docs(sso): fixed azure attributes typo

docs(guides): updated python guide
Merge pull request #3031 from Infisical/project-list-pagination-fix
2025-07-05 04:29:09 +00:00 · 2025-01-23 05:20:44 +01:00 · 2025-01-23 05:20:26 +01:00 · 2025-01-22 16:27:59 -08:00 · 2025-01-22 18:42:05 -05:00 · 2025-01-22 14:18:38 -08:00
1956 changed files with 71722 additions and 45583 deletions
--- a/.env.example
+++ b/.env.example
@ -88,3 +88,20 @@ PLAIN_WISH_LABEL_IDS=
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
 ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
 # App Connections
 # aws assume-role
 INF_APP_CONNECTION_AWS_ACCESS_KEY_ID=
 INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY=
 # github oauth
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET=
 #github app
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
--- a/.github/workflows/check-fe-ts-and-lint.yml
+++ b/.github/workflows/check-fe-ts-and-lint.yml
@ -18,18 +18,18 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 20
        uses: actions/setup-node@v3
        with:
-          node-version: "16"
+          node-version: "20"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: 📦 Install dependencies
        run: npm install
        working-directory: frontend
      - name: 🏗️ Run Type check
-        run: npm run type:check 
+        run: npm run type:check
        working-directory: frontend
      - name: 🏗️ Run Link check
-        run: npm run lint:fix 
+        run: npm run lint:fix
        working-directory: frontend
--- a/.github/workflows/deployment-pipeline.yml
+++ b/.github/workflows/deployment-pipeline.yml
@ -5,6 +5,10 @@ permissions:
  id-token: write
  contents: read
 concurrency: 
  group: "infisical-core-deployment"
  cancel-in-progress: true  
 jobs:
  infisical-tests:
    name: Integration tests
@ -97,7 +101,7 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-gamma-stage
@ -113,10 +117,6 @@ jobs:
    steps:
      - uses: twingate/github-action@v1
        with:
        # The Twingate Service Key used to connect Twingate to the proper service
        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
        #
        # Required
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
@ -153,12 +153,37 @@ jobs:
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
          service: infisical-core-platform
          cluster: infisical-core-platform
          wait-for-service-stability: true
      - name: Post slack message 
        uses: slackapi/slack-github-action@v2.0.0
        with:
          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "*Deployment Status Update*: ${{ job.status }}"
            blocks:
              - type: "section"
                text:
                  type: "mrkdwn"
                  text: "*Deployment Status Update*: ${{ job.status }}"
              - type: "section"
                fields:
                  - type: "mrkdwn"
                    text: "*Application:*\nInfisical Core"
                  - type: "mrkdwn"
                    text: "*Instance Type:*\nShared Infisical Cloud"
              - type: "section"
                fields:
                  - type: "mrkdwn"
                    text: "*Region:*\nUS"
                  - type: "mrkdwn"
                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
  production-eu:
      name: EU production deploy
@ -204,9 +229,34 @@ jobs:
            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
            environment-variables: "LOG_LEVEL=info"
        - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
          with:
            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
            service: infisical-core-platform
            cluster: infisical-core-platform
            wait-for-service-stability: true
        - name: Post slack message 
          uses: slackapi/slack-github-action@v2.0.0
          with:
            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
            webhook-type: incoming-webhook
            payload: |
              text: "*Deployment Status Update*: ${{ job.status }}"
              blocks:
                - type: "section"
                  text:
                    type: "mrkdwn"
                    text: "*Deployment Status Update*: ${{ job.status }}"
                - type: "section"
                  fields:
                    - type: "mrkdwn"
                      text: "*Application:*\nInfisical Core"
                    - type: "mrkdwn"
                      text: "*Instance Type:*\nShared Infisical Cloud"
                - type: "section"
                  fields:
                    - type: "mrkdwn"
                      text: "*Region:*\nEU"
                    - type: "mrkdwn"
                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
--- a/.infisicalignore
+++ b/.infisicalignore
@ -7,3 +7,4 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -8,7 +8,7 @@ FROM node:20-slim AS base
 FROM base AS frontend-dependencies
 WORKDIR /app
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -23,17 +23,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 ENV NODE_ENV production
 ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 # Build
 RUN npm run build
@ -44,20 +43,10 @@ WORKDIR /app
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 VOLUME /app/.next/cache/images
 COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
 RUN chown non-root-user:nodejs ./public/data
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 USER non-root-user
 ENV NEXT_TELEMETRY_DISABLED 1
 ##
 ## BACKEND
 ##
@ -137,6 +126,7 @@ RUN apt-get update && apt-get install -y \
    freetds-dev \
    freetds-bin \
    tdsodbc \
    openssh-client \
    && rm -rf /var/lib/apt/lists/*
 # Configure ODBC in production
@ -159,14 +149,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+ENV INTERCOM_ID=$INTERCOM_ID
    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 WORKDIR / 
@ -191,4 +178,4 @@ EXPOSE 443
 USER non-root-user
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -12,7 +12,7 @@ RUN apk add --no-cache libc6-compat
 WORKDIR /app
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+COPY frontend/package.json frontend/package-lock.json  ./
 # Install dependencies
 RUN npm ci --only-production --ignore-scripts
@ -27,17 +27,16 @@ COPY --from=frontend-dependencies /app/node_modules ./node_modules
 COPY /frontend .
 ENV NODE_ENV production
 ENV NEXT_PUBLIC_ENV production
 ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ENV VITE_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
 ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
+ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
 # Build
 RUN npm run build
@ -49,20 +48,10 @@ WORKDIR /app
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 non-root-user
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
+COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 VOLUME /app/.next/cache/images
 COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
 RUN chown non-root-user:nodejs ./public/data
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
 USER non-root-user
 ENV NEXT_TELEMETRY_DISABLED 1
 ##
 ## BACKEND
 ##
@ -139,7 +128,8 @@ RUN apk --update add \
    freetds-dev \
    bash \
    curl \
-    git
+    git \
    openssh
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
@ -158,14 +148,11 @@ RUN chmod u+rx /usr/sbin/update-ca-certificates
 ## set pre baked keys
 ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
 ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+ENV INTERCOM_ID=$INTERCOM_ID
  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 COPY --from=backend-runner /app /backend
@ -188,4 +175,4 @@ EXPOSE 443
 USER non-root-user
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/README.md
+++ b/README.md
@ -56,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.
-### Internal PKI:
+### Infisical (Internal) PKI:
 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@ -64,12 +64,17 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
-### Key Management (KMS):
+### Infisical Key Management System (KMS):
 - **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 ### Infisical SSH
 - **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -7,7 +7,8 @@ WORKDIR /app
 RUN apk --update add \
        python3 \
        make \
-        g++
+        g++ \
        openssh
 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -17,7 +17,8 @@ RUN apk --update add \
        openssl-dev \
        python3 \
        make \
-        g++
+        g++ \
        openssh
 # install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apk add --no-cache \
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -22,8 +22,10 @@ export const mockQueue = (): TQueueServiceFactory => {
    listen: (name, event) => {
      events[name] = event;
    },
    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true
+    stopRepeatableJobByJobId: async () => true,
    stopRepeatableJobByKey: async () => true
  };
 };
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -26,6 +26,7 @@
        "@fastify/rate-limit": "^9.0.0",
        "@fastify/request-context": "^5.1.0",
        "@fastify/session": "^10.7.0",
        "@fastify/static": "^7.0.4",
        "@fastify/swagger": "^8.14.0",
        "@fastify/swagger-ui": "^2.1.0",
        "@google-cloud/kms": "^4.5.0",
@ -5406,6 +5407,7 @@
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/accept-negotiator/-/accept-negotiator-1.1.0.tgz",
      "integrity": "sha512-OIHZrb2ImZ7XG85HXOONLcJWGosv7sIvM2ifAPQVhg9Lv7qdmMBNVaai4QTdyuaqbKM5eO6sLSQOYI7wEQeCJQ==",
      "license": "MIT",
      "engines": {
        "node": ">=14"
      }
@ -5545,6 +5547,7 @@
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/send/-/send-2.1.0.tgz",
      "integrity": "sha512-yNYiY6sDkexoJR0D8IDy3aRP3+L4wdqCpvx5WP+VtEU58sn7USmKynBzDQex5X42Zzvw2gNzzYgP90UfWShLFA==",
      "license": "MIT",
      "dependencies": {
        "@lukeed/ms": "^2.0.1",
        "escape-html": "~1.0.3",
@ -5563,16 +5566,85 @@
      }
    },
    "node_modules/@fastify/static": {
-      "version": "6.12.0",
+      "version": "7.0.4",
-      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
+      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-7.0.4.tgz",
-      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
+      "integrity": "sha512-p2uKtaf8BMOZWLs6wu+Ihg7bWNBdjNgCwDza4MJtTqg+5ovKmcbgbR9Xs5/smZ1YISfzKOCNYmZV8LaCj+eJ1Q==",
      "license": "MIT",
      "dependencies": {
        "@fastify/accept-negotiator": "^1.0.0",
        "@fastify/send": "^2.0.0",
        "content-disposition": "^0.5.3",
        "fastify-plugin": "^4.0.0",
-        "glob": "^8.0.1",
+        "fastq": "^1.17.0",
-        "p-limit": "^3.1.0"
+        "glob": "^10.3.4"
      }
    },
    "node_modules/@fastify/static/node_modules/brace-expansion": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0"
      }
    },
    "node_modules/@fastify/static/node_modules/glob": {
      "version": "10.4.5",
      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
      "license": "ISC",
      "dependencies": {
        "foreground-child": "^3.1.0",
        "jackspeak": "^3.1.2",
        "minimatch": "^9.0.4",
        "minipass": "^7.1.2",
        "package-json-from-dist": "^1.0.0",
        "path-scurry": "^1.11.1"
      },
      "bin": {
        "glob": "dist/esm/bin.mjs"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
    "node_modules/@fastify/static/node_modules/jackspeak": {
      "version": "3.4.3",
      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
      "license": "BlueOak-1.0.0",
      "dependencies": {
        "@isaacs/cliui": "^8.0.2"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      },
      "optionalDependencies": {
        "@pkgjs/parseargs": "^0.11.0"
      }
    },
    "node_modules/@fastify/static/node_modules/minimatch": {
      "version": "9.0.5",
      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
      "license": "ISC",
      "dependencies": {
        "brace-expansion": "^2.0.1"
      },
      "engines": {
        "node": ">=16 || 14 >=14.17"
      },
      "funding": {
        "url": "https://github.com/sponsors/isaacs"
      }
    },
    "node_modules/@fastify/static/node_modules/minipass": {
      "version": "7.1.2",
      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
      "license": "ISC",
      "engines": {
        "node": ">=16 || 14 >=14.17"
      }
    },
    "node_modules/@fastify/swagger": {
@ -5599,6 +5671,20 @@
        "yaml": "^2.2.2"
      }
    },
    "node_modules/@fastify/swagger-ui/node_modules/@fastify/static": {
      "version": "6.12.0",
      "resolved": "https://registry.npmjs.org/@fastify/static/-/static-6.12.0.tgz",
      "integrity": "sha512-KK1B84E6QD/FcQWxDI2aiUCwHxMJBI1KeCUzm1BwYpPY1b742+jeKruGHP2uOluuM6OkBPI8CIANrXcCRtC2oQ==",
      "license": "MIT",
      "dependencies": {
        "@fastify/accept-negotiator": "^1.0.0",
        "@fastify/send": "^2.0.0",
        "content-disposition": "^0.5.3",
        "fastify-plugin": "^4.0.0",
        "glob": "^8.0.1",
        "p-limit": "^3.1.0"
      }
    },
    "node_modules/@google-cloud/kms": {
      "version": "4.5.0",
      "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@ -6062,9 +6148,10 @@
      "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
    },
    "node_modules/@lukeed/ms": {
-      "version": "2.0.1",
+      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.2.tgz",
-      "integrity": "sha512-Xs/4RZltsAL7pkvaNStUQt7netTkyxrS0K+RILcVr3TRMS/ToOg4I6uNfhB9SlGsnWBym4U+EaXq0f0cEMNkHA==",
+      "integrity": "sha512-9I2Zn6+NJLfaGoz9jN3lpwDgAYvfGeNYdbAIjJOqzs4Tpc+VU3Jqq4IofSUBKajiDS8k9fZIg18/z13mpk1bsA==",
      "license": "MIT",
      "engines": {
        "node": ">=8"
      }
@ -13879,9 +13966,9 @@
      }
    },
    "node_modules/express": {
-      "version": "4.21.1",
+      "version": "4.21.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
-      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
+      "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
      "license": "MIT",
      "dependencies": {
        "accepts": "~1.3.8",
@ -13903,7 +13990,7 @@
        "methods": "~1.1.2",
        "on-finished": "2.4.1",
        "parseurl": "~1.3.3",
-        "path-to-regexp": "0.1.10",
+        "path-to-regexp": "0.1.12",
        "proxy-addr": "~2.0.7",
        "qs": "6.13.0",
        "range-parser": "~1.2.1",
@ -13918,6 +14005,10 @@
      },
      "engines": {
        "node": ">= 0.10.0"
      },
      "funding": {
        "type": "opencollective",
        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/express-session": {
@ -17388,15 +17479,16 @@
      }
    },
    "node_modules/nanoid": {
-      "version": "3.3.7",
+      "version": "3.3.8",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.8.tgz",
-      "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==",
+      "integrity": "sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==",
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/ai"
        }
      ],
      "license": "MIT",
      "bin": {
        "nanoid": "bin/nanoid.cjs"
      },
@ -18383,9 +18475,9 @@
      "license": "ISC"
    },
    "node_modules/path-to-regexp": {
-      "version": "0.1.10",
+      "version": "0.1.12",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
-      "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==",
+      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
      "license": "MIT"
    },
    "node_modules/path-type": {
--- a/backend/package.json
+++ b/backend/package.json
@ -134,6 +134,7 @@
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@google-cloud/kms": "^4.5.0",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -31,9 +31,12 @@ import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-ap
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TAuthLoginFactory } from "@app/services/auth/auth-login-service";
 import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
@ -77,6 +80,7 @@ import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
 import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
 import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { TSecretSyncServiceFactory } from "@app/services/secret-sync/secret-sync-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
@ -177,6 +181,8 @@ declare module "fastify" {
      auditLogStream: TAuditLogStreamServiceFactory;
      certificate: TCertificateServiceFactory;
      certificateTemplate: TCertificateTemplateServiceFactory;
      sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
      sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
      certificateAuthority: TCertificateAuthorityServiceFactory;
      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
      certificateEst: TCertificateEstServiceFactory;
@ -204,6 +210,8 @@ declare module "fastify" {
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
      projectTemplate: TProjectTemplateServiceFactory;
      totp: TTotpServiceFactory;
      appConnection: TAppConnectionServiceFactory;
      secretSync: TSecretSyncServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -218,6 +218,9 @@ import {
  TRateLimit,
  TRateLimitInsert,
  TRateLimitUpdate,
  TResourceMetadata,
  TResourceMetadataInsert,
  TResourceMetadataUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -317,6 +320,21 @@ import {
  TSlackIntegrations,
  TSlackIntegrationsInsert,
  TSlackIntegrationsUpdate,
  TSshCertificateAuthorities,
  TSshCertificateAuthoritiesInsert,
  TSshCertificateAuthoritiesUpdate,
  TSshCertificateAuthoritySecrets,
  TSshCertificateAuthoritySecretsInsert,
  TSshCertificateAuthoritySecretsUpdate,
  TSshCertificateBodies,
  TSshCertificateBodiesInsert,
  TSshCertificateBodiesUpdate,
  TSshCertificates,
  TSshCertificatesInsert,
  TSshCertificatesUpdate,
  TSshCertificateTemplates,
  TSshCertificateTemplatesInsert,
  TSshCertificateTemplatesUpdate,
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
@ -348,11 +366,13 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
 import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
 import {
  TExternalGroupOrgRoleMappings,
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
 import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@ -378,6 +398,31 @@ declare module "knex/types/tables" {
  interface Tables {
    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
    [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
      TSshCertificateAuthorities,
      TSshCertificateAuthoritiesInsert,
      TSshCertificateAuthoritiesUpdate
    >;
    [TableName.SshCertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
      TSshCertificateAuthoritySecrets,
      TSshCertificateAuthoritySecretsInsert,
      TSshCertificateAuthoritySecretsUpdate
    >;
    [TableName.SshCertificateTemplate]: KnexOriginal.CompositeTableType<
      TSshCertificateTemplates,
      TSshCertificateTemplatesInsert,
      TSshCertificateTemplatesUpdate
    >;
    [TableName.SshCertificate]: KnexOriginal.CompositeTableType<
      TSshCertificates,
      TSshCertificatesInsert,
      TSshCertificatesUpdate
    >;
    [TableName.SshCertificateBody]: KnexOriginal.CompositeTableType<
      TSshCertificateBodies,
      TSshCertificateBodiesInsert,
      TSshCertificateBodiesUpdate
    >;
    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
      TCertificateAuthorities,
      TCertificateAuthoritiesInsert,
@ -846,5 +891,16 @@ declare module "knex/types/tables" {
      TProjectSplitBackfillIdsInsert,
      TProjectSplitBackfillIdsUpdate
    >;
    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
      TResourceMetadata,
      TResourceMetadataInsert,
      TResourceMetadataUpdate
    >;
    [TableName.AppConnection]: KnexOriginal.CompositeTableType<
      TAppConnections,
      TAppConnectionsInsert,
      TAppConnectionsUpdate
    >;
    [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
  }
 }
--- a/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
+++ b/backend/src/db/migrations/20241216013357_ssh-mgmt.ts
@ -0,0 +1,99 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthority))) {
    await knex.schema.createTable(TableName.SshCertificateAuthority, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.string("projectId").notNullable();
      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.string("status").notNullable(); // active / disabled
      t.string("friendlyName").notNullable();
      t.string("keyAlgorithm").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificateAuthoritySecret))) {
    await knex.schema.createTable(TableName.SshCertificateAuthoritySecret, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCaId").notNullable().unique();
      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
      t.binary("encryptedPrivateKey").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificateTemplate))) {
    await knex.schema.createTable(TableName.SshCertificateTemplate, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCaId").notNullable();
      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
      t.string("status").notNullable(); // active / disabled
      t.string("name").notNullable();
      t.string("ttl").notNullable();
      t.string("maxTTL").notNullable();
      t.specificType("allowedUsers", "text[]").notNullable();
      t.specificType("allowedHosts", "text[]").notNullable();
      t.boolean("allowUserCertificates").notNullable();
      t.boolean("allowHostCertificates").notNullable();
