Changed the intercom to aprovider model

Switched intercom to AppLayout

Dockerfile.standalone-infisical

@@ -25,6 +25,8 @@ ARG POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 
 # Build
 RUN npm run build
@@ -42,6 +44,9 @@ VOLUME /app/.next/cache/images
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
   BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 
 COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public

backend/package.json

@@ -58,7 +58,7 @@
     "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",

backend/src/controllers/v1/integrationAuthController.ts

@@ -86,47 +86,53 @@ export const saveIntegrationAccessToken = async (
 	// TODO: check if access token is valid for each integration
 
 	let integrationAuth;
-  const {
-    workspaceId,
-    accessId,
-    accessToken,
-    integration
-  }: {
-    workspaceId: string;
-    accessId: string | null;
-    accessToken: string;
-    integration: string;
-  } = req.body;
+	const {
+		workspaceId,
+		accessId,
+		accessToken,
+		url,
+		namespace,
+		integration
+	}: {
+		workspaceId: string;
+		accessId: string | null;
+		accessToken: string;
+		url: string;
+		namespace: string;
+		integration: string;
+	} = req.body;
 
-  const bot = await Bot.findOne({
-          workspace: new Types.ObjectId(workspaceId),
-          isActive: true
-      });
+	const bot = await Bot.findOne({
+		workspace: new Types.ObjectId(workspaceId),
+		isActive: true
+	});
       
-      if (!bot) throw new Error('Bot must be enabled to save integration access token');
+    if (!bot) throw new Error('Bot must be enabled to save integration access token');
 
-  integrationAuth = await IntegrationAuth.findOneAndUpdate({
-          workspace: new Types.ObjectId(workspaceId),
-          integration
-      }, {
-          workspace: new Types.ObjectId(workspaceId),
-          integration,
-    algorithm: ALGORITHM_AES_256_GCM,
-    keyEncoding: ENCODING_SCHEME_UTF8
-  }, {
-          new: true,
-          upsert: true
-      });
+  	integrationAuth = await IntegrationAuth.findOneAndUpdate({
+		workspace: new Types.ObjectId(workspaceId),
+		integration
+    }, {
+		workspace: new Types.ObjectId(workspaceId),
+		integration,
+		url,
+		namespace,
+		algorithm: ALGORITHM_AES_256_GCM,
+		keyEncoding: ENCODING_SCHEME_UTF8
+  	}, {
+		new: true,
+		upsert: true
+    });
   
-  // encrypt and save integration access details
-  integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-    integrationAuthId: integrationAuth._id.toString(),
-    accessId,
-    accessToken,
-    accessExpiresAt: undefined
-  });
+	// encrypt and save integration access details
+	integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+		integrationAuthId: integrationAuth._id.toString(),
+		accessId,
+		accessToken,
+		accessExpiresAt: undefined
+	});
   
-  if (!integrationAuth) throw new Error('Failed to save integration access token');
+  	if (!integrationAuth) throw new Error('Failed to save integration access token');
 	
 	return res.status(200).send({
 		integrationAuth

backend/src/controllers/v1/integrationController.ts

@@ -57,6 +57,7 @@ export const createIntegration = async (req: Request, res: Response) => {
       })
     });
   }
+
   return res.status(200).send({
     integration,
   });

backend/src/controllers/v2/authController.ts

@@ -262,7 +262,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   const user = await User.findOne({
     email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
 
   if (!user) throw new Error('Failed to find user');
 

backend/src/controllers/v2/secretsController.ts

@@ -1,6 +1,6 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
-import { ISecret, Secret } from "../../models";
+import { ISecret, Secret, ServiceTokenData } from "../../models";
 import { IAction, SecretVersion } from "../../ee/models";
 import {
   SECRET_PERSONAL,
@@ -29,6 +29,7 @@ import { BatchSecretRequest, BatchSecret } from "../../types/secret";
 import Folder from "../../models/folder";
 import {
   getFolderByPath,
+  getFolderIdFromServiceToken,
   searchByFolderId,
 } from "../../services/FolderService";
 
@@ -45,14 +46,15 @@ export const batchSecrets = async (req: Request, res: Response) => {
   const {
     workspaceId,
     environment,
-    folderId,
     requests,
+    secretPath,
   }: {
     workspaceId: string;
     environment: string;
-    folderId: string;
     requests: BatchSecretRequest[];
+    secretPath: string;
   } = req.body;
+  let folderId = req.body.folderId as string;
 
   const createSecrets: BatchSecret[] = [];
   const updateSecrets: BatchSecret[] = [];
@@ -70,6 +72,25 @@ export const batchSecrets = async (req: Request, res: Response) => {
     if (!folder) throw BadRequestError({ message: "Folder not found" });
   }
 
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if (
+      (!secretPath && folderId !== "root") ||
+      (secretPath && secretPath !== serviceTkScopedSecretPath)
+    ) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  if (secretPath) {
+    folderId = await getFolderIdFromServiceToken(
+      workspaceId,
+      environment,
+      secretPath
+    );
+  }
+
   for await (const request of requests) {
     // do a validation
 
@@ -152,6 +173,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           numberOfSecrets: createdSecrets.length,
           environment,
           workspaceId,
+          folderId,
           channel,
           userAgent: req.headers?.["user-agent"],
         },
@@ -218,7 +240,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           algorithm: ALGORITHM_AES_256_GCM,
           keyEncoding: ENCODING_SCHEME_UTF8,
           tags: u.tags,
-          folder: u.folder
+          folder: u.folder,
         })
     );
 
@@ -248,6 +270,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           numberOfSecrets: updateSecrets.length,
           environment,
           workspaceId,
+          folderId,
           channel,
           userAgent: req.headers?.["user-agent"],
         },
@@ -395,8 +418,13 @@ export const createSecrets = async (req: Request, res: Response) => {
   const {
     workspaceId,
     environment,
-    folderId,
-  }: { workspaceId: string; environment: string; folderId: string } = req.body;
+    secretPath,
+  }: {
+    workspaceId: string;
+    environment: string;
+    secretPath?: string;
+  } = req.body;
+  let folderId = req.body.folderId;
 
   if (req.user) {
     const hasAccess = await userHasWorkspaceAccess(
@@ -421,6 +449,24 @@ export const createSecrets = async (req: Request, res: Response) => {
     // case: create 1 secret
     listOfSecretsToCreate = [req.body.secrets];
   }
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if (
+      (!secretPath && folderId !== "root") ||
+      (secretPath && secretPath !== serviceTkScopedSecretPath)
+    ) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  if (secretPath) {
+    folderId = await getFolderIdFromServiceToken(
+      workspaceId,
+      environment,
+      secretPath
+    );
+  }
 
   // get secret blind index salt
   const salt = await SecretService.getSecretBlindIndexSalt({
@@ -585,6 +631,7 @@ export const createSecrets = async (req: Request, res: Response) => {
         environment,
         workspaceId,
         channel: channel,
+        folderId,
         userAgent: req.headers?.["user-agent"],
       },
     });
@@ -660,6 +707,18 @@ export const getSecrets = async (req: Request, res: Response) => {
     if (!folder) throw BadRequestError({ message: "Folder not found" });
   }
 
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if (
+      (!secretPath && folderId !== "root") ||
+      (secretPath && secretPath !== serviceTkScopedSecretPath)
+    ) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
   if (folders && secretPath) {
     if (!folders) throw BadRequestError({ message: "Folder not found" });
     const folder = getFolderByPath(folders.nodes, secretPath as string);
@@ -800,6 +859,7 @@ export const getSecrets = async (req: Request, res: Response) => {
         environment,
         workspaceId,
         channel,
+        folderId,
         userAgent: req.headers?.["user-agent"],
       },
     });
@@ -910,13 +970,13 @@ export const updateSecrets = async (req: Request, res: Response) => {
             keyEncoding: ENCODING_SCHEME_UTF8,
             tags,
             ...(secretCommentCiphertext !== undefined &&
-              secretCommentIV &&
-              secretCommentTag
+            secretCommentIV &&
+            secretCommentTag
               ? {
-                secretCommentCiphertext,
-                secretCommentIV,
-                secretCommentTag,
-              }
+                  secretCommentCiphertext,
+                  secretCommentIV,
+                  secretCommentTag,
+                }
               : {}),
           },
         },

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,29 +1,27 @@
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Request, Response } from "express";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
+import { User, ServiceAccount, ServiceTokenData } from "../../models";
+import { userHasWorkspaceAccess } from "../../ee/helpers/checkMembershipPermissions";
 import {
-    User,
-    ServiceAccount,
-    ServiceTokenData
-} from '../../models';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { 
-    PERMISSION_READ_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN
-} from '../../variables';
-import { getSaltRounds } from '../../config';
-import { BadRequestError } from '../../utils/errors';
+  PERMISSION_READ_SECRETS,
+  AUTH_MODE_JWT,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  AUTH_MODE_SERVICE_TOKEN,
+} from "../../variables";
+import { getSaltRounds } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
 
 /**
  * Return service token data associated with service token on request
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getServiceTokenData = async (req: Request, res: Response) => {
-    /* 
+  /* 
     #swagger.summary = 'Return Infisical Token data'
     #swagger.description = 'Return Infisical Token data'
     
@@ -36,111 +34,135 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
             "application/json": {
                 "schema": { 
                     "type": "object",
-					"properties": {
+          "properties": {
                         "serviceTokenData": {
                             "type": "object",
                             $ref: "#/components/schemas/ServiceTokenData",
                             "description": "Details of service token"
                         }
-					}
+          }
                 }
             }           
         }
     }   
     */
 
-    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
-        message: 'Failed accepted client validation for service token data'
+  if (!(req.authData.authPayload instanceof ServiceTokenData))
+    throw BadRequestError({
+      message: "Failed accepted client validation for service token data",
     });
 
-    const serviceTokenData = await ServiceTokenData
-        .findById(req.authData.authPayload._id)
-        .select('+encryptedKey +iv +tag')
-        .populate('user');
+  const serviceTokenData = await ServiceTokenData.findById(
+    req.authData.authPayload._id
+  )
+    .select("+encryptedKey +iv +tag")
+    .populate("user");
 
-    return res.status(200).json(serviceTokenData);
-}
+  return res.status(200).json(serviceTokenData);
+};
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
  * environment [environment].
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
+  let serviceTokenData;
 
-    const {
-        name,
-        workspaceId,
-        environment,
-        encryptedKey,
-        iv,
-        tag,
-        expiresIn,
-        permissions
-    } = req.body;
+  const {
+    name,
+    workspaceId,
+    environment,
+    encryptedKey,
+    iv,
+    tag,
+    expiresIn,
+    secretPath,
+    permissions,
+  } = req.body;
 
-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
 
-    let expiresAt; 
-    if (expiresIn) {
-        expiresAt = new Date()
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (folder == undefined) {
+      throw BadRequestError({ message: "Path for service token does not exist" })
     }
+  }
 
-    let user, serviceAccount;
-    
-    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
-        user = req.authData.authPayload._id;
-    }
+  const secret = crypto.randomBytes(16).toString("hex");
+  const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
-        serviceAccount = req.authData.authPayload._id;
-    }
-        
-    serviceTokenData = await new ServiceTokenData({
-        name,
-        workspace: workspaceId,
-        environment,
-        user,
-        serviceAccount,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-        encryptedKey,
-        iv,
-        tag,
-        permissions
-    }).save();
+  let expiresAt;
+  if (expiresIn) {
+    expiresAt = new Date();
+    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+  }
 
-    // return service token data without sensitive data
-    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+  let user, serviceAccount;
 
-    if (!serviceTokenData) throw new Error('Failed to find service token data');
+  if (
+    req.authData.authMode === AUTH_MODE_JWT &&
+    req.authData.authPayload instanceof User
+  ) {
+    user = req.authData.authPayload._id;
+  }
 
-    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+  if (
+    req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
+    req.authData.authPayload instanceof ServiceAccount
+  ) {
+    serviceAccount = req.authData.authPayload._id;
+  }
 
-    return res.status(200).send({
-        serviceToken,
-        serviceTokenData
-    });
-}
+  serviceTokenData = await new ServiceTokenData({
+    name,
+    workspace: workspaceId,
+    environment,
+    user,
+    serviceAccount,
+    lastUsed: new Date(),
+    expiresAt,
+    secretHash,
+    encryptedKey,
+    iv,
+    tag,
+    secretPath,
+    permissions,
+  }).save();
+
+  // return service token data without sensitive data
+  serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+  if (!serviceTokenData) throw new Error("Failed to find service token data");
+
+  const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+  return res.status(200).send({
+    serviceToken,
+    serviceTokenData,
+  });
+};
 
 /**
  * Delete service token data with id [serviceTokenDataId].
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    const { serviceTokenDataId } = req.params;
+  const { serviceTokenDataId } = req.params;
 
-    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(
+    serviceTokenDataId
+  );
 
-    return res.status(200).send({
-        serviceTokenData
-    });
-}
+  return res.status(200).send({
+    serviceTokenData,
+  });
+};

backend/src/controllers/v3/secretsController.ts

@@ -1,183 +1,420 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { 
-    SecretService, 
-    TelemetryService,
-    EventService
-} from '../../services';
-import { eventPushSecrets } from '../../events';
-import { getAuthDataPayloadIdObj } from '../../utils/auth';
-import { BadRequestError } from '../../utils/errors';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { SecretService, EventService } from "../../services";
+import { eventPushSecrets } from "../../events";
+import { BotService } from "../../services";
+import { repackageSecretToRaw } from "../../helpers/secrets";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
 
 /**
- * Get secrets for workspace with id [workspaceId] and environment
- * [environment]
- * @param req 
- * @param res 
+ * Return secrets for workspace with id [workspaceId] and environment
+ * [environment] in plaintext
+ * @param req
+ * @param res
  */
-export const getSecrets = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
+export const getSecretsRaw = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
 
-    const secrets = await SecretService.getSecrets({
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        authData: req.authData
-    });
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData,
+  });
 
-    return res.status(200).send({
-        secrets
-    });
-}
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secrets: secrets.map((secret) => {
+      const rep = repackageSecretToRaw({
+        secret,
+        key
+      });
+  
+      return rep;
+    })
+  });
+};
 
 /**
- * Get secret with name [secretName]
- * @param req 
- * @param res 
+ * Return secret with name [secretName] in plaintext
+ * @param req
+ * @param res
  */
-export const getSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
-    const type = req.query.type as 'shared' | 'personal' | undefined;
+export const getSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
 
-    const secret = await SecretService.getSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData
-    });
-    
-    return res.status(200).send({
-        secret
-    });
-}
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData,
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
 
 /**
- * Create secret with name [secretName]
- * @param req 
+ * Create secret with name [secretName] in plaintext
+ * @param req
  * @param res 
  */
-export const createSecret = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const { 
-        workspaceId,
-        environment,
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag
-    } = req.body;
-    
-    const secret = await SecretService.createSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag
-        } : {})
-    });
+export const createSecretRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValue,
+    secretComment,
+    secretPath = "/"
+  } = req.body;
+  
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
 
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretName,
+    key
+  });
 
-    const secretWithoutBlindIndex = secret.toObject();
-    delete secretWithoutBlindIndex.secretBlindIndex;
-    
-    return res.status(200).send({
-        secret: secretWithoutBlindIndex
-    });
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+  
+  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretComment,
+    key
+  }); 
+  
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+    secretKeyIV: secretKeyEncrypted.iv,
+    secretKeyTag: secretKeyEncrypted.tag,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+    secretCommentIV: secretCommentEncrypted.iv,
+    secretCommentTag: secretCommentEncrypted.tag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+  
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret: secretWithoutBlindIndex,
+      key
+    })
+  });
 }
 
 /**
  * Update secret with name [secretName]
  * @param req
- * @param res 
+ * @param res
  */
-export const updateSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    } = req.body;
+export const updateSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValue,
+    secretPath = "/",
+  } = req.body;
 
-    const secret = await SecretService.updateSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    });
-    
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
 
-    return res.status(200).send({
-        secret
-    });
-}
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
 
 /**
  * Delete secret with name [secretName]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
+ */
+export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { 
+    workspaceId, 
+    environment, 
+    type, 
+    secretPath = "/" 
+  } = req.body;
+
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req
+ * @param res
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData,
+  });
+
+  return res.status(200).send({
+    secrets,
+  });
+};
+
+/**
+ * Return secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
+
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData,
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};
+
+/**
+ * Create secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag,
+    secretPath = "/",
+  } = req.body;
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: secretWithoutBlindIndex,
+  });
+};
+
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath = "/",
+  } = req.body;
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};
+
+/**
+ * Delete secret with name [secretName]
+ * @param req
+ * @param res
  */
 export const deleteSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type
-    } = req.body;
-    
-    const { secret, secrets } = await SecretService.deleteSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData
-    });
+  const { secretName } = req.params;
+  const { 
+    workspaceId, 
+    environment, 
+    type, 
+    secretPath = "/" 
+  } = req.body;
 
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath,
+  });
 
-    return res.status(200).send({
-        secret
-    });
-}
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};

backend/src/ee/services/EELicenseService.ts

@@ -1,3 +1,4 @@
+import * as Sentry from '@sentry/node';
 import NodeCache from 'node-cache';
 import { 
     getLicenseKey,
@@ -27,6 +28,7 @@ interface FeatureSet {
     customRateLimits: boolean;
     customAlerts: boolean;
     auditLogs: boolean;
+    envLimit?: number | null;
 }
 
 /**
@@ -54,7 +56,8 @@ class EELicenseService {
         rbac: true,
         customRateLimits: true,
         customAlerts: true,
-        auditLogs: false
+        auditLogs: false,
+        envLimit: null
     }
 
     public localFeatureSet: NodeCache;
@@ -92,34 +95,47 @@ class EELicenseService {
 
         return this.globalFeatureSet;
     }
+    
+    public async refreshOrganizationPlan(organizationId: string) {
+        if (this.instanceType === 'cloud') {
+            this.localFeatureSet.del(organizationId);
+            await this.getOrganizationPlan(organizationId);
+        }
+    }
 
     public async initGlobalFeatureSet() {
         const licenseServerKey = await getLicenseServerKey();
         const licenseKey = await getLicenseKey();
 
-        if (licenseServerKey) {
-            // license server key is present -> validate it
-            const token = await refreshLicenseServerKeyToken()
+        try {
+            if (licenseServerKey) {
+                // license server key is present -> validate it
+                const token = await refreshLicenseServerKeyToken()
+                    
+                if (token) {
+                    this.instanceType = 'cloud';
+                }
                 
-            if (token) {
-                this.instanceType = 'cloud';
+                return;
             }
             
-            return;
-        }
-        
-        if (licenseKey) {
-            // license key is present -> validate it
-            const token = await refreshLicenseKeyToken();
-                
-            if (token) {
-                const { data: { currentPlan } } = await licenseKeyRequest.get(
-                    `${await getLicenseServerUrl()}/api/license/v1/plan`
-                );
-                
-                this.globalFeatureSet = currentPlan;
-                this.instanceType = 'enterprise-self-hosted';
+            if (licenseKey) {
+                // license key is present -> validate it
+                const token = await refreshLicenseKeyToken();
+                    
+                if (token) {
+                    const { data: { currentPlan } } = await licenseKeyRequest.get(
+                        `${await getLicenseServerUrl()}/api/license/v1/plan`
+                    );
+                    
+                    this.globalFeatureSet = currentPlan;
+                    this.instanceType = 'enterprise-self-hosted';
+                }
             }
+        } catch (err) {
+            // case: self-hosted free
+            Sentry.setUser(null);
+            Sentry.captureException(err);
         }
     }
 

backend/src/helpers/bot.ts

@@ -86,6 +86,18 @@ export const createBot = async ({
   });
 };
 
+/**
+ * Return whether or not workspace with id [workspaceId] is end-to-end encrypted
+ * @param {Types.ObjectId} workspaceId - id of workspace to check
+ */
+export const getIsWorkspaceE2EEHelper = async (workspaceId: Types.ObjectId) => {
+  const botKey = await BotKey.exists({
+    workspace: workspaceId
+  }); 
+  
+  return botKey ? false : true;
+}
+
 /**
  * Return decrypted secrets for workspace with id [workspaceId]
  * and [environment] using bot
@@ -101,7 +113,7 @@ export const getSecretsBotHelper = async ({
   environment: string;
 }) => {
   const content = {} as any;
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const secrets = await Secret.find({
     workspace: workspaceId,
     environment,
@@ -136,7 +148,7 @@ export const getSecretsBotHelper = async ({
  * @param {String} obj.workspaceId - id of workspace
  * @returns {String} key - decrypted workspace key
  */
-export const getKey = async ({ workspaceId }: { workspaceId: string }) => {
+export const getKey = async ({ workspaceId }: { workspaceId: Types.ObjectId }) => {
   const encryptionKey = await getEncryptionKey();
   const rootEncryptionKey = await getRootEncryptionKey();
 
@@ -201,7 +213,7 @@ export const encryptSymmetricHelper = async ({
   workspaceId: Types.ObjectId;
   plaintext: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
     plaintext,
     key,
@@ -233,7 +245,7 @@ export const decryptSymmetricHelper = async ({
   iv: string;
   tag: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const plaintext = decryptSymmetric128BitHexKeyUTF8({
     ciphertext,
     iv,

backend/src/helpers/organization.ts

@@ -153,22 +153,24 @@ export const updateSubscriptionOrgQuantity = async ({
 
       EELicenseService.localFeatureSet.del(organizationId);
     }
-    
-    if (EELicenseService.instanceType === 'enterprise-self-hosted') {
-      // instance of Infisical is an enterprise self-hosted instance
-      
-      const usedSeats = await MembershipOrg.countDocuments({
-        status: ACCEPTED
-      });
-
-      await licenseKeyRequest.patch(
-        `${await getLicenseServerUrl()}/api/license/v1/license`,
-        {
-          usedSeats
-        }
-      );
-    }
   }
 
