Fix: Updated descriptions

Integration Auth deletion upon Integration deletion

backend/e2e-test/routes/v1/secret-import.spec.ts

@@ -46,7 +46,7 @@ const deleteSecretImport = async (id: string) => {
 
 describe("Secret Import Router", async () => {
   test.each([
-    { importEnv: "dev", importPath: "/" }, // one in root
+    { importEnv: "prod", importPath: "/" }, // one in root
     { importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
   ])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
     // check for default environments
@@ -66,7 +66,7 @@ describe("Secret Import Router", async () => {
   });
 
   test("Get secret imports", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
     const createdImport2 = await createSecretImport("/", "staging");
     const res = await testServer.inject({
       method: "GET",
@@ -103,10 +103,10 @@ describe("Secret Import Router", async () => {
   });
 
   test("Update secret import position", async () => {
-    const devImportDetails = { path: "/", envSlug: "dev" };
+    const prodImportDetails = { path: "/", envSlug: "prod" };
     const stagingImportDetails = { path: "/", envSlug: "staging" };
 
-    const createdImport1 = await createSecretImport(devImportDetails.path, devImportDetails.envSlug);
+    const createdImport1 = await createSecretImport(prodImportDetails.path, prodImportDetails.envSlug);
     const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);
 
     const updateImportRes = await testServer.inject({
@@ -136,7 +136,7 @@ describe("Secret Import Router", async () => {
         position: 2,
         importEnv: expect.objectContaining({
           name: expect.any(String),
-          slug: expect.stringMatching(devImportDetails.envSlug),
+          slug: expect.stringMatching(prodImportDetails.envSlug),
           id: expect.any(String)
         })
       })
@@ -166,7 +166,7 @@ describe("Secret Import Router", async () => {
   });
 
   test("Delete secret import position", async () => {
-    const createdImport1 = await createSecretImport("/", "dev");
+    const createdImport1 = await createSecretImport("/", "prod");
     const createdImport2 = await createSecretImport("/", "staging");
     const deletedImport = await deleteSecretImport(createdImport1.id);
     // check for default environments

backend/src/lib/api-docs/constants.ts

@@ -141,6 +141,12 @@ export const PROJECTS = {
   },
   ROLLBACK_TO_SNAPSHOT: {
     secretSnapshotId: "The ID of the snapshot to rollback to."
+  },
+  LIST_INTEGRATION: {
+    workspaceId: "The ID of the project to list integrations for."
+  },
+  LIST_INTEGRATION_AUTHORIZATION: {
+    workspaceId: "The ID of the project to list integration auths for."
   }
 } as const;
 
@@ -502,11 +508,8 @@ export const INTEGRATION_AUTH = {
     url: "",
     namespace: "",
     refreshToken: "The refresh token for integration authorization."
-  },
-  LIST_AUTHORIZATION: {
-    workspaceId: "The ID of the project to list integration auths for."
   }
-};
+} as const;
 
 export const INTEGRATION = {
   CREATE: {

backend/src/queue/queue-service.ts

@@ -61,11 +61,11 @@ export type TQueueJobTypes = {
   };
   [QueueName.SecretWebhook]: {
     name: QueueJobs.SecWebhook;
-    payload: { projectId: string; environment: string; secretPath: string };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
   };
   [QueueName.IntegrationSync]: {
     name: QueueJobs.IntegrationSync;
-    payload: { projectId: string; environment: string; secretPath: string };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
   };
   [QueueName.SecretFullRepoScan]: {
     name: QueueJobs.SecretScan;

backend/src/server/routes/index.ts

@@ -445,14 +445,6 @@ export const registerRoutes = async (
     projectEnvDAL,
     snapshotService
   });
-  const secretImportService = secretImportServiceFactory({
-    projectEnvDAL,
-    folderDAL,
-    permissionService,
-    secretImportDAL,
-    projectDAL,
-    secretDAL
-  });
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -480,6 +472,15 @@ export const registerRoutes = async (
     secretTagDAL,
     secretVersionTagDAL
   });
+  const secretImportService = secretImportServiceFactory({
+    projectEnvDAL,
+    folderDAL,
+    permissionService,
+    secretImportDAL,
+    projectDAL,
+    secretDAL,
+    secretQueueService
+  });
   const secretBlindIndexService = secretBlindIndexServiceFactory({
     permissionService,
     secretDAL,