      t.boolean("allowCustomKeyIds").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificate))) {
    await knex.schema.createTable(TableName.SshCertificate, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCaId").notNullable();
      t.foreign("sshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
      t.uuid("sshCertificateTemplateId");
      t.foreign("sshCertificateTemplateId")
        .references("id")
        .inTable(TableName.SshCertificateTemplate)
        .onDelete("SET NULL");
      t.string("serialNumber").notNullable().unique();
      t.string("certType").notNullable(); // user or host
      t.specificType("principals", "text[]").notNullable();
      t.string("keyId").notNullable();
      t.datetime("notBefore").notNullable();
      t.datetime("notAfter").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificate);
  }
  if (!(await knex.schema.hasTable(TableName.SshCertificateBody))) {
    await knex.schema.createTable(TableName.SshCertificateBody, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.timestamps(true, true, true);
      t.uuid("sshCertId").notNullable().unique();
      t.foreign("sshCertId").references("id").inTable(TableName.SshCertificate).onDelete("CASCADE");
      t.binary("encryptedCertificate").notNullable();
    });
    await createOnUpdateTrigger(knex, TableName.SshCertificateBody);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.SshCertificateBody);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateBody);
  await knex.schema.dropTableIfExists(TableName.SshCertificate);
  await dropOnUpdateTrigger(knex, TableName.SshCertificate);
  await knex.schema.dropTableIfExists(TableName.SshCertificateTemplate);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateTemplate);
  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthoritySecret);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthoritySecret);
  await knex.schema.dropTableIfExists(TableName.SshCertificateAuthority);
  await dropOnUpdateTrigger(knex, TableName.SshCertificateAuthority);
 }
--- a/backend/src/db/migrations/20241218165837_resource-metadata.ts
+++ b/backend/src/db/migrations/20241218165837_resource-metadata.ts
@ -0,0 +1,40 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      tb.string("key").notNullable();
      tb.string("value", 1020).notNullable();
      tb.uuid("orgId").notNullable();
      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      tb.uuid("userId");
      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
      tb.uuid("identityId");
      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
      tb.uuid("secretId");
      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
      tb.timestamps(true, true, true);
    });
  }
  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
  if (!hasSecretMetadataField) {
    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
      t.jsonb("secretMetadata");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
  if (hasSecretMetadataField) {
    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
      t.dropColumn("secretMetadata");
    });
  }
 }
--- a/backend/src/db/migrations/20241218181018_app-connection.ts
+++ b/backend/src/db/migrations/20241218181018_app-connection.ts
@ -0,0 +1,28 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.AppConnection))) {
    await knex.schema.createTable(TableName.AppConnection, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name", 32).notNullable();
      t.string("description");
      t.string("app").notNullable();
      t.string("method").notNullable();
      t.binary("encryptedCredentials").notNullable();
      t.integer("version").defaultTo(1).notNullable();
      t.uuid("orgId").notNullable();
      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      t.timestamps(true, true, true);
    });
    await createOnUpdateTrigger(knex, TableName.AppConnection);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.AppConnection);
  await dropOnUpdateTrigger(knex, TableName.AppConnection);
 }
--- a/backend/src/db/migrations/20250115222458_groups-unique-name.ts
+++ b/backend/src/db/migrations/20250115222458_groups-unique-name.ts
@ -0,0 +1,49 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  // find any duplicate group names within organizations
  const duplicates = await knex(TableName.Groups)
    .select("orgId", "name")
    .count("* as count")
    .groupBy("orgId", "name")
    .having(knex.raw("count(*) > 1"));
  // for each set of duplicates, update all but one with a numbered suffix
  for await (const duplicate of duplicates) {
    const groups = await knex(TableName.Groups)
      .select("id", "name")
      .where({
        orgId: duplicate.orgId,
        name: duplicate.name
      })
      .orderBy("createdAt", "asc"); // keep original name for oldest group
    // skip the first (oldest) group, rename others with numbered suffix
    for (let i = 1; i < groups.length; i += 1) {
      // eslint-disable-next-line no-await-in-loop
      await knex(TableName.Groups)
        .where("id", groups[i].id)
        .update({
          name: `${groups[i].name} (${i})`,
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore TS doesn't know about Knex's timestamp types
          updatedAt: new Date()
        });
    }
  }
  // add the unique constraint
  await knex.schema.alterTable(TableName.Groups, (t) => {
    t.unique(["orgId", "name"]);
  });
 }
 export async function down(knex: Knex): Promise<void> {
  // Remove the unique constraint
  await knex.schema.alterTable(TableName.Groups, (t) => {
    t.dropUnique(["orgId", "name"]);
  });
 }
--- a/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
+++ b/backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts
@ -0,0 +1,33 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
  await knex.schema.alterTable(TableName.Project, (t) => {
    if (!hasEnforceCapitalizationCol) {
      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
    }
    if (hasAutoCapitalizationCol) {
      t.boolean("autoCapitalization").defaultTo(false).alter();
    }
  });
 }
 export async function down(knex: Knex): Promise<void> {
  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
  await knex.schema.alterTable(TableName.Project, (t) => {
    if (hasEnforceCapitalizationCol) {
      t.dropColumn("enforceCapitalization");
    }
    if (hasAutoCapitalizationCol) {
      t.boolean("autoCapitalization").defaultTo(true).alter();
    }
  });
 }
--- a/backend/src/db/migrations/20250122055102_secret-sync.ts
+++ b/backend/src/db/migrations/20250122055102_secret-sync.ts
@ -0,0 +1,50 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.SecretSync))) {
    await knex.schema.createTable(TableName.SecretSync, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("name", 32).notNullable();
      t.string("description");
      t.string("destination").notNullable();
      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
      t.integer("version").defaultTo(1).notNullable();
      t.jsonb("destinationConfig").notNullable();
      t.jsonb("syncOptions").notNullable();
      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
      // is deleted), to preserve sync configuration
      t.string("projectId").notNullable();
      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      t.uuid("folderId");
      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
      t.uuid("connectionId").notNullable();
      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
      t.timestamps(true, true, true);
      // sync secrets to destination
      t.string("syncStatus");
      t.string("lastSyncJobId");
      t.string("lastSyncMessage");
      t.datetime("lastSyncedAt");
      // import secrets from destination
      t.string("importStatus");
      t.string("lastImportJobId");
      t.string("lastImportMessage");
      t.datetime("lastImportedAt");
      // remove secrets from destination
      t.string("removeStatus");
      t.string("lastRemoveJobId");
      t.string("lastRemoveMessage");
      t.datetime("lastRemovedAt");
    });
    await createOnUpdateTrigger(knex, TableName.SecretSync);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.SecretSync);
  await dropOnUpdateTrigger(knex, TableName.SecretSync);
 }
--- a/backend/src/db/schemas/app-connections.ts
+++ b/backend/src/db/schemas/app-connections.ts
@ -0,0 +1,27 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const AppConnectionsSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  description: z.string().nullable().optional(),
  app: z.string(),
  method: z.string(),
  encryptedCredentials: zodBuffer,
  version: z.number().default(1),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;
 export type TAppConnectionsInsert = Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>;
 export type TAppConnectionsUpdate = Partial<Omit<z.input<typeof AppConnectionsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -71,6 +71,7 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
 export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
@ -107,6 +108,11 @@ export * from "./secrets";
 export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./slack-integrations";
 export * from "./ssh-certificate-authorities";
 export * from "./ssh-certificate-authority-secrets";
 export * from "./ssh-certificate-bodies";
 export * from "./ssh-certificate-templates";
 export * from "./ssh-certificates";
 export * from "./super-admin";
 export * from "./totp-configs";
 export * from "./trusted-ips";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -2,6 +2,11 @@ import { z } from "zod";
 export enum TableName {
  Users = "users",
  SshCertificateAuthority = "ssh_certificate_authorities",
  SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
  SshCertificateTemplate = "ssh_certificate_templates",
  SshCertificate = "ssh_certificates",
  SshCertificateBody = "ssh_certificate_bodies",
  CertificateAuthority = "certificate_authorities",
  CertificateTemplateEstConfig = "certificate_template_est_configs",
  CertificateAuthorityCert = "certificate_authority_certs",
@ -75,6 +80,7 @@ export enum TableName {
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
  ResourceMetadata = "resource_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@ -124,7 +130,9 @@ export enum TableName {
  KmsKeyVersion = "kms_key_versions",
  WorkflowIntegrations = "workflow_integrations",
  SlackIntegrations = "slack_integrations",
-  ProjectSlackConfigs = "project_slack_configs"
+  ProjectSlackConfigs = "project_slack_configs",
  AppConnection = "app_connections",
  SecretSync = "secret_syncs"
 }
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@ -205,5 +213,15 @@ export enum IdentityAuthMethod {
 export enum ProjectType {
  SecretManager = "secret-manager",
  CertificateManager = "cert-manager",
-  KMS = "kms"
+  KMS = "kms",
  SSH = "ssh"
 }
 export enum ActionProjectType {
  SecretManager = ProjectType.SecretManager,
  CertificateManager = ProjectType.CertificateManager,
  KMS = ProjectType.KMS,
  SSH = ProjectType.SSH,
  // project operations that happen on all types
  Any = "any"
 }
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
  id: z.string(),
  name: z.string(),
  slug: z.string(),
-  autoCapitalization: z.boolean().default(true).nullable().optional(),
+  autoCapitalization: z.boolean().default(false).nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
@ -25,7 +25,8 @@ export const ProjectsSchema = z.object({
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
-  type: z.string()
+  type: z.string(),
  enforceCapitalization: z.boolean().default(false)
 });
 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/db/schemas/resource-metadata.ts
+++ b/backend/src/db/schemas/resource-metadata.ts
@ -0,0 +1,24 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const ResourceMetadataSchema = z.object({
  id: z.string().uuid(),
  key: z.string(),
  value: z.string(),
  orgId: z.string().uuid(),
  userId: z.string().uuid().nullable().optional(),
  identityId: z.string().uuid().nullable().optional(),
  secretId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
 export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
 export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
+++ b/backend/src/db/schemas/secret-approval-requests-secrets-v2.ts
@ -24,7 +24,8 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
  requestId: z.string().uuid(),
  op: z.string(),
  secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional(),
  secretMetadata: z.unknown().nullable().optional()
 });
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;
--- a/backend/src/db/schemas/secret-syncs.ts
+++ b/backend/src/db/schemas/secret-syncs.ts
@ -0,0 +1,40 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SecretSyncsSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  description: z.string().nullable().optional(),
  destination: z.string(),
  isAutoSyncEnabled: z.boolean().default(true),
  version: z.number().default(1),
  destinationConfig: z.unknown(),
  syncOptions: z.unknown(),
  projectId: z.string(),
  folderId: z.string().uuid().nullable().optional(),
  connectionId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  syncStatus: z.string().nullable().optional(),
  lastSyncJobId: z.string().nullable().optional(),
  lastSyncMessage: z.string().nullable().optional(),
  lastSyncedAt: z.date().nullable().optional(),
  importStatus: z.string().nullable().optional(),
  lastImportJobId: z.string().nullable().optional(),
  lastImportMessage: z.string().nullable().optional(),
  lastImportedAt: z.date().nullable().optional(),
  removeStatus: z.string().nullable().optional(),
  lastRemoveJobId: z.string().nullable().optional(),
  lastRemoveMessage: z.string().nullable().optional(),
  lastRemovedAt: z.date().nullable().optional()
 });
 export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;
 export type TSecretSyncsInsert = Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>;
 export type TSecretSyncsUpdate = Partial<Omit<z.input<typeof SecretSyncsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-certificate-authorities.ts
+++ b/backend/src/db/schemas/ssh-certificate-authorities.ts
@ -0,0 +1,24 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateAuthoritiesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  projectId: z.string(),
  status: z.string(),
  friendlyName: z.string(),
  keyAlgorithm: z.string()
 });
 export type TSshCertificateAuthorities = z.infer<typeof SshCertificateAuthoritiesSchema>;
 export type TSshCertificateAuthoritiesInsert = Omit<z.input<typeof SshCertificateAuthoritiesSchema>, TImmutableDBKeys>;
 export type TSshCertificateAuthoritiesUpdate = Partial<
  Omit<z.input<typeof SshCertificateAuthoritiesSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/ssh-certificate-authority-secrets.ts
+++ b/backend/src/db/schemas/ssh-certificate-authority-secrets.ts
@ -0,0 +1,27 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateAuthoritySecretsSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCaId: z.string().uuid(),
  encryptedPrivateKey: zodBuffer
 });
 export type TSshCertificateAuthoritySecrets = z.infer<typeof SshCertificateAuthoritySecretsSchema>;
 export type TSshCertificateAuthoritySecretsInsert = Omit<
  z.input<typeof SshCertificateAuthoritySecretsSchema>,
  TImmutableDBKeys
 >;
 export type TSshCertificateAuthoritySecretsUpdate = Partial<
  Omit<z.input<typeof SshCertificateAuthoritySecretsSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/ssh-certificate-bodies.ts
+++ b/backend/src/db/schemas/ssh-certificate-bodies.ts
@ -0,0 +1,22 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateBodiesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCertId: z.string().uuid(),
  encryptedCertificate: zodBuffer
 });
 export type TSshCertificateBodies = z.infer<typeof SshCertificateBodiesSchema>;
 export type TSshCertificateBodiesInsert = Omit<z.input<typeof SshCertificateBodiesSchema>, TImmutableDBKeys>;
 export type TSshCertificateBodiesUpdate = Partial<Omit<z.input<typeof SshCertificateBodiesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/ssh-certificate-templates.ts
+++ b/backend/src/db/schemas/ssh-certificate-templates.ts
@ -0,0 +1,30 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificateTemplatesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCaId: z.string().uuid(),
  status: z.string(),
  name: z.string(),
  ttl: z.string(),
  maxTTL: z.string(),
  allowedUsers: z.string().array(),
  allowedHosts: z.string().array(),
  allowUserCertificates: z.boolean(),
  allowHostCertificates: z.boolean(),
  allowCustomKeyIds: z.boolean()
 });
 export type TSshCertificateTemplates = z.infer<typeof SshCertificateTemplatesSchema>;
 export type TSshCertificateTemplatesInsert = Omit<z.input<typeof SshCertificateTemplatesSchema>, TImmutableDBKeys>;
 export type TSshCertificateTemplatesUpdate = Partial<
  Omit<z.input<typeof SshCertificateTemplatesSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/ssh-certificates.ts
+++ b/backend/src/db/schemas/ssh-certificates.ts
@ -0,0 +1,26 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const SshCertificatesSchema = z.object({
  id: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
  sshCaId: z.string().uuid(),
  sshCertificateTemplateId: z.string().uuid().nullable().optional(),
  serialNumber: z.string(),
  certType: z.string(),
  principals: z.string().array(),
  keyId: z.string(),
  notBefore: z.date(),
  notAfter: z.date()
 });
 export type TSshCertificates = z.infer<typeof SshCertificatesSchema>;
 export type TSshCertificatesInsert = Omit<z.input<typeof SshCertificatesSchema>, TImmutableDBKeys>;
 export type TSshCertificatesUpdate = Partial<Omit<z.input<typeof SshCertificatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -22,9 +22,13 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
 import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
 import { registerSshCaRouter } from "./ssh-certificate-authority-router";
 import { registerSshCertRouter } from "./ssh-certificate-router";
 import { registerSshCertificateTemplateRouter } from "./ssh-certificate-template-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
 import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";
@ -68,6 +72,15 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
    { prefix: "/pki" }
  );
  await server.register(
    async (sshRouter) => {
      await sshRouter.register(registerSshCaRouter, { prefix: "/ca" });
      await sshRouter.register(registerSshCertRouter, { prefix: "/certificates" });
      await sshRouter.register(registerSshCertificateTemplateRouter, { prefix: "/certificate-templates" });
    },
    { prefix: "/ssh" }
  );
  await server.register(
    async (ssoRouter) => {
      await ssoRouter.register(registerSamlRouter);
@ -80,6 +93,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
  await server.register(registerLdapRouter, { prefix: "/ldap" });
  await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
  await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
  await server.register(registerSecretRouter, { prefix: "/secrets" });
  await server.register(registerSecretVersionRouter, { prefix: "/secret" });
  await server.register(registerGroupRouter, { prefix: "/groups" });
  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
--- a/backend/src/ee/routes/v1/org-role-router.ts
+++ b/backend/src/ee/routes/v1/org-role-router.ts
@ -23,7 +23,8 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          "Please choose a different slug, the slug you have entered is reserved"
        ),
        name: z.string().trim(),
-        description: z.string().trim().optional(),
+        description: z.string().trim().nullish(),
        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
        permissions: z.any().array()
      }),
      response: {
@ -95,7 +96,8 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
          )
          .optional(),
        name: z.string().trim().optional(),
-        description: z.string().trim().optional(),
+        description: z.string().trim().nullish(),
        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
        permissions: z.any().array().optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@ -39,7 +39,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          )
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
@ -95,7 +95,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .describe(PROJECT_ROLE.UPDATE.slug)
          .optional(),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
        permissions: ProjectPermissionV1Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -84,7 +84,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                samlConfig.audience = `spn:${ssoConfig.issuer}`;
              }
            }
-            if (ssoConfig.authProvider === SamlProviders.GOOGLE_SAML) {
+            if (
              ssoConfig.authProvider === SamlProviders.GOOGLE_SAML ||
              ssoConfig.authProvider === SamlProviders.AUTH0_SAML
            ) {
              samlConfig.wantAssertionsSigned = false;
            }
@ -123,7 +126,10 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
              `email: ${email} firstName: ${profile.firstName as string}`
            );
-            throw new Error("Invalid saml request. Missing email or first name");
+            throw new BadRequestError({
              message:
                "Missing email or first name. Please double check your SAML attribute mapping for the selected provider."