+  if (EELicenseService.instanceType === 'enterprise-self-hosted') {
+    // instance of Infisical is an enterprise self-hosted instance
+    
+    const usedSeats = await MembershipOrg.countDocuments({
+      status: ACCEPTED
+    });
+
+    await licenseKeyRequest.patch(
+      `${await getLicenseServerUrl()}/api/license/v1/license`,
+      {
+        usedSeats
+      }
+    );
+  }
+
+  await EELicenseService.refreshOrganizationPlan(organizationId);
+
   return stripeSubscription;
 };

backend/src/helpers/rateLimiter.ts

@@ -38,7 +38,7 @@ const authLimit = rateLimit({
   }
 });
 
-// 50 requests per 1 hour
+// 5 requests per 1 hour
 export const passwordLimiter = rateLimit({
   store: new MongoStore({
     uri: process.env.MONGO_URL,
@@ -47,7 +47,7 @@ export const passwordLimiter = rateLimit({
     collectionName: "expressRateRecords-passwordLimiter",
   }),
   windowMs: 1000 * 60 * 60,
-  max: 50,
+  max: 5,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {

backend/src/helpers/secrets.ts

@@ -1,4 +1,4 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import {
   CreateSecretParams,
   GetSecretsParams,
@@ -6,14 +6,20 @@ import {
   UpdateSecretParams,
   DeleteSecretParams,
 } from '../interfaces/services/SecretService';
-import { Secret, ISecret, SecretBlindIndexData } from '../models';
-import { SecretVersion } from '../ee/models';
+import {
+  Secret,
+  ISecret,
+  SecretBlindIndexData,
+  ServiceTokenData,
+} from "../models";
+import { SecretVersion } from "../ee/models";
 import {
   BadRequestError,
   SecretNotFoundError,
   SecretBlindIndexDataNotFoundError,
   InternalServerError,
-} from '../utils/errors';
+  UnauthorizedRequestError,
+} from "../utils/errors";
 import {
   SECRET_PERSONAL,
   SECRET_SHARED,
@@ -24,20 +30,75 @@ import {
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   ENCODING_SCHEME_BASE64,
-} from '../variables';
-import crypto from 'crypto';
-import * as argon2 from 'argon2';
+} from "../variables";
+import crypto from "crypto";
+import * as argon2 from "argon2";
 import {
   encryptSymmetric128BitHexKeyUTF8,
   decryptSymmetric128BitHexKeyUTF8,
 } from '../utils/crypto';
-import { getEncryptionKey, client, getRootEncryptionKey } from '../config';
 import { TelemetryService } from '../services';
-import { EESecretService, EELogService } from '../ee/services';
+import { getEncryptionKey, client, getRootEncryptionKey } from "../config";
+import { EESecretService, EELogService } from "../ee/services";
 import {
   getAuthDataPayloadIdObj,
   getAuthDataPayloadUserObj,
-} from '../utils/auth';
+} from "../utils/auth";
+import { getFolderIdFromServiceToken } from "../services/FolderService";
+
+/**
+ * Returns an object containing secret [secret] but with its value, key, comment decrypted.
+ * 
+ * Precondition: the workspace for secret [secret] must have E2EE disabled
+ * @param {ISecret} secret - secret to repackage to raw
+ * @param {String} key - symmetric key to use to decrypt secret
+ * @returns 
+ */
+export const repackageSecretToRaw = ({
+  secret,
+  key
+}:{
+  secret: ISecret;
+  key: string;
+}) => {
+
+  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+    ciphertext: secret.secretKeyCiphertext,
+    iv: secret.secretKeyIV,
+    tag: secret.secretKeyTag,
+    key
+  });
+
+  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+    ciphertext: secret.secretValueCiphertext,
+    iv: secret.secretValueIV,
+    tag: secret.secretValueTag,
+    key
+  });
+
+  let secretComment: string = ''; 
+  
+  if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
+    secretComment = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretCommentCiphertext,
+      iv: secret.secretCommentIV,
+      tag: secret.secretCommentTag,
+      key
+    });
+  }
+  
+  return ({
+    _id: secret._id,
+    version: secret.version,
+    workspace: secret.workspace,
+    type: secret.type,
+    environment: secret.environment,
+    user: secret.user,
+    secretKey,
+    secretValue,
+    secretComment
+  });
+}
 
 /**
  * Create secret blind index data containing encrypted blind index [salt]
@@ -46,12 +107,12 @@ import {
  * @param {Types.ObjectId} obj.workspaceId
  */
 export const createSecretBlindIndexDataHelper = async ({
-    workspaceId
+  workspaceId,
 }: {
   workspaceId: Types.ObjectId;
 }) => {
   // initialize random blind index salt for workspace
-  const salt = crypto.randomBytes(16).toString('base64');
+  const salt = crypto.randomBytes(16).toString("base64");
 
   const encryptionKey = await getEncryptionKey();
   const rootEncryptionKey = await getRootEncryptionKey();
@@ -99,7 +160,7 @@ export const createSecretBlindIndexDataHelper = async ({
  * @returns
  */
 export const getSecretBlindIndexSaltHelper = async ({
-    workspaceId
+  workspaceId,
 }: {
   workspaceId: Types.ObjectId;
 }) => {
@@ -108,7 +169,7 @@ export const getSecretBlindIndexSaltHelper = async ({
 
   const secretBlindIndexData = await SecretBlindIndexData.findOne({
     workspace: workspaceId,
-  }).select('+algorithm +keyEncoding');
+  }).select("+algorithm +keyEncoding");
 
   if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
 
@@ -136,7 +197,7 @@ export const getSecretBlindIndexSaltHelper = async ({
   }
 
   throw InternalServerError({
-    message: 'Failed to obtain workspace salt needed for secret blind indexing',
+    message: "Failed to obtain workspace salt needed for secret blind indexing",
   });
 };
 
@@ -148,8 +209,8 @@ export const getSecretBlindIndexSaltHelper = async ({
  * @param {String} obj.salt - base64-salt
  */
 export const generateSecretBlindIndexWithSaltHelper = async ({
-    secretName,
-    salt
+  secretName,
+  salt,
 }: {
   secretName: string;
   salt: string;
@@ -158,14 +219,14 @@ export const generateSecretBlindIndexWithSaltHelper = async ({
   const secretBlindIndex = (
     await argon2.hash(secretName, {
       type: argon2.argon2id,
-      salt: Buffer.from(salt, 'base64'),
+      salt: Buffer.from(salt, "base64"),
       saltLength: 16, // default 16 bytes
       memoryCost: 65536, // default pool of 64 MiB per thread.
       hashLength: 32,
       parallelism: 1,
       raw: true,
     })
-  ).toString('base64');
+  ).toString("base64");
 
   return secretBlindIndex;
 };
@@ -178,8 +239,8 @@ export const generateSecretBlindIndexWithSaltHelper = async ({
  * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
  */
 export const generateSecretBlindIndexHelper = async ({
-    secretName,
-    workspaceId
+  secretName,
+  workspaceId,
 }: {
   secretName: string;
   workspaceId: Types.ObjectId;
@@ -190,7 +251,7 @@ export const generateSecretBlindIndexHelper = async ({
 
   const secretBlindIndexData = await SecretBlindIndexData.findOne({
     workspace: workspaceId,
-  }).select('+algorithm +keyEncoding');
+  }).select("+algorithm +keyEncoding");
 
   if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
 
@@ -231,9 +292,9 @@ export const generateSecretBlindIndexHelper = async ({
 
     return secretBlindIndex;
   }
-  
+
   throw InternalServerError({
-    message: 'Failed to generate secret blind index'
+    message: "Failed to generate secret blind index",
   });
 };
 
@@ -262,23 +323,38 @@ export const createSecretHelper = async ({
   secretCommentCiphertext,
   secretCommentIV,
   secretCommentTag,
-  folderId,
+  secretPath = "/",
 }: CreateSecretParams) => {
+
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
     workspaceId: new Types.ObjectId(workspaceId),
   });
 
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
+
   const exists = await Secret.exists({
     secretBlindIndex,
     workspace: new Types.ObjectId(workspaceId),
+    folder: folderId,
     type,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
   });
 
   if (exists)
     throw BadRequestError({
-      message: 'Failed to create secret that already exists',
+      message: "Failed to create secret that already exists",
     });
 
   if (type === SECRET_PERSONAL) {
@@ -287,6 +363,7 @@ export const createSecretHelper = async ({
 
     const exists = await Secret.exists({
       secretBlindIndex,
+      folder: folderId,
       workspace: new Types.ObjectId(workspaceId),
       type: SECRET_SHARED,
     });
@@ -294,7 +371,7 @@ export const createSecretHelper = async ({
     if (!exists)
       throw BadRequestError({
         message:
-          'Failed to create personal secret override for no corresponding shared secret',
+          "Failed to create personal secret override for no corresponding shared secret",
       });
   }
 
@@ -325,6 +402,7 @@ export const createSecretHelper = async ({
     version: secret.version,
     workspace: secret.workspace,
     type,
+    folder: folderId,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
     environment: secret.environment,
     isDeleted: false,
@@ -372,7 +450,7 @@ export const createSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -380,6 +458,7 @@ export const createSecretHelper = async ({
         numberOfSecrets: 1,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
@@ -398,30 +477,45 @@ export const createSecretHelper = async ({
  * @returns
  */
 export const getSecretsHelper = async ({
-    workspaceId,
-    environment,
-    authData
+  workspaceId,
+  environment,
+  authData,
+  secretPath = "/",
 }: GetSecretsParams) => {
   let secrets: ISecret[] = [];
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
 
   // get personal secrets first
   secrets = await Secret.find({
     workspace: new Types.ObjectId(workspaceId),
     environment,
+    folder: folderId,
     type: SECRET_PERSONAL,
     ...getAuthDataPayloadUserObj(authData),
-  });
+  }).lean();
 
   // concat with shared secrets
   secrets = secrets.concat(
     await Secret.find({
       workspace: new Types.ObjectId(workspaceId),
       environment,
+      folder: folderId,
       type: SECRET_SHARED,
       secretBlindIndex: {
         $nin: secrets.map((secret) => secret.secretBlindIndex),
       },
-    })
+    }).lean()
   );
 
   // (EE) create (audit) log
@@ -445,7 +539,7 @@ export const getSecretsHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets pulled',
+      event: "secrets pulled",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -453,12 +547,13 @@ export const getSecretsHelper = async ({
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
     });
   }
-
+  
   return secrets;
 };
 
@@ -478,21 +573,35 @@ export const getSecretHelper = async ({
   environment,
   type,
   authData,
+  secretPath = "/",
 }: GetSecretParams) => {
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
     workspaceId: new Types.ObjectId(workspaceId),
   });
   let secret: ISecret | null = null;
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
 
   // try getting personal secret first (if exists)
   secret = await Secret.findOne({
     secretBlindIndex,
     workspace: new Types.ObjectId(workspaceId),
     environment,
+    folder: folderId,
     type: type ?? SECRET_PERSONAL,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
-  });
+  }).lean();
 
   if (!secret) {
     // case: failed to find personal secret matching criteria
@@ -501,8 +610,9 @@ export const getSecretHelper = async ({
       secretBlindIndex,
       workspace: new Types.ObjectId(workspaceId),
       environment,
+      folder: folderId,
       type: SECRET_SHARED,
-    });
+    }).lean();
   }
 
   if (!secret) throw SecretNotFoundError();
@@ -528,7 +638,7 @@ export const getSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets pull',
+      event: "secrets pull",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -536,12 +646,13 @@ export const getSecretHelper = async ({
         numberOfSecrets: 1,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
     });
   }
-
+  
   return secret;
 };
 
@@ -568,6 +679,7 @@ export const updateSecretHelper = async ({
   secretValueCiphertext,
   secretValueIV,
   secretValueTag,
+  secretPath,
 }: UpdateSecretParams) => {
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
@@ -575,6 +687,18 @@ export const updateSecretHelper = async ({
   });
 
   let secret: ISecret | null = null;
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
 
   if (type === SECRET_SHARED) {
     // case: update shared secret
@@ -583,6 +707,7 @@ export const updateSecretHelper = async ({
         secretBlindIndex,
         workspace: new Types.ObjectId(workspaceId),
         environment,
+        folder: folderId,
         type,
       },
       {
@@ -604,6 +729,7 @@ export const updateSecretHelper = async ({
         workspace: new Types.ObjectId(workspaceId),
         environment,
         type,
+        folder: folderId,
         ...getAuthDataPayloadUserObj(authData),
       },
       {
@@ -624,6 +750,7 @@ export const updateSecretHelper = async ({
     secret: secret._id,
     version: secret.version,
     workspace: secret.workspace,
+    folder: folderId,
     type,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
     environment: secret.environment,
@@ -672,7 +799,7 @@ export const updateSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -680,6 +807,7 @@ export const updateSecretHelper = async ({
         numberOfSecrets: 1,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
@@ -705,12 +833,27 @@ export const deleteSecretHelper = async ({
   environment,
   type,
   authData,
+  secretPath = "/",
 }: DeleteSecretParams) => {
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
     workspaceId: new Types.ObjectId(workspaceId),
   });
 
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
+
   let secrets: ISecret[] = [];
   let secret: ISecret | null = null;
 
@@ -719,28 +862,32 @@ export const deleteSecretHelper = async ({
       secretBlindIndex,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
-    });
+      folder: folderId,
+    }).lean();
 
     secret = await Secret.findOneAndDelete({
       secretBlindIndex,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
       type,
-    });
+      folder: folderId,
+    }).lean();
 
     await Secret.deleteMany({
       secretBlindIndex,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
+      folder: folderId,
     });
   } else {
     secret = await Secret.findOneAndDelete({
       secretBlindIndex,
+      folder: folderId,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
       type,
       ...getAuthDataPayloadUserObj(authData),
-    });
+    }).lean();
 
     if (secret) {
       secrets = [secret];
@@ -761,9 +908,7 @@ export const deleteSecretHelper = async ({
     secretIds: secrets.map((secret) => secret._id),
   });
 
-  // (EE) take a secret snapshot
-  action &&
-    (await EELogService.createLog({
+  action && (await EELogService.createLog({
       ...getAuthDataPayloadIdObj(authData),
       workspaceId,
       actions: [action],
@@ -782,7 +927,7 @@ export const deleteSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -790,14 +935,15 @@ export const deleteSecretHelper = async ({
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
     });
   }
-
-  return {
+  
+  return ({
     secrets,
-    secret,
-  };
-};
+    secret
+  });
+};

backend/src/helpers/workspace.ts

@@ -6,6 +6,7 @@ import {
 	Secret
 } from '../models';
 import { createBot } from '../helpers/bot';
+import { EELicenseService } from '../ee/services';
 import { SecretService } from '../services';
 
 /**
@@ -22,24 +23,25 @@ export const createWorkspace = async ({
 	name: string;
 	organizationId: string;
 }) => {
-  // create workspace
-  const workspace = await new Workspace({
-    name,
-    organization: organizationId,
-    autoCapitalization: true
-  }).save();
+	// create workspace
+	const workspace = await new Workspace({
+		name,
+		organization: organizationId,
+		autoCapitalization: true
+	}).save();
   
-  // initialize bot for workspace
-  await createBot({
-    name: 'Infisical Bot',
-    workspaceId: workspace._id
-  });
+	// initialize bot for workspace
+	await createBot({
+		name: 'Infisical Bot',
+		workspaceId: workspace._id
+	});
   
-  // initialize blind index salt for workspace
-  await SecretService.createSecretBlindIndexData({
-    workspaceId: workspace._id
-  });
+	// initialize blind index salt for workspace
+	await SecretService.createSecretBlindIndexData({
+		workspaceId: workspace._id
+	});
 
+	await EELicenseService.refreshOrganizationPlan(organizationId);
 
 	return workspace;
 };

backend/src/integrations/apps.ts

@@ -16,6 +16,7 @@ import {
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
   INTEGRATION_SUPABASE,
+  INTEGRATION_CHECKLY,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
@@ -26,6 +27,7 @@ import {
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_TRAVISCI_API_URL,
   INTEGRATION_SUPABASE_API_URL,
+  INTEGRATION_CHECKLY_API_URL
 } from "../variables";
 
 interface App {
@@ -120,6 +122,11 @@ const getApps = async ({
         accessToken,
       });
       break;
+    case INTEGRATION_CHECKLY:
+      apps = await getAppsCheckly({
+        accessToken,
+      });
+      break;
   }
 
   return apps;
@@ -601,4 +608,32 @@ const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+/**
+ * Return list of projects for the Checkly integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - api key for the Checkly API
+ * @returns {Object[]} apps - Сheckly accounts
+ * @returns {String} apps.name - name of Checkly account
+ */
+const getAppsCheckly = async ({ accessToken }: { accessToken: string }) => {
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_CHECKLY_API_URL}/v1/accounts`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept": "application/json",
+      },
+    }
+  );
+
+  const apps = data.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+
+  return apps;
+};
+
 export { getApps };

backend/src/integrations/sync.ts

@@ -34,7 +34,10 @@ import {
   INTEGRATION_FLYIO_API_URL,
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_TRAVISCI_API_URL,
-  INTEGRATION_SUPABASE_API_URL
+  INTEGRATION_SUPABASE_API_URL,
+  INTEGRATION_CHECKLY,
+  INTEGRATION_CHECKLY_API_URL,
+  INTEGRATION_HASHICORP_VAULT
 } from "../variables";
 import { standardRequest} from '../config/request';
 
@@ -161,9 +164,53 @@ const syncSecrets = async ({
           integration,
           secrets,
           accessToken
-      });
-      break;
-  }
+        });
+        break;
+      case INTEGRATION_FLYIO:
+        await syncSecretsFlyio({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
+      case INTEGRATION_CIRCLECI:
+        await syncSecretsCircleCI({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
+      case INTEGRATION_TRAVISCI:
+        await syncSecretsTravisCI({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
+      case INTEGRATION_SUPABASE:
+        await syncSecretsSupabase({
+            integration,
+            secrets,
+            accessToken
+        });
+        break;
+      case INTEGRATION_CHECKLY:
+        await syncSecretsCheckly({
+          integration,
+          secrets,
+          accessToken,
+        });
+        break;
+      case INTEGRATION_HASHICORP_VAULT:
+        await syncSecretsHashiCorpVault({
+          integration,
+          integrationAuth,
+          secrets,
+          accessId,
+          accessToken
+        });
+        break;
+    }
 };
 
 /**
@@ -1629,4 +1676,161 @@ const syncSecretsSupabase = async ({
 };
 
 
+/**
+ * Sync/push [secrets] to Checkly app
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for Checkly integration
+ */
+const syncSecretsCheckly = async ({
+  integration,
+  secrets,
+  accessToken,
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  // get secrets from travis-ci  
+  const getSecretsRes = (
+    await standardRequest.get(
+      `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
+      {
+        headers: {
+          "Authorization": `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json",
+          "X-Checkly-Account": integration.appId
+        },
+      }
+    )
+  )
+  .data
+  .reduce((obj: any, secret: any) => ({
+      ...obj,
+      [secret.key]: secret.value
+  }), {});
+  
+  // add secrets
+  for await (const key of Object.keys(secrets)) {
+    if (!(key in getSecretsRes)) {
+      // case: secret does not exist in checkly
+      // -> add secret
+      
+      await standardRequest.post(
+        `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
+        {
+          key,
+          value: secrets[key]
+        },
+        {
+          headers: {
+            "Authorization": `Bearer ${accessToken}`,
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+            "X-Checkly-Account": integration.appId
+          },
+        }
+      );
+    } else {
+      // case: secret exists in checkly
+      // -> update/set secret
+      
+      if (secrets[key] !== getSecretsRes[key]) {
+        await standardRequest.put(
+          `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
+          {
+            value: secrets[key]
+          },
+          {
+            headers: {
+              "Authorization": `Bearer ${accessToken}`,
+              "Content-Type": "application/json",
+              "Accept": "application/json",
+              "X-Checkly-Account": integration.appId
+            },
+          }
+        );
+      }
+    }
+  }
+
+  for await (const key of Object.keys(getSecretsRes)) {
+    if (!(key in secrets)){
+      // delete secret
+      await standardRequest.delete(
+        `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
+        {
+          headers: {
+            "Authorization": `Bearer ${accessToken}`,
+            "Accept": "application/json",
+            "X-Checkly-Account": integration.appId
+          },
+        }
+      );
+    }
+  }
+};
+
+/**
+ * Sync/push [secrets] to HashiCorp Vault path
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for HashiCorp Vault integration
+ */
+const syncSecretsHashiCorpVault = async ({
+  integration,
+  integrationAuth,
+  secrets,
+  accessId,
+  accessToken,
+}: {
+  integration: IIntegration;
+  integrationAuth: IIntegrationAuth;
+  secrets: any;
+  accessId: string | null;
+  accessToken: string;
+}) => {
+  if (!accessId) return;
+  
+  interface LoginAppRoleRes {
+    auth: {
+      client_token: string;
+    }
+  }
+  
+  // get Vault client token (could be optimized)
+  const { data }: { data: LoginAppRoleRes } = await standardRequest.post(
+    `${integrationAuth.url}/v1/auth/approle/login`,
+    {
+      "role_id": accessId,
+      "secret_id": accessToken
+    },
+    {
+      headers: {
+        "X-Vault-Namespace": integrationAuth.namespace
+      }
+    }
+  );
+  
+  const clientToken = data.auth.client_token;
+
+  await standardRequest.post(
+    `${integrationAuth.url}/v1/${integration.app}/data/${integration.path}`,
+    {
+      data: secrets
+    },
+    {
+      headers: {
+        "Authorization": `Bearer ${accessToken}`,
+        "Accept": "application/json",
+        "Content-Type": "application/json",
+        "X-Vault-Token": clientToken,
+        "X-Vault-Namespace": integrationAuth.namespace
+      },
+    }
+  );
+};
+
 export { syncSecrets };

backend/src/interfaces/services/SecretService/index.ts

@@ -5,7 +5,6 @@ export interface CreateSecretParams {
   secretName: string;
   workspaceId: Types.ObjectId;
   environment: string;
-  folderId?: string;
   type: "shared" | "personal";
   authData: AuthData;
   secretKeyCiphertext: string;
@@ -17,17 +16,20 @@ export interface CreateSecretParams {
   secretCommentCiphertext?: string;
   secretCommentIV?: string;
   secretCommentTag?: string;
+  secretPath: string;
 }
 
 export interface GetSecretsParams {
   workspaceId: Types.ObjectId;
   environment: string;
+  secretPath: string;
   authData: AuthData;
 }
 
 export interface GetSecretParams {
   secretName: string;
   workspaceId: Types.ObjectId;
+  secretPath: string;
   environment: string;
   type?: "shared" | "personal";
   authData: AuthData;
@@ -42,7 +44,7 @@ export interface UpdateSecretParams {
   secretValueCiphertext: string;
   secretValueIV: string;
   secretValueTag: string;
-  folderId?: string;
+  secretPath: string;
 }
 
 export interface DeleteSecretParams {
@@ -51,4 +53,5 @@ export interface DeleteSecretParams {
   environment: string;
   type: "shared" | "personal";
   authData: AuthData;
+  secretPath: string;
 }

backend/src/middleware/requestErrorHandler.ts

@@ -3,6 +3,7 @@ import { ErrorRequestHandler } from 'express';
 import { InternalServerError } from '../utils/errors';
 import { getLogger } from '../utils/logger';
 import RequestError, { LogLevel } from '../utils/requestError';
+import { getNodeEnv } from '../config';
 
 export const requestErrorHandler: ErrorRequestHandler = async (
   error: RequestError | Error,
@@ -12,6 +13,11 @@ export const requestErrorHandler: ErrorRequestHandler = async (
 ) => {
   if (res.headersSent) return next();
 