backend/src/server/routes/v1/project-router.ts

@@ -7,7 +7,7 @@ import {
   UserEncryptionKeysSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { INTEGRATION_AUTH, PROJECTS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -326,8 +326,14 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
+      description: "List integrations for a project.",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       params: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim().describe(PROJECTS.LIST_INTEGRATION.workspaceId)
       }),
       response: {
         200: z.object({
@@ -370,7 +376,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(INTEGRATION_AUTH.LIST_AUTHORIZATION.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECTS.LIST_INTEGRATION_AUTHORIZATION.workspaceId)
       }),
       response: {
         200: z.object({

backend/src/services/integration/integration-service.ts

@@ -146,7 +146,27 @@ export const integrationServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
-    const deletedIntegration = await integrationDAL.deleteById(id);
+    const deletedIntegration = await integrationDAL.transaction(async (tx) => {
+      // delete integration
+      const deletedIntegrationResult = await integrationDAL.deleteById(id, tx);
+
+      // check if there are other integrations that share the same integration auth
+      const integrations = await integrationDAL.find(
+        {
+          integrationAuthId: integration.integrationAuthId
+        },
+        tx
+      );
+
+      if (integrations.length === 0) {
+        // no other integration shares the same integration auth
+        // -> delete the integration auth
+        await integrationAuthDAL.deleteById(integration.integrationAuthId, tx);
+      }
+
+      return deletedIntegrationResult;
+    });
+
     return { ...integration, ...deletedIntegration };
   };
 

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -170,7 +170,8 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
           //  if the given folder id is root folder id then intial path is set as / instead of /root
           //  if not root folder the path here will be /<folder name>
           path: db.raw(`CONCAT('/', (CASE WHEN "parentId" is NULL THEN '' ELSE ${TableName.SecretFolder}.name END))`),
-          child: db.raw("NULL::uuid")
+          child: db.raw("NULL::uuid"),
+          environmentSlug: `${TableName.Environment}.slug`
         })
         .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
         .where({ projectId })
@@ -190,14 +191,15 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
                   ELSE  CONCAT('/', secret_folders.name) 
                 END, parent.path )`
                 ),
-                child: db.raw("COALESCE(parent.child, parent.id)")
+                child: db.raw("COALESCE(parent.child, parent.id)"),
+                environmentSlug: "parent.environmentSlug"
               })
               .from(TableName.SecretFolder)
               .join("parent", "parent.parentId", `${TableName.SecretFolder}.id`)
         );
     })
     .select("*")
-    .from<TSecretFolders & { child: string | null; path: string }>("parent");
+    .from<TSecretFolders & { child: string | null; path: string; environmentSlug: string }>("parent");
 
 export type TSecretFolderDALFactory = ReturnType<typeof secretFolderDALFactory>;
 // never change this. If u do write a migration for it
@@ -257,10 +259,12 @@ export const secretFolderDALFactory = (db: TDbClient) => {
   const findSecretPathByFolderIds = async (projectId: string, folderIds: string[], tx?: Knex) => {
     try {
       const folders = await sqlFindSecretPathByFolderId(tx || db, projectId, folderIds);
+
       const rootFolders = groupBy(
         folders.filter(({ parentId }) => parentId === null),
         (i) => i.child || i.id // root condition then child and parent will null
       );
+
       return folderIds.map((folderId) => rootFolders[folderId]?.[0]);
     } catch (error) {
       throw new DatabaseError({ error, name: "Find by secret path" });

backend/src/services/secret-import/secret-import-dal.ts

@@ -49,7 +49,7 @@ export const secretImportDALFactory = (db: TDbClient) => {
     }
   };
 