            });
          }
          const userMetadata = Object.keys(profile.attributes || {})
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -12,6 +12,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
  UsersSchema.pick({
@ -274,6 +275,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                .extend({
                  op: z.string(),
                  tags: tagSchema,
                  secretMetadata: ResourceMetadataSchema.nullish(),
                  secret: z
                    .object({
                      id: z.string(),
@ -291,7 +293,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                      secretKey: z.string(),
                      secretValue: z.string().optional(),
                      secretComment: z.string().optional(),
-                      tags: tagSchema
+                      tags: tagSchema,
                      secretMetadata: ResourceMetadataSchema.nullish()
                    })
                    .optional()
                })
--- a/backend/src/ee/routes/v1/secret-router.ts
+++ b/backend/src/ee/routes/v1/secret-router.ts
@ -0,0 +1,71 @@
 import z from "zod";
 import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
 import { RAW_SECRETS } from "@app/lib/api-docs";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 const AccessListEntrySchema = z
  .object({
    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
    id: z.string(),
    membershipId: z.string(),
    name: z.string()
  })
  .array();
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:secretName/access-list",
    config: {
      rateLimit: readLimit
    },
    schema: {
      description: "Get list of users, machine identities, and groups with access to a secret",
      security: [
        {
          bearerAuth: []
        }
      ],
      params: z.object({
        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
      }),
      querystring: z.object({
        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
        secretPath: z
          .string()
          .trim()
          .default("/")
          .transform(removeTrailingSlash)
          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
      }),
      response: {
        200: z.object({
          groups: AccessListEntrySchema,
          identities: AccessListEntrySchema,
          users: AccessListEntrySchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { secretName } = req.params;
      const { secretPath, environment, workspaceId: projectId } = req.query;
      return server.services.secret.getSecretAccessList({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        secretPath,
        environment,
        projectId,
        secretName
      });
    }
  });
 };
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@ -1,9 +1,13 @@
 import { z } from "zod";
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import {
  SecretScanningResolvedStatus,
  SecretScanningRiskStatus
 } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -97,6 +101,45 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    }
  });
  server.route({
    url: "/organization/:organizationId/risks/export",
    method: "GET",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({
        repositoryNames: z
          .string()
          .optional()
          .nullable()
          .transform((val) => (val ? val.split(",") : undefined)),
        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
      }),
      response: {
        200: z.object({
          risks: SecretScanningGitRisksSchema.array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const risks = await server.services.secretScanning.getAllRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        orgId: req.params.organizationId,
        filter: {
          repositoryNames: req.query.repositoryNames,
          resolvedStatus: req.query.resolvedStatus
        }
      });
      return { risks };
    }
  });
  server.route({
    url: "/organization/:organizationId/risks",
    method: "GET",
@ -105,20 +148,46 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    schema: {
      params: z.object({ organizationId: z.string().trim() }),
      querystring: z.object({
        offset: z.coerce.number().min(0).default(0),
        limit: z.coerce.number().min(1).max(20000).default(100),
        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
        repositoryNames: z
          .string()
          .optional()
          .nullable()
          .transform((val) => (val ? val.split(",") : undefined)),
        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
      }),
      response: {
-        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
+        200: z.object({
          risks: SecretScanningGitRisksSchema.array(),
          totalCount: z.number(),
          repos: z.array(z.string())
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { risks } = await server.services.secretScanning.getRisksByOrg({
+      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId
+        orgId: req.params.organizationId,
        filter: {
          limit: req.query.limit,
          offset: req.query.offset,
          orderBy: req.query.orderBy,
          orderDirection: req.query.orderDirection,
          repositoryNames: req.query.repositoryNames,
          resolvedStatus: req.query.resolvedStatus
        }
      });
-      return { risks };
+      return { risks, totalCount, repos };
    }
  });
--- a/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-authority-router.ts
@ -0,0 +1,279 @@
 import { z } from "zod";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-schema";
 import { SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 export const registerSshCaRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Create SSH CA",
      body: z.object({
        projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
        friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
        keyAlgorithm: z
          .nativeEnum(CertKeyAlgorithm)
          .default(CertKeyAlgorithm.RSA_2048)
          .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm)
      }),
      response: {
        200: z.object({
          ca: sanitizedSshCa.extend({
            publicKey: z.string()
          })
        })
      }
    },
    handler: async (req) => {
      const ca = await server.services.sshCertificateAuthority.createSshCa({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.CREATE_SSH_CA,
          metadata: {
            sshCaId: ca.id,
            friendlyName: ca.friendlyName
          }
        }
      });
      return {
        ca
      };
    }
  });
  server.route({
    method: "GET",
    url: "/:sshCaId",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Get SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET.sshCaId)
      }),
      response: {
        200: z.object({
          ca: sanitizedSshCa.extend({
            publicKey: z.string()
          })
        })
      }
    },
    handler: async (req) => {
      const ca = await server.services.sshCertificateAuthority.getSshCaById({
        caId: req.params.sshCaId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.GET_SSH_CA,
          metadata: {
            sshCaId: ca.id,
            friendlyName: ca.friendlyName
          }
        }
      });
      return {
        ca
      };
    }
  });
  server.route({
    method: "GET",
    url: "/:sshCaId/public-key",
    config: {
      rateLimit: readLimit
    },
    schema: {
      description: "Get public key of SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_PUBLIC_KEY.sshCaId)
      }),
      response: {
        200: z.string()
      }
    },
    handler: async (req) => {
      const publicKey = await server.services.sshCertificateAuthority.getSshCaPublicKey({
        caId: req.params.sshCaId
      });
      return publicKey;
    }
  });
  server.route({
    method: "PATCH",
    url: "/:sshCaId",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Update SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.sshCaId)
      }),
      body: z.object({
        friendlyName: z.string().optional().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.friendlyName),
        status: z.nativeEnum(SshCaStatus).optional().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.status)
      }),
      response: {
        200: z.object({
          ca: sanitizedSshCa.extend({
            publicKey: z.string()
          })
        })
      }
    },
    handler: async (req) => {
      const ca = await server.services.sshCertificateAuthority.updateSshCaById({
        caId: req.params.sshCaId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.UPDATE_SSH_CA,
          metadata: {
            sshCaId: ca.id,
            friendlyName: ca.friendlyName,
            status: ca.status as SshCaStatus
          }
        }
      });
      return {
        ca
      };
    }
  });
  server.route({
    method: "DELETE",
    url: "/:sshCaId",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Delete SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.DELETE.sshCaId)
      }),
      response: {
        200: z.object({
          ca: sanitizedSshCa
        })
      }
    },
    handler: async (req) => {
      const ca = await server.services.sshCertificateAuthority.deleteSshCaById({
        caId: req.params.sshCaId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.DELETE_SSH_CA,
          metadata: {
            sshCaId: ca.id,
            friendlyName: ca.friendlyName
          }
        }
      });
      return {
        ca
      };
    }
  });
  server.route({
    method: "GET",
    url: "/:sshCaId/certificate-templates",
    config: {
      rateLimit: readLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Get list of certificate templates for the SSH CA",
      params: z.object({
        sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_CERTIFICATE_TEMPLATES.sshCaId)
      }),
      response: {
        200: z.object({
          certificateTemplates: sanitizedSshCertificateTemplate.array()
        })
      }
    },
    handler: async (req) => {
      const { certificateTemplates, ca } = await server.services.sshCertificateAuthority.getSshCaCertificateTemplates({
        caId: req.params.sshCaId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.GET_SSH_CA_CERTIFICATE_TEMPLATES,
          metadata: {
            sshCaId: ca.id,
            friendlyName: ca.friendlyName
          }
        }
      });
      return {
        certificateTemplates
      };
    }
  });
 };
--- a/backend/src/ee/routes/v1/ssh-certificate-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-router.ts
@ -0,0 +1,164 @@
 import ms from "ms";
 import { z } from "zod";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 export const registerSshCertRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "POST",
    url: "/sign",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Sign SSH public key",
      body: z.object({
        certificateTemplateId: z
          .string()
          .trim()
          .min(1)
          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.certificateTemplateId),
        publicKey: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.publicKey),
        certType: z
          .nativeEnum(SshCertType)
          .default(SshCertType.USER)
          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.certType),
        principals: z
          .array(z.string().transform((val) => val.trim()))
          .nonempty("Principals array must not be empty")
          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.principals),
        ttl: z
          .string()
          .refine((val) => ms(val) > 0, "TTL must be a positive number")
          .optional()
          .describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.ttl),
        keyId: z.string().trim().max(50).optional().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.keyId)
      }),
      response: {
        200: z.object({
          serialNumber: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.serialNumber),
          signedKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.SIGN_SSH_KEY.signedKey)
        })
      }
    },
    handler: async (req) => {
      const { serialNumber, signedPublicKey, certificateTemplate, ttl, keyId } =
        await server.services.sshCertificateAuthority.signSshKey({
          actor: req.permission.type,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          ...req.body
        });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.SIGN_SSH_KEY,
          metadata: {
            certificateTemplateId: certificateTemplate.id,
            certType: req.body.certType,
            principals: req.body.principals,
            ttl: String(ttl),
            keyId
          }
        }
      });
      return {
        serialNumber,
        signedKey: signedPublicKey
      };
    }
  });
  server.route({
    method: "POST",
    url: "/issue",
    config: {
      rateLimit: writeLimit
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
      description: "Issue SSH credentials (certificate + key)",
      body: z.object({
        certificateTemplateId: z
          .string()
          .trim()
          .min(1)
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certificateTemplateId),
        keyAlgorithm: z
          .nativeEnum(CertKeyAlgorithm)
          .default(CertKeyAlgorithm.RSA_2048)
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm),
        certType: z
          .nativeEnum(SshCertType)
          .default(SshCertType.USER)
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certType),
        principals: z
          .array(z.string().transform((val) => val.trim()))
          .nonempty("Principals array must not be empty")
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.principals),
        ttl: z
          .string()
          .refine((val) => ms(val) > 0, "TTL must be a positive number")
          .optional()
          .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.ttl),
        keyId: z.string().trim().max(50).optional().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyId)
      }),
      response: {
        200: z.object({
          serialNumber: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.serialNumber),
          signedKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.signedKey),
          privateKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.privateKey),
          publicKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.publicKey),
          keyAlgorithm: z
            .nativeEnum(CertKeyAlgorithm)
            .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
        })
      }
    },
    handler: async (req) => {
      const { serialNumber, signedPublicKey, privateKey, publicKey, certificateTemplate, ttl, keyId } =
        await server.services.sshCertificateAuthority.issueSshCreds({
          actor: req.permission.type,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actorOrgId: req.permission.orgId,
          ...req.body
        });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        orgId: req.permission.orgId,
        event: {
          type: EventType.ISSUE_SSH_CREDS,
          metadata: {
            certificateTemplateId: certificateTemplate.id,
            keyAlgorithm: req.body.keyAlgorithm,
            certType: req.body.certType,
            principals: req.body.principals,
            ttl: String(ttl),
            keyId
          }
        }
      });
      return {
        serialNumber,
        signedKey: signedPublicKey,
        privateKey,
        publicKey,
        keyAlgorithm: req.body.keyAlgorithm
      };
    }
  });
 };
--- a/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-template-router.ts
@ -0,0 +1,258 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
 import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
 import {
  isValidHostPattern,
  isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
 import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 export const registerSshCertificateTemplateRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
    url: "/:certificateTemplateId",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
      }),
      response: {
        200: sanitizedSshCertificateTemplate
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const certificateTemplate = await server.services.sshCertificateTemplate.getSshCertTemplate({
        id: req.params.certificateTemplateId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: certificateTemplate.projectId,
        event: {
          type: EventType.GET_SSH_CERTIFICATE_TEMPLATE,
          metadata: {
            certificateTemplateId: certificateTemplate.id
          }
        }
      });
      return certificateTemplate;
    }
  });
  server.route({
    method: "POST",
    url: "/",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z
        .object({
          sshCaId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.sshCaId),
          name: z
            .string()
            .min(1)
            .max(36)
            .refine((v) => slugify(v) === v, {
              message: "Name must be a valid slug"
            })
            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.name),
          ttl: z
            .string()
            .refine((val) => ms(val) > 0, "TTL must be a positive number")
            .default("1h")
            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.ttl),
          maxTTL: z
            .string()
            .refine((val) => ms(val) > 0, "Max TTL must be a positive number")
            .default("30d")
            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.maxTTL),
          allowedUsers: z
            .array(z.string().refine(isValidUserPattern, "Invalid user pattern"))
            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowedUsers),
          allowedHosts: z
            .array(z.string().refine(isValidHostPattern, "Invalid host pattern"))
            .describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowedHosts),
          allowUserCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowUserCertificates),
          allowHostCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowHostCertificates),
          allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
        })
        .refine((data) => ms(data.maxTTL) > ms(data.ttl), {
          message: "Max TLL must be greater than TTL",
          path: ["maxTTL"]
        }),
      response: {
        200: sanitizedSshCertificateTemplate
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { certificateTemplate, ca } = await server.services.sshCertificateTemplate.createSshCertTemplate({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        ...req.body
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: ca.projectId,
        event: {
          type: EventType.CREATE_SSH_CERTIFICATE_TEMPLATE,
          metadata: {
            certificateTemplateId: certificateTemplate.id,
            sshCaId: ca.id,
            name: certificateTemplate.name,
            ttl: certificateTemplate.ttl,
            maxTTL: certificateTemplate.maxTTL,
            allowedUsers: certificateTemplate.allowedUsers,
            allowedHosts: certificateTemplate.allowedHosts,
            allowUserCertificates: certificateTemplate.allowUserCertificates,
            allowHostCertificates: certificateTemplate.allowHostCertificates,
            allowCustomKeyIds: certificateTemplate.allowCustomKeyIds
          }
        }
      });
      return certificateTemplate;
    }
  });
  server.route({
    method: "PATCH",
    url: "/:certificateTemplateId",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      body: z.object({
        status: z.nativeEnum(SshCertTemplateStatus).optional(),
        name: z
          .string()
          .min(1)
          .max(36)
          .refine((v) => slugify(v) === v, {
            message: "Slug must be a valid slug"
          })
          .optional()
          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.name),
        ttl: z
          .string()
          .refine((val) => ms(val) > 0, "TTL must be a positive number")
          .optional()
          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.ttl),
        maxTTL: z
          .string()
          .refine((val) => ms(val) > 0, "Max TTL must be a positive number")
          .optional()
          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.maxTTL),
        allowedUsers: z
          .array(z.string().refine(isValidUserPattern, "Invalid user pattern"))
          .optional()
          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowedUsers),
        allowedHosts: z
          .array(z.string().refine(isValidHostPattern, "Invalid host pattern"))
          .optional()
          .describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowedHosts),
        allowUserCertificates: z.boolean().optional().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowUserCertificates),
        allowHostCertificates: z.boolean().optional().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowHostCertificates),
        allowCustomKeyIds: z.boolean().optional().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.allowCustomKeyIds)
      }),
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.UPDATE.certificateTemplateId)
      }),
      response: {
        200: sanitizedSshCertificateTemplate
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const { certificateTemplate, projectId } = await server.services.sshCertificateTemplate.updateSshCertTemplate({
        ...req.body,
        id: req.params.certificateTemplateId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId,
        event: {
          type: EventType.UPDATE_SSH_CERTIFICATE_TEMPLATE,
          metadata: {
            status: certificateTemplate.status as SshCertTemplateStatus,
            certificateTemplateId: certificateTemplate.id,
            sshCaId: certificateTemplate.sshCaId,
            name: certificateTemplate.name,
            ttl: certificateTemplate.ttl,
            maxTTL: certificateTemplate.maxTTL,
            allowedUsers: certificateTemplate.allowedUsers,
            allowedHosts: certificateTemplate.allowedHosts,
            allowUserCertificates: certificateTemplate.allowUserCertificates,
            allowHostCertificates: certificateTemplate.allowHostCertificates,
            allowCustomKeyIds: certificateTemplate.allowCustomKeyIds
          }
        }
      });
      return certificateTemplate;
    }
  });
  server.route({
    method: "DELETE",
    url: "/:certificateTemplateId",
    config: {
      rateLimit: writeLimit
    },
    schema: {
      params: z.object({
        certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
      }),
      response: {
        200: sanitizedSshCertificateTemplate
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const certificateTemplate = await server.services.sshCertificateTemplate.deleteSshCertTemplate({
        id: req.params.certificateTemplateId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId
      });
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: certificateTemplate.projectId,
        event: {
          type: EventType.DELETE_SSH_CERTIFICATE_TEMPLATE,
          metadata: {
            certificateTemplateId: certificateTemplate.id
          }
        }
      });
      return certificateTemplate;
    }
  });
 };
--- a/backend/src/ee/routes/v2/project-role-router.ts
+++ b/backend/src/ee/routes/v2/project-role-router.ts
@ -36,7 +36,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          )
          .describe(PROJECT_ROLE.CREATE.slug),
        name: z.string().min(1).trim().describe(PROJECT_ROLE.CREATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.CREATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.CREATE.description),
        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.CREATE.permissions)
      }),
      response: {
@ -91,7 +91,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
          .optional()
          .describe(PROJECT_ROLE.UPDATE.slug),
        name: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.name),
-        description: z.string().trim().optional().describe(PROJECT_ROLE.UPDATE.description),
+        description: z.string().trim().nullish().describe(PROJECT_ROLE.UPDATE.description),
        permissions: ProjectPermissionV2Schema.array().describe(PROJECT_ROLE.UPDATE.permissions).optional()
      }),
      response: {
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@ -87,14 +87,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -193,7 +193,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: project.id,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
    return accessApprovalPolicies;
@ -237,14 +244,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!accessApprovalPolicy) {
      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      accessApprovalPolicy.projectId,
+      projectId: accessApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@ -321,14 +328,14 @@ export const accessApprovalPolicyServiceFactory = ({
    const policy = await accessApprovalPolicyDAL.findById(policyId);
    if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      policy.projectId,
+      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
@ -372,13 +379,14 @@ export const accessApprovalPolicyServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -411,13 +419,14 @@ export const accessApprovalPolicyServiceFactory = ({
      });
    }
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      policy.projectId,
+      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
-import { ProjectMembershipRole } from "@app/db/schemas";
+import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -100,13 +100,14 @@ export const accessApprovalRequestServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -213,7 +214,7 @@ export const accessApprovalRequestServiceFactory = ({