+  if (await getNodeEnv() !== "production") {
+    /* eslint-disable no-console */
+    console.error(error);
+  }
+
   //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
   if (!(error instanceof RequestError)) {
     error = InternalServerError({

backend/src/middleware/requireWorkspaceAuth.ts

@@ -16,13 +16,15 @@ const requireWorkspaceAuth = ({
 	locationWorkspaceId,
 	locationEnvironment = undefined,
 	requiredPermissions = [],
-	requireBlindIndicesEnabled = false
+	requireBlindIndicesEnabled = false,
+	requireE2EEOff = false
 }: {
 	acceptedRoles: Array<'admin' | 'member'>;
 	locationWorkspaceId: req;
 	locationEnvironment?: req | undefined;
 	requiredPermissions?: string[];
 	requireBlindIndicesEnabled?: boolean;
+	requireE2EEOff?: boolean;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
 		const workspaceId = req[locationWorkspaceId]?.workspaceId;
@@ -35,7 +37,8 @@ const requireWorkspaceAuth = ({
 			environment,
 			acceptedRoles,
 			requiredPermissions,
-			requireBlindIndicesEnabled
+			requireBlindIndicesEnabled,
+			requireE2EEOff
 		});
 		
 		if (membership) {

backend/src/models/integration.ts

@@ -13,7 +13,9 @@ import {
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
-  INTEGRATION_SUPABASE
+  INTEGRATION_SUPABASE,
+  INTEGRATION_CHECKLY,
+  INTEGRATION_HASHICORP_VAULT
 } from "../variables";
 
 export interface IIntegration {
@@ -45,7 +47,9 @@ export interface IIntegration {
     | 'flyio'
     | 'circleci'
     | 'travisci'
-    | 'supabase';
+    | 'supabase'
+    | 'checkly'
+    | 'hashicorp-vault';
   integrationAuth: Types.ObjectId;
 }
 
@@ -130,7 +134,9 @@ const integrationSchema = new Schema<IIntegration>(
         INTEGRATION_FLYIO,
         INTEGRATION_CIRCLECI,
         INTEGRATION_TRAVISCI,
-        INTEGRATION_SUPABASE
+        INTEGRATION_SUPABASE,
+        INTEGRATION_CHECKLY,
+        INTEGRATION_HASHICORP_VAULT
       ],
       required: true,
     },

backend/src/models/integrationAuth.ts

@@ -14,6 +14,7 @@ import {
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
   INTEGRATION_SUPABASE,
+  INTEGRATION_HASHICORP_VAULT,
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   ENCODING_SCHEME_BASE64
@@ -22,9 +23,11 @@ import {
 export interface IIntegrationAuth extends Document {
   _id: Types.ObjectId;
   workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'gitlab' | 'render' | 'railway' | 'flyio' | 'azure-key-vault' | 'circleci' | 'travisci' | 'supabase' | 'aws-parameter-store' | 'aws-secret-manager';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'gitlab' | 'render' | 'railway' | 'flyio' | 'azure-key-vault' | 'circleci' | 'travisci' | 'supabase' | 'aws-parameter-store' | 'aws-secret-manager' | 'checkly';
   teamId: string;
   accountId: string;
+  url: string;
+  namespace: string;
   refreshCiphertext?: string;
   refreshIV?: string;
   refreshTag?: string;
@@ -62,7 +65,8 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
         INTEGRATION_FLYIO,
         INTEGRATION_CIRCLECI,
         INTEGRATION_TRAVISCI,
-        INTEGRATION_SUPABASE
+        INTEGRATION_SUPABASE,
+        INTEGRATION_HASHICORP_VAULT
       ],
       required: true,
     },
@@ -70,6 +74,14 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
       // vercel-specific integration param
       type: String,
     },
+    url: {
+      // for any self-hosted integrations (e.g. self-hosted hashicorp-vault)
+      type: String
+    },
+    namespace: {
+      // hashicorp-vault-specific integration param
+      type: String
+    },
     accountId: {
       // netlify-specific integration param
       type: String,

backend/src/models/serviceTokenData.ts

@@ -1,79 +1,88 @@
-import { Schema, model, Types, Document } from 'mongoose';
+import { Schema, model, Types, Document } from "mongoose";
 
 export interface IServiceTokenData extends Document {
-    _id: Types.ObjectId;
-    name: string;
-    workspace: Types.ObjectId;
-    environment: string;
-    user: Types.ObjectId;
-    serviceAccount: Types.ObjectId;
-    lastUsed: Date;
-    expiresAt: Date;
-    secretHash: string;
-    encryptedKey: string;
-    iv: string;
-    tag: string;
-    permissions: string[];
+  _id: Types.ObjectId;
+  name: string;
+  workspace: Types.ObjectId;
+  environment: string;
+  user: Types.ObjectId;
+  serviceAccount: Types.ObjectId;
+  lastUsed: Date;
+  expiresAt: Date;
+  secretHash: string;
+  encryptedKey: string;
+  iv: string;
+  tag: string;
+  secretPath: string;
+  permissions: string[];
 }
 
 const serviceTokenDataSchema = new Schema<IServiceTokenData>(
-    {
-        name: {
-            type: String,
-            required: true
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
-        },
-        environment: {
-            type: String,
-            required: true
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: 'User',
-            required: true
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
-        },
-        lastUsed: {
-            type: Date
-        },
-        expiresAt: {
-            type: Date
-        },
-        secretHash: {
-            type: String,
-            required: true,
-            select: false
-        },
-        encryptedKey: {
-            type: String,
-            select: false
-        },
-        iv: {
-            type: String,
-            select: false
-        },
-        tag: {
-            type: String,
-            select: false
-        },
-        permissions: {
-            type: [String],
-            enum: ['read', 'write'],
-            default: ['read']
-        }
-    }, 
-    {
-        timestamps: true
-    }
+  {
+    name: {
+      type: String,
+      required: true,
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    user: {
+      type: Schema.Types.ObjectId,
+      ref: "User",
+      required: true,
+    },
+    serviceAccount: {
+      type: Schema.Types.ObjectId,
+      ref: "ServiceAccount",
+    },
+    lastUsed: {
+      type: Date,
+    },
+    expiresAt: {
+      type: Date,
+    },
+    secretHash: {
+      type: String,
+      required: true,
+      select: false,
+    },
+    encryptedKey: {
+      type: String,
+      select: false,
+    },
+    iv: {
+      type: String,
+      select: false,
+    },
+    tag: {
+      type: String,
+      select: false,
+    },
+    permissions: {
+      type: [String],
+      enum: ["read", "write"],
+      default: ["read"],
+    },
+    secretPath: {
+      type: String,
+      default: "/",
+      required: true,
+    },
+  },
+  {
+    timestamps: true,
+  }
+);
+
+const ServiceTokenData = model<IServiceTokenData>(
+  "ServiceTokenData",
+  serviceTokenDataSchema
 );
 
-const ServiceTokenData = model<IServiceTokenData>('ServiceTokenData', serviceTokenDataSchema);
-    
 export default ServiceTokenData;

backend/src/models/workspace.ts

@@ -37,10 +37,6 @@ const workspaceSchema = new Schema<IWorkspace>({
 				name: "Development",
 				slug: "dev"
 			},
-			{
-				name: "Test",
-				slug: "test"
-			},
 			{
 				name: "Staging",
 				slug: "staging"

backend/src/routes/v1/integration.ts

@@ -15,7 +15,7 @@ import {
 import { body, param } from 'express-validator';
 import { integrationController } from '../../controllers/v1';
 
-router.post( // new: add new integration for integration auth
+router.post(
 	'/',
 	requireAuth({
         acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY]

backend/src/routes/v1/integrationAuth.ts

@@ -57,6 +57,8 @@ router.post(
 	body('workspaceId').exists().trim().notEmpty(),
 	body('accessId').trim(),
 	body('accessToken').exists().trim().notEmpty(),
+	body('url').trim(),
+	body('namespace').trim(),
 	body('integration').exists().trim().notEmpty(),
 	validateRequest,
 	requireAuth({

backend/src/routes/v2/secrets.ts

@@ -1,15 +1,15 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import {
   requireAuth,
   requireWorkspaceAuth,
   requireSecretsAuth,
   validateRequest,
-} from '../../middleware';
-import { validateClientForSecrets } from '../../validation';
-import { query, body } from 'express-validator';
-import { secretsController } from '../../controllers/v2';
+} from "../../middleware";
+import { validateClientForSecrets } from "../../validation";
+import { query, body } from "express-validator";
+import { secretsController } from "../../controllers/v2";
 import {
   ADMIN,
   MEMBER,
@@ -21,11 +21,11 @@ import {
   AUTH_MODE_SERVICE_ACCOUNT,
   AUTH_MODE_SERVICE_TOKEN,
   AUTH_MODE_API_KEY,
-} from '../../variables';
-import { BatchSecretRequest } from '../../types/secret';
+} from "../../variables";
+import { BatchSecretRequest } from "../../types/secret";
 
 router.post(
-  '/batch',
+  "/batch",
   requireAuth({
     acceptedAuthModes: [
       AUTH_MODE_JWT,
@@ -35,12 +35,13 @@ router.post(
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'body',
+    locationWorkspaceId: "body",
   }),
-  body('workspaceId').exists().isString().trim(),
-  body('folderId').default('root').isString().trim(),
-  body('environment').exists().isString().trim(),
-  body('requests')
+  body("workspaceId").exists().isString().trim(),
+  body("folderId").default("root").isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("secretPath").optional().isString().trim(),
+  body("requests")
     .exists()
     .custom(async (requests: BatchSecretRequest[], { req }) => {
       if (Array.isArray(requests)) {
@@ -65,17 +66,18 @@ router.post(
 );
 
 router.post(
-  '/',
-  body('workspaceId').exists().isString().trim(),
-  body('environment').exists().isString().trim(),
-  body('folderId').default('root').isString().trim(),
-  body('secrets')
+  "/",
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("folderId").default("root").isString().trim(),
+  body("secretPath").optional().isString().trim(),
+  body("secrets")
     .exists()
     .custom((value) => {
       if (Array.isArray(value)) {
         // case: create multiple secrets
         if (value.length === 0)
-          throw new Error('secrets cannot be an empty array');
+          throw new Error("secrets cannot be an empty array");
         for (const secret of value) {
           if (
             !secret.type ||
@@ -85,16 +87,16 @@ router.post(
             !secret.secretKeyCiphertext ||
             !secret.secretKeyIV ||
             !secret.secretKeyTag ||
-            typeof secret.secretValueCiphertext !== 'string' ||
+            typeof secret.secretValueCiphertext !== "string" ||
             !secret.secretValueIV ||
             !secret.secretValueTag
           ) {
             throw new Error(
-              'secrets array must contain objects that have required secret properties'
+              "secrets array must contain objects that have required secret properties"
             );
           }
         }
-      } else if (typeof value === 'object') {
+      } else if (typeof value === "object") {
         // case: update 1 secret
         if (
           !value.type ||
@@ -107,11 +109,11 @@ router.post(
           !value.secretValueTag
         ) {
           throw new Error(
-            'secrets object is missing required secret properties'
+            "secrets object is missing required secret properties"
           );
         }
       } else {
-        throw new Error('secrets must be an object or an array of objects');
+        throw new Error("secrets must be an object or an array of objects");
       }
 
       return true;
@@ -126,19 +128,20 @@ router.post(
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'body',
-    locationEnvironment: 'body',
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
     requiredPermissions: [PERMISSION_WRITE_SECRETS],
   }),
   secretsController.createSecrets
 );
 
 router.get(
-  '/',
-  query('workspaceId').exists().trim(),
-  query('environment').exists().trim(),
-  query('tagSlugs'),
-  query('folderId').default('root').isString().trim(),
+  "/",
+  query("workspaceId").exists().trim(),
+  query("environment").exists().trim(),
+  query("tagSlugs"),
+  query("folderId").default("root").isString().trim(),
+  query("secretPath").optional().isString().trim(),
   validateRequest,
   requireAuth({
     acceptedAuthModes: [
@@ -150,34 +153,34 @@ router.get(
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'query',
-    locationEnvironment: 'query',
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
     requiredPermissions: [PERMISSION_READ_SECRETS],
   }),
   secretsController.getSecrets
 );
 
 router.patch(
-  '/',
-  body('secrets')
+  "/",
+  body("secrets")
     .exists()
     .custom((value) => {
       if (Array.isArray(value)) {
         // case: update multiple secrets
         if (value.length === 0)
-          throw new Error('secrets cannot be an empty array');
+          throw new Error("secrets cannot be an empty array");
         for (const secret of value) {
           if (!secret.id) {
-            throw new Error('Each secret must contain a ID property');
+            throw new Error("Each secret must contain a ID property");
           }
         }
-      } else if (typeof value === 'object') {
+      } else if (typeof value === "object") {
         // case: update 1 secret
         if (!value.id) {
-          throw new Error('secret must contain a ID property');
+          throw new Error("secret must contain a ID property");
         }
       } else {
-        throw new Error('secrets must be an object or an array of objects');
+        throw new Error("secrets must be an object or an array of objects");
       }
 
       return true;
@@ -198,21 +201,21 @@ router.patch(
 );
 
 router.delete(
-  '/',
-  body('secretIds')
+  "/",
+  body("secretIds")
     .exists()
     .custom((value) => {
       // case: delete 1 secret
-      if (typeof value === 'string') return true;
+      if (typeof value === "string") return true;
 
       if (Array.isArray(value)) {
         // case: delete multiple secrets
         if (value.length === 0)
-          throw new Error('secrets cannot be an empty array');
-        return value.every((id: string) => typeof id === 'string');
+          throw new Error("secrets cannot be an empty array");
+        return value.every((id: string) => typeof id === "string");
       }
 
-      throw new Error('secretIds must be a string or an array of strings');
+      throw new Error("secretIds must be a string or an array of strings");
     })
     .not()
     .isEmpty(),

backend/src/routes/v2/serviceTokenData.ts

@@ -1,72 +1,79 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    requireAuth,
-    requireWorkspaceAuth,
-    requireServiceTokenDataAuth,
-    validateRequest
-} from '../../middleware';
-import { param, body } from 'express-validator';
+  requireAuth,
+  requireWorkspaceAuth,
+  requireServiceTokenDataAuth,
+  validateRequest,
+} from "../../middleware";
+import { param, body } from "express-validator";
 import {
-    ADMIN,
-    MEMBER,
-    PERMISSION_WRITE_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN
-} from '../../variables';
-import { serviceTokenDataController } from '../../controllers/v2';
+  ADMIN,
+  MEMBER,
+  PERMISSION_WRITE_SECRETS,
+  AUTH_MODE_JWT,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  AUTH_MODE_SERVICE_TOKEN,
+} from "../../variables";
+import { serviceTokenDataController } from "../../controllers/v2";
 
 router.get(
-    '/',
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_SERVICE_TOKEN]
-    }),
-    serviceTokenDataController.getServiceTokenData
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_SERVICE_TOKEN],
+  }),
+  serviceTokenDataController.getServiceTokenData
 );
 
 router.post(
-    '/',
-	requireAuth({
-		acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT]
-	}),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS]
-    }),
-    body('name').exists().isString().trim(),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('encryptedKey').exists().isString().trim(),
-    body('iv').exists().isString().trim(),
-    body('tag').exists().isString().trim(),
-    body('expiresIn').exists().isNumeric(), // measured in ms
-    body('permissions').isArray({ min: 1 }).custom((value: string[]) => {
-        const allowedPermissions = ['read', 'write'];
-        const invalidValues = value.filter((v) => !allowedPermissions.includes(v));
-        if (invalidValues.length > 0) {
-            throw new Error(`permissions contains invalid values: ${invalidValues.join(', ')}`);
-        }
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+  }),
+  body("name").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("encryptedKey").exists().isString().trim(),
+  body("iv").exists().isString().trim(),
+  body("secretPath").isString().default("/").trim(),
+  body("tag").exists().isString().trim(),
+  body("expiresIn").exists().isNumeric(), // measured in ms
+  body("permissions")
+    .isArray({ min: 1 })
+    .custom((value: string[]) => {
+      const allowedPermissions = ["read", "write"];
+      const invalidValues = value.filter(
+        (v) => !allowedPermissions.includes(v)
+      );
+      if (invalidValues.length > 0) {
+        throw new Error(
+          `permissions contains invalid values: ${invalidValues.join(", ")}`
+        );
+      }
 
-        return true
+      return true;
     }),
-    validateRequest,
-    serviceTokenDataController.createServiceTokenData
+  validateRequest,
+  serviceTokenDataController.createServiceTokenData
 );
 
 router.delete(
-    '/:serviceTokenDataId',
-	requireAuth({
-		acceptedAuthModes: [AUTH_MODE_JWT]
-	}),
-    requireServiceTokenDataAuth({
-        acceptedRoles: [ADMIN, MEMBER]
-    }),
-    param('serviceTokenDataId').exists().trim(),
-    validateRequest,
-    serviceTokenDataController.deleteServiceTokenData
+  "/:serviceTokenDataId",
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_JWT],
+  }),
+  requireServiceTokenDataAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+  }),
+  param("serviceTokenDataId").exists().trim(),
+  validateRequest,
+  serviceTokenDataController.deleteServiceTokenData
 );
 
-export default router;
+export default router;

backend/src/routes/v3/secrets.ts

@@ -1,157 +1,302 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    requireAuth, 
-    requireWorkspaceAuth,
-    validateRequest
-} from '../../middleware';
-import { body, param, query } from 'express-validator';
-import { secretsController } from '../../controllers/v3';
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from "../../middleware";
+import { body, param, query } from "express-validator";
+import { secretsController } from "../../controllers/v3";
 import {
-    AUTH_MODE_JWT,
-    AUTH_MODE_API_KEY,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    ADMIN,
-    MEMBER,
-    PERMISSION_WRITE_SECRETS,
-    SECRET_SHARED,
-    SECRET_PERSONAL,
-    PERMISSION_READ_SECRETS
-} from '../../variables';
+  AUTH_MODE_JWT,
+  AUTH_MODE_API_KEY,
+  AUTH_MODE_SERVICE_TOKEN,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  ADMIN,
+  MEMBER,
+  PERMISSION_WRITE_SECRETS,
+  SECRET_SHARED,
+  SECRET_PERSONAL,
+  PERMISSION_READ_SECRETS,
+} from "../../variables";
 
 router.get(
-    '/',
-    query('workspaceId').exists().isString().trim(),
-    query('environment').exists().isString().trim(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY, 
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'query',
-        locationEnvironment: 'query',
-        requiredPermissions: [PERMISSION_READ_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.getSecrets
+  "/raw",
+  query("workspaceId").exists().isString().trim(),
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.getSecretsRaw
+);
+
+router.get(
+  "/raw/:secretName",
+  param("secretName").exists().isString().trim(),
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  query("type").optional().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.getSecretByNameRaw
 );
 
 router.post(
-    '/:secretName',
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('type').exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    body('secretKeyCiphertext').exists().isString().trim(),
-    body('secretKeyIV').exists().isString().trim(),
-    body('secretKeyTag').exists().isString().trim(),
-    body('secretValueCiphertext').exists().isString().trim(),
-    body('secretValueIV').exists().isString().trim(),
-    body('secretValueTag').exists().isString().trim(),
-    body('secretCommentCiphertext').optional().isString().trim(),
-    body('secretCommentIV').optional().isString().trim(),
-    body('secretCommentTag').optional().isString().trim(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.createSecret
-);
-
-router.get(
-    '/:secretName',
-    param('secretName').exists().isString().trim(),
-    query('workspaceId').exists().isString().trim(),
-    query('environment').exists().isString().trim(),
-    query('type').optional().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'query',
-        locationEnvironment: 'query',
-        requiredPermissions: [PERMISSION_READ_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.getSecretByName
+  "/raw/:secretName",
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretValue").exists().isString().trim(),
+  body("secretComment").default("").isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.createSecretRaw
 );
 
 router.patch(
-    '/:secretName',
-    param('secretName').exists().isString().trim(),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('type').exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    body('secretValueCiphertext').exists().isString().trim(),
-    body('secretValueIV').exists().isString().trim(),
-    body('secretValueTag').exists().isString().trim(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.updateSecretByName
+  "/raw/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretValue").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.updateSecretByNameRaw
 );
 
 router.delete(
-    '/:secretName',
-    param('secretName').exists().isString().trim(),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('type').exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.deleteSecretByName 
+  "/raw/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.deleteSecretByNameRaw
 );
 