-  const find = async (filter: Partial<TSecretImports>, tx?: Knex) => {
+  const find = async (filter: Partial<TSecretImports & { projectId: string }>, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.SecretImport)
         .where(filter)

backend/src/services/secret-import/secret-import-service.ts

@@ -7,6 +7,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretDALFactory } from "../secret/secret-dal";
+import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "./secret-import-dal";
 import { fnSecretsFromImports } from "./secret-import-fns";
@@ -25,6 +26,7 @@ type TSecretImportServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
   projectEnvDAL: TProjectEnvDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets">;
 };
 
 const ERR_SEC_IMP_NOT_FOUND = new BadRequestError({ message: "Secret import not found" });
@@ -37,7 +39,8 @@ export const secretImportServiceFactory = ({
   permissionService,
   folderDAL,
   projectDAL,
-  secretDAL
+  secretDAL,
+  secretQueueService
 }: TSecretImportServiceFactoryDep) => {
   const createImport = async ({
     environment,
@@ -77,10 +80,19 @@ export const secretImportServiceFactory = ({
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
     if (!folder) throw new BadRequestError({ message: "Folder not found", name: "Create import" });
 
-    // TODO(akhilmhdh-pg): updated permission check add here
     const [importEnv] = await projectEnvDAL.findBySlugs(projectId, [data.environment]);
     if (!importEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });
 
+    const sourceFolder = await folderDAL.findBySecretPath(projectId, data.environment, data.path);
+    if (sourceFolder) {
+      const existingImport = await secretImportDAL.findOne({
+        folderId: sourceFolder.id,
+        importEnv: folder.environment.id,
+        importPath: path
+      });
+      if (existingImport) throw new BadRequestError({ message: "Cyclic import not allowed" });
+    }
+
     const secImport = await secretImportDAL.transaction(async (tx) => {
       const lastPos = await secretImportDAL.findLastImportPosition(folder.id, tx);
       return secretImportDAL.create(
@@ -94,6 +106,12 @@ export const secretImportServiceFactory = ({
       );
     });
 
+    await secretQueueService.syncSecrets({
+      secretPath: secImport.importPath,
+      projectId,
+      environment: importEnv.slug
+    });
+
     return { ...secImport, importEnv };
   };
 
@@ -131,6 +149,20 @@ export const secretImportServiceFactory = ({
       : await projectEnvDAL.findById(secImpDoc.importEnv);
     if (!importedEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });
 
+    const sourceFolder = await folderDAL.findBySecretPath(
+      projectId,
+      importedEnv.slug,
+      data.path || secImpDoc.importPath
+    );
+    if (sourceFolder) {
+      const existingImport = await secretImportDAL.findOne({
+        folderId: sourceFolder.id,
+        importEnv: folder.environment.id,
+        importPath: path
+      });
+      if (existingImport) throw new BadRequestError({ message: "Cyclic import not allowed" });
+    }
+
     const updatedSecImport = await secretImportDAL.transaction(async (tx) => {
       const secImp = await secretImportDAL.findOne({ folderId: folder.id, id });
       if (!secImp) throw ERR_SEC_IMP_NOT_FOUND;
@@ -185,6 +217,13 @@ export const secretImportServiceFactory = ({
       if (!importEnv) throw new BadRequestError({ error: "Imported env not found", name: "Create import" });
       return { ...doc, importEnv };
     });
+
+    await secretQueueService.syncSecrets({
+      secretPath: path,
+      projectId,
+      environment
+    });
+
     return secImport;
   };
 

backend/src/services/secret/secret-queue.ts

@@ -3,7 +3,7 @@ import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { BadRequestError } from "@app/lib/errors";
-import { isSamePath } from "@app/lib/fn";
+import { groupBy, isSamePath, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -23,7 +23,6 @@ import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
-import { fnSecretsFromImports } from "../secret-import/secret-import-fns";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TWebhookDALFactory } from "../webhook/webhook-dal";
 import { fnTriggerWebhook } from "../webhook/webhook-fns";
@@ -32,7 +31,6 @@ import { interpolateSecrets } from "./secret-fns";
 import { TCreateSecretReminderDTO, THandleReminderDTO, TRemoveSecretReminderDTO } from "./secret-types";
 
 export type TSecretQueueFactory = ReturnType<typeof secretQueueFactory>;
-
 type TSecretQueueFactoryDep = {
   queueService: TQueueServiceFactory;
   integrationDAL: Pick<TIntegrationDALFactory, "findByProjectIdV2" | "updateById">;
@@ -60,6 +58,8 @@ export type TGetSecrets = {
   environment: string;
 };
 