      );
      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/project/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
      await triggerSlackNotification({
        projectId: project.id,
@ -273,13 +274,14 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
@ -318,13 +320,14 @@ export const accessApprovalRequestServiceFactory = ({
      });
    }
-    const { membership, hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      accessApprovalRequest.projectId,
+      projectId: accessApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -422,13 +425,14 @@ export const accessApprovalRequestServiceFactory = ({
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
-    const { membership } = await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      project.id,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
        }
      )
      .catch((err) => {
-        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
+        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
      });
    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
    const logStream = await auditLogStreamDAL.create({
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -100,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
      // Filter by date range
      if (startDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
      }
      if (endDate) {
-        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
+        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
      }
      // we timeout long running queries to prevent DB resource issues (2 minutes)
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
@ -26,13 +27,14 @@ export const auditLogServiceFactory = ({
  const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
    // Filter logs for specific project
    if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
-        filter.projectId,
+        projectId: filter.projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
-      );
+        actionProjectType: ActionProjectType.Any
      });
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
      // Organization-wide logs
@ -79,7 +81,8 @@ export const auditLogServiceFactory = ({
    }
    // add all cases in which project id or org id cannot be added
    if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
-      if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
+      if (!data.projectId && !data.orgId)
        throw new BadRequestError({ message: "Must specify either project id or org id" });
    }
    return auditLogQueue.pushToLog(data);
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -2,12 +2,24 @@ import {
  TCreateProjectTemplateDTO,
  TUpdateProjectTemplateDTO
 } from "@app/ee/services/project-template/project-template-types";
 import { SshCaStatus, SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
 import { SshCertTemplateStatus } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-types";
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
 import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
 import {
  TCreateSecretSyncDTO,
  TDeleteSecretSyncDTO,
  TSecretSyncRaw,
  TUpdateSecretSyncDTO
 } from "@app/services/secret-sync/secret-sync-types";
 export type TListProjectAuditLogDTO = {
  filter: {
@ -26,7 +38,7 @@ export type TListProjectAuditLogDTO = {
 export type TCreateAuditLogDTO = {
  event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
  orgId?: string;
  projectId?: string;
 } & BaseAuthData;
@ -143,6 +155,17 @@ export enum EventType {
  SECRET_APPROVAL_REQUEST = "secret-approval-request",
  SECRET_APPROVAL_CLOSED = "secret-approval-closed",
  SECRET_APPROVAL_REOPENED = "secret-approval-reopened",
  SIGN_SSH_KEY = "sign-ssh-key",
  ISSUE_SSH_CREDS = "issue-ssh-creds",
  CREATE_SSH_CA = "create-ssh-certificate-authority",
  GET_SSH_CA = "get-ssh-certificate-authority",
  UPDATE_SSH_CA = "update-ssh-certificate-authority",
  DELETE_SSH_CA = "delete-ssh-certificate-authority",
  GET_SSH_CA_CERTIFICATE_TEMPLATES = "get-ssh-certificate-authority-certificate-templates",
  CREATE_SSH_CERTIFICATE_TEMPLATE = "create-ssh-certificate-template",
  UPDATE_SSH_CERTIFICATE_TEMPLATE = "update-ssh-certificate-template",
  DELETE_SSH_CERTIFICATE_TEMPLATE = "delete-ssh-certificate-template",
  GET_SSH_CERTIFICATE_TEMPLATE = "get-ssh-certificate-template",
  CREATE_CA = "create-certificate-authority",
  GET_CA = "get-certificate-authority",
  UPDATE_CA = "update-certificate-authority",
@ -208,7 +231,24 @@ export enum EventType {
  CREATE_PROJECT_TEMPLATE = "create-project-template",
  UPDATE_PROJECT_TEMPLATE = "update-project-template",
  DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template"
+  APPLY_PROJECT_TEMPLATE = "apply-project-template",
  GET_APP_CONNECTIONS = "get-app-connections",
  GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
  GET_APP_CONNECTION = "get-app-connection",
  CREATE_APP_CONNECTION = "create-app-connection",
  UPDATE_APP_CONNECTION = "update-app-connection",
  DELETE_APP_CONNECTION = "delete-app-connection",
  CREATE_SHARED_SECRET = "create-shared-secret",
  DELETE_SHARED_SECRET = "delete-shared-secret",
  READ_SHARED_SECRET = "read-shared-secret",
  GET_SECRET_SYNCS = "get-secret-syncs",
  GET_SECRET_SYNC = "get-secret-sync",
  CREATE_SECRET_SYNC = "create-secret-sync",
  UPDATE_SECRET_SYNC = "update-secret-sync",
  DELETE_SECRET_SYNC = "delete-secret-sync",
  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets"
 }
 interface UserActorMetadata {
@ -231,6 +271,8 @@ interface ScimClientActorMetadata {}
 interface PlatformActorMetadata {}
 interface UnknownUserActorMetadata {}
 export interface UserActor {
  type: ActorType.USER;
  metadata: UserActorMetadata;
@ -246,6 +288,11 @@ export interface PlatformActor {
  metadata: PlatformActorMetadata;
 }
 export interface UnknownUserActor {
  type: ActorType.UNKNOWN_USER;
  metadata: UnknownUserActorMetadata;
 }
 export interface IdentityActor {
  type: ActorType.IDENTITY;
  metadata: IdentityActorMetadata;
@ -1206,6 +1253,117 @@ interface SecretApprovalRequest {
  };
 }
 interface SignSshKey {
  type: EventType.SIGN_SSH_KEY;
  metadata: {
    certificateTemplateId: string;
    certType: SshCertType;
    principals: string[];
    ttl: string;
    keyId: string;
  };
 }
 interface IssueSshCreds {
  type: EventType.ISSUE_SSH_CREDS;
  metadata: {
    certificateTemplateId: string;
    keyAlgorithm: CertKeyAlgorithm;
    certType: SshCertType;
    principals: string[];
    ttl: string;
    keyId: string;
  };
 }
 interface CreateSshCa {
  type: EventType.CREATE_SSH_CA;
  metadata: {
    sshCaId: string;
    friendlyName: string;
  };
 }
 interface GetSshCa {
  type: EventType.GET_SSH_CA;
  metadata: {
    sshCaId: string;
    friendlyName: string;
  };
 }
 interface UpdateSshCa {
  type: EventType.UPDATE_SSH_CA;
  metadata: {
    sshCaId: string;
    friendlyName: string;
    status: SshCaStatus;
  };
 }
 interface DeleteSshCa {
  type: EventType.DELETE_SSH_CA;
  metadata: {
    sshCaId: string;
    friendlyName: string;
  };
 }
 interface GetSshCaCertificateTemplates {
  type: EventType.GET_SSH_CA_CERTIFICATE_TEMPLATES;
  metadata: {
    sshCaId: string;
    friendlyName: string;
  };
 }
 interface CreateSshCertificateTemplate {
  type: EventType.CREATE_SSH_CERTIFICATE_TEMPLATE;
  metadata: {
    certificateTemplateId: string;
    sshCaId: string;
    name: string;
    ttl: string;
    maxTTL: string;
    allowedUsers: string[];
    allowedHosts: string[];
    allowUserCertificates: boolean;
    allowHostCertificates: boolean;
    allowCustomKeyIds: boolean;
  };
 }
 interface GetSshCertificateTemplate {
  type: EventType.GET_SSH_CERTIFICATE_TEMPLATE;
  metadata: {
    certificateTemplateId: string;
  };
 }
 interface UpdateSshCertificateTemplate {
  type: EventType.UPDATE_SSH_CERTIFICATE_TEMPLATE;
  metadata: {
    certificateTemplateId: string;
    sshCaId: string;
    name: string;
    status: SshCertTemplateStatus;
    ttl: string;
    maxTTL: string;
    allowedUsers: string[];
    allowedHosts: string[];
    allowUserCertificates: boolean;
    allowHostCertificates: boolean;
    allowCustomKeyIds: boolean;
  };
 }
 interface DeleteSshCertificateTemplate {
  type: EventType.DELETE_SSH_CERTIFICATE_TEMPLATE;
  metadata: {
    certificateTemplateId: string;
  };
 }
 interface CreateCa {
  type: EventType.CREATE_CA;
  metadata: {
@ -1742,6 +1900,149 @@ interface ApplyProjectTemplateEvent {
  };
 }
 interface GetAppConnectionsEvent {
  type: EventType.GET_APP_CONNECTIONS;
  metadata: {
    app?: AppConnection;
    count: number;
    connectionIds: string[];
  };
 }
 interface GetAvailableAppConnectionsDetailsEvent {
  type: EventType.GET_AVAILABLE_APP_CONNECTIONS_DETAILS;
  metadata: {
    app?: AppConnection;
    count: number;
    connectionIds: string[];
  };
 }
 interface GetAppConnectionEvent {
  type: EventType.GET_APP_CONNECTION;
  metadata: {
    connectionId: string;
  };
 }
 interface CreateAppConnectionEvent {
  type: EventType.CREATE_APP_CONNECTION;
  metadata: Omit<TCreateAppConnectionDTO, "credentials"> & { connectionId: string };
 }
 interface UpdateAppConnectionEvent {
  type: EventType.UPDATE_APP_CONNECTION;
  metadata: Omit<TUpdateAppConnectionDTO, "credentials"> & { connectionId: string; credentialsUpdated: boolean };
 }
 interface DeleteAppConnectionEvent {
  type: EventType.DELETE_APP_CONNECTION;
  metadata: {
    connectionId: string;
  };
 }
 interface CreateSharedSecretEvent {
  type: EventType.CREATE_SHARED_SECRET;
  metadata: {
    id: string;
    accessType: string;
    name?: string;
    expiresAfterViews?: number;
    usingPassword: boolean;
    expiresAt: string;
  };
 }
 interface DeleteSharedSecretEvent {
  type: EventType.DELETE_SHARED_SECRET;
  metadata: {
    id: string;
    name?: string;
  };
 }
 interface ReadSharedSecretEvent {
  type: EventType.READ_SHARED_SECRET;
  metadata: {
    id: string;
    name?: string;
    accessType: string;
  };
 }
 interface GetSecretSyncsEvent {
  type: EventType.GET_SECRET_SYNCS;
  metadata: {
    destination?: SecretSync;
    count: number;
    syncIds: string[];
  };
 }
 interface GetSecretSyncEvent {
  type: EventType.GET_SECRET_SYNC;
  metadata: {
    destination: SecretSync;
    syncId: string;
  };
 }
 interface CreateSecretSyncEvent {
  type: EventType.CREATE_SECRET_SYNC;
  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
 }
 interface UpdateSecretSyncEvent {
  type: EventType.UPDATE_SECRET_SYNC;
  metadata: TUpdateSecretSyncDTO;
 }
 interface DeleteSecretSyncEvent {
  type: EventType.DELETE_SECRET_SYNC;
  metadata: TDeleteSecretSyncDTO;
 }
 interface SecretSyncSyncSecretsEvent {
  type: EventType.SECRET_SYNC_SYNC_SECRETS;
  metadata: Pick<
    TSecretSyncRaw,
    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
  > & {
    syncId: string;
    syncMessage: string | null;
    jobId: string;
    jobRanAt: Date;
  };
 }
 interface SecretSyncImportSecretsEvent {
  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
  metadata: Pick<
    TSecretSyncRaw,
    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
  > & {
    syncId: string;
    importMessage: string | null;
    jobId: string;
    jobRanAt: Date;
    importBehavior: SecretSyncImportBehavior;
  };
 }
 interface SecretSyncRemoveSecretsEvent {
  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
  metadata: Pick<
    TSecretSyncRaw,
    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
  > & {
    syncId: string;
    removeMessage: string | null;
    jobId: string;
    jobRanAt: Date;
  };
 }
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@ -1837,6 +2138,17 @@ export type Event =
  | SecretApprovalClosed
  | SecretApprovalRequest
  | SecretApprovalReopened
  | SignSshKey
  | IssueSshCreds
  | CreateSshCa
  | GetSshCa
  | UpdateSshCa
  | DeleteSshCa
  | GetSshCaCertificateTemplates
  | CreateSshCertificateTemplate
  | UpdateSshCertificateTemplate
  | GetSshCertificateTemplate
  | DeleteSshCertificateTemplate
  | CreateCa
  | GetCa
  | UpdateCa
@ -1902,4 +2214,21 @@ export type Event =
  | CreateProjectTemplateEvent
  | UpdateProjectTemplateEvent
  | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent;
+  | ApplyProjectTemplateEvent
  | GetAppConnectionsEvent
  | GetAvailableAppConnectionsDetailsEvent
  | GetAppConnectionEvent
  | CreateAppConnectionEvent
  | UpdateAppConnectionEvent
  | DeleteAppConnectionEvent
  | CreateSharedSecretEvent
  | DeleteSharedSecretEvent
  | ReadSharedSecretEvent
  | GetSecretSyncsEvent
  | GetSecretSyncEvent
  | CreateSecretSyncEvent
  | UpdateSecretSyncEvent
  | DeleteSecretSyncEvent
  | SecretSyncSyncSecretsEvent
  | SecretSyncImportSecretsEvent
  | SecretSyncRemoveSecretsEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -66,13 +67,14 @@ export const certificateAuthorityCrlServiceFactory = ({
    const ca = await certificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      ca.projectId,
+      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.CertificateManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";
-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@ -67,14 +67,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -147,14 +147,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -227,14 +227,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -297,13 +297,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -339,13 +340,14 @@ export const dynamicSecretLeaseServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.Lease,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
-import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@ -73,14 +73,14 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.CreateRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -145,14 +145,14 @@ export const dynamicSecretServiceFactory = ({
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.EditRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -229,14 +229,14 @@ export const dynamicSecretServiceFactory = ({
    const projectId = project.id;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.DeleteRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -290,13 +290,14 @@ export const dynamicSecretServiceFactory = ({
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
    const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -340,13 +341,14 @@ export const dynamicSecretServiceFactory = ({
    isInternal
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
-      );
+        actionProjectType: ActionProjectType.SecretManager
      });
      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
@ -383,13 +385,14 @@ export const dynamicSecretServiceFactory = ({
    search,
    projectId
  }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -431,13 +434,14 @@ export const dynamicSecretServiceFactory = ({
      projectId = project.id;
    }
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
      subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@ -462,13 +466,14 @@ export const dynamicSecretServiceFactory = ({
    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
    actor: OrgServiceActor
  ) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
-      actor.type,
+      actor: actor.type,
-      actor.id,
+      actorId: actor.id,
      projectId,
-      actor.authMethod,
+      actorAuthMethod: actor.authMethod,
-      actor.orgId
+      actorOrgId: actor.orgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
      permission.can(
@ -507,13 +512,14 @@ export const dynamicSecretServiceFactory = ({
    ...params
  }: TListDynamicSecretsMultiEnvDTO) => {
    if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission(
+      const { permission } = await permissionService.getProjectPermission({
        actor,
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId
+        actorOrgId,
-      );
+        actionProjectType: ActionProjectType.SecretManager
      });
      // verify user has access to each env in request
      environmentSlugs.forEach((environmentSlug) =>
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@ -34,6 +34,8 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
    const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
    const db = knex({
      client: providerInputs.client,
      connection: {
@ -43,7 +45,16 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
        user: providerInputs.username,
        password: providerInputs.password,
        ssl,
-        pool: { min: 0, max: 1 }
+        pool: { min: 0, max: 1 },
        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
        options: isMsSQLClient
          ? {
              trustServerCertificate: !providerInputs.ca,
              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
            }
          : undefined
      },
      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
    });
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@ -1,7 +1,9 @@
 import { KMSServiceException } from "@aws-sdk/client-kms";
 import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -71,7 +73,16 @@ export const externalKmsServiceFactory = ({
    switch (provider.type) {
      case KmsProviders.Aws:
        {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
              throw new InternalServerError({
                message: error.message ? `AWS error: ${error.message}` : ""
              });
            }
            throw error;
          });
          // if missing kms key this generate a new kms key id and returns new provider input
          const newProviderInput = await externalKms.generateInputKmsKey();
          sanitizedProviderInput = JSON.stringify(newProviderInput);
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@ -32,7 +32,7 @@ type TGroupServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
  groupDAL: Pick<
    TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
  >;
  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
  orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@ -88,12 +88,26 @@ export const groupServiceFactory = ({
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
-    const group = await groupDAL.create({
+    const group = await groupDAL.transaction(async (tx) => {
-      name,
+      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      if (existingGroup) {
-      orgId: actorOrgId,
+        throw new BadRequestError({
-      role: isCustomRole ? OrgMembershipRole.Custom : role,
+          message: `Failed to create group with name '${name}'. Group with the same name already exists`
-      roleId: customRole?.id
+        });
      }
      const newGroup = await groupDAL.create(
        {
          name,
          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
          orgId: actorOrgId,
          role: isCustomRole ? OrgMembershipRole.Custom : role,
          roleId: customRole?.id
        },
        tx
      );
      return newGroup;
    });
    return group;
@ -145,21 +159,36 @@ export const groupServiceFactory = ({
      if (isCustomRole) customRole = customOrgRole;
    }
-    const [updatedGroup] = await groupDAL.update(
+    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      {
+      if (name) {
-        id: group.id
+        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      },
+
-      {
+        if (existingGroup && existingGroup.id !== id) {
-        name,
+          throw new BadRequestError({
-        slug: slug ? slugify(slug) : undefined,
+            message: `Failed to update group with name '${name}'. Group with the same name already exists`
-        ...(role
+          });
-          ? {
+        }
              role: customRole ? OrgMembershipRole.Custom : role,
              roleId: customRole?.id ?? null
            }
          : {})
      }
-    );
+
      const [updated] = await groupDAL.update(
        {
          id: group.id
        },
        {
          name,
          slug: slug ? slugify(slug) : undefined,
          ...(role
            ? {
                role: customRole ? OrgMembershipRole.Custom : role,
                roleId: customRole?.id ?? null
              }
            : {})
        },
        tx
      );
      return updated;
    });
    return updatedGroup;
  };
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
@ -55,24 +55,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityId,
+      actorId: identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -135,24 +137,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -215,24 +219,26 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
    );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@ -260,13 +266,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
        message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@ -294,13 +301,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@ -329,13 +337,14 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -2,6 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@ -62,25 +63,27 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityId,
+      actorId: identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -143,26 +146,28 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -242,25 +247,27 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Identity, { identityId })
    );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      ActorType.IDENTITY,
+      actor: ActorType.IDENTITY,
-      identityProjectMembership.identityId,
+      actorId: identityProjectMembership.identityId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@ -299,13 +306,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Identity, { identityId })
@ -341,13 +349,14 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      identityProjectMembership.projectId,
+      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -476,14 +476,14 @@ export const ldapConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
        });
      }
-      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@ -24,6 +24,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  rbac: false,
  customRateLimits: false,
  customAlerts: false,
  secretAccessInsights: false,
  auditLogs: false,
  auditLogsRetentionDays: 0,
  auditLogStreams: false,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -246,8 +246,7 @@ export const licenseServiceFactory = ({
  };
  const getOrgPlan = async ({ orgId, actor, actorId, actorOrgId, actorAuthMethod, projectId }: TOrgPlanDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
    const plan = await getPlan(orgId, projectId);
    return plan;
  };
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -48,6 +48,7 @@ export type TFeatureSet = {
  samlSSO: false;
  hsm: false;
  oidcSSO: false;
  secretAccessInsights: false;
  scim: false;
  ldap: false;
  groups: false;
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@ -1,4 +1,12 @@
-import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability";
+import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 import {
  CASL_ACTION_SCHEMA_ENUM,
  CASL_ACTION_SCHEMA_NATIVE_ENUM
 } from "@app/ee/services/permission/permission-schemas";
 import { PermissionConditionSchema } from "@app/ee/services/permission/permission-types";
 import { PermissionConditionOperators } from "@app/lib/casl";
 export enum OrgPermissionActions {
  Read = "read",
@ -7,6 +15,14 @@ export enum OrgPermissionActions {
  Delete = "delete"
 }
 export enum OrgPermissionAppConnectionActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  Connect = "connect"
 }
 export enum OrgPermissionAdminConsoleAction {
  AccessAllProjects = "access-all-projects"
 }
@ -27,9 +43,14 @@ export enum OrgPermissionSubjects {
  Kms = "kms",
  AdminConsole = "organization-admin-console",
  AuditLogs = "audit-logs",
-  ProjectTemplates = "project-templates"
+  ProjectTemplates = "project-templates",
  AppConnections = "app-connections"
 }
 export type AppConnectionSubjectFields = {
  connectionId: string;
 };
 export type OrgPermissionSet =
  | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
  | [OrgPermissionActions, OrgPermissionSubjects.Role]
@ -46,8 +67,109 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
  | [
      OrgPermissionAppConnectionActions,
      (
        | OrgPermissionSubjects.AppConnections
        | (ForcedSubject<OrgPermissionSubjects.AppConnections> & AppConnectionSubjectFields)
      )
    ]
  | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 const AppConnectionConditionSchema = z
  .object({
    connectionId: z.union([
      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
        })
        .partial()
    ])
  })
  .partial();
 export const OrgPermissionSchema = z.discriminatedUnion("subject", [
  z.object({
    subject: z.literal(OrgPermissionSubjects.Workspace).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_ENUM([OrgPermissionActions.Create]).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Role).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Member).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Settings).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.IncidentAccount).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Sso).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Scim).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Groups).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.SecretScanning).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Billing).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Identity).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Kms).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AppConnections).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAppConnectionActions).describe(
      "Describe what action an entity can take."
    ),
    conditions: AppConnectionConditionSchema.describe(
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AdminConsole).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAdminConsoleAction).describe(
      "Describe what action an entity can take."