-export default router;
+router.get(
+  "/",
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.getSecrets
+);
+
+router.post(
+  "/:secretName",
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretKeyCiphertext").exists().isString().trim(),
+  body("secretKeyIV").exists().isString().trim(),
+  body("secretKeyTag").exists().isString().trim(),
+  body("secretValueCiphertext").exists().isString().trim(),
+  body("secretValueIV").exists().isString().trim(),
+  body("secretValueTag").exists().isString().trim(),
+  body("secretCommentCiphertext").optional().isString().trim(),
+  body("secretCommentIV").optional().isString().trim(),
+  body("secretCommentTag").optional().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.createSecret
+);
+
+router.get(
+  "/:secretName",
+  param("secretName").exists().isString().trim(),
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  query("type").optional().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+  }),
+  secretsController.getSecretByName
+);
+
+router.patch(
+  "/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretValueCiphertext").exists().isString().trim(),
+  body("secretValueIV").exists().isString().trim(),
+  body("secretValueTag").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.updateSecretByName
+);
+
+router.delete(
+  "/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.deleteSecretByName
+);
+
+export default router;

backend/src/routes/v3/workspaces.ts

@@ -8,10 +8,9 @@ import {
 import { workspacesController } from '../../controllers/v3';
 import {
     AUTH_MODE_JWT,
-    ADMIN,
-    PERMISSION_READ_SECRETS
+    ADMIN
 } from '../../variables';
-import { param, body, validationResult } from 'express-validator';
+import { param, body } from 'express-validator';
 
 // -- migration to blind indices endpoints
 

backend/src/services/BotService.ts

@@ -2,7 +2,9 @@ import { Types } from 'mongoose';
 import {
     getSecretsBotHelper,
     encryptSymmetricHelper,
-    decryptSymmetricHelper
+    decryptSymmetricHelper,
+    getKey,
+    getIsWorkspaceE2EEHelper
 } from '../helpers/bot';
 
 /**
@@ -10,6 +12,31 @@ import {
  */
 class BotService {
     
+    /**
+     * Return whether or not workspace with id [workspaceId] is end-to-end encrypted
+     * @param workspaceId - id of workspace
+     * @returns {Boolean}
+     */
+    static async getIsWorkspaceE2EE(workspaceId: Types.ObjectId) {
+        return await getIsWorkspaceE2EEHelper(workspaceId);
+    }
+
+    /**
+     * Get workspace key for workspace with id [workspaceId] shared to bot.
+     * @param {Object} obj
+     * @param {Types.ObjectId} obj.workspaceId - id of workspace to get workspace key for
+     * @returns 
+     */
+    static async getWorkspaceKeyWithBot({
+        workspaceId
+    }: {
+        workspaceId: Types.ObjectId;
+    }) {
+        return await getKey({
+            workspaceId
+        });
+    }
+    
     /**
      * Return decrypted secrets for workspace with id [workspaceId] and 
      * environment [environmen] shared to bot.

backend/src/services/FolderService.ts

@@ -1,5 +1,6 @@
 import { nanoid } from "nanoid";
-import { TFolderSchema } from "../models/folder";
+import { Types } from "mongoose";
+import Folder, { TFolderSchema } from "../models/folder";
 
 type TAppendFolderDTO = {
   folderName: string;
@@ -174,6 +175,11 @@ export const searchByFolderIdWithDir = (
 // to get folder of a path given
 // Like /frontend/folder#1
 export const getFolderByPath = (folders: TFolderSchema, searchPath: string) => {
+  // corner case when its just / return root
+  if (searchPath === "/") {
+    return folders.id === "root" ? folders : undefined;
+  }
+
   const path = searchPath.split("/").filter(Boolean);
   const queue = [folders];
   let segment: TFolderSchema | undefined;
@@ -187,3 +193,25 @@ export const getFolderByPath = (folders: TFolderSchema, searchPath: string) => {
   }
   return segment;
 };
+
+export const getFolderIdFromServiceToken = async (
+  workspaceId: Types.ObjectId | string,
+  environment: string,
+  secretPath: string
+) => {
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
+
+  if (!folders) {
+    if (secretPath !== "/") throw new Error("Invalid path. Folders not found");
+  } else {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw new Error("Folder not found");
+    }
+    return folder.id;
+  }
+  return "root";
+};

backend/src/services/SecretService.ts

@@ -1,7 +1,4 @@
-import { Types } from 'mongoose';
-import {
-    ISecret
-} from '../models';
+import { Types } from "mongoose";
 import {
     CreateSecretParams,
     GetSecretsParams,
@@ -22,150 +19,150 @@ import {
 } from '../helpers/secrets';
 
 class SecretService {
+  /**
+   * Create secret blind index data containing encrypted blind index salt
+   * for workspace with id [workspaceId]
+   * @param {Object} obj
+   * @param {Buffer} obj.salt - 16-byte random salt
+   * @param {Types.ObjectId} obj.workspaceId
+   */
+  static async createSecretBlindIndexData({
+    workspaceId,
+  }: {
+    workspaceId: Types.ObjectId;
+  }) {
+    return await createSecretBlindIndexDataHelper({
+      workspaceId,
+    });
+  }
 
-    /**
-     * Create secret blind index data containing encrypted blind index salt 
-     * for workspace with id [workspaceId]
-     * @param {Object} obj
-     * @param {Buffer} obj.salt - 16-byte random salt
-     * @param {Types.ObjectId} obj.workspaceId
-     */
-    static async createSecretBlindIndexData({
-        workspaceId,
-    }: {
-        workspaceId: Types.ObjectId;
-    }) {
-        return await createSecretBlindIndexDataHelper({
-            workspaceId
-        });
-    }
+  /**
+   * Get secret blind index salt for workspace with id [workspaceId]
+   * @param {Object} obj
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
+   * @returns
+   */
+  static async getSecretBlindIndexSalt({
+    workspaceId,
+  }: {
+    workspaceId: Types.ObjectId;
+  }) {
+    return await getSecretBlindIndexSaltHelper({
+      workspaceId,
+    });
+  }
 
-    /**
-     * Get secret blind index salt for workspace with id [workspaceId]
-     * @param {Object} obj
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
-     * @returns 
-     */
-    static async getSecretBlindIndexSalt({
-        workspaceId
-    }: {
-        workspaceId: Types.ObjectId;
-    }) {
-        return await getSecretBlindIndexSaltHelper({
-            workspaceId
-        });
-    }
+  /**
+   * Generate blind index for secret with name [secretName]
+   * and salt [salt]
+   * @param {Object} obj
+   * @param {Object} obj.secretName - name of secret to generate blind index for
+   * @param {String} obj.salt - base64-salt
+   */
+  static async generateSecretBlindIndexWithSalt({
+    secretName,
+    salt,
+  }: {
+    secretName: string;
+    salt: string;
+  }) {
+    return await generateSecretBlindIndexWithSaltHelper({
+      secretName,
+      salt,
+    });
+  }
 
-    /**
-     * Generate blind index for secret with name [secretName]
-     * and salt [salt]
-     * @param {Object} obj
-     * @param {Object} obj.secretName - name of secret to generate blind index for
-     * @param {String} obj.salt - base64-salt
-     */
-     static async generateSecretBlindIndexWithSalt({
-        secretName,
-        salt
-    }: {
-        secretName: string;
-        salt: string;
-    }) {
-        return await generateSecretBlindIndexWithSaltHelper({
-            secretName,
-            salt
-        });
-    }
+  /**
+   * Create and return blind index for secret with
+   * name [secretName] part of workspace with id [workspaceId]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to generate blind index for
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   */
+  static async generateSecretBlindIndex({
+    secretName,
+    workspaceId,
+  }: {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+  }) {
+    return await generateSecretBlindIndexHelper({
+      secretName,
+      workspaceId,
+    });
+  }
 
-    /**
-     * Create and return blind index for secret with
-     * name [secretName] part of workspace with id [workspaceId]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to generate blind index for
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     */
-    static async generateSecretBlindIndex({
-        secretName,
-        workspaceId,
-    }: {
-        secretName: string;
-        workspaceId: Types.ObjectId;
-    }) {
-        return await generateSecretBlindIndexHelper({
-            secretName,
-            workspaceId
-        });
-    }
-    
-    /**
-     * Create secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to create
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
-     * @param {String} obj.environment - environment in workspace to create secret for
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async createSecret(createSecretParams: CreateSecretParams) {
-        return await createSecretHelper(createSecretParams);
-    }
+  /**
+   * Create secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to create
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
+   * @param {String} obj.environment - environment in workspace to create secret for
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async createSecret(createSecretParams: CreateSecretParams) {
+    return await createSecretHelper(createSecretParams);
+  }
 
-    /**
-     * Get secrets for workspace with id [workspaceId] and environment [environment]
-     * @param {Object} obj
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace
-     * @param {String} obj.environment - environment in workspace
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async getSecrets(getSecretsParams: GetSecretsParams) {
-        return await getSecretsHelper(getSecretsParams);
-    }
-    
-    /**
-     * Get secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to get
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     * @param {String} obj.environment - environment in workspace that secret belongs to
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async getSecret(getSecretParams: GetSecretParams) {
-        return await getSecretHelper(getSecretParams);
-    }
-    
-    /**
-     * Update secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to update
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     * @param {String} obj.environment - environment in workspace that secret belongs to
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {String} obj.secretValueCiphertext - ciphertext of secret value
-     * @param {String} obj.secretValueIV - IV of secret value
-     * @param {String} obj.secretValueTag - tag of secret value
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async updateSecret(updateSecretParams: UpdateSecretParams) {
-        return await updateSecretHelper(updateSecretParams);
-    }
+  /**
+   * Get secrets for workspace with id [workspaceId] and environment [environment]
+   * @param {Object} obj
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace
+   * @param {String} obj.environment - environment in workspace
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async getSecrets(getSecretsParams: GetSecretsParams) {
+    return await getSecretsHelper(getSecretsParams);
+  }
 
-    /**
-     * Delete secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to delete
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     * @param {String} obj.environment - environment in workspace that secret belongs to
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async deleteSecret(deleteSecretParams: DeleteSecretParams) {
-        return await deleteSecretHelper(deleteSecretParams);
-    }
+  /**
+   * Get secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to get
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   * @param {String} obj.environment - environment in workspace that secret belongs to
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async getSecret(getSecretParams: GetSecretParams) {
+    // TODO(akhilmhdh) The one above is diff. Change this to some other name
+    return await getSecretHelper(getSecretParams);
+  }
+
+  /**
+   * Update secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to update
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   * @param {String} obj.environment - environment in workspace that secret belongs to
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {String} obj.secretValueCiphertext - ciphertext of secret value
+   * @param {String} obj.secretValueIV - IV of secret value
+   * @param {String} obj.secretValueTag - tag of secret value
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async updateSecret(updateSecretParams: UpdateSecretParams) {
+    return await updateSecretHelper(updateSecretParams);
+  }
+
+  /**
+   * Delete secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to delete
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   * @param {String} obj.environment - environment in workspace that secret belongs to
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async deleteSecret(deleteSecretParams: DeleteSecretParams) {
+    return await deleteSecretHelper(deleteSecretParams);
+  }
 }
 
-export default SecretService;
+export default SecretService;

backend/src/utils/setup/backfillData.ts

@@ -1,3 +1,4 @@
+/* eslint-disable no-console */
 import crypto from "crypto";
 import { Types } from "mongoose";
 import { encryptSymmetric128BitHexKeyUTF8 } from "../crypto";
@@ -11,6 +12,7 @@ import {
   Bot,
   BackupPrivateKey,
   IntegrationAuth,
+  ServiceTokenData,
 } from "../../models";
 import { generateKeyPair } from "../../utils/crypto";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
@@ -64,7 +66,7 @@ export const backfillSecretVersions = async () => {
       ),
     });
   }
-  console.log("Migration: Secret version migration v1 complete")
+  console.log("Migration: Secret version migration v1 complete");
 };
 
 /**
@@ -380,13 +382,15 @@ export const backfillSecretFolders = async () => {
       });
 
       const newSnapshots = Object.keys(groupSnapByEnv).map((snapEnv) => {
-        const secretIdsOfEnvGroup = groupSnapByEnv[snapEnv] ? groupSnapByEnv[snapEnv].map(secretVersion => secretVersion._id) : []
+        const secretIdsOfEnvGroup = groupSnapByEnv[snapEnv]
+          ? groupSnapByEnv[snapEnv].map((secretVersion) => secretVersion._id)
+          : [];
         return {
           ...secSnapshot.toObject({ virtuals: false }),
           _id: new Types.ObjectId(),
           environment: snapEnv,
           secretVersions: secretIdsOfEnvGroup,
-        }
+        };
       });
 
       await SecretSnapshot.insertMany(newSnapshots);
@@ -402,5 +406,21 @@ export const backfillSecretFolders = async () => {
       .limit(50);
   }
 
-  console.log("Migration: Folder migration v1 complete")
+  console.log("Migration: Folder migration v1 complete");
+};
+
+export const backfillServiceToken = async () => {
+  await ServiceTokenData.updateMany(
+    {
+      secretPath: {
+        $exists: false,
+      },
+    },
+    {
+      $set: {
+        secretPath: "/",
+      },
+    }
+  );
+  console.log("Migration: Service token migration v1 complete");
 };

backend/src/utils/setup/index.ts

@@ -1,30 +1,31 @@
-import * as Sentry from '@sentry/node';
-import { DatabaseService, TelemetryService } from '../../services';
-import { setTransporter } from '../../helpers/nodemailer';
-import { EELicenseService } from '../../ee/services';
-import { initSmtp } from '../../services/smtp';
-import { createTestUserForDevelopment } from '../addDevelopmentUser';
+import * as Sentry from "@sentry/node";
+import { DatabaseService, TelemetryService } from "../../services";
+import { setTransporter } from "../../helpers/nodemailer";
+import { EELicenseService } from "../../ee/services";
+import { initSmtp } from "../../services/smtp";
+import { createTestUserForDevelopment } from "../addDevelopmentUser";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-import { validateEncryptionKeysConfig } from './validateConfig';
+import { validateEncryptionKeysConfig } from "./validateConfig";
 import {
   backfillSecretVersions,
   backfillBots,
   backfillSecretBlindIndexData,
   backfillEncryptionMetadata,
   backfillSecretFolders,
-} from './backfillData';
+  backfillServiceToken,
+} from "./backfillData";
 import {
   reencryptBotPrivateKeys,
   reencryptSecretBlindIndexDataSalts,
-} from './reencryptData';
+} from "./reencryptData";
 import {
   getNodeEnv,
   getMongoURL,
   getSentryDSN,
   getClientSecretGoogle,
   getClientIdGoogle,
-} from '../../config';
-import { initializePassport } from '../auth';
+} from "../../config";
+import { initializePassport } from "../auth";
 
 /**
  * Prepare Infisical upon startup. This includes tasks like:
@@ -75,6 +76,7 @@ export const setup = async () => {
   await backfillSecretBlindIndexData();
   await backfillEncryptionMetadata();
   await backfillSecretFolders();
+  await backfillServiceToken();
 
   // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
   // to base64 256-bit ROOT_ENCRYPTION_KEY
@@ -85,7 +87,7 @@ export const setup = async () => {
   Sentry.init({
     dsn: await getSentryDSN(),
     tracesSampleRate: 1.0,
-    debug: (await getNodeEnv()) === 'production' ? false : true,
+    debug: (await getNodeEnv()) === "production" ? false : true,
     environment: await getNodeEnv(),
   });
 

backend/src/validation/workspace.ts

@@ -13,6 +13,7 @@ import { validateServiceAccountClientForWorkspace } from './serviceAccount';
 import { validateUserClientForWorkspace } from './user';
 import { validateServiceTokenDataClientForWorkspace } from './serviceTokenData';
 import { 
+	BadRequestError,
     UnauthorizedRequestError,
     WorkspaceNotFoundError 
 } from '../utils/errors';
@@ -22,6 +23,7 @@ import {
     AUTH_MODE_SERVICE_TOKEN,
     AUTH_MODE_API_KEY
 } from '../variables';
+import { BotService } from '../services';
 
 /**
  * Validate authenticated clients for workspace with id [workspaceId] based
@@ -39,7 +41,8 @@ export const validateClientForWorkspace = async ({
 	environment,
 	acceptedRoles,
 	requiredPermissions,
-	requireBlindIndicesEnabled
+	requireBlindIndicesEnabled,
+	requireE2EEOff
 }: {
 	authData: {
 		authMode: string;
@@ -50,6 +53,7 @@ export const validateClientForWorkspace = async ({
 	acceptedRoles: Array<'admin' | 'member'>;
 	requiredPermissions?: string[];
 	requireBlindIndicesEnabled: boolean;
+	requireE2EEOff: boolean;
 }) => {
 	const workspace = await Workspace.findById(workspaceId);
 
@@ -70,6 +74,14 @@ export const validateClientForWorkspace = async ({
 			message: 'Failed workspace authorization due to blind indices not being enabled'
 		});
 	}
+	
+	if (requireE2EEOff) {
+		const isWorkspaceE2EE = await BotService.getIsWorkspaceE2EE(workspaceId);
+		
+		if (isWorkspaceE2EE) throw BadRequestError({
+			message: 'Failed workspace authorization due to end-to-end encryption not being disabled'
+		});
+	}
 
 	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
 		const membership = await validateUserClientForWorkspace({

backend/src/variables/integration.ts

@@ -22,6 +22,8 @@ export const INTEGRATION_FLYIO = "flyio";
 export const INTEGRATION_CIRCLECI = "circleci";
 export const INTEGRATION_TRAVISCI = "travisci";
 export const INTEGRATION_SUPABASE = 'supabase';
+export const INTEGRATION_CHECKLY = 'checkly';
+export const INTEGRATION_HASHICORP_VAULT = 'hashicorp-vault';
 export const INTEGRATION_SET = new Set([
     INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
@@ -33,7 +35,9 @@ export const INTEGRATION_SET = new Set([
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
-  INTEGRATION_SUPABASE
+  INTEGRATION_SUPABASE,
+  INTEGRATION_CHECKLY,
+  INTEGRATION_HASHICORP_VAULT
 ]);
 
 // integration types
@@ -60,6 +64,7 @@ export const INTEGRATION_FLYIO_API_URL = "https://api.fly.io/graphql";
 export const INTEGRATION_CIRCLECI_API_URL = "https://circleci.com/api";
 export const INTEGRATION_TRAVISCI_API_URL = "https://api.travis-ci.com";
 export const INTEGRATION_SUPABASE_API_URL = 'https://api.supabase.com';
+export const INTEGRATION_CHECKLY_API_URL = 'https://api.checklyhq.com';
 
 export const getIntegrationOptions = async () => {
     const INTEGRATION_OPTIONS = [
@@ -190,6 +195,24 @@ export const getIntegrationOptions = async () => {
             clientId: '',
             docsLink: ''
         },
+        {
+            name: 'Checkly',
+            slug: 'checkly',
+            image: 'Checkly.png',
+            isAvailable: true,
+            type: 'pat',
+            clientId: '',
+            docsLink: ''
+        },
+        {
+            name: 'HashiCorp Vault',
+            slug: 'hashicorp-vault',
+            image: 'Vault.png',
+            isAvailable: true,
+            type: 'pat',
+            clientId: '',
+            docsLink: ''
+        },
         {
             name: 'Google Cloud Platform',
             slug: 'gcp',

docs/api-reference/overview/authentication.mdx

@@ -5,10 +5,9 @@ description: "How to authenticate with the Infisical Public API"
 
 ## Essentials
 
-The Public API accepts multiple modes of authentication being via API Key, Service Account credentials, or [Infisical Token](/documentation/platform/token).
+The Public API accepts multiple modes of authentication being via API Key or [Infisical Token](/documentation/platform/token).
 
-- API Key: Provides full access to all endpoints representing the user.
-- Service Account: Provides scoped access to an organization and select projects representing a machine such as a VM or application client. 
+- API Key: Provides full access to all endpoints representing the user without ability to encrypt/decrypt secrets in **E2EE** mode.
 - [Infisical Token](/documentation/platform/token): Provides short-lived, scoped CRUD access to the secrets of a specific project and environment.
 
 <AccordionGroup>
@@ -21,14 +20,6 @@ You can obtain an API key in User Settings > API Keys
 
 ![API key dashboard](../../images/api-key-dashboard.png)
 ![API key in personal settings](../../images/api-key-settings.png)
-</Accordion>
-<Accordion title="Service Account">
-The Service Account mode uses an Access Key to authenticate with the API and a Public Key and Private Key to perform any cryptographic operations.
-
-To authenticate requests with Infisical using the Access Key, you must include it in the `Authorization` header of HTTP requests made to the platform with the value `Bearer <access_key>`.
-
-You can create a Service Account in Organization Settings > Service Accounts
-
 </Accordion>
 <Accordion title="Infisical Token">
 
@@ -40,12 +31,4 @@ You can obtain an Infisical Token in Project Settings > Service Tokens.
 