+const MAX_SYNC_SECRET_DEPTH = 5;
+
 export const secretQueueFactory = ({
   queueService,
   integrationDAL,
@@ -117,7 +117,10 @@ export const secretQueueFactory = ({
     });
   };
 
-  const syncSecrets = async (dto: TGetSecrets) => {
+  const syncSecrets = async (dto: TGetSecrets & { depth?: number }) => {
+    logger.info(
+      `syncSecrets: syncing project secrets where [projectId=${dto.projectId}]  [environment=${dto.environment}] [path=${dto.secretPath}]`
+    );
     await queueService.queue(QueueName.SecretWebhook, QueueJobs.SecWebhook, dto, {
       jobId: `secret-webhook-${dto.environment}-${dto.projectId}-${dto.secretPath}`,
       removeOnFail: { count: 5 },
@@ -227,62 +230,42 @@ export const secretQueueFactory = ({
     }
   };
 
-  const getIntegrationSecrets = async (dto: TGetSecrets & { folderId: string }, key: string) => {
+  type Content = Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>;
+
+  /**
+   * Return the secrets in a given [folderId] including secrets from
+   * nested imported folders recursively.
+   */
+  const getIntegrationSecrets = async (dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    key: string;
+    depth: number;
+  }) => {
+    let content: Content = {};
+    if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+      logger.info(
+        `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+      );
+      return content;
+    }
+
+    // process secrets in current folder
     const secrets = await secretDAL.findByFolderId(dto.folderId);
-
-    // get imported secrets
-    const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
-    const importedSecrets = await fnSecretsFromImports({
-      allowedImports: secretImport,
-      secretDAL,
-      folderDAL
-    });
-
-    if (!secrets.length && !importedSecrets.length) return {};
-
-    const content: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
-
-    importedSecrets.forEach(({ secrets: secs }) => {
-      secs.forEach((secret) => {
-        const secretKey = decryptSymmetric128BitHexKeyUTF8({
-          ciphertext: secret.secretKeyCiphertext,
-          iv: secret.secretKeyIV,
-          tag: secret.secretKeyTag,
-          key
-        });
-        const secretValue = decryptSymmetric128BitHexKeyUTF8({
-          ciphertext: secret.secretValueCiphertext,
-          iv: secret.secretValueIV,
-          tag: secret.secretValueTag,
-          key
-        });
-        content[secretKey] = { value: secretValue };
-        content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
-
-        if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
-          const commentValue = decryptSymmetric128BitHexKeyUTF8({
-            ciphertext: secret.secretCommentCiphertext,
-            iv: secret.secretCommentIV,
-            tag: secret.secretCommentTag,
-            key
-          });
-          content[secretKey].comment = commentValue;
-        }
-      });
-    });
     secrets.forEach((secret) => {
       const secretKey = decryptSymmetric128BitHexKeyUTF8({
         ciphertext: secret.secretKeyCiphertext,
         iv: secret.secretKeyIV,
         tag: secret.secretKeyTag,
-        key
+        key: dto.key
       });
 
       const secretValue = decryptSymmetric128BitHexKeyUTF8({
         ciphertext: secret.secretValueCiphertext,
         iv: secret.secretValueIV,
         tag: secret.secretValueTag,
-        key
+        key: dto.key
       });
 
       content[secretKey] = { value: secretValue };
@@ -292,38 +275,111 @@ export const secretQueueFactory = ({
           ciphertext: secret.secretCommentCiphertext,
           iv: secret.secretCommentIV,
           tag: secret.secretCommentTag,
-          key
+          key: dto.key
         });
         content[secretKey].comment = commentValue;
       }
 