    )
  })
 ]);
 const buildAdminPermission = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
  // ws permissions
@ -123,6 +245,12 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionAppConnectionActions.Read, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAppConnectionActions.Create, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAppConnectionActions.Edit, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
  return rules;
@ -153,6 +281,8 @@ const buildMemberPermission = () => {
  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  return rules;
 };
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -125,6 +125,404 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };
  const getProjectGroupPermissions = async (projectId: string) => {
    try {
      const docs = await db
        .replicaNode()(TableName.GroupProjectMembership)
        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
        .join(
          TableName.GroupProjectMembershipRole,
          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
          `${TableName.GroupProjectMembership}.id`
        )
        .leftJoin<TProjectRoles>(
          { groupCustomRoles: TableName.ProjectRoles },
          `${TableName.GroupProjectMembershipRole}.customRoleId`,
          `groupCustomRoles.id`
        )
        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
        .select(
          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
          db.ref("id").withSchema(TableName.Groups).as("groupId"),
          db.ref("name").withSchema(TableName.Groups).as("groupName"),
          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
          db
            .ref("customRoleId")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("groupProjectMembershipRoleCustomRoleId"),
          db
            .ref("isTemporary")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("groupProjectMembershipRoleIsTemporary"),
          db
            .ref("temporaryMode")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("groupProjectMembershipRoleTemporaryMode"),
          db
            .ref("temporaryRange")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("groupProjectMembershipRoleTemporaryRange"),
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
        );
      const groupPermissions = sqlNestRelationships({
        data: docs,
        key: "groupId",
        parentMapper: ({ groupId, groupName, membershipId }) => ({
          groupId,
          username: groupName,
          id: membershipId
        }),
        childrenMapper: [
          {
            key: "groupProjectMembershipRoleId",
            label: "groupRoles" as const,
            mapper: ({
              groupProjectMembershipRoleId,
              groupProjectMembershipRole,
              groupProjectMembershipRolePermission,
              groupProjectMembershipRoleCustomRoleSlug,
              groupProjectMembershipRoleIsTemporary,
              groupProjectMembershipRoleTemporaryMode,
              groupProjectMembershipRoleTemporaryAccessEndTime,
              groupProjectMembershipRoleTemporaryAccessStartTime,
              groupProjectMembershipRoleTemporaryRange
            }) => ({
              id: groupProjectMembershipRoleId,
              role: groupProjectMembershipRole,
              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
              permissions: groupProjectMembershipRolePermission,
              temporaryRange: groupProjectMembershipRoleTemporaryRange,
              temporaryMode: groupProjectMembershipRoleTemporaryMode,
              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
              isTemporary: groupProjectMembershipRoleIsTemporary
            })
          }
        ]
      });
      return groupPermissions
        .map((groupPermission) => {
          if (!groupPermission) return undefined;
          const activeGroupRoles =
            groupPermission?.groupRoles?.filter(
              ({ isTemporary, temporaryAccessEndTime }) =>
                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
            ) ?? [];
          return {
            ...groupPermission,
            roles: activeGroupRoles
          };
        })
        .filter((item): item is NonNullable<typeof item> => Boolean(item));
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
    }
  };
  const getProjectUserPermissions = async (projectId: string) => {
    try {
      const docs = await db
        .replicaNode()(TableName.Users)
        .where("isGhost", "=", false)
        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
        })
        .leftJoin(
          TableName.GroupProjectMembershipRole,
          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
          `${TableName.GroupProjectMembership}.id`
        )
        .leftJoin<TProjectRoles>(
          { groupCustomRoles: TableName.ProjectRoles },
          `${TableName.GroupProjectMembershipRole}.customRoleId`,
          `groupCustomRoles.id`
        )
        .join(TableName.ProjectMembership, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
        })
        .leftJoin(
          TableName.ProjectUserMembershipRole,
          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
          `${TableName.ProjectMembership}.id`
        )
        .leftJoin(
          TableName.ProjectRoles,
          `${TableName.ProjectUserMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
        })
        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
        })
        .select(
          db.ref("id").withSchema(TableName.Users).as("userId"),
          db.ref("username").withSchema(TableName.Users).as("username"),
          // groups specific
          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
          db
            .ref("customRoleId")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("userGroupProjectMembershipRoleCustomRoleId"),
          db
            .ref("isTemporary")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("userGroupProjectMembershipRoleIsTemporary"),
          db
            .ref("temporaryMode")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("userGroupProjectMembershipRoleTemporaryMode"),
          db
            .ref("temporaryRange")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("userGroupProjectMembershipRoleTemporaryRange"),
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.GroupProjectMembershipRole)
            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
          // user specific
          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
          db
            .ref("temporaryMode")
            .withSchema(TableName.ProjectUserMembershipRole)
            .as("userProjectMembershipRoleTemporaryMode"),
          db
            .ref("isTemporary")
            .withSchema(TableName.ProjectUserMembershipRole)
            .as("userProjectMembershipRoleIsTemporary"),
          db
            .ref("temporaryRange")
            .withSchema(TableName.ProjectUserMembershipRole)
            .as("userProjectMembershipRoleTemporaryRange"),
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.ProjectUserMembershipRole)
            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.ProjectUserMembershipRole)
            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
          db
            .ref("permissions")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesPermissions"),
          db
            .ref("temporaryMode")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesTemporaryMode"),
          db
            .ref("isTemporary")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesIsTemporary"),
          db
            .ref("temporaryRange")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesTemporaryRange"),
          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
          // general
          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
          db.ref("type").withSchema(TableName.Project).as("projectType"),
          db.ref("id").withSchema(TableName.Project).as("projectId")
        );
      const userPermissions = sqlNestRelationships({
        data: docs,
        key: "userId",
        parentMapper: ({
          orgId,
          username,
          orgAuthEnforced,
          membershipId,
          groupMembershipId,
          membershipCreatedAt,
          groupMembershipCreatedAt,
          groupMembershipUpdatedAt,
          membershipUpdatedAt,
          projectType,
          userId
        }) => ({
          orgId,
          orgAuthEnforced,
          userId,
          projectId,
          username,
          projectType,
          id: membershipId || groupMembershipId,
          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
        }),
        childrenMapper: [
          {
            key: "userGroupProjectMembershipRoleId",
            label: "userGroupRoles" as const,
            mapper: ({
              userGroupProjectMembershipRoleId,
              userGroupProjectMembershipRole,
              userGroupProjectMembershipRolePermission,
              userGroupProjectMembershipRoleCustomRoleSlug,
              userGroupProjectMembershipRoleIsTemporary,
              userGroupProjectMembershipRoleTemporaryMode,
              userGroupProjectMembershipRoleTemporaryAccessEndTime,
              userGroupProjectMembershipRoleTemporaryAccessStartTime,
              userGroupProjectMembershipRoleTemporaryRange
            }) => ({
              id: userGroupProjectMembershipRoleId,
              role: userGroupProjectMembershipRole,
              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
              permissions: userGroupProjectMembershipRolePermission,
              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
              isTemporary: userGroupProjectMembershipRoleIsTemporary
            })
          },
          {
            key: "userProjectMembershipRoleId",
            label: "projectMembershipRoles" as const,
            mapper: ({
              userProjectMembershipRoleId,
              userProjectMembershipRole,
              userProjectCustomRolePermission,
              userProjectMembershipRoleIsTemporary,
              userProjectMembershipRoleTemporaryMode,
              userProjectMembershipRoleTemporaryRange,
              userProjectMembershipRoleTemporaryAccessEndTime,
              userProjectMembershipRoleTemporaryAccessStartTime,
              userProjectMembershipRoleCustomRoleSlug
            }) => ({
              id: userProjectMembershipRoleId,
              role: userProjectMembershipRole,
              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
              permissions: userProjectCustomRolePermission,
              temporaryRange: userProjectMembershipRoleTemporaryRange,
              temporaryMode: userProjectMembershipRoleTemporaryMode,
              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
              isTemporary: userProjectMembershipRoleIsTemporary
            })
          },
          {
            key: "userAdditionalPrivilegesId",
            label: "additionalPrivileges" as const,
            mapper: ({
              userAdditionalPrivilegesId,
              userAdditionalPrivilegesPermissions,
              userAdditionalPrivilegesIsTemporary,
              userAdditionalPrivilegesTemporaryMode,
              userAdditionalPrivilegesTemporaryRange,
              userAdditionalPrivilegesTemporaryAccessEndTime,
              userAdditionalPrivilegesTemporaryAccessStartTime
            }) => ({
              id: userAdditionalPrivilegesId,
              permissions: userAdditionalPrivilegesPermissions,
              temporaryRange: userAdditionalPrivilegesTemporaryRange,
              temporaryMode: userAdditionalPrivilegesTemporaryMode,
              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
              isTemporary: userAdditionalPrivilegesIsTemporary
            })
          },
          {
            key: "metadataId",
            label: "metadata" as const,
            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
              id: metadataId,
              key: metadataKey,
              value: metadataValue
            })
          }
        ]
      });
      return userPermissions
        .map((userPermission) => {
          if (!userPermission) return undefined;
          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
          // when introducting cron mode change it here
          const activeRoles =
            userPermission?.projectMembershipRoles?.filter(
              ({ isTemporary, temporaryAccessEndTime }) =>
                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
            ) ?? [];
          const activeGroupRoles =
            userPermission?.userGroupRoles?.filter(
              ({ isTemporary, temporaryAccessEndTime }) =>
                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
            ) ?? [];
          const activeAdditionalPrivileges =
            userPermission?.additionalPrivileges?.filter(
              ({ isTemporary, temporaryAccessEndTime }) =>
                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
            ) ?? [];
          return {
            ...userPermission,
            roles: [...activeRoles, ...activeGroupRoles],
            additionalPrivileges: activeAdditionalPrivileges
          };
        })
        .filter((item): item is NonNullable<typeof item> => Boolean(item));
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
    }
  };
  const getProjectPermission = async (userId: string, projectId: string) => {
    try {
      const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@ -414,6 +812,163 @@ export const permissionDALFactory = (db: TDbClient) => {
    }
  };
  const getProjectIdentityPermissions = async (projectId: string) => {
    try {
      const docs = await db
        .replicaNode()(TableName.IdentityProjectMembership)
        .join(
          TableName.IdentityProjectMembershipRole,
          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
          `${TableName.IdentityProjectMembership}.id`
        )
        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
        .leftJoin(
          TableName.ProjectRoles,
          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
          `${TableName.ProjectRoles}.id`
        )
        .leftJoin(
          TableName.IdentityProjectAdditionalPrivilege,
          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
          `${TableName.IdentityProjectMembership}.id`
        )
        .join(
          // Join the Project table to later select orgId
          TableName.Project,
          `${TableName.IdentityProjectMembership}.projectId`,
          `${TableName.Project}.id`
        )
        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
        })
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
        .select(
          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
          db.ref("id").withSchema(TableName.Identity).as("identityId"),
          db.ref("name").withSchema(TableName.Identity).as("identityName"),
          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
          db.ref("type").withSchema(TableName.Project).as("projectType"),
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
          db.ref("permissions").withSchema(TableName.ProjectRoles),
          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
          db
            .ref("temporaryMode")
            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
            .as("identityApTemporaryMode"),
          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
          db
            .ref("temporaryRange")
            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
            .as("identityApTemporaryRange"),
          db
            .ref("temporaryAccessStartTime")
            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
            .as("identityApTemporaryAccessStartTime"),
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
            .as("identityApTemporaryAccessEndTime"),
          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
        );
      const permissions = sqlNestRelationships({
        data: docs,
        key: "identityId",
        parentMapper: ({
          membershipId,
          membershipCreatedAt,
          membershipUpdatedAt,
          orgId,
          identityName,
          projectType,
          identityId
        }) => ({
          id: membershipId,
          identityId,
          username: identityName,
          projectId,
          createdAt: membershipCreatedAt,
          updatedAt: membershipUpdatedAt,
          orgId,
          projectType,
          // just a prefilled value
          orgAuthEnforced: false
        }),
        childrenMapper: [
          {
            key: "id",
            label: "roles" as const,
            mapper: (data) =>
              IdentityProjectMembershipRoleSchema.extend({
                permissions: z.unknown(),
                customRoleSlug: z.string().optional().nullable()
              }).parse(data)
          },
          {
            key: "identityApId",
            label: "additionalPrivileges" as const,
            mapper: ({
              identityApId,
              identityApPermissions,
              identityApIsTemporary,
              identityApTemporaryMode,
              identityApTemporaryRange,
              identityApTemporaryAccessEndTime,
              identityApTemporaryAccessStartTime
            }) => ({
              id: identityApId,
              permissions: identityApPermissions,
              temporaryRange: identityApTemporaryRange,
              temporaryMode: identityApTemporaryMode,
              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
              isTemporary: identityApIsTemporary
            })
          },
          {
            key: "metadataId",
            label: "metadata" as const,
            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
              id: metadataId,
              key: metadataKey,
              value: metadataValue
            })
          }
        ]
      });
      return permissions
        .map((permission) => {
          if (!permission) {
            return undefined;
          }
          // when introducting cron mode change it here
          const activeRoles = permission?.roles.filter(
            ({ isTemporary, temporaryAccessEndTime }) =>
              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
          );
          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
            ({ isTemporary, temporaryAccessEndTime }) =>
              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
          );
          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
        })
        .filter((item): item is NonNullable<typeof item> => Boolean(item));
    } catch (error) {
      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
    }
  };
  const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
    try {
      const docs = await db
@ -568,6 +1123,9 @@ export const permissionDALFactory = (db: TDbClient) => {
    getOrgPermission,
    getOrgIdentityPermission,
    getProjectPermission,
-    getProjectIdentityPermission
+    getProjectIdentityPermission,
    getProjectUserPermissions,
    getProjectIdentityPermissions,
    getProjectGroupPermissions
  };
 };
--- a/backend/src/ee/services/permission/permission-schemas.ts
+++ b/backend/src/ee/services/permission/permission-schemas.ts
@ -0,0 +1,9 @@
 import { z } from "zod";
 export const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
  z
    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
    .transform((el) => (typeof el === "string" ? [el] : el));
 export const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@ -1,3 +1,6 @@
 import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 export type TBuildProjectPermissionDTO = {
  permissions?: unknown;
  role: string;
@ -7,3 +10,34 @@ export type TBuildOrgPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
 export type TGetUserProjectPermissionArg = {
  userId: string;
  projectId: string;
  authMethod: ActorAuthMethod;
  actionProjectType: ActionProjectType;
  userOrgId?: string;
 };
 export type TGetIdentityProjectPermissionArg = {
  identityId: string;
  projectId: string;
  identityOrgId?: string;
  actionProjectType: ActionProjectType;
 };
 export type TGetServiceTokenProjectPermissionArg = {
  serviceTokenId: string;
  projectId: string;
  actorOrgId?: string;
  actionProjectType: ActionProjectType;
 };
 export type TGetProjectPermissionArg = {
  actor: ActorType;
  actorId: string;
  projectId: string;
  actorAuthMethod: ActorAuthMethod;
  actorOrgId?: string;
  actionProjectType: ActionProjectType;
 };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -4,9 +4,9 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 import {
  ActionProjectType,
  OrgMembershipRole,
  ProjectMembershipRole,
  ProjectType,
  ServiceTokenScopes,
  TIdentityProjectMemberships,
  TProjectMemberships
@ -23,7 +23,14 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
-import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
+import {
  TBuildOrgPermissionDTO,
  TBuildProjectPermissionDTO,
  TGetIdentityProjectPermissionArg,
  TGetProjectPermissionArg,
  TGetServiceTokenProjectPermissionArg,
  TGetUserProjectPermissionArg
 } from "./permission-service-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@ -193,12 +200,13 @@ export const permissionServiceFactory = ({
  };
  // user permission for a project in an organization
-  const getUserProjectPermission = async (
+  const getUserProjectPermission = async ({
-    userId: string,
+    userId,
-    projectId: string,
+    projectId,
-    authMethod: ActorAuthMethod,
+    authMethod,
-    userOrgId?: string
+    userOrgId,
-  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
+    actionProjectType
  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@ -219,6 +227,12 @@ export const permissionServiceFactory = ({
    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
      throw new BadRequestError({
        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
      });
    }
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -256,13 +270,6 @@ export const permissionServiceFactory = ({
    return {
      permission,
      membership: userProjectPermission,
      ForbidOnInvalidProjectType: (productType: ProjectType) => {
        if (productType !== userProjectPermission.projectType) {
          throw new BadRequestError({
            message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
          });
        }
      },
      hasRole: (role: string) =>
        userProjectPermission.roles.findIndex(
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@ -270,11 +277,12 @@ export const permissionServiceFactory = ({
    };
  };
-  const getIdentityProjectPermission = async (
+  const getIdentityProjectPermission = async ({
-    identityId: string,
+    identityId,
-    projectId: string,
+    projectId,
-    identityOrgId: string | undefined
+    identityOrgId,
-  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+    actionProjectType
  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission)
      throw new ForbiddenRequestError({
@ -293,6 +301,12 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }
    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
      throw new BadRequestError({
        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
      });
    }
    const rolePermissions =
      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -331,13 +345,6 @@ export const permissionServiceFactory = ({
    return {
      permission,
      membership: identityProjectPermission,
      ForbidOnInvalidProjectType: (productType: ProjectType) => {
        if (productType !== identityProjectPermission.projectType) {
          throw new BadRequestError({
            message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
          });
        }
      },
      hasRole: (role: string) =>
        identityProjectPermission.roles.findIndex(
          ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@ -345,11 +352,12 @@ export const permissionServiceFactory = ({
    };
  };
-  const getServiceTokenProjectPermission = async (
+  const getServiceTokenProjectPermission = async ({
-    serviceTokenId: string,
+    serviceTokenId,
-    projectId: string,
+    projectId,
-    actorOrgId: string | undefined
+    actorOrgId,
-  ) => {
+    actionProjectType
  }: TGetServiceTokenProjectPermissionArg) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@ -373,17 +381,16 @@ export const permissionServiceFactory = ({
      });
    }
    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
      throw new BadRequestError({
        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
      });
    }
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: undefined,
+      membership: undefined
      ForbidOnInvalidProjectType: (productType: ProjectType) => {
        if (productType !== serviceTokenProject.type) {
          throw new BadRequestError({
            message: `The project is of type ${serviceTokenProject.type}. Operations of type ${productType} are not allowed.`
          });
        }
      }
    };
  };
@ -392,7 +399,6 @@ export const permissionServiceFactory = ({
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
        membership: undefined;
        hasRole: (arg: string) => boolean;
        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      } // service token doesn't have both membership and roles
    : {
        permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
@ -402,23 +408,156 @@ export const permissionServiceFactory = ({
          roles: Array<{ role: string }>;
        };
        hasRole: (role: string) => boolean;
        ForbidOnInvalidProjectType: (type: ProjectType) => void;
      };
-  const getProjectPermission = async <T extends ActorType>(
+  const getProjectPermissions = async (projectId: string) => {
-    type: T,
+    // fetch user permissions
-    id: string,
+    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
-    projectId: string,
+    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
-    actorAuthMethod: ActorAuthMethod,
+      const rolePermissions =
-    actorOrgId: string | undefined
+        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-  ): Promise<TProjectPermissionRT<T>> => {
+      const additionalPrivileges =
-    switch (type) {
+        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
          role: ProjectMembershipRole.Custom,
          permissions
        })) || [];
      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
        objectify(
          userProjectPermission.metadata,
          (i) => i.key,
          (i) => i.value
        )
      );
      const interpolateRules = templatedRules(
        {
          identity: {
            id: userProjectPermission.userId,
            username: userProjectPermission.username,
            metadata: metadataKeyValuePair
          }
        },
        { data: false }
      );
      const permission = createMongoAbility<ProjectPermissionSet>(
        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
        {
          conditionsMatcher
        }
      );
      return {
        permission,
        id: userProjectPermission.userId,
        name: userProjectPermission.username,
        membershipId: userProjectPermission.id
      };
    });
    // fetch identity permissions
    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
      const rolePermissions =
        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
      const additionalPrivileges =
        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
          role: ProjectMembershipRole.Custom,
          permissions
        })) || [];
      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
        objectify(
          identityProjectPermission.metadata,
          (i) => i.key,
          (i) => i.value
        )
      );
      const interpolateRules = templatedRules(
        {
          identity: {
            id: identityProjectPermission.identityId,
            username: identityProjectPermission.username,
            metadata: metadataKeyValuePair
          }
        },
        { data: false }
      );
      const permission = createMongoAbility<ProjectPermissionSet>(
        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
        {
          conditionsMatcher
        }
      );
      return {
        permission,
        id: identityProjectPermission.identityId,
        name: identityProjectPermission.username,
        membershipId: identityProjectPermission.id
      };
    });
    // fetch group permissions
    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
      const rolePermissions =
        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
      const rules = buildProjectPermissionRules(rolePermissions);
      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
        conditionsMatcher
      });
      return {
        permission,
        id: groupProjectPermission.groupId,
        name: groupProjectPermission.username,
        membershipId: groupProjectPermission.id
      };
    });
    return {
      userPermissions,
      identityPermissions,
      groupPermissions
    };
  };
  const getProjectPermission = async <T extends ActorType>({
    actor,
    actorId,
    projectId,
    actorAuthMethod,
    actorOrgId,
    actionProjectType
  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
    switch (actor) {
      case ActorType.USER:
-        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission({
          userId: actorId,
          projectId,
          authMethod: actorAuthMethod,
          userOrgId: actorOrgId,
          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
-        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission({
          serviceTokenId: actorId,
          projectId,
          actorOrgId,
          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
-        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission({
          identityId: actorId,
          projectId,
          identityOrgId: actorOrgId,
          actionProjectType
        }) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new BadRequestError({
          message: "Invalid actor provided",
@ -455,6 +594,7 @@ export const permissionServiceFactory = ({
    getOrgPermission,
    getUserProjectPermission,
    getProjectPermission,
    getProjectPermissions,
    getOrgPermissionByRole,
    getProjectPermissionByRole,
    buildOrgPermission,
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@ -1,6 +1,10 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 import {
  CASL_ACTION_SCHEMA_ENUM,
  CASL_ACTION_SCHEMA_NATIVE_ENUM
 } from "@app/ee/services/permission/permission-schemas";
 import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@ -30,6 +34,16 @@ export enum ProjectPermissionDynamicSecretActions {
  Lease = "lease"
 }
 export enum ProjectPermissionSecretSyncActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  SyncSecrets = "sync-secrets",
  ImportSecrets = "import-secrets",
  RemoveSecrets = "remove-secrets"
 }
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@ -54,10 +68,14 @@ export enum ProjectPermissionSub {
  CertificateAuthorities = "certificate-authorities",
  Certificates = "certificates",
  CertificateTemplates = "certificate-templates",
  SshCertificateAuthorities = "ssh-certificate-authorities",
  SshCertificates = "ssh-certificates",
  SshCertificateTemplates = "ssh-certificate-templates",
  PkiAlerts = "pki-alerts",
  PkiCollections = "pki-collections",
  Kms = "kms",
-  Cmek = "cmek"
+  Cmek = "cmek",
  SecretSyncs = "secret-syncs"
 }
 export type SecretSubjectFields = {
@ -132,8 +150,12 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
  | [ProjectPermissionActions, ProjectPermissionSub.Certificates]
  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateAuthorities]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificates]
  | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@ -141,14 +163,6 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
 const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
  z
    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
    .transform((el) => (typeof el === "string" ? [el] : el));
 const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@ -338,6 +352,28 @@ const GeneralPermissionSchema = [
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z
      .literal(ProjectPermissionSub.SshCertificateAuthorities)
      .describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.SshCertificates).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z
      .literal(ProjectPermissionSub.SshCertificateTemplates)
      .describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.PkiAlerts).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
@ -364,10 +400,15 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
    inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
      "Describe what action an entity can take."