 ![token add](../../images/project-token-add.png)
 </Accordion>
-</AccordionGroup>
-
-## Use Cases
-
-Depending on your use case, it may make sense to use one or another authentication mode:
-
-- API Key (not recommended): Use if you need full access to the Public API without needing to access any secrets endpoints (because API keys can't encrypt/decrypt secrets).
-- Service Account (recommeded): Use if you need access to multiple projects and environments in an organization; service accounts can generate short-lived access tokens, making them useful for some complex setups.
-- Service Token (recommeded): Use if you need short-lived, scoped CRUD access to the secrets of a specific project and environment.
+</AccordionGroup>

docs/api-reference/overview/encryption-modes/e2ee-mode.mdx

@@ -0,0 +1,861 @@
+---
+title: "E2EE Mode"
+---
+
+End-to-End Encrypted (E2EE) mode is the default way to use Infisical's API. With it, you must perform client-side encryption/decryption
+when reading/writing secrets via HTTP call to Infisical.
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com).
+- Create an [Infisical Token](/documentation/platform/token) for your project and environment with write access enabled.
+- Grasp a basic understanding of the system and its underlying cryptography [here](/api-reference/overview/introduction).
+- [Ensure that your project is blind-indexed](../blind-indices).
+
+Below, we showcase how to execute common CRUD operations to manage secrets in **E2EE** mode:
+
+<AccordionGroup>
+    <Accordion title="Retrieve secrets">
+        <Tabs>
+  <Tab title="Javascript">
+```js
+const crypto = require('crypto');
+const axios = require('axios');
+
+const BASE_URL = 'https://app.infisical.com';
+const ALGORITHM = 'aes-256-gcm';
+
+const decrypt = ({ ciphertext, iv, tag, secret}) => {
+	const decipher = crypto.createDecipheriv(
+		ALGORITHM,
+		secret,
+		Buffer.from(iv, 'base64')
+	);
+	decipher.setAuthTag(Buffer.from(tag, 'base64'));
+
+    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
+    cleartext += decipher.final('utf8');
+
+    return cleartext;
+}
+
+const getSecrets = async () => {
+	const serviceToken = 'your_service_token';
+	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
+
+    // 1. Get your Infisical Token data
+    const { data: serviceTokenData } = await axios.get(
+       `${BASE_URL}/api/v2/service-token`,
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+
+    // 2. Get secrets for your project and environment
+    const { data } = await axios.get(
+       `${BASE_URL}/api/v3/secrets?${new URLSearchParams({
+            environment: serviceTokenData.environment,
+            workspaceId: serviceTokenData.workspace
+        })}`,
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+
+    const encryptedSecrets = data.secrets;
+
+    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
+    const projectKey = decrypt({
+        ciphertext: serviceTokenData.encryptedKey,
+        iv: serviceTokenData.iv,
+        tag: serviceTokenData.tag,
+        secret: serviceTokenSecret
+    });
+
+	// 4. Decrypt the (encrypted) secrets
+    const secrets = encryptedSecrets.map((secret) => {
+        const secretKey = decrypt({
+          ciphertext: secret.secretKeyCiphertext,
+          iv: secret.secretKeyIV,
+          tag: secret.secretKeyTag,
+          secret: projectKey
+        });
+
+        const secretValue = decrypt({
+          ciphertext: secret.secretValueCiphertext,
+          iv: secret.secretValueIV,
+          tag: secret.secretValueTag,
+          secret: projectKey
+        });
+
+        return ({
+            secretKey,
+            secretValue
+        });
+    });
+
+    console.log('secrets: ', secrets);
+}
+
+getSecrets();
+
+```
+  </Tab>
+
+<Tab title="Python">
+```Python
+import requests
+import base64
+from Cryptodome.Cipher import AES
+
+
+BASE_URL = "http://app.infisical.com"
+
+
+def decrypt(ciphertext, iv, tag, secret):
+    secret = bytes(secret, "utf-8")
+    iv = base64.standard_b64decode(iv)
+    tag = base64.standard_b64decode(tag)
+    ciphertext = base64.standard_b64decode(ciphertext)
+
+    cipher = AES.new(secret, AES.MODE_GCM, iv)
+    cipher.update(tag)
+    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
+    return cleartext
+
+
+def get_secrets():
+    service_token = "your_service_token"
+    service_token_secret = service_token[service_token.rindex(".") + 1 :]
+
+    # 1. Get your Infisical Token data
+    service_token_data = requests.get(
+        f"{BASE_URL}/api/v2/service-token",
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json()
+
+    # 2. Get secrets for your project and environment
+    data = requests.get(
+        f"{BASE_URL}/api/v3/secrets",
+        params={
+            "environment": service_token_data["environment"],
+            "workspaceId": service_token_data["workspace"],
+        },
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json()
+
+    encrypted_secrets = data["secrets"]
+
+    # 3. Decrypt the (encrypted) project key with the key from your Infisical Token
+    project_key = decrypt(
+        ciphertext=service_token_data["encryptedKey"],
+        iv=service_token_data["iv"],
+        tag=service_token_data["tag"],
+        secret=service_token_secret,
+    )
+
+    # 4. Decrypt the (encrypted) secrets
+    secrets = []
+    for secret in encrypted_secrets:
+        secret_key = decrypt(
+            ciphertext=secret["secretKeyCiphertext"],
+            iv=secret["secretKeyIV"],
+            tag=secret["secretKeyTag"],
+            secret=project_key,
+        )
+
+        secret_value = decrypt(
+            ciphertext=secret["secretValueCiphertext"],
+            iv=secret["secretValueIV"],
+            tag=secret["secretValueTag"],
+            secret=project_key,
+        )
+
+        secrets.append(
+            {
+                "secret_key": secret_key,
+                "secret_value": secret_value,
+            }
+        )
+
+    print("secrets:", secrets)
+
+
+get_secrets()
+
+```
+</Tab>
+</Tabs>
+    </Accordion>
+    <Accordion title="Create secret">
+        <Tabs>
+<Tab title="Javascript">
+```js
+const crypto = require('crypto');
+const axios = require('axios');
+const nacl = require('tweetnacl');
+
+const BASE_URL = 'https://app.infisical.com';
+const ALGORITHM = 'aes-256-gcm';
+const BLOCK_SIZE_BYTES = 16;
+
+const encrypt = ({ text, secret }) => {
+    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
+    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);
+
+    let ciphertext = cipher.update(text, 'utf8', 'base64');
+    ciphertext += cipher.final('base64');
+    return {
+        ciphertext,
+        iv: iv.toString('base64'),
+        tag: cipher.getAuthTag().toString('base64')
+    };
+}
+
+const decrypt = ({ ciphertext, iv, tag, secret}) => {
+	const decipher = crypto.createDecipheriv(
+		ALGORITHM,
+		secret,
+		Buffer.from(iv, 'base64')
+	);
+	decipher.setAuthTag(Buffer.from(tag, 'base64'));
+
+	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
+	cleartext += decipher.final('utf8');
+
+	return cleartext;
+}
+
+const createSecrets = async () => {
+    const serviceToken = '';
+    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
+    
+    const secretType = 'shared'; // 'shared' or 'personal'
+    const secretKey = 'some_key';
+    const secretValue = 'some_value';
+    const secretComment = 'some_comment';
+
+    // 1. Get your Infisical Token data
+    const { data: serviceTokenData } = await axios.get(
+       `${BASE_URL}/api/v2/service-token`,
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+
+    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
+    const projectKey = decrypt({
+        ciphertext: serviceTokenData.encryptedKey,
+        iv: serviceTokenData.iv,
+        tag: serviceTokenData.tag,
+        secret: serviceTokenSecret
+    });
+    
+	// 3. Encrypt your secret with the project key
+    const {
+        ciphertext: secretKeyCiphertext,
+        iv: secretKeyIV,
+        tag: secretKeyTag
+    } = encrypt({
+        text: secretKey,
+        secret: projectKey
+    });
+
+    const {
+        ciphertext: secretValueCiphertext,
+        iv: secretValueIV,
+        tag: secretValueTag
+    } = encrypt({
+        text: secretValue,
+        secret: projectKey
+    });
+
+    const {
+        ciphertext: secretCommentCiphertext,
+        iv: secretCommentIV,
+        tag: secretCommentTag
+    } = encrypt({
+        text: secretComment,
+        secret: projectKey
+    });
+
+	// 4. Send (encrypted) secret to Infisical
+    await axios.post(
+        `${BASE_URL}/api/v3/secrets/${secretKey}`,
+        {
+            workspaceId: serviceTokenData.workspace,
+            environment: serviceTokenData.environment,
+            type: secretType,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        },
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+}
+
+createSecrets();
+```
+</Tab>
+
+<Tab title="Python">
+```Python
+import base64
+import requests
+from Cryptodome.Cipher import AES
+from Cryptodome.Random import get_random_bytes
+
+
+BASE_URL = "https://app.infisical.com"
+BLOCK_SIZE_BYTES = 16
+
+
+def encrypt(text, secret):
+    iv = get_random_bytes(BLOCK_SIZE_BYTES)
+    secret = bytes(secret, "utf-8")
+    cipher = AES.new(secret, AES.MODE_GCM, iv)
+    ciphertext, tag = cipher.encrypt_and_digest(text.encode("utf-8"))
+    return {
+        "ciphertext": base64.standard_b64encode(ciphertext).decode("utf-8"),
+        "tag": base64.standard_b64encode(tag).decode("utf-8"),
+        "iv": base64.standard_b64encode(iv).decode("utf-8"),
+    }
+
+
+def decrypt(ciphertext, iv, tag, secret):
+    secret = bytes(secret, "utf-8")
+    iv = base64.standard_b64decode(iv)
+    tag = base64.standard_b64decode(tag)
+    ciphertext = base64.standard_b64decode(ciphertext)
+
+    cipher = AES.new(secret, AES.MODE_GCM, iv)
+    cipher.update(tag)
+    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
+    return cleartext
+
+
+def create_secrets():
+    service_token = "your_service_token"
+    service_token_secret = service_token[service_token.rindex(".") + 1 :]
+
+    secret_type = "shared"  # "shared or "personal"
+    secret_key = "some_key"
+    secret_value = "some_value"
+    secret_comment = "some_comment"
+
+    # 1. Get your Infisical Token data
+    service_token_data = requests.get(
+        f"{BASE_URL}/api/v2/service-token",
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json()
+
+    # 2. Decrypt the (encrypted) project key with the key from your Infisical Token
+    project_key = decrypt(
+        ciphertext=service_token_data["encryptedKey"],
+        iv=service_token_data["iv"],
+        tag=service_token_data["tag"],
+        secret=service_token_secret,
+    )
+
+    # 3. Encrypt your secret with the project key
+    encrypted_key_data = encrypt(text=secret_key, secret=project_key)
+    encrypted_value_data = encrypt(text=secret_value, secret=project_key)
+    encrypted_comment_data = encrypt(text=secret_comment, secret=project_key)
+
+    # 4. Send (encrypted) secret to Infisical
+    requests.post(
+        f"{BASE_URL}/api/v3/secrets/{secret_key}",
+        json={
+            "workspaceId": service_token_data["workspace"],
+            "environment": service_token_data["environment"],
+            "type": secret_type,
+            "secretKeyCiphertext": encrypted_key_data["ciphertext"],
+            "secretKeyIV": encrypted_key_data["iv"],
+            "secretKeyTag": encrypted_key_data["tag"],
+            "secretValueCiphertext": encrypted_value_data["ciphertext"],
+            "secretValueIV": encrypted_value_data["iv"],
+            "secretValueTag": encrypted_value_data["tag"],
+            "secretCommentCiphertext": encrypted_comment_data["ciphertext"],
+            "secretCommentIV": encrypted_comment_data["iv"],
+            "secretCommentTag": encrypted_comment_data["tag"]
+        },
+        headers={"Authorization": f"Bearer {service_token}"},
+    )
+
+
+create_secrets()
+
+```
+</Tab>
+</Tabs>
+    </Accordion>
+    <Accordion title="Retrieve secret">
+        <Tabs>
+  <Tab title="Javascript">
+```js
+const crypto = require('crypto');
+const axios = require('axios');
+
+const BASE_URL = 'https://app.infisical.com';
+const ALGORITHM = 'aes-256-gcm';
+
+const decrypt = ({ ciphertext, iv, tag, secret}) => {
+	const decipher = crypto.createDecipheriv(
+		ALGORITHM,
+		secret,
+		Buffer.from(iv, 'base64')
+	);
+	decipher.setAuthTag(Buffer.from(tag, 'base64'));
+
+    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
+    cleartext += decipher.final('utf8');
+
+    return cleartext;
+}
+
+const getSecret = async () => {
+	const serviceToken = 'your_service_token';
+	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
+    
+    const secretType = 'shared' // 'shared' or 'personal'
+    const secretKey = 'some_key';
+
+    // 1. Get your Infisical Token data
+    const { data: serviceTokenData } = await axios.get(
+       `${BASE_URL}/api/v2/service-token`,
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+
+    // 2. Get the secret from your project and environment
+    const { data } = await axios.get(
+       `${BASE_URL}/api/v3/secrets/${secretKey}?${new URLSearchParams({
+            environment: serviceTokenData.environment,
+            workspaceId: serviceTokenData.workspace,
+            type: secretType // optional, defaults to 'shared'
+        })}`,
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+
+    const encryptedSecret = data.secret;
+
+    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
+    const projectKey = decrypt({
+        ciphertext: serviceTokenData.encryptedKey,
+        iv: serviceTokenData.iv,
+        tag: serviceTokenData.tag,
+        secret: serviceTokenSecret
+    });
+
+	// 4. Decrypt the (encrypted) secret value
+
+    const secretValue = decrypt({
+        ciphertext: encryptedSecret.secretValueCiphertext,
+        iv: encryptedSecret.secretValueIV,
+        tag: encryptedSecret.secretValueTag,
+        secret: projectKey
+    });
+
+    console.log('secret: ', ({
+        secretKey,
+        secretValue
+    }));
+}
+
+getSecret();
+
+```
+  </Tab>
+
+<Tab title="Python">
+```Python
+import requests
+import base64
+from Cryptodome.Cipher import AES
+
+
+BASE_URL = "http://app.infisical.com"
+
+
+def decrypt(ciphertext, iv, tag, secret):
+    secret = bytes(secret, "utf-8")
+    iv = base64.standard_b64decode(iv)
+    tag = base64.standard_b64decode(tag)
+    ciphertext = base64.standard_b64decode(ciphertext)
+
+    cipher = AES.new(secret, AES.MODE_GCM, iv)
+    cipher.update(tag)
+    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
+    return cleartext
+
+
+def get_secret():
+    service_token = "your_service_token"
+    service_token_secret = service_token[service_token.rindex(".") + 1 :]
+
+    secret_type = "shared" # "shared" or "personal"
+    secret_key = "some_key"
+
+    # 1. Get your Infisical Token data
+    service_token_data = requests.get(
+        f"{BASE_URL}/api/v2/service-token",
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json()
+
+    # 2. Get secret from your project and environment
+    data = requests.get(
+        f"{BASE_URL}/api/v3/secrets/{secret_key}",
+        params={
+            "environment": service_token_data["environment"],
+            "workspaceId": service_token_data["workspace"],
+            "type": secret_type # optional, defaults to "shared"
+        },
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json()
+
+    encrypted_secret = data["secret"]
+
+    # 3. Decrypt the (encrypted) project key with the key from your Infisical Token
+    project_key = decrypt(
+        ciphertext=service_token_data["encryptedKey"],
+        iv=service_token_data["iv"],
+        tag=service_token_data["tag"],
+        secret=service_token_secret,
+    )
+
+    # 4. Decrypt the (encrypted) secret value
+    secret_value = decrypt(
+        ciphertext=encrypted_secret["secretValueCiphertext"],
+        iv=encrypted_secret["secretValueIV"],
+        tag=encrypted_secret["secretValueTag"],
+        secret=project_key,
+    )
+
+    print("secret: ", {
+        "secret_key": secret_key,
+        "secret_value": secret_value
+    })
+
+
+get_secret()
+
+```
+</Tab>
+</Tabs>
+    </Accordion>
+    <Accordion title="Update secret">
+        <Tabs>
+<Tab title="Javascript">
+```js
+const crypto = require('crypto');
+const axios = require('axios');
+
+const BASE_URL = 'https://app.infisical.com';
+const ALGORITHM = 'aes-256-gcm';
+const BLOCK_SIZE_BYTES = 16;
+
+const encrypt = ({ text, secret }) => {
+    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
+    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);
+
+    let ciphertext = cipher.update(text, 'utf8', 'base64');
+    ciphertext += cipher.final('base64');
+    return {
+        ciphertext,
+        iv: iv.toString('base64'),
+        tag: cipher.getAuthTag().toString('base64')
+    };
+}
+
+const decrypt = ({ ciphertext, iv, tag, secret}) => {
+	const decipher = crypto.createDecipheriv(
+		ALGORITHM,
+		secret,
+		Buffer.from(iv, 'base64')
+	);
+	decipher.setAuthTag(Buffer.from(tag, 'base64'));
+
+	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
+	cleartext += decipher.final('utf8');
+
+	return cleartext;
+}
+
+const updateSecrets = async () => {
+    const serviceToken = 'your_service_token';
+    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
+    
+    const secretType = 'shared' // 'shared' or 'personal'
+    const secretKey = 'some_key';
+    const secretValue = 'updated_value';
+    const secretComment = 'updated_comment';
+
+    // 1. Get your Infisical Token data
+    const { data: serviceTokenData } = await axios.get(
+       `${BASE_URL}/api/v2/service-token`,
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+
+    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
+    const projectKey = decrypt({
+        ciphertext: serviceTokenData.encryptedKey,
+        iv: serviceTokenData.iv,
+        tag: serviceTokenData.tag,
+        secret: serviceTokenSecret
+    });
+    
+	// 3. Encrypt your updated secret with the project key
+    const {
+        ciphertext: secretKeyCiphertext,
+        iv: secretKeyIV,
+        tag: secretKeyTag
+    } = encrypt({
+        text: secretKey,
+        secret: projectKey
+    });
+
+    const {
+        ciphertext: secretValueCiphertext,
+        iv: secretValueIV,
+        tag: secretValueTag
+    } = encrypt({
+        text: secretValue,
+        secret: projectKey
+    });
+
+    const {
+        ciphertext: secretCommentCiphertext,
+        iv: secretCommentIV,
+        tag: secretCommentTag
+    } = encrypt({
+        text: secretComment,
+        secret: projectKey
+    });
+	
+	// 4. Send (encrypted) updated secret to Infisical
+    await axios.patch(
+        `${BASE_URL}/api/v3/secrets/${secretKey}`,
+        {
+            workspaceId: serviceTokenData.workspace,
+            environment: serviceTokenData.environment,
+            type: secretType,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        },
+        {
+            headers: {
+                Authorization: `Bearer ${serviceToken}`
+            }
+        }
+    );
+}
+
+updateSecrets();
+```
+</Tab>
+
+<Tab title="Python">
+```Python
+import base64
+import requests
+from Cryptodome.Cipher import AES
+from Cryptodome.Random import get_random_bytes
+
+
+BASE_URL = "https://app.infisical.com"
+BLOCK_SIZE_BYTES = 16
+
+
+def encrypt(text, secret):
+    iv = get_random_bytes(BLOCK_SIZE_BYTES)
+    secret = bytes(secret, "utf-8")
+    cipher = AES.new(secret, AES.MODE_GCM, iv)
+    ciphertext, tag = cipher.encrypt_and_digest(text.encode("utf-8"))
+    return {
+        "ciphertext": base64.standard_b64encode(ciphertext).decode("utf-8"),
+        "tag": base64.standard_b64encode(tag).decode("utf-8"),
+        "iv": base64.standard_b64encode(iv).decode("utf-8"),
+    }
+
+
+def decrypt(ciphertext, iv, tag, secret):
+    secret = bytes(secret, "utf-8")
+    iv = base64.standard_b64decode(iv)
+    tag = base64.standard_b64decode(tag)
+    ciphertext = base64.standard_b64decode(ciphertext)
+
+    cipher = AES.new(secret, AES.MODE_GCM, iv)
+    cipher.update(tag)
+    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
+    return cleartext
+
+
+def update_secret():
+    service_token = "your_service_token"
+    service_token_secret = service_token[service_token.rindex(".") + 1 :]
+
+    secret_type = "shared" # "shared" or "personal"
+    secret_key = "some_key"
+    secret_value = "updated_value"
+    secret_comment = "updated_comment"
+
+    # 1. Get your Infisical Token data
+    service_token_data = requests.get(
+        f"{BASE_URL}/api/v2/service-token",
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json()
+
+    # 2. Decrypt the (encrypted) project key with the key from your Infisical Token
+    project_key = decrypt(
+        ciphertext=service_token_data["encryptedKey"],
+        iv=service_token_data["iv"],
+        tag=service_token_data["tag"],
+        secret=service_token_secret,
+    )
+
+    # 3. Encrypt your updated secret with the project key
+    encrypted_key_data = encrypt(text=secret_key, secret=project_key)
+    encrypted_value_data = encrypt(text=secret_value, secret=project_key)
+    encrypted_comment_data = encrypt(text=secret_comment, secret=project_key)
+
+    # 4. Send (encrypted) updated secret to Infisical
+    requests.patch(
+        f"{BASE_URL}/api/v3/secrets/{secret_key}",
+        json={
+            "workspaceId": service_token_data["workspace"],
+            "environment": service_token_data["environment"],
+            "type": secret_type,
+            "secretKeyCiphertext": encrypted_key_data["ciphertext"],
+            "secretKeyIV": encrypted_key_data["iv"],
+            "secretKeyTag": encrypted_key_data["tag"],
+            "secretValueCiphertext": encrypted_value_data["ciphertext"],
+            "secretValueIV": encrypted_value_data["iv"],
+            "secretValueTag": encrypted_value_data["tag"],
+            "secretCommentCiphertext": encrypted_comment_data["ciphertext"],
+            "secretCommentIV": encrypted_comment_data["iv"],
+            "secretCommentTag": encrypted_comment_data["tag"]
+        },
+        headers={"Authorization": f"Bearer {service_token}"},
+    )
+
+
+update_secret()
+
+```
+</Tab>
+</Tabs>
+    </Accordion>
+    <Accordion title="Delete secret">
+        <Tabs>
+  <Tab title="Javascript">
+```js
+const axios = require('axios'); 
+const BASE_URL = 'https://app.infisical.com';
+
+const deleteSecrets = async () => {
+  const serviceToken = 'your_service_token';
+  const secretType = 'shared' // 'shared' or 'personal'
+  const secretKey = 'some_key'
+  
+  // 1. Get your Infisical Token data
+  const { data: serviceTokenData } = await axios.get(
+      `${BASE_URL}/api/v2/service-token`,
+      {
+          headers: {
+              Authorization: `Bearer ${serviceToken}`
+          }
+      }
+  );
+
+  // 2. Delete secret from Infisical
+  await axios.delete(
+    `${BASE_URL}/api/v3/secrets/${secretKey}`,
+    {
+      workspaceId: serviceTokenData.workspace,
+      environment: serviceTokenData.environment,
+      type: secretType
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${serviceToken}`
+      },
+    }
+  );
+};
+
+deleteSecrets();
+```
+  </Tab>
+
+  <Tab title="Python">
+```Python
+import requests
+
+BASE_URL = "https://app.infisical.com"
+
+
+def delete_secrets():
+    service_token = "<your_service_token>"
+    secret_type = "shared" # "shared" or "personal"
+    secret_key = "some_key"
+
+    # 1. Get your Infisical Token data
+    service_token_data = requests.get(
+        f"{BASE_URL}/api/v2/service-token",
+        headers={"Authorization": f"Bearer {service_token}"},
+    ).json() 
+
+    # 2. Delete secret from Infisical
+    requests.delete(
+        f"{BASE_URL}/api/v2/secrets/{secret_key}",
+        json={
+            "workspaceId": service_token_data["workspace"],
+            "environment": service_token_data["environment"],
+            "type": secret_type
+        },
+        headers={"Authorization": f"Bearer {service_token}"},
+    )
+
+
+delete_secrets()
+
+```
+  </Tab>
+</Tabs>
+<Info>
+  If using an `API_KEY` to authenticate with the Infisical API, then you should include it in the `X_API_KEY` header.
+</Info>
+
+    </Accordion>
+</AccordionGroup>