       content[secretKey].skipMultilineEncoding = Boolean(secret.skipMultilineEncoding);
     });
+
     const expandSecrets = interpolateSecrets({
       projectId: dto.projectId,
-      secretEncKey: key,
+      secretEncKey: dto.key,
       folderDAL,
       secretDAL
     });
+
     await expandSecrets(content);
+
+    // check if current folder has any imports from other folders
+    const secretImport = await secretImportDAL.find({ folderId: dto.folderId });
+
+    // if no imports then return secrets in the current folder
+    if (!secretImport) return content;
+
+    const importedFolders = await folderDAL.findByManySecretPath(
+      secretImport.map(({ importEnv, importPath }) => ({
+        envId: importEnv.id,
+        secretPath: importPath
+      }))
+    );
+
+    for await (const folder of importedFolders) {
+      if (folder) {
+        // get secrets contained in each imported folder by recursively calling
+        // this function against the imported folder
+        const importedSecrets = await getIntegrationSecrets({
+          environment: dto.environment,
+          projectId: dto.projectId,
+          folderId: folder.id,
+          key: dto.key,
+          depth: dto.depth + 1
+        });
+
+        // add the imported secrets to the current folder secrets
+        content = { ...content, ...importedSecrets };
+      }
+    }
+
     return content;
   };
 
   queueService.start(QueueName.IntegrationSync, async (job) => {
-    const { environment, projectId, secretPath } = job.data;
+    const { environment, projectId, secretPath, depth = 1 } = job.data;
+
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder) {
-      logger.error("Secret path not found");
+      logger.error(new Error("Secret path not found"));
       return;
     }
 
-    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment);
+    // start syncing all linked imports also
+    if (depth < MAX_SYNC_SECRET_DEPTH) {
+      // find all imports made with the given environment and secret path
+      const linkSourceDto = {
+        projectId,
+        importEnv: folder.environment.id,
+        importPath: secretPath
+      };
+      const imports = await secretImportDAL.find(linkSourceDto);
+
+      if (imports.length) {
+        // keep calling sync secret for all the imports made
+        const importedFolderIds = unique(imports, (i) => i.folderId).map(({ folderId }) => folderId);
+        const importedFolders = await folderDAL.findSecretPathByFolderIds(projectId, importedFolderIds);
+        const foldersGroupedById = groupBy(importedFolders, (i) => i.child || i.id);
+        await Promise.all(
+          imports
+            .filter(({ folderId }) => Boolean(foldersGroupedById[folderId][0].path))
+            .map(({ folderId }) => {
+              const syncDto = {
+                depth: depth + 1,
+                projectId,
+                secretPath: foldersGroupedById[folderId][0].path,
+                environment: foldersGroupedById[folderId][0].environmentSlug
+              };
+              logger.info(
+                `getIntegrationSecrets: Syncing secret due to link change [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${depth}]`
+              );
+              return syncSecrets(syncDto);
+            })
+        );
+      }
+    } else {
+      logger.info(`getIntegrationSecrets: Secret depth exceeded for [projectId=${projectId}] [folderId=${folder.id}]`);
+    }
+
+    const integrations = await integrationDAL.findByProjectIdV2(projectId, environment); // note: returns array of integrations + integration auths in this environment
     const toBeSyncedIntegrations = integrations.filter(
+      // note: sync only the integrations sourced from secretPath
       ({ secretPath: integrationSecPath, isActive }) => isActive && isSamePath(secretPath, integrationSecPath)
     );
 
     if (!integrations.length) return;
-    logger.info("Secret integration sync started", job.data, job.id);
+    logger.info(
+      `getIntegrationSecrets: secret integration sync started [jobId=${job.id}] [jobId=${job.id}] [projectId=${job.data.projectId}] [environment=${job.data.environment}]  [secretPath=${job.data.secretPath}] [depth=${job.data.depth}]`
+    );
     for (const integration of toBeSyncedIntegrations) {
       const integrationAuth = {
         ...integration.integrationAuth,
@@ -334,7 +390,13 @@ export const secretQueueFactory = ({
 
       const botKey = await projectBotService.getBotKey(projectId);
       const { accessToken, accessId } = await integrationAuthService.getIntegrationAccessToken(integrationAuth, botKey);
-      const secrets = await getIntegrationSecrets({ environment, projectId, secretPath, folderId: folder.id }, botKey);
+      const secrets = await getIntegrationSecrets({
+        environment,
+        projectId,
+        folderId: folder.id,
+        key: botKey,
+        depth: 1
+      });
       const suffixedSecrets: typeof secrets = {};
       const metadata = integration.metadata as Record<string, string>;
       if (metadata) {
@@ -362,7 +424,7 @@ export const secretQueueFactory = ({
       });
     }
 