    )
  })
 ];
@ -480,7 +521,10 @@ const buildAdminPermissionRules = () => {
    ProjectPermissionSub.Certificates,
    ProjectPermissionSub.CertificateTemplates,
    ProjectPermissionSub.PkiAlerts,
-    ProjectPermissionSub.PkiCollections
+    ProjectPermissionSub.PkiCollections,
    ProjectPermissionSub.SshCertificateAuthorities,
    ProjectPermissionSub.SshCertificates,
    ProjectPermissionSub.SshCertificateTemplates
  ].forEach((el) => {
    can(
      [
@ -518,6 +562,18 @@ const buildAdminPermissionRules = () => {
    ],
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  return rules;
 };
@ -665,6 +721,11 @@ const buildMemberPermissionRules = () => {
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateAuthorities);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Create], ProjectPermissionSub.SshCertificates);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
  can(
    [
      ProjectPermissionCmekActions.Create,
@ -677,6 +738,19 @@ const buildMemberPermissionRules = () => {
    ProjectPermissionSub.Cmek
  );
  can(
    [
      ProjectPermissionSecretSyncActions.Create,
      ProjectPermissionSecretSyncActions.Edit,
      ProjectPermissionSecretSyncActions.Delete,
      ProjectPermissionSecretSyncActions.Read,
      ProjectPermissionSecretSyncActions.SyncSecrets,
      ProjectPermissionSecretSyncActions.ImportSecrets,
      ProjectPermissionSecretSyncActions.RemoveSecrets
    ],
    ProjectPermissionSub.SecretSyncs
  );
  return rules;
 };
@ -707,6 +781,10 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
  return rules;
 };
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
-import { TableName } from "@app/db/schemas";
+import { ActionProjectType, TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@ -55,21 +55,23 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    if (!projectMembership)
      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
-      projectMembership.userId,
+      actorId: projectMembership.userId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -140,21 +142,23 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
-      projectMembership.userId,
+      actorId: projectMembership.userId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    // we need to validate that the privilege given is not higher than the assigning users permission
    // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@ -224,13 +228,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
    const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
@ -260,13 +265,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
        message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
      });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
    return {
@ -286,13 +292,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    if (!projectMembership)
      throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      projectMembership.projectId,
+      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
    const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -421,14 +421,14 @@ export const samlConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
        throw new BadRequestError({
          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
        });
      }
-      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -6,7 +6,8 @@ export enum SamlProviders {
  AZURE_SAML = "azure-saml",
  JUMPCLOUD_SAML = "jumpcloud-saml",
  GOOGLE_SAML = "google-saml",
-  KEYCLOAK_SAML = "keycloak-saml"
+  KEYCLOAK_SAML = "keycloak-saml",
  AUTH0_SAML = "auth0-saml"
 }
 export type TCreateSamlCfgDTO = {
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -531,7 +531,7 @@ export const scimServiceFactory = ({
          firstName: scimUser.name.givenName,
          email: scimUser.emails[0].value,
          lastName: scimUser.name.familyName,
-          isEmailVerified: hasEmailChanged ? trustScimEmails : true
+          isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
        },
        tx
      );
@ -790,6 +790,21 @@ export const scimServiceFactory = ({
      });
    const newGroup = await groupDAL.transaction(async (tx) => {
      const conflictingGroup = await groupDAL.findOne(
        {
          name: displayName,
          orgId
        },
        tx
      );
      if (conflictingGroup) {
        throw new ScimRequestError({
          detail: `Group with name '${displayName}' already exists in the organization`,
          status: 409
        });
      }
      const group = await groupDAL.create(
        {
          name: displayName,
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
-import { ProjectType } from "@app/db/schemas";
+import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -79,14 +79,14 @@ export const secretApprovalPolicyServiceFactory = ({
    if (!groupApprovers.length && approvals > approvers.length)
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretApproval
@ -193,14 +193,14 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      secretApprovalPolicy.projectId,
+      projectId: secretApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
    const plan = await licenseService.getPlan(actorOrgId);
@ -288,14 +288,14 @@ export const secretApprovalPolicyServiceFactory = ({
    if (!sapPolicy)
      throw new NotFoundError({ message: `Secret approval policy with ID '${secretPolicyId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sapPolicy.projectId,
+      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretApproval
@ -328,13 +328,14 @@ export const secretApprovalPolicyServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
    const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
@ -372,7 +373,14 @@ export const secretApprovalPolicyServiceFactory = ({
    environment,
    secretPath
  }: TGetBoardSapDTO) => {
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
    return getSecretApprovalPolicy(projectId, environment, secretPath);
  };
@ -392,13 +400,14 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      sapPolicy.projectId,
+      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
        firstName: reviewerUser.firstName,
        projectName: project.name,
        organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
      },
      template: SmtpTemplates.SecretApprovalRequestNeedsReview
    });
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
@ -256,6 +256,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
          `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
          db.ref("id").withSchema("secVerTag")
        )
        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
        .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
        .select({
          secVerTagId: "secVerTag.id",
@ -279,6 +280,11 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
          db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
          db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
          db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
        )
        .select(
          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
        );
      const formatedDoc = sqlNestRelationships({
        data: doc,
@ -338,9 +344,19 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
                })
              }
            ]
          },
          {
            key: "metadataId",
            label: "oldSecretMetadata" as const,
            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
              id: metadataId,
              key: metadataKey,
              value: metadataValue
            })
          }
        ]
      });
      return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
        ...el,
        secret: secret?.[0],
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -1,8 +1,8 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import {
  ActionProjectType,
  ProjectMembershipRole,
  ProjectType,
  SecretEncryptionAlgo,
  SecretKeyEncoding,
  SecretType,
@ -22,6 +22,8 @@ import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
  decryptSecretWithBot,
@ -91,6 +93,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
  secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
  snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
  secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
  secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
  smtpService: Pick<TSmtpService, "sendMail">;
  userDAL: Pick<TUserDALFactory, "find" | "findOne" | "findById">;
@ -138,18 +141,20 @@ export const secretApprovalRequestServiceFactory = ({
  secretVersionV2BridgeDAL,
  secretVersionTagV2BridgeDAL,
  licenseService,
-  projectSlackConfigDAL
+  projectSlackConfigDAL,
  resourceMetadataDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    await permissionService.getProjectPermission(
+    await permissionService.getProjectPermission({
-      actor as ActorType.USER,
+      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
    return count;
@ -169,7 +174,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
+    await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SecretManager
    });
    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@ -212,13 +224,14 @@ export const secretApprovalRequestServiceFactory = ({
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@ -241,6 +254,7 @@ export const secretApprovalRequestServiceFactory = ({
        secretKey: el.key,
        id: el.id,
        version: el.version,
        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
        secretValue: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
        secretComment: el.encryptedComment
          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
@ -269,7 +283,8 @@ export const secretApprovalRequestServiceFactory = ({
              secretComment: el.secretVersion.encryptedComment
                ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
                : "",
-              tags: el.secretVersion.tags
+              tags: el.secretVersion.tags,
              secretMetadata: el.oldSecretMetadata as ResourceMetadataDTO
            }
          : undefined
      }));
@ -330,13 +345,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
      actorId,
-      secretApprovalRequest.projectId,
+      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@ -396,13 +412,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
      actorId,
-      secretApprovalRequest.projectId,
+      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      secretApprovalRequest.committerUserId !== actorId &&
@ -452,13 +469,14 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { hasRole } = await permissionService.getProjectPermission({
-      ActorType.USER,
+      actor: ActorType.USER,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@ -543,6 +561,7 @@ export const secretApprovalRequestServiceFactory = ({
          ? await fnSecretV2BridgeBulkInsert({
              tx,
              folderId,
              orgId: actorOrgId,
              inputSecrets: secretCreationCommits.map((el) => ({
                tagIds: el?.tags.map(({ id }) => id),
                version: 1,
@ -550,6 +569,7 @@ export const secretApprovalRequestServiceFactory = ({
                encryptedValue: el.encryptedValue,
                skipMultilineEncoding: el.skipMultilineEncoding,
                key: el.key,
                secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                references: el.encryptedValue
                  ? getAllSecretReferencesV2Bridge(
                      secretManagerDecryptor({
@ -559,6 +579,7 @@ export const secretApprovalRequestServiceFactory = ({
                  : [],
                type: SecretType.Shared
              })),
              resourceMetadataDAL,
              secretDAL: secretV2BridgeDAL,
              secretVersionDAL: secretVersionV2BridgeDAL,
              secretTagDAL,
@ -568,6 +589,7 @@ export const secretApprovalRequestServiceFactory = ({
        const updatedSecrets = secretUpdationCommits.length
          ? await fnSecretV2BridgeBulkUpdate({
              folderId,
              orgId: actorOrgId,
              tx,
              inputSecrets: secretUpdationCommits.map((el) => {
                const encryptedValue =
@ -592,6 +614,7 @@ export const secretApprovalRequestServiceFactory = ({
                    skipMultilineEncoding: el.skipMultilineEncoding,
                    key: el.key,
                    tags: el?.tags.map(({ id }) => id),
                    secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                    ...encryptedValue
                  }
                };
@ -599,7 +622,8 @@ export const secretApprovalRequestServiceFactory = ({
              secretDAL: secretV2BridgeDAL,
              secretVersionDAL: secretVersionV2BridgeDAL,
              secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
              resourceMetadataDAL
            })
          : [];
        const deletedSecret = secretDeletionCommits.length
@ -824,6 +848,7 @@ export const secretApprovalRequestServiceFactory = ({
    }
    await secretQueueService.syncSecrets({
      projectId,
      orgId: actorOrgId,
      secretPath: folder.path,
      environmentSlug: folder.environmentSlug,
      actorId,
@ -852,7 +877,7 @@ export const secretApprovalRequestServiceFactory = ({
          bypassReason,
          secretPath: policy.secretPath,
          environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
        },
        template: SmtpTemplates.AccessSecretRequestBypassed
      });
@ -876,14 +901,14 @@ export const secretApprovalRequestServiceFactory = ({
  }: TGenerateSecretApprovalRequestDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@ -1157,14 +1182,14 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE || actor === ActorType.Machine)
      throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
      throw new NotFoundError({
@ -1208,6 +1233,7 @@ export const secretApprovalRequestServiceFactory = ({
          ),
          skipMultilineEncoding: createdSecret.skipMultilineEncoding,
          key: createdSecret.secretKey,
          secretMetadata: createdSecret.secretMetadata,
          type: SecretType.Shared
        }))
      );
@ -1241,9 +1267,10 @@ export const secretApprovalRequestServiceFactory = ({
            type: SecretType.Shared
          }))
        );
-        if (secrets.length)
+
        if (secrets.length !== secretsWithNewName.length)
          throw new NotFoundError({
-            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+            message: `Secret does not exist: ${secrets.map((el) => el.key).join(",")}`
          });
      }
@ -1263,12 +1290,14 @@ export const secretApprovalRequestServiceFactory = ({
            reminderNote,
            secretComment,
            metadata,
-            skipMultilineEncoding
+            skipMultilineEncoding,
            secretMetadata
          }) => {
            const secretId = updatingSecretsGroupByKey[secretKey][0].id;
            if (tagIds?.length) commitTagIds[secretKey] = tagIds;
            return {
              ...latestSecretVersions[secretId],
              secretMetadata,
              key: newSecretName || secretKey,
              encryptedComment: setKnexStringValue(
                secretComment,
@ -1370,7 +1399,8 @@ export const secretApprovalRequestServiceFactory = ({
            reminderRepeatDays,
            encryptedValue,
            secretId,
-            secretVersion
+            secretVersion,
            secretMetadata
          }) => ({
            version,
            requestId: doc.id,
@ -1383,7 +1413,8 @@ export const secretApprovalRequestServiceFactory = ({
            reminderRepeatDays,
            reminderNote,
            encryptedComment,
-            key
+            key,
            secretMetadata: JSON.stringify(secretMetadata)
          })
        ),
        tx
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
@ -1,5 +1,6 @@
 import { TImmutableDBKeys, TSecretApprovalPolicies, TSecretApprovalRequestsSecrets } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations } from "@app/services/secret/secret-types";
 export enum RequestState {
@ -34,6 +35,7 @@ export type TApprovalCreateSecretV2Bridge = {
  reminderRepeatDays?: number | null;
  skipMultilineEncoding?: boolean;
  metadata?: Record<string, string>;
  secretMetadata?: ResourceMetadataDTO;
  tagIds?: string[];
 };
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@ -13,6 +13,8 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/secret-queue";
@ -56,6 +58,7 @@ type TSecretReplicationServiceFactoryDep = {
  >;
  secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
  secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
  secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
  queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
  secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
@ -121,7 +124,8 @@ export const secretReplicationServiceFactory = ({
  secretVersionV2TagBridgeDAL,
  secretVersionV2BridgeDAL,
  secretV2BridgeDAL,
-  kmsService
+  kmsService,
  resourceMetadataDAL
 }: TSecretReplicationServiceFactoryDep) => {
  const $getReplicatedSecrets = (
    botKey: string,
@ -151,8 +155,10 @@ export const secretReplicationServiceFactory = ({
  };
  const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
+    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[],
-    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
+    importedSecrets: {
      secrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[];
    }[]
  ) => {
    const deDupe = new Set<string>();
    const secrets = [...localSecrets];
@ -178,6 +184,7 @@ export const secretReplicationServiceFactory = ({
      secretPath,
      environmentSlug,
      projectId,
      orgId,
      actorId,
      actor,
      pickOnlyImportIds,
@ -222,6 +229,7 @@ export const secretReplicationServiceFactory = ({
          .map(({ folderId }) =>
            secretQueueService.replicateSecrets({
              projectId,
              orgId,
              secretPath: foldersGroupedById[folderId][0]?.path as string,
              environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
              actorId,
@ -267,6 +275,7 @@ export const secretReplicationServiceFactory = ({
          ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
          : undefined
      }));
      const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
      const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);
@ -333,13 +342,29 @@ export const secretReplicationServiceFactory = ({
              .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create
            const locallyUpdatedSecrets = sourceSecrets
-              .filter(
+              .filter(({ key, secretKey, secretValue, secretMetadata }) => {
-                ({ key, secretKey, secretValue }) =>
+                const sourceSecretMetadataJson = JSON.stringify(
                  (secretMetadata ?? []).map((entry) => ({
                    key: entry.key,
                    value: entry.value
                  }))
                );
                const destinationSecretMetadataJson = JSON.stringify(
                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretMetadata ?? []).map((entry) => ({
                    key: entry.key,
                    value: entry.value
                  }))
                );
                return (
                  destinationLocalSecretsGroupedByKey[key]?.[0] &&
                  // if key or value changed
                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
+                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue ||
-              )
+                    sourceSecretMetadataJson !== destinationSecretMetadataJson)
                );
              })
              .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create
            const locallyDeletedSecrets = destinationLocalSecrets
@ -387,6 +412,7 @@ export const secretReplicationServiceFactory = ({
                      op: operation,
                      requestId: approvalRequestDoc.id,
                      metadata: doc.metadata,
                      secretMetadata: JSON.stringify(doc.secretMetadata),
                      key: doc.key,
                      encryptedValue: doc.encryptedValue,
                      encryptedComment: doc.encryptedComment,
@ -406,10 +432,12 @@ export const secretReplicationServiceFactory = ({
                if (locallyCreatedSecrets.length) {
                  await fnSecretV2BridgeBulkInsert({
                    folderId: destinationReplicationFolderId,
                    orgId,
                    secretVersionDAL: secretVersionV2BridgeDAL,
                    secretDAL: secretV2BridgeDAL,
                    tx,
                    secretTagDAL,
                    resourceMetadataDAL,
                    secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                    inputSecrets: locallyCreatedSecrets.map((doc) => {
                      return {
@ -419,6 +447,7 @@ export const secretReplicationServiceFactory = ({
                        encryptedValue: doc.encryptedValue,
                        encryptedComment: doc.encryptedComment,
                        skipMultilineEncoding: doc.skipMultilineEncoding,
                        secretMetadata: doc.secretMetadata,
                        references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                      };
                    })
@ -426,10 +455,12 @@ export const secretReplicationServiceFactory = ({
                }
                if (locallyUpdatedSecrets.length) {
                  await fnSecretV2BridgeBulkUpdate({
                    orgId,
                    folderId: destinationReplicationFolderId,
                    secretVersionDAL: secretVersionV2BridgeDAL,
                    secretDAL: secretV2BridgeDAL,
                    tx,
                    resourceMetadataDAL,
                    secretTagDAL,
                    secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                    inputSecrets: locallyUpdatedSecrets.map((doc) => {
@ -445,6 +476,7 @@ export const secretReplicationServiceFactory = ({
                          encryptedValue: doc.encryptedValue as Buffer,
                          encryptedComment: doc.encryptedComment,
                          skipMultilineEncoding: doc.skipMultilineEncoding,
                          secretMetadata: doc.secretMetadata,
                          references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                        }
                      };
@ -466,6 +498,7 @@ export const secretReplicationServiceFactory = ({
              await secretQueueService.syncSecrets({
                projectId,
                orgId,
                secretPath: destinationFolder.path,
                environmentSlug: destinationFolder.environmentSlug,
                actorId,
@ -751,6 +784,7 @@ export const secretReplicationServiceFactory = ({
            await secretQueueService.syncSecrets({
              projectId,
              orgId,
              secretPath: destinationFolder.path,
              environmentSlug: destinationFolder.environmentSlug,
              actorId,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@ -180,6 +180,8 @@ export const secretRotationQueueFactory = ({
          provider.template.client === TDbProviderClients.MsSqlServer
            ? ({
                encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
                // when ca is provided use that
                trustServerCertificate: !ca,
                cryptoCredentialsDetails: ca ? { ca } : {}
              } as Record<string, unknown>)
            : undefined;
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
-import { ProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@ -53,14 +53,14 @@ export const secretRotationServiceFactory = ({
    actorAuthMethod,
    projectId
  }: TProjectPermission) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    return {
@ -82,14 +82,14 @@ export const secretRotationServiceFactory = ({
    secretPath,
    environment
  }: TCreateSecretRotationDTO) => {
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRotation
@ -191,13 +191,14 @@ export const secretRotationServiceFactory = ({
  };
  const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
@ -236,14 +237,14 @@ export const secretRotationServiceFactory = ({
        message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
      });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      doc.projectId,
+      projectId: project.id,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
    await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
    await secretRotationQueue.addToQueue(doc.id, doc.interval);
@ -254,14 +255,14 @@ export const secretRotationServiceFactory = ({
    const doc = await secretRotationDAL.findById(rotationId);
    if (!doc) throw new NotFoundError({ message: `Rotation with ID '${rotationId}' not found` });
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      doc.projectId,
+      projectId: doc.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SecretRotation
--- a/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-dal.ts
@ -1,9 +1,12 @@
-import { Knex } from "knex";
+import knex, { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName, TSecretScanningGitRisksInsert } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { SecretScanningResolvedStatus, TGetOrgRisksDTO } from "./secret-scanning-types";
 export type TSecretScanningDALFactory = ReturnType<typeof secretScanningDALFactory>;
@ -19,5 +22,70 @@ export const secretScanningDALFactory = (db: TDbClient) => {
    }
  };
-  return { ...gitRiskOrm, upsert };
+  const findByOrgId = async (orgId: string, filter: TGetOrgRisksDTO["filter"], tx?: Knex) => {
    try {
      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
        // eslint-disable-next-line func-names
        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId);
      if (filter.repositoryNames) {
        void sqlQuery.whereIn(`${TableName.SecretScanningGitRisk}.repositoryFullName`, filter.repositoryNames);
      }
      if (filter.resolvedStatus) {
        if (filter.resolvedStatus !== SecretScanningResolvedStatus.All) {
          const isResolved = filter.resolvedStatus === SecretScanningResolvedStatus.Resolved;
          void sqlQuery.where(`${TableName.SecretScanningGitRisk}.isResolved`, isResolved);
        }
      }
      // Select statements
      void sqlQuery
        .select(selectAllTableCols(TableName.SecretScanningGitRisk))
        .limit(filter.limit)
        .offset(filter.offset);
      if (filter.orderBy) {
        const orderDirection = filter.orderDirection || OrderByDirection.ASC;
        void sqlQuery.orderBy(filter.orderBy, orderDirection);
      }
      const countQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
        .count();
      const uniqueReposQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
        .distinct("repositoryFullName")
        .select("repositoryFullName");
      // we timeout long running queries to prevent DB resource issues (2 minutes)
      const docs = await sqlQuery.timeout(1000 * 120);
      const uniqueRepos = await uniqueReposQuery.timeout(1000 * 120);
      const totalCount = await countQuery;
      return {
        risks: docs,
        totalCount: Number(totalCount?.[0].count),
        repos: uniqueRepos
          .filter(Boolean)
          .map((r) => r.repositoryFullName!)