docs/api-reference/overview/encryption-modes/es-mode.mdx

@@ -0,0 +1,92 @@
+---
+title: "ES Mode"
+---
+
+Encrypted Standard (ES) mode is the easiest way to use Infisical's API. With it, you can make HTTP calls to Infisical
+to read/write secrets in plaintext.
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com).
+- Create an [Infisical Token](/documentation/platform/token) for your project and environment with write access enabled.
+- [Ensure that your project is blind-indexed](../blind-indices).
+
+Below, we showcase how to execute common CRUD operations to manage secrets in **ES** mode:
+
+<AccordionGroup>
+    <Accordion title="Retrieve secrets">
+        <Tabs>  
+            <Tab title="cURL">
+            ```bash
+            curl --location --request GET 'http://localhost:8080/api/v3/secrets/raw?environment=dev&workspaceId=xxx' \
+                --header 'Authorization: Bearer st.xxx'
+
+            ```
+            </Tab>
+        </Tabs>  
+    </Accordion>
+    <Accordion title="Create secret">
+        <Tabs>  
+            <Tab title="cURL">
+            ```bash
+            curl --location --request POST 'http://localhost:8080/api/v3/secrets/raw/SECRET_NAME' \
+                --header 'Authorization: Bearer st.xxx' \
+                --header 'Content-Type: application/json' \
+                --data-raw '{
+                    "workspaceId": "xxx",
+                    "environment": "dev",
+                    "type": "shared",
+                    "secretValue": "SECRET_VALUE",
+                    "secretPath": "/"
+                }'
+            ```
+            </Tab>
+        </Tabs>  
+    </Accordion>
+    <Accordion title="Retrieve secret">
+        <Tabs>
+            <Tab title="cURL">
+            ```bash
+            curl --location --request GET 'http://localhost:8080/api/v3/secrets/raw/SECRET_NAME?workspaceId=xxx&environment=dev&secretPath=/' \
+                --header 'Authorization: Bearer st.xxx'
+            ```
+            </Tab>
+        </Tabs>
+    </Accordion>
+    <Accordion title="Update secret">
+        <Tabs>
+            <Tab title="cURL">
+            ```bash
+            curl --location --request PATCH 'http://localhost:8080/api/v3/secrets/raw/SECRET_NAME' \
+                --header 'Authorization: Bearer st.xxx' \
+                --header 'Content-Type: application/json' \
+                --data-raw '{
+                    "workspaceId": "xxx",
+                    "environment": "dev",
+                    "type": "shared",
+                    "secretValue": "SECRET_VALUE",
+                    "secretPath": "/"
+                }'
+            ```
+            </Tab>
+        </Tabs>
+    </Accordion>
+    <Accordion title="Delete secret">
+        <Tabs>
+            <Tab title="cURL">
+            ```bash
+            curl --location --request DELETE 'http://localhost:8080/api/v3/secrets/raw/SECRET_NAME' \
+                --header 'Authorization: Bearer st.xxx' \
+                --header 'Content-Type: application/json' \
+                --data-raw '{
+                    "workspaceId": "xxx",
+                    "environment": "dev",
+                    "type": "shared",
+                    "secretValue": "SECRET_VALUE",
+                    "secretPath": "/"
+                }'
+            ```
+            </Tab>
+        </Tabs> 
+    </Accordion>
+</AccordionGroup>

docs/api-reference/overview/encryption-modes/overview.mdx

@@ -0,0 +1,57 @@
+---
+title: "Preface"
+---
+
+Each project in Infisical can be used either in **End-to-End Encrypted (E2EE)** mode or **Encrypted Standard (ES)** mode which dictates how it can be interacted with via the Infisical API.
+
+<CardGroup cols={2}>
+  <Card
+    title="Encrypted Standard (ES)"
+    href="/api-reference/overview/encryption-modes/es-mode"
+    icon="shield-halved"
+    color="#3c8639"
+  >
+    Secret operations without client-side encryption/decryption
+  </Card>
+  <Card href="/api-reference/overview/encryption-modes/e2ee-mode" title="End-to-End Encrypted (E2EE)" icon="shield" color="#3775a9">
+    Secret operations with client-side encryption/decryption
+  </Card>
+</CardGroup>
+
+By default, all projects are initialized in **E2EE** mode which means the server is not able to decrypt any values because all secret encryption/decryption operations occur on the client-side. However, this has limitations around functionality and ease-of-use:
+
+- You cannot make HTTP calls to Infisical to read/write secrets in plaintext.
+- You cannot leverage non-E2EE features like native integrations and in-platform automations like dynamic secrets and secret rotation.
+
+For this reason, Infisical also provides the **ES** mode of operation to unlock the above limitations by enabling the server to decrypt your values. You can optionally switch a project to using **ES** mode
+in your Project Settings.
+
+<Note>
+    Make no mistake, the limitations of **E2EE** mode do not prevent you from syncing secrets from Infisical to platforms like GitLab. They just imply
+    that you have to do things the "E2EE-way" such as by embedding the Infisical CLI into your GitLab CI/CD pipelines to fetch and decrypt
+    secrets on the client-side.
+</Note>
+
+## FAQ
+
+<AccordionGroup>
+  <Accordion title="Is E2EE mode or ES mode right for me?">
+    We recommend starting with **E2EE** mode and switching to **ES** mode when:
+    
+    - Your team needs more power out of non-E2EE features available in **ES** mode such as secret rotation, dynamic secrets, etc.
+    - Your team wants an easier way to read/write secrets with Infisical.
+
+  </Accordion>
+  <Accordion title="How can I switch from E2EE mode to ES mode?">
+    By default, all projects in Infisical are initialized to **E2EE** mode and can be switched to **ES** mode in the Project Settings by disabling end-to-end encryption.
+  </Accordion>
+  <Accordion title="Is ES mode secure if it's not E2EE?">
+    **ES** mode is secure and in fact what most vendors in the secret management industry are doing at the moment. In this mode, secrets are encrypted at rest by
+    a series of keys, secured ultimately by a top-level `ROOT_ENCRYPTION_KEY` located on the server.
+
+    If you're concerned about Infisical Cloud's ability to read your secrets if using **ES** mode in Infisical Cloud, then you may wish to
+    use Infisical Cloud in **E2EE** mode or self-host Infisical on your own infrastructure and then use **ES** mode; this of course which means setting up firewalls and securing the instance yourself.
+
+    As an organization, we prohibit reading any customer secrets without explicit permission; access to the `ROOT_ENCRYPTION_KEY` is restricted to one individual in the organization.
+  </Accordion>
+</AccordionGroup>

docs/api-reference/overview/introduction.mdx

@@ -8,31 +8,6 @@ rotating credentials, or for integrating secret management into a larger system.
 
 With the Public API, users can create, read, update, and delete secrets, as well as manage access control, query audit logs, and more.
 
-<Warning>
-  We highly recommend using one of the available SDKs when working with the Infisical API.
-  
-  If you decide to make your own requests using the API reference instead, be prepared for a steeper learning curve and more manual work.
-</Warning>
-
 <Warning>
   In April 2023, we added the capability for users to query for secrets by name to improve the user experience of Infisical. If your project was created prior to April 2023, please read and follow the section on [blind indices](./blind-indices) and how to enable them for better usage of Infisical.
-</Warning>
-
-## Concepts
-
-Using Infisical's API to manage secrets requires a basic understanding of the system and its underlying cryptography detailed [here](/security/overview). A few key points:
-
-- Each user has a public/private key pair that is stored with the platform; private keys are encrypted locally by protected keys that are encrypted by keys derived from Argon2id applied to the user's password before being sent off to the server during the account signup process.
-- Each (encrypted) secret belongs to a project and environment.
-- Each project has an (encrypted) project key used to encrypt the secrets within that project; Infisical stores copies of the project key, for each member of that project, encrypted under each member's public key.
-- Secrets are encrypted symmetrically by your copy of the project key belonging to the project containing.
-- Infisical Tokens contain a symmetric key that can be used to decrypt a copy of a project key from the [call to get the Infisical Token data](/api-reference/endpoints/service-tokens/get).
-- Infisical uses AES256-GCM and [TweetNaCl.js](https://tweetnacl.js.org/#/) for symmetric and asymmetric encryption/decryption operations.
-
-<Info>
-  Infisical's system requires that secrets be encrypted/decrypted on the
-  client-side to maintain E2EE. We strongly recommend you read up on the system
-  prior to using the Infisical API. The (opt-in) ability to retrieve secrets
-  back in decrypted format if you choose to share secrets with Infisical is on
-  our roadmap.
-</Info>
+</Warning>

docs/documentation/getting-started/introduction.mdx

@@ -20,6 +20,9 @@ Start syncing environment variables with [Infisical Cloud](https://app.infisical
 ## Integrate with Infisical
 
 <CardGroup cols={2}>
+  <Card href="/documentation/getting-started/cli" title="Command Line Interface (CLI)" icon="square-terminal" color="#3775a9">
+    Inject secrets into any application process/environment
+  </Card>
   <Card
     title="SDKs"
     href="/documentation/getting-started/sdks"
@@ -28,9 +31,6 @@ Start syncing environment variables with [Infisical Cloud](https://app.infisical
   >
     Fetch secrets with any programming language on demand
   </Card>
-  <Card href="/documentation/getting-started/cli" title="Command Line Interface" icon="square-terminal" color="#3775a9">
-    Inject secrets into any application process/environment
-  </Card>
   <Card href="/documentation/getting-started/docker" title="Docker" icon="docker" color="#0078d3">
     Inject secrets into Docker containers
   </Card>

docs/integrations/cloud/checkly.mdx

@@ -0,0 +1,37 @@
+---
+title: "Checkly"
+description: "How to sync secrets from Infisical to Checkly"
+---
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+
+## Navigate to your project's integrations tab
+
+![integrations](../../images/integrations.png)
+
+## Enter your Checkly API Key
+
+Obtain a Checkly API Key in User Settings > API Keys.
+
+![integrations checkly dashboard](../../images/integrations-checkly-dashboard.png)
+![integrations checkly token](../../images/integrations-checkly-token.png)
+
+Press on the Checkly tile and input your Checkly API Key to grant Infisical access to your Checkly account.
+
+![integrations checkly authorization](../../images/integrations-checkly-auth.png)
+
+<Info>
+  If this is your project's first cloud integration, then you'll have to grant
+  Infisical access to your project's environment variables. Although this step
+  breaks E2EE, it's necessary for Infisical to sync the environment variables to
+  the cloud platform.
+</Info>
+
+## Start integration
+
+Select which Infisical environment secrets you want to sync to Checkly press create integration to start syncing secrets.
+
+![integrations checkly](../../images/integrations-checkly-create.png)
+![integrations checkly](../../images/integrations-checkly.png)

docs/integrations/cloud/hashicorp-vault.mdx

@@ -0,0 +1,161 @@
+---
+title: "HashiCorp Vault"
+description: "How to sync secrets from Infisical to HashiCorp Vault"
+---
+
+<Note>
+    Infisical connects to Vault via the AppRole auth method. 
+    
+    Currently, each Infisical project can only point and sync secrets to one Vault cluster / namespace
+    but with unlimited integrations to different paths within it.
+
+    This tutorial makes use of Vault's UI but, in principle, instructions can executed via
+    Vault CLI or API call.
+    
+    Lastly, you should note that we provide a simple use-case and, in practice, you should adapt and extend it to your own Vault use-case and follow best practices, for instance when defining fine-grained ACL policies.
+</Note>
+
+Prerequisites:
+
+- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
+- Have experience with [HashiCorp Vault](https://www.vaultproject.io/).
+
+## Navigate to your project's integrations tab
+
+![integrations](../../images/integrations.png)
+
+## Prepare Vault
+
+This section mirrors the latter parts of the [Vault quickstart](https://developer.hashicorp.com/vault/tutorials/cloud/getting-started-intro) provided by HashiCorp and uses sample names/values for demonstration.
+
+To begin, navigate to the cluster / namespace that you want to sync secrets to in Vault; we'll use the default `admin` namespace (in practice, we recommend creating a namespace and not using the default `admin` namespace).
+
+### Enable KV Secrets Engine
+
+In Secrets, enable a KV Secrets Engine at a path for Infisical to sync secrets to; we'll use the path `kv`.
+
+![integrations hashicorp vault secrets engine](../../images/integrations-hashicorp-vault-engine-1.png)
+![integrations hashicorp vault secrets engine](../../images/integrations-hashicorp-vault-engine-2.png)
+![integrations hashicorp vault secrets engine](../../images/integrations-hashicorp-vault-engine-3.png)
+
+### Enable the AppRole auth method
+
+In Access > Auth Methods, enable the AppRole auth method.
+
+![integrations hashicorp vault access](../../images/integrations-hashicorp-vault-access-1.png)
+![integrations hashicorp vault access](../../images/integrations-hashicorp-vault-access-2.png)
+![integrations hashicorp vault access](../../images/integrations-hashicorp-vault-access-3.png)
+
+### Create an ACL Policy
+
+Now in Policies, create a new ACL policy scoped to the path(s) you wish Infisical to be able to sync secrets to.
+
+We'll call the policy `test` and have it grant access to the `dev` path in the KV Secrets Engine where we will be syncing secrets to from Infisical.
+
+```console
+path "kv/data/dev" {
+  capabilities = [ "create", "read", "update" ]
+}
+
+path "sys/namespaces/*" {
+   capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+```
+
+<Note>
+    `kv` comes from the path of the KV Secrets Engine that we enabled and `dev` is the chosen path within it
+    that we want to sync secrets to.
+</Note>
+
+![integrations hashicorp vault policy](../../images/integrations-hashicorp-vault-policy-1.png)
+![integrations hashicorp vault policy](../../images/integrations-hashicorp-vault-policy-2.png)
+![integrations hashicorp vault policy](../../images/integrations-hashicorp-vault-policy-3.png)
+
+### Create a role with the policy attached
+
+We now create a `infisical` role with the generated token's time-to-live (TTL) set to 1 hour and can be renewed for up to 4 hours from the time of its creation.
+
+1. Click the Vault CLI shell icon (`>_`) to open a command shell in the browser.
+
+![integrations hashicorp vault shell](../../images/integrations-hashicorp-vault-shell.png)
+
+2. Copy the command below.
+
+```console
+vault write auth/approle/role/infisical token_policies="test" token_ttl=1h token_max_ttl=4h
+```
+
+3. Paste the command into the command shell in the browser and press the enter button.
+
+### Generate a RoleID and SecretID
+
+Finally, we need to generate a **RoleID** and **SecretID** (like a username and password) that Infisical can use
+to authenticate with Vault.
+
+1. Click the Vault CLI shell icon (>_) again to open a command shell.
+
+2. Read the RoleID.
+
+```console
+vault read auth/approle/role/infisical/role-id
+```
+
+Example output:
+
+```console
+Key     Value
+role_id b6ccdcca-183b-ce9c-6b98-b556b9a0edb9
+```
+
+3. Generate a new SecretID of the `infisical` role.
+
+```console
+vault write -force auth/approle/role/infisical/secret-id
+```
+
+Example output:
+
+
+```console
+Key                Value
+secret_id          735a47cc-7a98-77cc-0128-12b1e96a4157
+secret_id_accessor 3ab305d1-1eab-df4b-4079-ef7135635c49
+...snip...
+```
+
+Great. We're now ready to connect Infisical to Vault!
+
+## Enter your Vault instance and authentication details
+
+Back in Infisical, press on the HashiCorp Vault tile and input your Vault instance and `infisical` role RoleID and SecretID.
+
+![integrations hashicorp vault authorization](../../images/integrations-hashicorp-vault-auth.png)
+
+For additional details on each field:
+
+- Vault Cluster URL: The address of your cluster, either HCP or self-hosted.
+
+If using HCP, you can copy your Cluster URL in the Cluster Overview:
+
+![integrations hashicorp vault cluster URL](../../images/integrations-hashicorp-vault-cluster-url.png)
+
+- Vault Namespace: The Vault namespace you wish to connect to.
+- Vault RoleID: The RoleID previously created for the `infisical` role.
+- Vault SecretID: The SecretID previously created for the `infisical` role.
+
+## Start integration
+
+Select which Infisical environment secrets you want to sync to Vault.
+
+For additional details on each field:
+
+- Vault KV Secrets Engine Path: the path at which you enabled the intended KV Secrets Engine; in this demonstration, we used `kv`.
+- Vault Secret(s) Path: the path in the KV Secrets Engine that you wish to sync secrets to.
+
+Press create integration to start syncing secrets to Vault.
+
+![integrations hashicorp vault](../../images/integrations-hashicorp-vault-create.png)
+![integrations hashicorp vault](../../images/integrations-hashicorp-vault.png)
+
+
+

docs/integrations/overview.mdx

@@ -21,6 +21,8 @@ Missing an integration? [Throw in a request](https://github.com/Infisical/infisi
 | [Railway](/integrations/cloud/railway)                         | Cloud     | Available   |
 | [Fly.io](/integrations/cloud/flyio)                            | Cloud     | Available   |
 | [Supabase](/integrations/cloud/supabase)                       | Cloud     | Available   |
+| [Checkly](/integrations/cloud/checkly)                       | Cloud     | Available   |
+| [HashiCorp Vault](/integrations/cloud/hashicorp-vault) | Cloud     | Available   |
 | [AWS Parameter Store](/integrations/cloud/aws-parameter-store) | Cloud     | Available   |
 | [AWS Secret Manager](/integrations/cloud/aws-secret-manager)   | Cloud     | Available   |
 | [Azure Key Vault](/integrations/cloud/azure-key-vault)         | Cloud     | Available   |

docs/mint.json

@@ -197,6 +197,8 @@
         "integrations/cloud/railway",
         "integrations/cloud/flyio",
         "integrations/cloud/supabase",
+        "integrations/cloud/checkly",
+        "integrations/cloud/hashicorp-vault",
         "integrations/cloud/azure-key-vault",
         "integrations/cicd/githubactions",
         "integrations/cicd/gitlab",
@@ -245,17 +247,15 @@
       "pages": [
         "api-reference/overview/introduction",
         "api-reference/overview/authentication",
-        "api-reference/overview/blind-indices",
         {
           "group": "Examples",
           "pages": [
-            "api-reference/overview/examples/retrieve-secrets",
-            "api-reference/overview/examples/create-secret",
-            "api-reference/overview/examples/retrieve-secret",
-            "api-reference/overview/examples/update-secret",
-            "api-reference/overview/examples/delete-secret"
+            "api-reference/overview/encryption-modes/overview",
+            "api-reference/overview/encryption-modes/es-mode",
+            "api-reference/overview/encryption-modes/e2ee-mode"
           ]
-        }
+        },
+        "api-reference/overview/blind-indices"
       ]
     },
     {

frontend/Dockerfile

@@ -28,6 +28,8 @@ ARG POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 
 # Build
 RUN npm run build
@@ -46,6 +48,9 @@ VOLUME /app/.next/cache/images
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
     BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 
 COPY --chown=nextjs:nodejs --chmod=555 scripts ./scripts
 COPY --from=builder /app/public ./public

frontend/next.config.js

@@ -7,14 +7,14 @@ const path = require('path');
 
 const ContentSecurityPolicy = `
 	default-src 'self';
-	script-src 'self' https://app.posthog.com https://js.stripe.com https://api.stripe.com 'unsafe-inline' 'unsafe-eval';
+	script-src 'self' https://app.posthog.com https://js.stripe.com https://api.stripe.com https://widget.intercom.io https://js.intercomcdn.com 'unsafe-inline' 'unsafe-eval';
 	style-src 'self' https://rsms.me 'unsafe-inline';
 	child-src https://api.stripe.com;
-	frame-src https://js.stripe.com/ https://api.stripe.com;
-	connect-src 'self' https://api.heroku.com/ https://id.heroku.com/oauth/authorize https://id.heroku.com/oauth/token https://checkout.stripe.com https://app.posthog.com https://api.stripe.com;
-	img-src 'self' https://*.stripe.com https://i.ytimg.com/ data:;
-	media-src;
-	font-src 'self' https://maxcdn.bootstrapcdn.com https://rsms.me https://fonts.gstatic.com;  
+	frame-src https://js.stripe.com/ https://api.stripe.com https://www.youtube.com/;
+	connect-src 'self' wss://nexus-websocket-a.intercom.io https://api-iam.intercom.io https://api.heroku.com/ https://id.heroku.com/oauth/authorize https://id.heroku.com/oauth/token https://checkout.stripe.com https://app.posthog.com https://api.stripe.com;
+	img-src 'self' https://static.intercomassets.com https://js.intercomcdn.com https://downloads.intercomcdn.com https://*.stripe.com https://i.ytimg.com/ data:;
+	media-src https://js.intercomcdn.com;
+	font-src 'self' https://fonts.intercomcdn.com/ https://maxcdn.bootstrapcdn.com https://rsms.me https://fonts.gstatic.com;  
 `;
 
 // You can choose which headers to add to the list

frontend/public/data/frequentConstants.ts

@@ -16,7 +16,9 @@ const integrationSlugNameMapping: Mapping = {
   'flyio': 'Fly.io',
   'circleci': 'CircleCI',
   'travisci': 'TravisCI',
-  'supabase': 'Supabase'
+  'supabase': 'Supabase',
+  'checkly': 'Checkly',
+  'hashicorp-vault': 'Vault'
 }
 
 const envMapping: Mapping = {

frontend/scripts/start.sh

@@ -2,6 +2,8 @@
 
 scripts/replace-variable.sh "$BAKED_NEXT_PUBLIC_POSTHOG_API_KEY" "$NEXT_PUBLIC_POSTHOG_API_KEY"
 
