: '/secret-request/secret/$secretRequestId'
+      fullPath: '/secret-request/secret/$secretRequestId'
+      preLoaderRoute: typeof publicViewSecretRequestByIDPageRouteImport
+      parentRoute: typeof rootRoute
+    }
     '/shared/secret/$secretId': {
       id: '/shared/secret/$secretId'
       path: '/shared/secret/$secretId'
@@ -3643,6 +3658,7 @@ export interface FileRoutesByFullPath {
   '/login/select-organization': typeof authSelectOrgPageRouteRoute
   '/login/sso': typeof authLoginSsoPageRouteRoute
   '/signup/sso': typeof authSignUpSsoPageRouteRoute
+  '/secret-request/secret/$secretRequestId': typeof publicViewSecretRequestByIDPageRouteRoute
   '/shared/secret/$secretId': typeof publicViewSharedSecretByIDPageRouteRoute
   '/admin': typeof adminLayoutRouteWithChildren
   '/personal-settings/': typeof userPersonalSettingsPageRouteRoute
@@ -3817,6 +3833,7 @@ export interface FileRoutesByTo {
   '/login/select-organization': typeof authSelectOrgPageRouteRoute
   '/login/sso': typeof authLoginSsoPageRouteRoute
   '/signup/sso': typeof authSignUpSsoPageRouteRoute
+  '/secret-request/secret/$secretRequestId': typeof publicViewSecretRequestByIDPageRouteRoute
   '/shared/secret/$secretId': typeof publicViewSharedSecretByIDPageRouteRoute
   '/admin': typeof adminOverviewPageRouteRoute
   '/login/provider/error': typeof authProviderErrorPageRouteRoute
@@ -3991,6 +4008,7 @@ export interface FileRoutesById {
   '/_restrict-login-signup/login/select-organization': typeof authSelectOrgPageRouteRoute
   '/_restrict-login-signup/login/sso': typeof authLoginSsoPageRouteRoute
   '/_restrict-login-signup/signup/sso': typeof authSignUpSsoPageRouteRoute
+  '/secret-request/secret/$secretRequestId': typeof publicViewSecretRequestByIDPageRouteRoute
   '/shared/secret/$secretId': typeof publicViewSharedSecretByIDPageRouteRoute
   '/_authenticate/_inject-org-details/_org-layout': typeof organizationLayoutRouteWithChildren
   '/_authenticate/_inject-org-details/admin': typeof AuthenticateInjectOrgDetailsAdminRouteWithChildren
@@ -4176,6 +4194,7 @@ export interface FileRouteTypes {
     | '/login/select-organization'
     | '/login/sso'
     | '/signup/sso'
+    | '/secret-request/secret/$secretRequestId'
     | '/shared/secret/$secretId'
     | '/admin'
     | '/personal-settings/'
@@ -4349,6 +4368,7 @@ export interface FileRouteTypes {
     | '/login/select-organization'
     | '/login/sso'
     | '/signup/sso'
+    | '/secret-request/secret/$secretRequestId'
     | '/shared/secret/$secretId'
     | '/admin'
     | '/login/provider/error'
@@ -4521,6 +4541,7 @@ export interface FileRouteTypes {
     | '/_restrict-login-signup/login/select-organization'
     | '/_restrict-login-signup/login/sso'
     | '/_restrict-login-signup/signup/sso'
+    | '/secret-request/secret/$secretRequestId'
     | '/shared/secret/$secretId'
     | '/_authenticate/_inject-org-details/_org-layout'
     | '/_authenticate/_inject-org-details/admin'
@@ -4689,6 +4710,7 @@ export interface RootRouteChildren {
   publicShareSecretPageRouteRoute: typeof publicShareSecretPageRouteRoute
   middlewaresAuthenticateRoute: typeof middlewaresAuthenticateRouteWithChildren
   middlewaresRestrictLoginSignupRoute: typeof middlewaresRestrictLoginSignupRouteWithChildren
+  publicViewSecretRequestByIDPageRouteRoute: typeof publicViewSecretRequestByIDPageRouteRoute
   publicViewSharedSecretByIDPageRouteRoute: typeof publicViewSharedSecretByIDPageRouteRoute
 }
 
@@ -4699,6 +4721,8 @@ const rootRouteChildren: RootRouteChildren = {
   middlewaresAuthenticateRoute: middlewaresAuthenticateRouteWithChildren,
   middlewaresRestrictLoginSignupRoute:
     middlewaresRestrictLoginSignupRouteWithChildren,
+  publicViewSecretRequestByIDPageRouteRoute:
+    publicViewSecretRequestByIDPageRouteRoute,
   publicViewSharedSecretByIDPageRouteRoute:
     publicViewSharedSecretByIDPageRouteRoute,
 }
@@ -4718,6 +4742,7 @@ export const routeTree = rootRoute
         "/share-secret",
         "/_authenticate",
         "/_restrict-login-signup",
+        "/secret-request/secret/$secretRequestId",
         "/shared/secret/$secretId"
       ]
     },
@@ -4843,6 +4868,9 @@ export const routeTree = rootRoute
       "filePath": "auth/SignUpSsoPage/route.tsx",
       "parent": "/_restrict-login-signup/signup"
     },
+    "/secret-request/secret/$secretRequestId": {
+      "filePath": "public/ViewSecretRequestByIDPage/route.tsx"
+    },
     "/shared/secret/$secretId": {
       "filePath": "public/ViewSharedSecretByIDPage/route.tsx"
     },

frontend/src/routes.ts

@@ -316,6 +316,7 @@ const sshRoutes = route("/ssh/$projectId", [
 export const routes = rootRoute("root.tsx", [
   index("index.tsx"),
   route("/shared/secret/$secretId", "public/ViewSharedSecretByIDPage/route.tsx"),
+  route("/secret-request/secret/$secretRequestId", "public/ViewSecretRequestByIDPage/route.tsx"),
   route("/share-secret", "public/ShareSecretPage/route.tsx"),
   route("/cli-redirect", "auth/CliRedirectPage/route.tsx"),
   middleware("restrict-login-signup.tsx", [