          .sort((a, b) => a.localeCompare(b))
      };
    } catch (error) {
      if (error instanceof knex.KnexTimeoutError) {
        throw new GatewayTimeoutError({
          error,
          message: "Failed to fetch secret leaks due to timeout. Add more search filters."
        });
      }
      throw new DatabaseError({ error });
    }
  };
  return { ...gitRiskOrm, upsert, findByOrgId };
 };
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -15,6 +15,7 @@ import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
  SecretScanningRiskStatus,
  TGetAllOrgRisksDTO,
  TGetOrgInstallStatusDTO,
  TGetOrgRisksDTO,
  TInstallAppSessionDTO,
@ -118,11 +119,21 @@ export const secretScanningServiceFactory = ({
    return Boolean(appInstallation);
  };
-  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId, filter }: TGetOrgRisksDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const results = await secretScanningDAL.findByOrgId(orgId, filter);
    return results;
  };
  const getAllRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetAllOrgRisksDTO) => {
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
    const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
-    return { risks };
+    return risks;
  };
  const updateRiskStatus = async ({
@ -189,6 +200,7 @@ export const secretScanningServiceFactory = ({
    linkInstallationToOrg,
    getOrgInstallationStatus,
    getRisksByOrg,
    getAllRisksByOrg,
    updateRiskStatus,
    handleRepoPushEvent,
    handleRepoDeleteEvent
--- a/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-types.ts
@ -1,4 +1,4 @@
-import { TOrgPermission } from "@app/lib/types";
+import { OrderByDirection, TOrgPermission } from "@app/lib/types";
 export enum SecretScanningRiskStatus {
  FalsePositive = "RESOLVED_FALSE_POSITIVE",
@ -7,6 +7,12 @@ export enum SecretScanningRiskStatus {
  Unresolved = "UNRESOLVED"
 }
 export enum SecretScanningResolvedStatus {
  All = "all",
  Resolved = "resolved",
  Unresolved = "unresolved"
 }
 export type TInstallAppSessionDTO = TOrgPermission;
 export type TLinkInstallSessionDTO = {
@ -16,7 +22,22 @@ export type TLinkInstallSessionDTO = {
 export type TGetOrgInstallStatusDTO = TOrgPermission;
-export type TGetOrgRisksDTO = TOrgPermission;
+type RiskFilter = {
  offset: number;
  limit: number;
  orderBy?: "createdAt" | "name";
  orderDirection?: OrderByDirection;
  repositoryNames?: string[];
  resolvedStatus?: SecretScanningResolvedStatus;
 };
 export type TGetOrgRisksDTO = {
  filter: RiskFilter;
 } & TOrgPermission;
 export type TGetAllOrgRisksDTO = {
  filter: Omit<RiskFilter, "offset" | "limit" | "orderBy" | "orderDirection">;
 } & TOrgPermission;
 export type TUpdateRiskStatusDTO = {
  riskId: string;
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
-import { ProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@ -83,13 +83,14 @@ export const secretSnapshotServiceFactory = ({
    actorAuthMethod,
    path
  }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@ -119,13 +120,14 @@ export const secretSnapshotServiceFactory = ({
    limit = 20,
    offset = 0
  }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@ -147,13 +149,14 @@ export const secretSnapshotServiceFactory = ({
  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findById(id);
    if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${id}' not found` });
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      snapshot.projectId,
+      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
    const shouldUseBridge = snapshot.projectVersion === 3;
@ -322,14 +325,14 @@ export const secretSnapshotServiceFactory = ({
    if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${snapshotId}' not found` });
    const shouldUseBridge = snapshot.projectVersion === 3;
-    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
-      snapshot.projectId,
+      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.SecretManager
-    ForbidOnInvalidProjectType(ProjectType.SecretManager);
+    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SecretRollback
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-dal.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-dal.ts
@ -0,0 +1,66 @@
 import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 export type TSshCertificateTemplateDALFactory = ReturnType<typeof sshCertificateTemplateDALFactory>;
 export const sshCertificateTemplateDALFactory = (db: TDbClient) => {
  const sshCertificateTemplateOrm = ormify(db, TableName.SshCertificateTemplate);
  const getById = async (id: string, tx?: Knex) => {
    try {
      const certTemplate = await (tx || db.replicaNode())(TableName.SshCertificateTemplate)
        .join(
          TableName.SshCertificateAuthority,
          `${TableName.SshCertificateAuthority}.id`,
          `${TableName.SshCertificateTemplate}.sshCaId`
        )
        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.SshCertificateAuthority}.projectId`)
        .where(`${TableName.SshCertificateTemplate}.id`, "=", id)
        .select(selectAllTableCols(TableName.SshCertificateTemplate))
        .select(
          db.ref("projectId").withSchema(TableName.SshCertificateAuthority),
          db.ref("friendlyName").as("caName").withSchema(TableName.SshCertificateAuthority),
          db.ref("status").as("caStatus").withSchema(TableName.SshCertificateAuthority)
        )
        .first();
      return certTemplate;
    } catch (error) {
      throw new DatabaseError({ error, name: "Get SSH certificate template by ID" });
    }
  };
  /**
   * Returns the SSH certificate template named [name] within project with id [projectId]
   */
  const getByName = async (name: string, projectId: string, tx?: Knex) => {
    try {
      const certTemplate = await (tx || db.replicaNode())(TableName.SshCertificateTemplate)
        .join(
          TableName.SshCertificateAuthority,
          `${TableName.SshCertificateAuthority}.id`,
          `${TableName.SshCertificateTemplate}.sshCaId`
        )
        .join(TableName.Project, `${TableName.Project}.id`, `${TableName.SshCertificateAuthority}.projectId`)
        .where(`${TableName.SshCertificateTemplate}.name`, "=", name)
        .where(`${TableName.Project}.id`, "=", projectId)
        .select(selectAllTableCols(TableName.SshCertificateTemplate))
        .select(
          db.ref("projectId").withSchema(TableName.SshCertificateAuthority),
          db.ref("friendlyName").as("caName").withSchema(TableName.SshCertificateAuthority),
          db.ref("status").as("caStatus").withSchema(TableName.SshCertificateAuthority)
        )
        .first();
      return certTemplate;
    } catch (error) {
      throw new DatabaseError({ error, name: "Get SSH certificate template by name" });
    }
  };
  return { ...sshCertificateTemplateOrm, getById, getByName };
 };
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-schema.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-schema.ts
@ -0,0 +1,15 @@
 import { SshCertificateTemplatesSchema } from "@app/db/schemas";
 export const sanitizedSshCertificateTemplate = SshCertificateTemplatesSchema.pick({
  id: true,
  sshCaId: true,
  status: true,
  name: true,
  ttl: true,
  maxTTL: true,
  allowedUsers: true,
  allowedHosts: true,
  allowCustomKeyIds: true,
  allowUserCertificates: true,
  allowHostCertificates: true
 });
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
@ -0,0 +1,249 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TSshCertificateAuthorityDALFactory } from "../ssh/ssh-certificate-authority-dal";
 import { TSshCertificateTemplateDALFactory } from "./ssh-certificate-template-dal";
 import {
  SshCertTemplateStatus,
  TCreateSshCertTemplateDTO,
  TDeleteSshCertTemplateDTO,
  TGetSshCertTemplateDTO,
  TUpdateSshCertTemplateDTO
 } from "./ssh-certificate-template-types";
 type TSshCertificateTemplateServiceFactoryDep = {
  sshCertificateTemplateDAL: Pick<
    TSshCertificateTemplateDALFactory,
    "transaction" | "getByName" | "create" | "updateById" | "deleteById" | "getById"
  >;
  sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findById">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 export type TSshCertificateTemplateServiceFactory = ReturnType<typeof sshCertificateTemplateServiceFactory>;
 export const sshCertificateTemplateServiceFactory = ({
  sshCertificateTemplateDAL,
  sshCertificateAuthorityDAL,
  permissionService
 }: TSshCertificateTemplateServiceFactoryDep) => {
  const createSshCertTemplate = async ({
    sshCaId,
    name,
    ttl,
    maxTTL,
    allowUserCertificates,
    allowHostCertificates,
    allowedUsers,
    allowedHosts,
    allowCustomKeyIds,
    actorId,
    actorAuthMethod,
    actor,
    actorOrgId
  }: TCreateSshCertTemplateDTO) => {
    const ca = await sshCertificateAuthorityDAL.findById(sshCaId);
    if (!ca) {
      throw new NotFoundError({
        message: `SSH CA with ID ${sshCaId} not found`
      });
    }
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificateTemplates
    );
    if (ms(ttl) > ms(maxTTL)) {
      throw new BadRequestError({
        message: "TTL cannot be greater than max TTL"
      });
    }
    const newCertificateTemplate = await sshCertificateTemplateDAL.transaction(async (tx) => {
      const existingTemplate = await sshCertificateTemplateDAL.getByName(name, ca.projectId, tx);
      if (existingTemplate) {
        throw new BadRequestError({
          message: `SSH certificate template with name ${name} already exists`
        });
      }
      const certificateTemplate = await sshCertificateTemplateDAL.create(
        {
          sshCaId,
          name,
          ttl,
          maxTTL,
          allowUserCertificates,
          allowHostCertificates,
          allowedUsers,
          allowedHosts,
          allowCustomKeyIds,
          status: SshCertTemplateStatus.ACTIVE
        },
        tx
      );
      return certificateTemplate;
    });
    return { certificateTemplate: newCertificateTemplate, ca };
  };
  const updateSshCertTemplate = async ({
    id,
    status,
    name,
    ttl,
    maxTTL,
    allowUserCertificates,
    allowHostCertificates,
    allowedUsers,
    allowedHosts,
    allowCustomKeyIds,
    actorId,
    actorAuthMethod,
    actor,
    actorOrgId
  }: TUpdateSshCertTemplateDTO) => {
    const certTemplate = await sshCertificateTemplateDAL.getById(id);
    if (!certTemplate) {
      throw new NotFoundError({
        message: `SSH certificate template with ID ${id} not found`
      });
    }
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      ProjectPermissionSub.SshCertificateTemplates
    );
    const updatedCertificateTemplate = await sshCertificateTemplateDAL.transaction(async (tx) => {
      if (name) {
        const existingTemplate = await sshCertificateTemplateDAL.getByName(name, certTemplate.projectId, tx);
        if (existingTemplate && existingTemplate.id !== id) {
          throw new BadRequestError({
            message: `SSH certificate template with name ${name} already exists`
          });
        }
      }
      if (ms(ttl || certTemplate.ttl) > ms(maxTTL || certTemplate.maxTTL)) {
        throw new BadRequestError({
          message: "TTL cannot be greater than max TTL"
        });
      }
      const certificateTemplate = await sshCertificateTemplateDAL.updateById(
        id,
        {
          status,
          name,
          ttl,
          maxTTL,
          allowUserCertificates,
          allowHostCertificates,
          allowedUsers,
          allowedHosts,
          allowCustomKeyIds
        },
        tx
      );
      return certificateTemplate;
    });
    return {
      certificateTemplate: updatedCertificateTemplate,
      projectId: certTemplate.projectId
    };
  };
  const deleteSshCertTemplate = async ({
    id,
    actorId,
    actorAuthMethod,
    actor,
    actorOrgId
  }: TDeleteSshCertTemplateDTO) => {
    const certificateTemplate = await sshCertificateTemplateDAL.getById(id);
    if (!certificateTemplate) {
      throw new NotFoundError({
        message: `SSH certificate template with ID ${id} not found`
      });
    }
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: certificateTemplate.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SshCertificateTemplates
    );
    await sshCertificateTemplateDAL.deleteById(certificateTemplate.id);
    return certificateTemplate;
  };
  const getSshCertTemplate = async ({ id, actorId, actorAuthMethod, actor, actorOrgId }: TGetSshCertTemplateDTO) => {
    const certTemplate = await sshCertificateTemplateDAL.getById(id);
    if (!certTemplate) {
      throw new NotFoundError({
        message: `SSH certificate template with ID ${id} not found`
      });
    }
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
    );
    return certTemplate;
  };
  return {
    createSshCertTemplate,
    updateSshCertTemplate,
    deleteSshCertTemplate,
    getSshCertTemplate
  };
 };
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-types.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-types.ts
@ -0,0 +1,39 @@
 import { TProjectPermission } from "@app/lib/types";
 export enum SshCertTemplateStatus {
  ACTIVE = "active",
  DISABLED = "disabled"
 }
 export type TCreateSshCertTemplateDTO = {
  sshCaId: string;
  name: string;
  ttl: string;
  maxTTL: string;
  allowUserCertificates: boolean;
  allowHostCertificates: boolean;
  allowedUsers: string[];
  allowedHosts: string[];
  allowCustomKeyIds: boolean;
 } & Omit<TProjectPermission, "projectId">;
 export type TUpdateSshCertTemplateDTO = {
  id: string;
  status?: SshCertTemplateStatus;
  name?: string;
  ttl?: string;
  maxTTL?: string;
  allowUserCertificates?: boolean;
  allowHostCertificates?: boolean;
  allowedUsers?: string[];
  allowedHosts?: string[];
  allowCustomKeyIds?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 export type TGetSshCertTemplateDTO = {
  id: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TDeleteSshCertTemplateDTO = {
  id: string;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-validators.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-validators.ts
@ -0,0 +1,14 @@
 // Validates usernames or wildcard (*)
 export const isValidUserPattern = (value: string): boolean => {
  // Matches valid Linux usernames or a wildcard (*)
  const userRegex = /^(?:\*|[a-z_][a-z0-9_-]{0,31})$/;
  return userRegex.test(value);
 };
 // Validates hostnames, wildcard domains, or IP addresses
 export const isValidHostPattern = (value: string): boolean => {
  // Matches FQDNs, wildcard domains (*.example.com), IPv4, and IPv6 addresses
  const hostRegex =
    /^(?:\*|\*\.[a-z0-9-]+(?:\.[a-z0-9-]+)*|[a-z0-9-]+(?:\.[a-z0-9-]+)*|\d{1,3}(\.\d{1,3}){3}|([a-fA-F0-9:]+:+)+[a-fA-F0-9]+(?:%[a-zA-Z0-9]+)?)$/;
  return hostRegex.test(value);
 };
--- a/backend/src/ee/services/ssh-certificate/ssh-certificate-body-dal.ts
+++ b/backend/src/ee/services/ssh-certificate/ssh-certificate-body-dal.ts
@ -0,0 +1,10 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { ormify } from "@app/lib/knex";
 export type TSshCertificateBodyDALFactory = ReturnType<typeof sshCertificateBodyDALFactory>;
 export const sshCertificateBodyDALFactory = (db: TDbClient) => {
  const sshCertificateBodyOrm = ormify(db, TableName.SshCertificateBody);
  return sshCertificateBodyOrm;
 };
--- a/backend/src/ee/services/ssh-certificate/ssh-certificate-dal.ts
+++ b/backend/src/ee/services/ssh-certificate/ssh-certificate-dal.ts
@ -0,0 +1,38 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 export type TSshCertificateDALFactory = ReturnType<typeof sshCertificateDALFactory>;
 export const sshCertificateDALFactory = (db: TDbClient) => {
  const sshCertificateOrm = ormify(db, TableName.SshCertificate);
  const countSshCertificatesInProject = async (projectId: string) => {
    try {
      interface CountResult {
        count: string;
      }
      const query = db
        .replicaNode()(TableName.SshCertificate)
        .join(
          TableName.SshCertificateAuthority,
          `${TableName.SshCertificate}.sshCaId`,
          `${TableName.SshCertificateAuthority}.id`
        )
        .join(TableName.Project, `${TableName.SshCertificateAuthority}.projectId`, `${TableName.Project}.id`)
        .where(`${TableName.Project}.id`, projectId);
      const count = await query.count("*").first();
      return parseInt((count as unknown as CountResult).count || "0", 10);
    } catch (error) {
      throw new DatabaseError({ error, name: "Count all SSH certificates in project" });
    }
  };
  return {
    ...sshCertificateOrm,
    countSshCertificatesInProject
  };
 };
--- a/backend/src/ee/services/ssh-certificate/ssh-certificate-schema.ts
+++ b/backend/src/ee/services/ssh-certificate/ssh-certificate-schema.ts
@ -0,0 +1,14 @@
 import { SshCertificatesSchema } from "@app/db/schemas";
 export const sanitizedSshCertificate = SshCertificatesSchema.pick({
  id: true,
  sshCaId: true,
  sshCertificateTemplateId: true,
  serialNumber: true,
  certType: true,
  publicKey: true,
  principals: true,
  keyId: true,
  notBefore: true,
  notAfter: true
 });
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-dal.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-dal.ts
@ -0,0 +1,10 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { ormify } from "@app/lib/knex";
 export type TSshCertificateAuthorityDALFactory = ReturnType<typeof sshCertificateAuthorityDALFactory>;
 export const sshCertificateAuthorityDALFactory = (db: TDbClient) => {
  const sshCaOrm = ormify(db, TableName.SshCertificateAuthority);
  return sshCaOrm;
 };
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts
@ -0,0 +1,376 @@
 import { execFile } from "child_process";
 import crypto from "crypto";
 import { promises as fs } from "fs";
 import ms from "ms";
 import os from "os";
 import path from "path";
 import { promisify } from "util";
 import { TSshCertificateTemplates } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import {
  isValidHostPattern,
  isValidUserPattern
 } from "../ssh-certificate-template/ssh-certificate-template-validators";
 import { SshCertType, TCreateSshCertDTO } from "./ssh-certificate-authority-types";
 const execFileAsync = promisify(execFile);
 /* eslint-disable no-bitwise */
 export const createSshCertSerialNumber = () => {
  const randomBytes = crypto.randomBytes(8); // 8 bytes = 64 bits
  randomBytes[0] &= 0x7f; // Ensure the most significant bit is 0 (to stay within unsigned range)
  return BigInt(`0x${randomBytes.toString("hex")}`).toString(10); // Convert to decimal
 };
 /**
 * Return a pair of SSH CA keys based on the specified key algorithm [keyAlgorithm].
 * We use this function because the key format generated by `ssh-keygen` is unique.
 */
 export const createSshKeyPair = async (keyAlgorithm: CertKeyAlgorithm) => {
  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "ssh-key-"));
  const privateKeyFile = path.join(tempDir, "id_key");
  const publicKeyFile = `${privateKeyFile}.pub`;
  let keyType: string;
  let keyBits: string;
  switch (keyAlgorithm) {
    case CertKeyAlgorithm.RSA_2048:
      keyType = "rsa";
      keyBits = "2048";
      break;
    case CertKeyAlgorithm.RSA_4096:
      keyType = "rsa";
      keyBits = "4096";
      break;
    case CertKeyAlgorithm.ECDSA_P256:
      keyType = "ecdsa";
      keyBits = "256";
      break;
    case CertKeyAlgorithm.ECDSA_P384:
      keyType = "ecdsa";
      keyBits = "384";
      break;
    default:
      throw new BadRequestError({
        message: "Failed to produce SSH CA key pair generation command due to unrecognized key algorithm"
      });
  }
  try {
    // Generate the SSH key pair
    // The "-N ''" sets an empty passphrase
    // The keys are created in the temporary directory
    await execFileAsync("ssh-keygen", ["-t", keyType, "-b", keyBits, "-f", privateKeyFile, "-N", ""]);
    // Read the generated keys
    const publicKey = await fs.readFile(publicKeyFile, "utf8");
    const privateKey = await fs.readFile(privateKeyFile, "utf8");
    return { publicKey, privateKey };
  } finally {
    // Cleanup the temporary directory and all its contents
    await fs.rm(tempDir, { recursive: true, force: true }).catch(() => {});
  }
 };
 /**
 * Return the SSH public key for the given SSH private key.