+scripts/replace-variable.sh "$BAKED_NEXT_PUBLIC_INTERCOM_ID" "$NEXT_PUBLIC_INTERCOM_ID"
+
 if [ "$TELEMETRY_ENABLED" != "false" ]; then
     echo "Telemetry is enabled"
     scripts/set-telemetry.sh true

frontend/src/components/basic/buttons/Button.tsx

@@ -57,7 +57,7 @@ const Button = ({
     color === 'mineshaft' && !activityStatus && 'bg-mineshaft',
     (color === 'primary' || !color) && activityStatus && 'bg-primary border border-primary-400 opacity-80 hover:opacity-100',
     (color === 'primary' || !color) && !activityStatus && 'bg-primary',
-    color === 'red' && 'bg-red',
+    color === 'red' && 'bg-red-800 border border-red',
 
     // Changing the opacity when active vs when not
     activityStatus ? 'opacity-100 cursor-pointer' : 'opacity-40',

frontend/src/components/basic/dialog/AddProjectMemberDialog.tsx

@@ -53,7 +53,7 @@ const AddProjectMemberDialog = ({
                 leaveFrom="opacity-100 scale-100"
                 leaveTo="opacity-0 scale-95"
               >
-                <Dialog.Panel className="w-full max-w-md transform rounded-md border border-gray-700 bg-bunker-800 p-6 text-left align-middle shadow-xl transition-all">
+                <Dialog.Panel className="w-full max-w-md transform rounded-md border border-mineshaft-600 bg-mineshaft-800 p-6 text-left align-middle shadow-xl transition-all">
                   {data?.length > 0 ? (
                     <Dialog.Title
                       as="h3"
@@ -64,7 +64,7 @@ const AddProjectMemberDialog = ({
                   ) : (
                     <Dialog.Title
                       as="h3"
-                      className="z-50 text-lg font-medium leading-6 text-gray-400"
+                      className="z-50 text-lg font-medium text-mineshaft-300 mb-4"
                     >
                       {t('section.members.add-dialog.already-all-invited')}
                     </Dialog.Title>

frontend/src/components/basic/table/ProjectUsersTable.tsx

@@ -25,6 +25,7 @@ type Props = {
   changeData: (users: any[]) => void;
   myUser: string;
   filter: string;
+  isUserListLoading: boolean;
 };
 
 type EnvironmentProps = {
@@ -38,7 +39,7 @@ type EnvironmentProps = {
  * @param {*} props
  * @returns
  */
-const ProjectUsersTable = ({ userData, changeData, myUser, filter }: Props) => {
+const ProjectUsersTable = ({ userData, changeData, myUser, filter, isUserListLoading }: Props) => {
   const [roleSelected, setRoleSelected] = useState(
     Array(userData?.length).fill(userData.map((user) => user.role))
   );
@@ -205,7 +206,7 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter }: Props) => {
   };
 
   return (
-    <div className="table-container relative mb-6 mt-1 min-w-max rounded-md border border-mineshaft-700 bg-bunker">
+    <div className="table-container relative mb-6 mt-1 min-w-max rounded-md border border-mineshaft-600 bg-bunker">
       <div className="absolute h-[3.1rem] w-full rounded-t-md bg-white/5" />
       <UpgradePlanModal
         isOpen={isUpgradeModalOpen}
@@ -213,7 +214,7 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter }: Props) => {
         text="You can change user permissions if you switch to Infisical's Professional plan."
       />
       <table className="my-0.5 w-full">
-        <thead className="text-xs font-light text-gray-400">
+        <thead className="text-xs font-light text-gray-400 bg-mineshaft-800">
           <tr>
             <th className="py-3.5 pl-4 text-left">NAME</th>
             <th className="py-3.5 pl-4 text-left">EMAIL</th>
@@ -231,7 +232,7 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter }: Props) => {
           </tr>
         </thead>
         <tbody>
-          {userData?.filter(
+          {!isUserListLoading && userData?.filter(
             (user) =>
               user.firstName?.toLowerCase().includes(filter) ||
               user.lastName?.toLowerCase().includes(filter) ||
@@ -245,14 +246,14 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter }: Props) => {
                   user.email?.toLowerCase().includes(filter)
               )
               .map((row, index) => (
-                <tr key={guidGenerator()} className="bg-bunker-600 text-sm hover:bg-bunker-500">
-                  <td className="border-t border-mineshaft-700 py-2 pl-4 text-gray-300">
+                <tr key={guidGenerator()} className="bg-mineshaft-800 text-sm">
+                  <td className="border-t border-mineshaft-600 py-2 pl-4 text-gray-300">
                     {row.firstName} {row.lastName}
                   </td>
-                  <td className="border-t border-mineshaft-700 py-2 pl-4 text-gray-300">
+                  <td className="border-t border-mineshaft-600 py-2 pl-4 text-gray-300">
                     {row.email}
                   </td>
-                  <td className="border-t border-mineshaft-700 py-2 pl-6 pr-10 text-gray-300">
+                  <td className="border-t border-mineshaft-600 py-2 pl-6 pr-10 text-gray-300">
                     <div className="flex h-full flex-row items-center justify-start">
                       <Select
                         className="w-36 bg-mineshaft-700"
@@ -391,6 +392,10 @@ const ProjectUsersTable = ({ userData, changeData, myUser, filter }: Props) => {
                   </td>
                 </tr>
               ))}
+              {isUserListLoading && <>
+                <tr key={guidGenerator()} className="bg-mineshaft-800 text-sm animate-pulse h-14 w-full"/>
+                <tr key={guidGenerator()} className="bg-mineshaft-800 text-sm animate-pulse h-14 w-full"/>
+              </>}
         </tbody>
       </table>
     </div>

frontend/src/components/integrations/CloudIntegration.tsx

@@ -1,5 +1,5 @@
 import Image from 'next/image';
-import { faCheck, faX } from '@fortawesome/free-solid-svg-icons';
+import { faCheck, faXmark } from '@fortawesome/free-solid-svg-icons';
 import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 
 import deleteIntegrationAuth from '../../pages/api/integrations/DeleteIntegrationAuth';
@@ -44,9 +44,9 @@ const CloudIntegration = ({
       tabIndex={0}
       className={`relative ${
         cloudIntegrationOption.isAvailable
-          ? 'cursor-pointer duration-200 hover:bg-white/10'
+          ? 'cursor-pointer duration-200 hover:bg-mineshaft-700'
           : 'opacity-50'
-      } flex h-32 flex-row items-center rounded-md bg-white/5 p-4`}
+      } flex h-32 flex-row items-center rounded-md bg-mineshaft-800 border border-mineshaft-600 p-4`}
       onClick={() => {
         if (!cloudIntegrationOption.isAvailable) return;
         setSelectedIntegrationOption(cloudIntegrationOption);
@@ -95,12 +95,12 @@ const CloudIntegration = ({
                   integrationAuth: deletedIntegrationAuth
                 });
               }}
-              className="flex w-max cursor-pointer flex-row items-center rounded-b-md bg-red py-0.5 px-2 text-xs opacity-0 duration-200 group-hover:opacity-100"
+              className="flex w-max cursor-pointer flex-row items-center rounded-bl-md bg-red py-0.5 px-2 text-xs opacity-30 duration-200 group-hover:opacity-100"
             >
-              <FontAwesomeIcon icon={faX} className="mr-2 py-px text-xs" />
+              <FontAwesomeIcon icon={faXmark} className="mr-2 text-xs" />
               Revoke
             </div>
-            <div className="flex w-max flex-row items-center rounded-bl-md rounded-tr-md bg-primary py-0.5 px-2 text-xs text-black opacity-90 duration-200 group-hover:opacity-100">
+            <div className="flex w-max flex-row items-center rounded-tr-md bg-primary py-0.5 px-2 text-xs text-black opacity-70 duration-200 group-hover:opacity-100">
               <FontAwesomeIcon icon={faCheck} className="mr-2 text-xs" />
               Authorized
             </div>

frontend/src/components/integrations/FrameworkIntegration.tsx

@@ -12,10 +12,10 @@ const FrameworkIntegration = ({ framework }: { framework: Framework }) => (
     href={framework.docsLink}
     rel="noopener noreferrer"
     target="_blank"
-    className="relative flex flex-row justify-center bg-bunker-500 hover:bg-gradient-to-tr  duration-200 h-32 rounded-md p-0.5 items-center cursor-pointer"
+    className="relative flex flex-row justify-center duration-200 h-32 rounded-md p-0.5 items-center cursor-pointer"
   >
     <div
-      className={`hover:bg-white/10 cursor-pointer font-semibold bg-bunker-500 flex flex-col items-center justify-center h-full w-full rounded-md text-gray-300 group-hover:text-gray-200 duration-200 ${
+      className={`hover:bg-mineshaft-700 cursor-pointer font-semibold bg-mineshaft-800 border border-mineshaft-600 flex flex-col items-center justify-center h-full w-full rounded-md text-gray-300 group-hover:text-gray-200 duration-200 ${
         framework?.name?.split(' ').length > 1 ? 'text-sm px-1' : 'text-xl px-2'
       } text-center w-full max-w-xs`}
     >

frontend/src/components/integrations/Integration.tsx

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-unused-vars */
 import { useEffect, useState } from 'react';
 import { useRouter } from 'next/router';
-import { faArrowRight, faRotate, faX } from '@fortawesome/free-solid-svg-icons';
+import { faArrowRight, faCheck, faXmark } from '@fortawesome/free-solid-svg-icons';
 import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 // TODO: This needs to be moved from public folder
 import { contextNetlifyMapping, integrationSlugNameMapping, reverseContextNetlifyMapping } from 'public/data/frequentConstants';
@@ -212,10 +212,12 @@ const IntegrationTile = ({
     return <div />;
   };
 
-  if (!integrationApp) return <div />;
+  if (!integrationApp && integration.integration !== "checkly") return  <div />;
+  
+  const isSelected = integration.integration === 'hashicorp-vault' ? `${integration.app} - path: ${integration.path}` : integrationApp;
 
   return (
-    <div className="mx-6 mb-8 flex max-w-5xl justify-between rounded-md bg-white/5 p-6">
+    <div className="mx-6 mb-8 flex max-w-5xl justify-between rounded-md bg-mineshaft-800 border border-mineshaft-600 p-6">
       <div className="flex">
         <div>
           <p className="mb-2 text-xs font-semibold text-gray-400">ENVIRONMENT</p>
@@ -238,27 +240,29 @@ const IntegrationTile = ({
         </div>
         <div className="mr-2">
           <p className="text-gray-400 text-xs font-semibold mb-2">INTEGRATION</p>
-          <div className="py-2.5 bg-white/[.07] rounded-md pl-4 pr-10 text-sm font-semibold text-gray-300">
+          <div className="py-2.5 bg-white/[.07] rounded-md pl-4 pr-10 text-sm font-semibold text-gray-300 cursor-default">
             {/* {integration.integration.charAt(0).toUpperCase() + integration.integration.slice(1)} */}
             {integrationSlugNameMapping[integration.integration]}
           </div>
         </div>
         <div className="mr-2">
           <div className="mb-2 text-xs font-semibold text-gray-400">APP</div>
-          <ListBox
+          {integrationApp ? <div title={integrationApp}>
+            <ListBox
             data={!integration.isActive ? apps.map((app) => app.name) : null}
-            isSelected={integrationApp}
+            isSelected={isSelected}
             onChange={(app) => {
               setIntegrationApp(app);
             }}
           />
+          </div> : <div className='w-52 h-10 rounded-md bg-mineshaft-600 animate-pulse px-4 font-bold py-2'>-</div>}
         </div>
         {renderIntegrationSpecificParams(integration)}
       </div>
-      <div className="flex items-end">
+      <div className="flex items-end cursor-default">
         {integration.isActive ? (
-          <div className="flex max-w-5xl flex-row items-center rounded-md bg-white/5 p-2 px-4">
-            <FontAwesomeIcon icon={faRotate} className="mr-2.5 animate-spin text-lg text-primary" />
+          <div className="flex max-w-5xl flex-row items-center rounded-md bg-mineshaft-600 p-[0.44rem] px-4 border border-mineshaft-500">
+            <FontAwesomeIcon icon={faCheck} className="mr-2.5 text-lg text-primary" />
             <div className="font-semibold text-gray-300">In Sync</div>
           </div>
         ) : (
@@ -269,7 +273,7 @@ const IntegrationTile = ({
             size="md"
           />
         )}
-        <div className="ml-2 opacity-50 duration-200 hover:opacity-100">
+        <div className="ml-2 opacity-80 duration-200 hover:opacity-100">
           <Button
             onButtonPressed={() =>
               handleDeleteIntegration({
@@ -278,7 +282,7 @@ const IntegrationTile = ({
             }
             color="red"
             size="icon-md"
-            icon={faX}
+            icon={faXmark}
           />
         </div>
       </div>

frontend/src/components/integrations/IntegrationSection.tsx

@@ -37,7 +37,7 @@ const ProjectIntegrationSection = ({
     <div className="mb-12">
       <div className="mx-4 mb-4 mt-6 flex max-w-5xl flex-col items-start justify-between px-2 text-xl">
         <h1 className="text-3xl font-semibold">Current Integrations</h1>
-        <p className="text-base text-gray-400">Manage integrations with third-party services.</p>
+        <p className="text-base text-bunker-300">Manage integrations with third-party services.</p>
       </div>
       {integrations.map((integration: Integration) => {
         return (

frontend/src/components/navigation/NavHeader.tsx

@@ -121,7 +121,7 @@ export default function NavHeader({
                 <span className="text-sm font-semibold text-bunker-300">{name}</span>
               ) : (
                 <Link passHref legacyBehavior href={{ pathname: '/dashboard/[id]', query }}>
-                  <a className="text-sm font-semibold capitalize text-primary/80 hover:text-primary">
+                  <a className="text-sm font-semibold text-primary/80 hover:text-primary">
                     {name === 'root' ? selectedEnv?.name : name}
                   </a>
                 </Link>

frontend/src/components/signup/TeamInviteStep.tsx

@@ -23,7 +23,7 @@ export default function TeamInviteStep(): JSX.Element {
   const redirectToHome = async () => {
     const userWorkspaces = await getWorkspaces();
     const userWorkspace = userWorkspaces[0]._id;
-    router.push(`/home/${userWorkspace}`);
+    router.push(`/dashboard/${userWorkspace}`);
   };
 
   const inviteUsers = async ({ emails: inviteEmails }: { emails: string }) => {

frontend/src/components/utilities/config/index.ts

@@ -4,11 +4,12 @@ const POSTHOG_HOST =
   process.env.NEXT_PUBLIC_POSTHOG_HOST! || "https://app.posthog.com";
 const STRIPE_PRODUCT_PRO = process.env.NEXT_PUBLIC_STRIPE_PRODUCT_PRO!;
 const STRIPE_PRODUCT_STARTER = process.env.NEXT_PUBLIC_STRIPE_PRODUCT_STARTER!;
+const INTERCOM_ID = process.env.NEXT_PUBLIC_INTERCOM_ID!;
 
 export {
   ENV,
+  INTERCOM_ID,
   POSTHOG_API_KEY,
   POSTHOG_HOST,
   STRIPE_PRODUCT_PRO,
-  STRIPE_PRODUCT_STARTER
-};
+  STRIPE_PRODUCT_STARTER};

frontend/src/components/utilities/intercom/intercom.ts

@@ -0,0 +1,64 @@
+/* eslint-disable prefer-template */
+/* eslint-disable prefer-rest-params */
+/* eslint-disable @typescript-eslint/no-unused-expressions */
+/* eslint-disable no-nested-ternary */
+/* eslint-disable no-unexpected-multiline */
+/* eslint-disable react-hooks/exhaustive-deps */
+/* eslint-disable vars-on-top */
+/* eslint-disable no-var */
+/* eslint-disable func-names */
+// @ts-nocheck
+
+import { INTERCOM_ID as APP_ID } from '@app/components/utilities/config';
+
+// Loads Intercom with the snippet
+// This must be run before boot, it initializes window.Intercom
+
+// prettier-ignore
+export const load = () => {
+  (function(){
+    var w=window;
+    var ic=w.Intercom;
+    
+    if(typeof ic==="function"){
+      ic('reattach_activator');
+      ic('update',w.intercomSettings);
+    } else {
+      var d=document;
+      var i=function() {
+        i.c(arguments);
+      };
+      i.q=[];
+      i.c=function(args) {
+        i.q.push(args);
+      };
+      w.Intercom=i;
+      var l=function() {
+        var s=d.createElement('script');
+        s.type='text/javascript';
+        s.async=true;
+        s.src='https://widget.intercom.io/widget/' + APP_ID;
+        var x=d.getElementsByTagName('script')[0];
+        x.parentNode.insertBefore(s, x);
+      };
+      if (document.readyState==='complete') {
+        l();
+      } else if (w.attachEvent) {
+        w.attachEvent('onload',l);
+      } else {
+        w.addEventListener('load',l,false);
+      }
+    }
+  })();
+}
+
+// Initializes Intercom
+export const boot = (options = {}) => {
+  window &&
+    window.Intercom &&
+    window.Intercom("boot", { app_id: APP_ID, ...options });
+};
+
+export const update = () => {
+  window && window.Intercom && window.Intercom("update");
+};

frontend/src/components/utilities/intercom/intercomProvider.ts

@@ -0,0 +1,37 @@
+import { useEffect } from "react";
+import { useRouter } from "next/router";
+
+import {
+  boot as bootIntercom,
+  load as loadIntercom,
+  update as updateIntercom,
+} from "./intercom";
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export const IntercomProvider = ({ children }: { children: any }) => {
+  const router = useRouter();
+
+  if (typeof window !== "undefined") {
+    loadIntercom();
+    bootIntercom();
+  }
+
+  useEffect(() => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const handleRouteChange = (url: string) => {
+      if (typeof window !== "undefined") {
+        updateIntercom();
+      }
+    };
+
+    router.events.on("routeChangeStart", handleRouteChange);
+
+    // If the component is unmounted, unsubscribe
+    // from the event with the `off` method:
+    return () => {
+      router.events.off("routeChangeStart", handleRouteChange);
+    };
+  }, [router.events]);
+
+  return children;
+};

frontend/src/components/v2/EmptyState/EmptyState.tsx

@@ -21,7 +21,7 @@ export const EmptyState = ({
 }: Props) => (
   <div
     className={twMerge(
-      'flex w-full flex-col items-center bg-bunker-700 px-2 pt-6 text-bunker-300',
+      'flex w-full flex-col items-center bg-mineshaft-800 px-2 pt-6 text-bunker-300',
       className
     )}
   >

frontend/src/components/v2/Select/Select.tsx

@@ -40,7 +40,7 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
           ref={ref}
           className={twMerge(
             `inline-flex items-center justify-between rounded-md
-            bg-bunker-800 px-3 py-2 font-inter text-sm font-normal text-bunker-200 outline-none data-[placeholder]:text-gray-500`,
+            bg-mineshaft-900 px-3 py-2 font-inter text-sm font-normal text-bunker-200 outline-none data-[placeholder]:text-gray-500`,
             className
           )}
         >
@@ -56,7 +56,7 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
         <SelectPrimitive.Portal>
           <SelectPrimitive.Content
             className={twMerge(
-              'relative top-1 z-[100] overflow-hidden rounded-md bg-bunker-800 font-inter text-bunker-100 shadow-md',
+              'relative top-1 z-[100] overflow-hidden rounded-md bg-mineshaft-900 border border-mineshaft-600 font-inter text-bunker-100 shadow-md',
               dropdownContainerClassName
             )}
             position={position}

frontend/src/components/v2/Table/Table.tsx

@@ -16,8 +16,8 @@ export const TableContainer = ({
 }: TableContainerProps): JSX.Element => (
   <div
     className={twMerge(
-      'relative w-full overflow-x-auto border border-solid border-mineshaft-700 bg-mineshaft-800 font-inter shadow-md',
-      isRounded && 'rounded-md',
+      'relative w-full overflow-x-auto border border-solid border-mineshaft-700 bg-mineshaft-800 font-inter',
+      isRounded && 'rounded-lg',
       className
     )}
   >
@@ -34,7 +34,7 @@ export type TableProps = {
 export const Table = ({ children, className }: TableProps): JSX.Element => (
   <table
     className={twMerge(
-      'w-full rounded-md  bg-bunker-800 p-2 text-left text-sm text-gray-300',
+      'w-full bg-mineshaft-800 p-2 text-left text-sm text-gray-300',
       className
     )}
   >
@@ -49,7 +49,7 @@ export type THeadProps = {
 };
 
 export const THead = ({ children, className }: THeadProps): JSX.Element => (
-  <thead className={twMerge('bg-bunker text-xs uppercase text-bunker-300', className)}>
+  <thead className={twMerge('bg-mineshaft-800 text-xs uppercase text-bunker-300', className)}>
     {children}
   </thead>
 );
@@ -62,7 +62,7 @@ export type TrProps = {
 
 export const Tr = ({ children, className, ...props }: TrProps): JSX.Element => (
   <tr
-    className={twMerge('border border-solid border-mineshaft-700 hover:bg-bunker-700', className)}
+    className={twMerge('border border-solid border-mineshaft-700 cursor-default', className)}
     {...props}
   >
     {children}
@@ -76,7 +76,7 @@ export type ThProps = {
 };
 
 export const Th = ({ children, className }: ThProps): JSX.Element => (
-  <th className={twMerge('bg-bunker-500 px-5 pt-4 pb-3.5 font-semibold', className)}>{children}</th>
+  <th className={twMerge('bg-mineshaft-800 px-5 pt-4 pb-3.5 font-semibold border-b-2 border-mineshaft-600', className)}>{children}</th>
 );
 
 // table body

frontend/src/components/v2/UpgradePlanModal/UpgradePlanModal.tsx

@@ -18,7 +18,7 @@ export const UpgradePlanModal = ({ text, isOpen, onOpenChange }: Props): JSX.Ele
           href={`/settings/billing/${localStorage.getItem('projectData.id') as string}`}
           key="upgrade-plan"
         >
-          <Button className="mr-4 ml-2">Upgrade Plan</Button>
+          <Button className="mr-4 ml-2 mb-2">Upgrade Plan</Button>
         </Link>,
         <ModalClose asChild key="upgrade-plan-cancel">
           <Button colorSchema="secondary" variant="plain">

frontend/src/context/SubscriptionContext/SubscriptionContext.tsx

@@ -1,14 +1,13 @@
 import { createContext, ReactNode, useContext, useMemo } from 'react';
 
 import { useGetOrgSubscription } from '@app/hooks/api';
-import { GetSubscriptionPlan } from '@app/hooks/api/types';
+import { SubscriptionPlan } from '@app/hooks/api/types';
 
 import { useWorkspace } from '../WorkspaceContext';
 // import { Subscription } from '@app/hooks/api/workspace/types';
 
 type TSubscriptionContext = {
-  subscription?: GetSubscriptionPlan;
-  subscriptionPlan: string;
+  subscription?: SubscriptionPlan;
   isLoading: boolean;
 };
 