-    logger.info("Secret integration sync ended", job.id);
+    logger.info("Secret integration sync ended: %s", job.id);
   });
 
   queueService.start(QueueName.SecretReminder, async ({ data }) => {
@@ -403,7 +465,7 @@ export const secretQueueFactory = ({
   });
 
   queueService.listen(QueueName.IntegrationSync, "failed", (job, err) => {
-    logger.error("Failed to sync integration", job?.data, err);
+    logger.error(err, "Failed to sync integration %s", job?.id);
   });
 
   queueService.start(QueueName.SecretWebhook, async (job) => {
@@ -411,7 +473,8 @@ export const secretQueueFactory = ({
   });
 
   return {
-    syncSecrets,
+    // depth is internal only field thus no need to make it available outside
+    syncSecrets: (dto: TGetSecrets) => syncSecrets(dto),
     syncIntegrations,
     addSecretReminder,
     removeSecretReminder,

docs/api-reference/endpoints/integrations/list-project-integrations.mdx

@@ -0,0 +1,4 @@
+---
+title: "List project integrations"
+openapi: "GET /api/v1/workspace/{workspaceId}/integrations"
+---

docs/api-reference/overview/examples/integration.mdx

@@ -1,5 +1,5 @@
 ---
-title: "Configure native integrations programmatically"
+title: "Configure native integrations via API"
 description: "How to use Infisical API to sync secrets to external secret managers"
 ---
 

docs/api-reference/overview/examples/note.mdx

@@ -1,54 +0,0 @@
----
-title: "Note on E2EE"
----
-
-Each project in Infisical can have **End-to-End Encryption (E2EE)** enabled or disabled.
-
-By default, all projects have **E2EE** enabled which means the server is not able to decrypt any values because all secret encryption/decryption operations occur on the client-side; this can be (optionally) disabled. However, this has limitations around functionality and ease-of-use:
-
-- You cannot make HTTP calls to Infisical to read/write secrets in plaintext.
-- You cannot leverage non-E2EE features like native integrations and in-platform automations like dynamic secrets and secret rotation.
-
-<CardGroup cols={2}>
-    <Card
-        title="E2EE Disabled"
-        href="/api-reference/overview/examples/e2ee-disabled"
-        icon="shield-halved"
-        color="#3c8639"
-    >
-        Example read/write secrets without client-side encryption/decryption
-    </Card>
-    <Card 
-        href="/api-reference/overview/examples/e2ee-enabled" 
-        title="E2EE Enabled" 
-        icon="shield" 
-        color="#3775a9"
-    >
-        Example read/write secrets with client-side encryption/decryption
-    </Card>
-</CardGroup>
-
-## FAQ
-
-<AccordionGroup>
-  <Accordion title="Should I have E2EE enabled or disabled?">
-    We recommend starting with having **E2EE** enabled and disabling it if:
-    
-    - You're self-hosting Infisical, so having your instance of Infisical be able to read your secrets isn't an issue.
-    - You want an easier way to read/write secrets with Infisical.
-    - You need more power out of non-E2EE features such as secret rotation, dynamic secrets, etc.
-
-  </Accordion>
-  <Accordion title="How can I enable/disable E2EE?">
-    You can enable/disable E2EE for your project in Infisical in the Project Settings.
-  </Accordion>
-  <Accordion title="Is disabling E2EE secure?">
-    It is secure and in fact how most vendors in our industry are able to offer features like secret rotation. In this mode, secrets are encrypted at rest by
-    a series of keys, secured ultimately by a top-level `ROOT_ENCRYPTION_KEY` located on the server.
-
-    If you're concerned about Infisical Cloud's ability to read your secrets, then you may wish to
-    use it with **E2EE** enabled or self-host Infisical on your own infrastructure and disable E2EE there.
-
-    As an organization, we do not read any customer secrets without explicit permission; access to the `ROOT_ENCRYPTION_KEY` is restricted to one individual in the organization.
-  </Accordion>
-</AccordionGroup>