@@ -28,7 +27,6 @@ export const SubscriptionProvider = ({ children }: Props): JSX.Element => {
   const value = useMemo<TSubscriptionContext>(
     () => ({
       subscription: data,
-      subscriptionPlan: data?.data?.[0]?.plan?.product || '',
       isLoading
     }),
     [data, isLoading]

frontend/src/ee/components/ActivityTable.tsx

@@ -1,7 +1,6 @@
 /* eslint-disable jsx-a11y/no-noninteractive-element-interactions */
 import React, { useState } from 'react';
 import { useTranslation } from 'react-i18next';
-import Image from 'next/image';
 import { faAngleDown, faAngleRight, faUpRightFromSquare } from '@fortawesome/free-solid-svg-icons';
 import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 
@@ -48,7 +47,7 @@ const ActivityLogsRow = ({
   const { t } = useTranslation();
 
   const renderUser = () => {
-    if (row?.user) return `User: ${row.user}`;
+    if (row?.user) return `${row.user}`;
     if (row?.serviceAccount) return `Service Account: ${row.serviceAccount.name}`;
     if (row?.serviceTokenData.name) return `Service Token: ${row.serviceTokenData.name}`;
 
@@ -56,71 +55,77 @@ const ActivityLogsRow = ({
   };
   return (
     <>
-      <tr key={guidGenerator()} className="w-full bg-bunker-800 text-sm duration-100">
-        <td
-          onKeyDown={() => null}
+      <div key={guidGenerator()} className="w-full bg-mineshaft-800 text-sm text-mineshaft-200 duration-100 flex flex-row items-center">
+        <button
+          type="button"
           onClick={() => setPayloadOpened(!payloadOpened)}
-          className="flex cursor-pointer items-center border-t border-mineshaft-700 text-gray-300"
+          className="border-t border-mineshaft-700 pt-[0.58rem]"
         >
           <FontAwesomeIcon
             icon={payloadOpened ? faAngleDown : faAngleRight}
-            className={`mt-2.5 ml-6 text-bunker-100 hover:bg-mineshaft-700 ${
-              payloadOpened && 'bg-mineshaft-500'
+            className={`ml-6 mb-2 text-mineshaft-300 cursor-pointer ${
+              payloadOpened ? 'bg-mineshaft-500 hover:bg-mineshaft-500' : 'hover:bg-mineshaft-700'
             } h-4 w-4 rounded-md p-1 duration-100`}
           />
-        </td>
-        <td className="border-t border-mineshaft-700 py-3 text-gray-300">
+        </button>
+        <div className="border-t border-mineshaft-700 py-3 w-1/4 pl-6">
           {row.payload
             ?.map(
               (action) =>
                 `${String(action.secretVersions.length)} ${t(`activity.event.${action.name}`)}`
             )
             .join(' and ')}
-        </td>
-        <td className="border-t border-mineshaft-700 py-3 pl-6 text-gray-300">{renderUser()}</td>
-        <td className="border-t border-mineshaft-700 py-3 pl-6 text-gray-300">{row.channel}</td>
-        <td className="border-t border-mineshaft-700 py-3 pl-6 text-gray-300">
+        </div>
+        <div className="border-t border-mineshaft-700 py-3 pl-6 w-1/4">{renderUser()}</div>
+        <div className="border-t border-mineshaft-700 py-3 pl-6 w-1/4">{row.channel}</div>
+        <div className="border-t border-mineshaft-700 py-3 pl-6 w-1/4">
           {timeSince(new Date(row.createdAt))}
-        </td>
-      </tr>
+        </div>
+      </div>
       {payloadOpened && (
-        <tr className="h-9 border-t border-mineshaft-700 text-sm text-bunker-200">
-          <td />
-          <td>{String(t('common.timestamp'))}</td>
-          <td>{row.createdAt}</td>
-        </tr>
+        <div className="h-9 border-t border-mineshaft-700 text-sm text-bunker-200 bg-mineshaft-900/50 w-full flex flex-row items-center">
+          <div className='max-w-xl w-full flex flex-row items-center'>
+            <div className='w-24' />
+            <div className='w-1/2'>{String(t('common.timestamp'))}</div>
+            <div className='w-1/2'>{row.createdAt}</div>
+          </div>
+        </div>
       )}
       {payloadOpened &&
         row.payload?.map(
           (action) =>
             action.secretVersions.length > 0 && (
-              <tr
-                key={action._id}
-                className="h-9 border-t border-mineshaft-700 text-sm text-bunker-200"
+              <div 
+                key={action.name}
+                className="h-9 border-t border-mineshaft-700 text-sm text-bunker-200 bg-mineshaft-900/50 w-full flex flex-row items-center"
               >
-                <td />
-                <td className="">{t(`activity.event.${action.name}`)}</td>
-                <td
-                  onKeyDown={() => null}
-                  className="cursor-pointer text-primary-300 duration-200 hover:text-primary"
-                  onClick={() => toggleSidebar(action._id)}
-                >
-                  {action.secretVersions.length +
-                    (action.secretVersions.length !== 1 ? ' secrets' : ' secret')}
-                  <FontAwesomeIcon
-                    icon={faUpRightFromSquare}
-                    className="ml-2 mb-0.5 h-3 w-3 font-light"
-                  />
-                </td>
-              </tr>
+                <div className='max-w-xl w-full flex flex-row items-center'>
+                  <div className='w-24' />
+                  <div className='w-1/2'>{t(`activity.event.${action.name}`)}</div>
+                  <button 
+                    type="button"
+                    onClick={() => toggleSidebar(action._id)}
+                    className='w-1/2 text-primary-300 hover:text-primary-500 flex flex-row justify-left items-center duration-100'
+                  >
+                    {action.secretVersions.length +
+                        (action.secretVersions.length !== 1 ? ' secrets' : ' secret')}
+                      <FontAwesomeIcon
+                        icon={faUpRightFromSquare}
+                        className="ml-2 mb-0.5 h-3 w-3 font-light"
+                      />
+                  </button>
+                </div>
+              </div>
             )
         )}
       {payloadOpened && (
-        <tr className="h-9 border-t border-mineshaft-700 text-sm text-bunker-200">
-          <td />
-          <td>{String(t('activity.ip-address'))}</td>
-          <td>{row.ipAddress}</td>
-        </tr>
+        <div className="h-9 border-t border-mineshaft-700 text-sm text-bunker-200 bg-mineshaft-900/50 w-full flex flex-row items-center">
+          <div className='max-w-xl w-full flex flex-row items-center'>
+            <div className='w-24' />
+            <div className='w-1/2'>{String(t('activity.ip-address'))}</div>
+            <div className='w-1/2'>{row.ipAddress}</div>
+          </div>
+        </div>
       )}
     </>
   );
@@ -147,47 +152,48 @@ const ActivityTable = ({
 
   return (
     <div className="mt-8 w-full px-6">
-      <div className="table-container relative mb-6 w-full rounded-md border border-mineshaft-700 bg-bunker">
-        <div className="absolute h-[3rem] w-full rounded-t-md bg-white/5" />
-        <table className="my-1 w-full">
-          <thead className="text-bunker-300">
-            <tr className="text-sm">
-              <th aria-label="actions" className="pl-6 pt-2.5 pb-3 text-left" />
-              <th className="pt-2.5 pb-3 text-left font-semibold">
-                {String(t('common.event')).toUpperCase()}
-              </th>
-              <th className="pl-6 pt-2.5 pb-3 text-left font-semibold">
-                {String(t('common.user')).toUpperCase()}
-              </th>
-              <th className="pl-6 pt-2.5 pb-3 text-left font-semibold">
-                {String(t('common.source')).toUpperCase()}
-              </th>
-              <th className="pl-6 pt-2.5 pb-3 text-left font-semibold">
-                {String(t('common.time')).toUpperCase()}
-              </th>
-              <th aria-label="action" />
-            </tr>
-          </thead>
-          <tbody>
-            {data?.map((row, index) => (
-              <ActivityLogsRow
-                key={`activity.${index + 1}.${row._id}`}
-                row={row}
-                toggleSidebar={toggleSidebar}
-              />
-            ))}
-          </tbody>
-        </table>
+      <div className="table-container relative mb-6 w-full rounded-md border border-mineshaft-700 bg-mineshaft-800">
+        {/* <div className="absolute h-[3rem] w-full rounded-t-md bg-white/5" /> */}
+        <div className="my-1 w-full">
+          <div className="text-bunker-300 border-b border-mineshaft-600">
+            <div className="text-sm flex flex-row w-full">
+              <button
+                type="button"
+                onClick={() => {}}
+                className="opacity-0"
+              >
+                <FontAwesomeIcon
+                  icon={faAngleRight}
+                  className="ml-6 mb-2 text-bunker-100 hover:bg-mineshaft-700 cursor-pointer h-4 w-4 rounded-md p-1 duration-100"
+                />
+              </button>
+              <div className="flex flex-row justify-between w-full">
+                <div className="pt-2.5 pb-3 text-left font-semibold w-1/4 pl-6">
+                  {String(t('common.event')).toUpperCase()}
+                </div>
+                <div className="pl-6 pt-2.5 pb-3 text-left font-semibold w-1/4 pl-6">
+                  {String(t('common.user')).toUpperCase()}
+                </div>
+                <div className="pl-6 pt-2.5 pb-3 text-left font-semibold w-1/4 pl-6">
+                  {String(t('common.source')).toUpperCase()}
+                </div>
+                <div className="pl-6 pt-2.5 pb-3 text-left font-semibold w-1/4 pl-6">
+                  {String(t('common.time')).toUpperCase()}
+                </div>
+              </div>
+            </div>
+          </div>
+          {data?.map((row, index) => (
+            <ActivityLogsRow
+              key={`activity.${index + 1}.${row._id}`}
+              row={row}
+              toggleSidebar={toggleSidebar}
+            />
+          ))}
+        </div>
       </div>
       {isLoading && (
-        <div className="mb-8 mt-4 flex w-full justify-center">
-          <Image
-            src="/images/loading/loading.gif"
-            height={60}
-            width={100}
-            alt="loading animation"
-          />
-        </div>
+        <div className="mb-8 mt-4 bg-mineshaft-800 rounded-md h-60 flex w-full justify-center animate-pulse" />
       )}
     </div>
   );

frontend/src/hooks/api/serviceTokens/types.ts

@@ -3,6 +3,7 @@ export type ServiceToken = {
   name: string;
   workspace: string;
   environment: string;
+  secretPath: string;
   user: string;
   expiresAt: string;
   createdAt: string;
@@ -15,6 +16,7 @@ export type CreateServiceTokenDTO = {
   workspaceId: string;
   environment: string;
   expiresIn: number;
+  secretPath: string;
   encryptedKey: string;
   iv: string;
   tag: string;

frontend/src/hooks/api/subscriptions/queries.tsx

@@ -2,20 +2,20 @@ import { useQuery } from '@tanstack/react-query';
 
 import { apiRequest } from '@app/config/request';
 
-import { GetSubscriptionPlan } from './types';
+import { SubscriptionPlan } from './types';
 
 // import { Workspace } from './types';
 
 const subscriptionKeys = {
-  getOrgSubsription: (orgID: string) => ['subscription', { orgID }] as const
+  getOrgSubsription: (orgID: string) => ['plan', { orgID }] as const
 };
 
 const fetchOrgSubscription = async (orgID: string) => {
-  const { data } = await apiRequest.get<{ subscriptions: GetSubscriptionPlan }>(
-    `/api/v1/organization/${orgID}/subscriptions`
+  const { data } = await apiRequest.get<{ plan: SubscriptionPlan }>(
+    `/api/v1/organizations/${orgID}/plan`
   );
 
-  return data.subscriptions;
+  return data.plan;
 };
 
 type UseGetOrgSubscriptionProps = {

frontend/src/hooks/api/subscriptions/types.ts

@@ -1,25 +1,16 @@
-export type GetSubscriptionPlan = {
-  data: { plan: SubscriptionPlan }[];
-};
-
 export type SubscriptionPlan = {
-  id: string;
-  object: string;
-  active: boolean;
-  aggregate_usage: unknown;
-  amount: 1400;
-  amount_decimal: 1400;
-  billing_scheme: string;
-  created: 1674833546;
-  currency: string;
-  interval: string;
-  interval_count: 1;
-  livemode: false;
-  metadata: {};
-  nickname: null;
-  product: string;
-  tiers_mode: unknown;
-  transform_usage: unknown;
-  trial_period_days: unknown;
-  usage_type: string;
+  _id: string;
+  membersUsed: number;
+  memberLimit: number;
+  auditLogs: boolean;
+  customAlerts: boolean;
+  customRateLimits: boolean;
+  pitRecovery: boolean;
+  rbac: boolean;
+  secretVersioning: boolean;
+  slug: string;
+  tier: number;
+  workspaceLimit: number;
+  workspacesUsed: number;
+  envLimit: number;
 };

frontend/src/hooks/api/types.ts

@@ -3,7 +3,7 @@ export type { IncidentContact } from './incidentContacts/types';
 export type { UserWsKeyPair } from './keys/types';
 export type { Organization } from './organization/types';
 export type { CreateServiceTokenDTO, ServiceToken } from './serviceTokens/types';
-export type { GetSubscriptionPlan, SubscriptionPlan } from './subscriptions/types';
+export type { SubscriptionPlan } from './subscriptions/types';
 export type { WsTag } from './tags/types';
 export type { AddUserToWsDTO, AddUserToWsRes, OrgUser, User } from './users/types';
 export type {

frontend/src/hooks/api/workspace/index.tsx

@@ -12,4 +12,5 @@ export {
   useNameWorkspaceSecrets,
   useRenameWorkspace,
   useToggleAutoCapitalization,
-  useUpdateWsEnvironment} from './queries';
+  useUpdateWsEnvironment
+} from './queries';

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -1,6 +1,10 @@
 /* eslint-disable no-nested-ternary */
 /* eslint-disable no-unexpected-multiline */
 /* eslint-disable react-hooks/exhaustive-deps */
+/* eslint-disable vars-on-top */
+/* eslint-disable no-var */
+/* eslint-disable func-names */
+// @ts-nocheck
 import crypto from 'crypto';
 
 import { useEffect, useState } from 'react';
@@ -31,7 +35,6 @@ import {
   SelectItem,
   UpgradePlanModal
 } from '@app/components/v2';
-import { plans } from '@app/const';
 import { useOrganization, useSubscription, useUser, useWorkspace } from '@app/context';
 import { usePopUp } from '@app/hooks';
 import { fetchOrgUsers, useAddUserToWs, useCreateWorkspace, useUploadWsKey } from '@app/hooks/api';
@@ -59,10 +62,9 @@ export const AppLayout = ({ children }: LayoutProps) => {
   const { workspaces, currentWorkspace } = useWorkspace();
   const { currentOrg } = useOrganization();
   const { user } = useUser();
-  const { subscriptionPlan } = useSubscription();
-  const host = window.location.origin;
-  const isAddingProjectsAllowed =
-    subscriptionPlan !== plans.starter || (subscriptionPlan === plans.starter && workspaces.length < 3) || host !== 'https://app.infisical.com';
+  const { subscription } = useSubscription();
+
+  const isAddingProjectsAllowed = subscription?.workspaceLimit ? (subscription.workspacesUsed < subscription.workspaceLimit) : true;
 
   const createWs = useCreateWorkspace();
   const uploadWsKey = useUploadWsKey();
@@ -87,6 +89,18 @@ export const AppLayout = ({ children }: LayoutProps) => {
 
   const { t } = useTranslation();
 
+	useEffect(() => {
+		const handleRouteChange = () => {
+			(window).Intercom('update');
+		};
+		
+		router.events.on('routeChangeComplete', handleRouteChange);
+		
+		return () => {
+		  router.events.off('routeChangeComplete', handleRouteChange);
+		};
+	}, []);
+
   // TODO(akhilmhdh): This entire logic will be rechecked and will try to avoid
   // Placing the localstorage as much as possible
   // Wait till tony integrates the azure and its launched
@@ -104,7 +118,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
       });
       const userWorkspaces = orgUserProjects;
       if (
-        (userWorkspaces.length === 0 &&
+        (userWorkspaces?.length === 0 &&
           router.asPath !== '/noprojects' &&
           !router.asPath.includes('home') &&
           !router.asPath.includes('settings')) ||

frontend/src/pages/_app.tsx

@@ -1,4 +1,9 @@
+/* eslint-disable vars-on-top */
+/* eslint-disable no-var */
+/* eslint-disable func-names */
 /* eslint-disable react/jsx-props-no-spreading */
+// @ts-nocheck
+
 import { useEffect } from 'react';
 import { AppProps } from 'next/app';
 import { useRouter } from 'next/router';
@@ -6,6 +11,7 @@ import { config } from '@fortawesome/fontawesome-svg-core';
 import { QueryClientProvider } from '@tanstack/react-query';
 
 import NotificationProvider from '@app/components/context/Notifications/NotificationProvider';
+import { IntercomProvider } from '@app/components/utilities/intercom/intercomProvider';
 import Telemetry from '@app/components/utilities/telemetry/Telemetry';
 import { TooltipProvider } from '@app/components/v2';
 import { publicPaths } from '@app/const';
@@ -38,6 +44,7 @@ const App = ({ Component, pageProps, ...appProps }: NextAppProp): JSX.Element =>
     const telemetry = new Telemetry().getInstance();
 
     const handleRouteChange = () => {
+			// (window).Intercom('update');
       if (typeof window !== 'undefined') {
         telemetry.capture('$pageview');
       }
@@ -75,9 +82,11 @@ const App = ({ Component, pageProps, ...appProps }: NextAppProp): JSX.Element =>
               <SubscriptionProvider>
                 <UserProvider>
                   <NotificationProvider>
-                    <AppLayout>
-                      <Component {...pageProps} />
-                    </AppLayout>
+                    <IntercomProvider>
+                      <AppLayout>
+                        <Component {...pageProps} />
+                      </AppLayout>
+                    </IntercomProvider>
                   </NotificationProvider>
                 </UserProvider>
               </SubscriptionProvider>

frontend/src/pages/activity/[id].tsx

@@ -6,7 +6,10 @@ import { useRouter } from 'next/router';
 import Button from '@app/components/basic/buttons/Button';
 import EventFilter from '@app/components/basic/EventFilter';
 import NavHeader from '@app/components/navigation/NavHeader';
+import { UpgradePlanModal } from '@app/components/v2';
+import { useSubscription } from '@app/context';
 import ActivitySideBar from '@app/ee/components/ActivitySideBar';
+import { usePopUp } from '@app/hooks/usePopUp';
 
 import getProjectLogs from '../../ee/api/secrets/GetProjectLogs';
 import ActivityTable from '../../ee/components/ActivityTable';
@@ -67,6 +70,10 @@ export default function Activity() {
   const currentLimit = 10;
   const [currentSidebarAction, toggleSidebar] = useState<string>();
   const { t } = useTranslation();
+  const { subscription } = useSubscription();
+  const { popUp, handlePopUpOpen, handlePopUpClose } = usePopUp([
+    'upgradePlan'
+  ] as const);
 
   // this use effect updates the data in case of a new filter being added
   useEffect(() => {
@@ -137,11 +144,15 @@ export default function Activity() {
   }, [currentLimit, currentOffset]);
 
   const loadMoreLogs = () => {
-    setCurrentOffset(currentOffset + currentLimit);
+    if (subscription?.auditLogs === false) {
+      handlePopUpOpen('upgradePlan');
+    } else {
+      setCurrentOffset(currentOffset + currentLimit);
+    }
   };
 
   return (
-    <div className="mx-6 lg:mx-0 w-full h-screen">
+    <div className="mx-6 lg:mx-0 w-full h-full">
       <Head>
         <title>Audit Logs</title>
         <link rel="icon" href="/infisical.ico" />
@@ -173,6 +184,11 @@ export default function Activity() {
           />
         </div>
       </div>
+      <UpgradePlanModal
+        isOpen={popUp.upgradePlan.isOpen}
+        onOpenChange={() => handlePopUpClose('upgradePlan')}
+        text="You can see more logs if you switch to Infisical's Business/Professional Plan."
+      />
     </div>
   );
 }

frontend/src/pages/api/integrations/saveIntegrationAccessToken.ts

@@ -1,10 +1,12 @@
 import SecurityClient from '@app/components/utilities/SecurityClient';
 
 interface Props {
-    workspaceId: string | null;
-    integration: string | undefined;
-    accessId: string | null;
-    accessToken: string;
+  workspaceId: string | null;
+  integration: string | undefined;
+  accessId: string | null;
+  accessToken: string;
+  url: string | null;
+  namespace: string | null;
 }
 /**
  * This route creates a new integration authorization for integration [integration]
@@ -15,13 +17,17 @@ interface Props {
  * @param {String} obj.workspaceId - id of workspace to authorize integration for
  * @param {String} obj.integration - integration
  * @param {String} obj.accessToken - access token to save
+ * @param {String} obj.url - URL of the Vault instance
+ * @param {String} obj.namespace - Vault-specific namespace param
  * @returns
  */
 const saveIntegrationAccessToken = ({ 
     workspaceId,
     integration,
     accessId,
-    accessToken
+    accessToken,
+    url,
+    namespace
 }: Props) =>
   SecurityClient.fetchCall(`/api/v1/integration-auth/access-token`, {
     method: 'POST',
@@ -32,7 +38,9 @@ const saveIntegrationAccessToken = ({
         workspaceId,
         integration,
         accessId,
-        accessToken
+        accessToken,
+        url,
+        namespace
     })
   }).then(async (res) => {
     if (res && res.status === 200) {