docs/documentation/getting-started/introduction.mdx

@@ -38,7 +38,7 @@ Infisical helps developers achieve secure centralized secret management and prov
 - Simple secret management inside **[CI/CD pipelines](/integrations/cicd/githubactions)** and staging environments. 
 - Secure and compliant secret management practices in **[production environments](/sdks/overview)**. 
 - **Facilitated workflows** around [secret change management](/documentation/platform/pr-workflows), [access requests](/documentation/platform/access-controls/access-requests), [temporary access provisioning](/documentation/platform/access-controls/temporary-access), and more.
-- **Improved security posture** thanks to [secret scanning](/cli/scanning-overview), [granular access control policies](/documentation/platform/access-controls/overview), [automated secret rotation](http://localhost:3000/documentation/platform/secret-rotation/overview), and [dynamic secrets](/documentation/platform/dynamic-secrets/overview) capabilities.
+- **Improved security posture** thanks to [secret scanning](/cli/scanning-overview), [granular access control policies](/documentation/platform/access-controls/overview), [automated secret rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview), and [dynamic secrets](/documentation/platform/dynamic-secrets/overview) capabilities.
 
 ## How does Infisical work? 
 

docs/mint.json

@@ -387,7 +387,6 @@
         {
           "group": "Examples",
           "pages": [
-            "api-reference/overview/examples/note",
             "api-reference/overview/examples/integration"
           ]
         }
@@ -520,7 +519,8 @@
             "api-reference/endpoints/integrations/delete-auth-by-id",
             "api-reference/endpoints/integrations/create",
             "api-reference/endpoints/integrations/update",
-            "api-reference/endpoints/integrations/delete"
+            "api-reference/endpoints/integrations/delete",
+            "api-reference/endpoints/integrations/list-project-integrations"
           ]
         },
         {

docs/self-hosting/configuration/envars.mdx

@@ -121,24 +121,35 @@ Without email configuration, Infisical's core functions like sign-up/login and s
 </Accordion>
 
 <Accordion title="AWS SES">
-  1. Create an account and [configure AWS SES](https://aws.amazon.com/premiumsupport/knowledge-center/ses-set-up-connect-smtp/) to send emails in the Amazon SES console.
-  2. Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
+  <Steps>
+    <Step title="Create a verifed identity">
+      This will be used to verify the email you are sending from.
+      ![Create SES identity](../../images/self-hosting/configuration/email/ses-create-identity.png)
+      <Info>
+        If you AWS SES is under sandbox mode, you will only be able to send emails to verified identies. 
+      </Info>
+    </Step>
+    <Step title="Create an account and configure AWS SES">
+      Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
 
-  ![opening AWS SES console](../../images/self-hosting/configuration/email/email-aws-ses-console.png)
+      ![opening AWS SES console](../../images/self-hosting/configuration/email/email-aws-ses-console.png)
 
-  ![creating AWS IAM SES user](../../images/self-hosting/configuration/email/email-aws-ses-user.png)
+      ![creating AWS IAM SES user](../../images/self-hosting/configuration/email/email-aws-ses-user.png)
+    </Step>
+    <Step title="Set up your SMTP environment variables">
+      With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.
 
-  3. With your AWS SES SMTP credentials, you can now set up your SMTP environment variables:
-
-  ```
-  SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
-  SMTP_USERNAME=xxx # your SMTP username
-  SMTP_PASSWORD=xxx # your SMTP password
-  SMTP_PORT=587
-  SMTP_SECURE=true
-  SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
-  SMTP_FROM_NAME=Infisical
-  ```
+      ```
+      SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
+      SMTP_USERNAME=xxx # your SMTP username
+      SMTP_PASSWORD=xxx # your SMTP password
+      SMTP_PORT=587
+      SMTP_SECURE=false
+      SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
+      SMTP_FROM_NAME=Infisical
+      ```
+    </Step>
+  </Steps>
 
   <Info>
     Remember that you will need to restart Infisical for this to work properly.