 */
 export const getSshPublicKey = async (privateKey: string) => {
  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "ssh-key-"));
  const privateKeyFile = path.join(tempDir, "id_key");
  try {
    await fs.writeFile(privateKeyFile, privateKey, { mode: 0o600 });
    // Run ssh-keygen to extract the public key
    const { stdout } = await execFileAsync("ssh-keygen", ["-y", "-f", privateKeyFile], { encoding: "utf8" });
    return stdout.trim();
  } finally {
    // Ensure that files and the temporary directory are cleaned up
    await fs.rm(tempDir, { recursive: true, force: true }).catch(() => {});
  }
 };
 /**
 * Validate the requested SSH certificate type based on the SSH certificate template configuration.
 */
 export const validateSshCertificateType = (template: TSshCertificateTemplates, certType: SshCertType) => {
  if (!template.allowUserCertificates && certType === SshCertType.USER) {
    throw new BadRequestError({ message: "Failed to validate user certificate type due to template restriction" });
  }
  if (!template.allowHostCertificates && certType === SshCertType.HOST) {
    throw new BadRequestError({ message: "Failed to validate host certificate type due to template restriction" });
  }
 };
 /**
 * Validate the requested SSH certificate principals based on the SSH certificate template configuration.
 */
 export const validateSshCertificatePrincipals = (
  certType: SshCertType,
  template: TSshCertificateTemplates,
  principals: string[]
 ) => {
  /**
   * Validate and sanitize a principal string
   */
  const validatePrincipal = (principal: string) => {
    const sanitized = principal.trim();
    // basic checks for empty or control characters
    if (sanitized.length === 0) {
      throw new BadRequestError({
        message: "Principal cannot be an empty string."
      });
    }
    if (/\r|\n|\t|\0/.test(sanitized)) {
      throw new BadRequestError({
        message: `Principal '${sanitized}' contains invalid whitespace or control characters.`
      });
    }
    // disallow whitespace anywhere
    if (/\s/.test(sanitized)) {
      throw new BadRequestError({
        message: `Principal '${sanitized}' cannot contain whitespace.`
      });
    }
    // restrict allowed characters to letters, digits, dot, underscore, and hyphen
    if (!/^[A-Za-z0-9._-]+$/.test(sanitized)) {
      throw new BadRequestError({
        message: `Principal '${sanitized}' contains invalid characters. Allowed: alphanumeric, '.', '_', '-'.`
      });
    }
    // disallow leading hyphen to avoid potential argument-like inputs
    if (sanitized.startsWith("-")) {
      throw new BadRequestError({
        message: `Principal '${sanitized}' cannot start with a hyphen.`
      });
    }
    // length restriction (adjust as needed)
    if (sanitized.length > 64) {
      throw new BadRequestError({
        message: `Principal '${sanitized}' is too long.`
      });
    }
    return sanitized;
  };
  // Sanitize and validate all principals using the helper
  const sanitizedPrincipals = principals.map(validatePrincipal);
  switch (certType) {
    case SshCertType.USER: {
      if (template.allowedUsers.length === 0) {
        throw new BadRequestError({
          message: "No allowed users are configured in the SSH certificate template."
        });
      }
      const allowsAllUsers = template.allowedUsers.includes("*") ?? false;
      sanitizedPrincipals.forEach((principal) => {
        if (principal === "*") {
          throw new BadRequestError({
            message: `Principal '*' is not allowed for user certificates.`
          });
        }
        if (allowsAllUsers && !isValidUserPattern(principal)) {
          throw new BadRequestError({
            message: `Principal '${principal}' does not match a valid user pattern.`
          });
        }
        if (!allowsAllUsers && !template.allowedUsers.includes(principal)) {
          throw new BadRequestError({
            message: `Principal '${principal}' is not in the list of allowed users.`
          });
        }
      });
      break;
    }
    case SshCertType.HOST: {
      if (template.allowedHosts.length === 0) {
        throw new BadRequestError({
          message: "No allowed hosts are configured in the SSH certificate template."
        });
      }
      const allowsAllHosts = template.allowedHosts.includes("*") ?? false;
      sanitizedPrincipals.forEach((principal) => {
        if (principal.includes("*")) {
          throw new BadRequestError({
            message: `Principal '${principal}' with wildcards is not allowed for host certificates.`
          });
        }
        if (allowsAllHosts && !isValidHostPattern(principal)) {
          throw new BadRequestError({
            message: `Principal '${principal}' does not match a valid host pattern.`
          });
        }
        if (
          !allowsAllHosts &&
          !template.allowedHosts.some((allowedHost) => {
            if (allowedHost.startsWith("*.")) {
              const baseDomain = allowedHost.slice(2); // Remove the leading "*."
              return principal.endsWith(`.${baseDomain}`);
            }
            return principal === allowedHost;
          })
        ) {
          throw new BadRequestError({
            message: `Principal '${principal}' is not in the list of allowed hosts or domains.`
          });
        }
      });
      break;
    }
    default:
      throw new BadRequestError({
        message: "Failed to validate SSH certificate principals due to unrecognized requested certificate type"
      });
  }
 };
 /**
 * Validate the requested SSH certificate TTL based on the SSH certificate template configuration.
 */
 export const validateSshCertificateTtl = (template: TSshCertificateTemplates, ttl?: string) => {
  if (!ttl) {
    // use default template ttl
    return Math.ceil(ms(template.ttl) / 1000);
  }
  if (ms(ttl) > ms(template.maxTTL)) {
    throw new BadRequestError({
      message: "Failed TTL validation due to TTL being greater than configured max TTL on template"
    });
  }
  return Math.ceil(ms(ttl) / 1000);
 };
 /**
 * Validate the requested SSH certificate key ID to ensure
 * that it only contains alphanumeric characters with no spaces.
 */
 export const validateSshCertificateKeyId = (keyId: string) => {
  const regex = /^[A-Za-z0-9-]+$/;
  if (!regex.test(keyId)) {
    throw new BadRequestError({
      message:
        "Failed to validate Key ID because it can only contain alphanumeric characters and hyphens, with no spaces."
    });
  }
  if (keyId.length > 50) {
    throw new BadRequestError({
      message: "keyId can only be up to 50 characters long."
    });
  }
 };
 /**
 * Validate the format of the SSH public key
 */
 const validateSshPublicKey = async (publicKey: string) => {
  const validPrefixes = ["ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"];
  const startsWithValidPrefix = validPrefixes.some((prefix) => publicKey.startsWith(`${prefix} `));
  if (!startsWithValidPrefix) {
    throw new BadRequestError({ message: "Failed to validate SSH public key format: unsupported key type." });
  }
  // write the key to a temp file and run `ssh-keygen -l -f`
  // check to see if OpenSSH can read/interpret the public key
  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "ssh-pubkey-"));
  const pubKeyFile = path.join(tempDir, "key.pub");
  try {
    await fs.writeFile(pubKeyFile, publicKey, { mode: 0o600 });
    await execFileAsync("ssh-keygen", ["-l", "-f", pubKeyFile]);
  } catch (error) {
    throw new BadRequestError({
      message: "Failed to validate SSH public key format: could not be parsed."
    });
  } finally {
    await fs.rm(tempDir, { recursive: true, force: true }).catch(() => {});
  }
 };
 /**
 * Create an SSH certificate for a user or host.
 */
 export const createSshCert = async ({
  template,
  caPrivateKey,
  clientPublicKey,
  keyId,
  principals,
  requestedTtl,
  certType
 }: TCreateSshCertDTO) => {
  // validate if the requested [certType] is allowed under the template configuration
  validateSshCertificateType(template, certType);
  // validate if the requested [principals] are valid for the given [certType] under the template configuration
  validateSshCertificatePrincipals(certType, template, principals);
  // validate if the requested TTL is valid under the template configuration
  const ttl = validateSshCertificateTtl(template, requestedTtl);
  validateSshCertificateKeyId(keyId);
  await validateSshPublicKey(clientPublicKey);
  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "ssh-cert-"));
  const publicKeyFile = path.join(tempDir, "user_key.pub");
  const privateKeyFile = path.join(tempDir, "ca_key");
  const signedPublicKeyFile = path.join(tempDir, "user_key-cert.pub");
  const serialNumber = createSshCertSerialNumber();
  // Build `ssh-keygen` arguments for signing
  // Using an array avoids shell injection issues
  const sshKeygenArgs = [
    certType === "host" ? "-h" : null, // host certificate if needed
    "-s",
    privateKeyFile, // path to SSH CA private key
    "-I",
    keyId, // identity (key ID)
    "-n",
    principals.join(","), // principals
    "-V",
    `+${ttl}s`, // validity (TTL in seconds)
    "-z",
    serialNumber, // serial number
    publicKeyFile // public key file to sign
  ].filter(Boolean) as string[];
  try {
    // Write public and private keys to the temp directory
    await fs.writeFile(publicKeyFile, clientPublicKey, { mode: 0o600 });
    await fs.writeFile(privateKeyFile, caPrivateKey, { mode: 0o600 });
    // Execute the signing process
    await execFileAsync("ssh-keygen", sshKeygenArgs, { encoding: "utf8" });
    // Read the signed public key from the generated cert file
    const signedPublicKey = await fs.readFile(signedPublicKeyFile, "utf8");
    return { serialNumber, signedPublicKey, ttl };
  } finally {
    // Cleanup the temporary directory and all its contents
    await fs.rm(tempDir, { recursive: true, force: true }).catch(() => {});
  }
 };
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-schema.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-schema.ts
@ -0,0 +1,9 @@
 import { SshCertificateAuthoritiesSchema } from "@app/db/schemas";
 export const sanitizedSshCa = SshCertificateAuthoritiesSchema.pick({
  id: true,
  projectId: true,
  friendlyName: true,
  status: true,
  keyAlgorithm: true
 });
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-secret-dal.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-secret-dal.ts
@ -0,0 +1,10 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { ormify } from "@app/lib/knex";
 export type TSshCertificateAuthoritySecretDALFactory = ReturnType<typeof sshCertificateAuthoritySecretDALFactory>;
 export const sshCertificateAuthoritySecretDALFactory = (db: TDbClient) => {
  const sshCaSecretOrm = ormify(db, TableName.SshCertificateAuthoritySecret);
  return sshCaSecretOrm;
 };
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
@ -0,0 +1,523 @@
 import { ForbiddenError } from "@casl/ability";
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
 import { TSshCertificateAuthoritySecretDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-secret-dal";
 import { TSshCertificateBodyDALFactory } from "@app/ee/services/ssh-certificate/ssh-certificate-body-dal";
 import { TSshCertificateDALFactory } from "@app/ee/services/ssh-certificate/ssh-certificate-dal";
 import { TSshCertificateTemplateDALFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-dal";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { SshCertTemplateStatus } from "../ssh-certificate-template/ssh-certificate-template-types";
 import { createSshCert, createSshKeyPair, getSshPublicKey } from "./ssh-certificate-authority-fns";
 import {
  SshCaStatus,
  TCreateSshCaDTO,
  TDeleteSshCaDTO,
  TGetSshCaCertificateTemplatesDTO,
  TGetSshCaDTO,
  TGetSshCaPublicKeyDTO,
  TIssueSshCredsDTO,
  TSignSshKeyDTO,
  TUpdateSshCaDTO
 } from "./ssh-certificate-authority-types";
 type TSshCertificateAuthorityServiceFactoryDep = {
  sshCertificateAuthorityDAL: Pick<
    TSshCertificateAuthorityDALFactory,
    "transaction" | "create" | "findById" | "updateById" | "deleteById" | "findOne"
  >;
  sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "create" | "findOne">;
  sshCertificateTemplateDAL: Pick<TSshCertificateTemplateDALFactory, "find" | "getById">;
  sshCertificateDAL: Pick<TSshCertificateDALFactory, "create" | "transaction">;
  sshCertificateBodyDAL: Pick<TSshCertificateBodyDALFactory, "create">;
  kmsService: Pick<
    TKmsServiceFactory,
    "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey" | "getOrgKmsKeyId" | "createCipherPairWithDataKey"
  >;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 export type TSshCertificateAuthorityServiceFactory = ReturnType<typeof sshCertificateAuthorityServiceFactory>;
 export const sshCertificateAuthorityServiceFactory = ({
  sshCertificateAuthorityDAL,
  sshCertificateAuthoritySecretDAL,
  sshCertificateTemplateDAL,
  sshCertificateDAL,
  sshCertificateBodyDAL,
  kmsService,
  permissionService
 }: TSshCertificateAuthorityServiceFactoryDep) => {
  /**
   * Generates a new SSH CA
   */
  const createSshCa = async ({
    projectId,
    friendlyName,
    keyAlgorithm,
    actorId,
    actorAuthMethod,
    actor,
    actorOrgId
  }: TCreateSshCaDTO) => {
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificateAuthorities
    );
    const newCa = await sshCertificateAuthorityDAL.transaction(async (tx) => {
      const ca = await sshCertificateAuthorityDAL.create(
        {
          projectId,
          friendlyName,
          status: SshCaStatus.ACTIVE,
          keyAlgorithm
        },
        tx
      );
      const { publicKey, privateKey } = await createSshKeyPair(keyAlgorithm);
      const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
        type: KmsDataKey.SecretManager,
        projectId
      });
      await sshCertificateAuthoritySecretDAL.create(
        {
          sshCaId: ca.id,
          encryptedPrivateKey: secretManagerEncryptor({ plainText: Buffer.from(privateKey, "utf8") }).cipherTextBlob
        },
        tx
      );
      return { ...ca, publicKey };
    });
    return newCa;
  };
  /**
   * Return SSH CA with id [caId]
   */
  const getSshCaById = async ({ caId, actor, actorId, actorAuthMethod, actorOrgId }: TGetSshCaDTO) => {
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateAuthorities
    );
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: ca.id });
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: ca.projectId
    });
    const decryptedCaPrivateKey = secretManagerDecryptor({
      cipherTextBlob: sshCaSecret.encryptedPrivateKey
    });
    const publicKey = await getSshPublicKey(decryptedCaPrivateKey.toString("utf-8"));
    return { ...ca, publicKey };
  };
  /**
   * Return public key of SSH CA with id [caId]
   */
  const getSshCaPublicKey = async ({ caId }: TGetSshCaPublicKeyDTO) => {
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: ca.id });
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: ca.projectId
    });
    const decryptedCaPrivateKey = secretManagerDecryptor({
      cipherTextBlob: sshCaSecret.encryptedPrivateKey
    });
    const publicKey = await getSshPublicKey(decryptedCaPrivateKey.toString("utf-8"));
    return publicKey;
  };
  /**
   * Update SSH CA with id [caId]
   * Note: Used to enable/disable CA
   */
  const updateSshCaById = async ({
    caId,
    friendlyName,
    status,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TUpdateSshCaDTO) => {
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      ProjectPermissionSub.SshCertificateAuthorities
    );
    const updatedCa = await sshCertificateAuthorityDAL.updateById(caId, { friendlyName, status });
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: ca.id });
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: ca.projectId
    });
    const decryptedCaPrivateKey = secretManagerDecryptor({
      cipherTextBlob: sshCaSecret.encryptedPrivateKey
    });
    const publicKey = await getSshPublicKey(decryptedCaPrivateKey.toString("utf-8"));
    return { ...updatedCa, publicKey };
  };
  /**
   * Delete SSH CA with id [caId]
   */
  const deleteSshCaById = async ({ caId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteSshCaDTO) => {
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
      ProjectPermissionSub.SshCertificateAuthorities
    );
    const deletedCa = await sshCertificateAuthorityDAL.deleteById(caId);
    return deletedCa;
  };
  /**
   * Return SSH certificate and corresponding new SSH public-private key pair where
   * SSH public key is signed using CA behind SSH certificate with name [templateName].
   */
  const issueSshCreds = async ({
    certificateTemplateId,
    keyAlgorithm,
    certType,
    principals,
    ttl: requestedTtl,
    keyId: requestedKeyId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TIssueSshCredsDTO) => {
    const sshCertificateTemplate = await sshCertificateTemplateDAL.getById(certificateTemplateId);
    if (!sshCertificateTemplate) {
      throw new NotFoundError({
        message: "No SSH certificate template found with specified name"
      });
    }
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificates
    );
    if (sshCertificateTemplate.caStatus === SshCaStatus.DISABLED) {
      throw new BadRequestError({
        message: "SSH CA is disabled"
      });
    }
    if (sshCertificateTemplate.status === SshCertTemplateStatus.DISABLED) {
      throw new BadRequestError({
        message: "SSH certificate template is disabled"
      });
    }
    // set [keyId] depending on if [allowCustomKeyIds] is true or false
    const keyId = sshCertificateTemplate.allowCustomKeyIds
      ? requestedKeyId ?? `${actor}-${actorId}`
      : `${actor}-${actorId}`;
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: sshCertificateTemplate.sshCaId });
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: sshCertificateTemplate.projectId
    });
    const decryptedCaPrivateKey = secretManagerDecryptor({
      cipherTextBlob: sshCaSecret.encryptedPrivateKey
    });
    // create user key pair
    const { publicKey, privateKey } = await createSshKeyPair(keyAlgorithm);
    const { serialNumber, signedPublicKey, ttl } = await createSshCert({
      template: sshCertificateTemplate,
      caPrivateKey: decryptedCaPrivateKey.toString("utf8"),
      clientPublicKey: publicKey,
      keyId,
      principals,
      requestedTtl,
      certType
    });
    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: sshCertificateTemplate.projectId
    });
    const encryptedCertificate = secretManagerEncryptor({
      plainText: Buffer.from(signedPublicKey, "utf8")
    }).cipherTextBlob;
    await sshCertificateDAL.transaction(async (tx) => {
      const cert = await sshCertificateDAL.create(
        {
          sshCaId: sshCertificateTemplate.sshCaId,
          sshCertificateTemplateId: sshCertificateTemplate.id,
          serialNumber,
          certType,
          principals,
          keyId,
          notBefore: new Date(),
          notAfter: new Date(Date.now() + ttl * 1000)
        },
        tx
      );
      await sshCertificateBodyDAL.create(
        {
          sshCertId: cert.id,
          encryptedCertificate
        },
        tx
      );
    });
    return {
      serialNumber,
      signedPublicKey,
      privateKey,
      publicKey,
      certificateTemplate: sshCertificateTemplate,
      ttl,
      keyId
    };
  };
  /**
   * Return SSH certificate by signing SSH public key [publicKey]
   * using CA behind SSH certificate template with name [templateName]
   */
  const signSshKey = async ({
    certificateTemplateId,
    publicKey,
    certType,
    principals,
    ttl: requestedTtl,
    keyId: requestedKeyId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TSignSshKeyDTO) => {
    const sshCertificateTemplate = await sshCertificateTemplateDAL.getById(certificateTemplateId);
    if (!sshCertificateTemplate) {
      throw new NotFoundError({
        message: "No SSH certificate template found with specified name"
      });
    }
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
      ProjectPermissionSub.SshCertificates
    );
    if (sshCertificateTemplate.caStatus === SshCaStatus.DISABLED) {
      throw new BadRequestError({
        message: "SSH CA is disabled"
      });
    }
    if (sshCertificateTemplate.status === SshCertTemplateStatus.DISABLED) {
      throw new BadRequestError({
        message: "SSH certificate template is disabled"
      });
    }
    // set [keyId] depending on if [allowCustomKeyIds] is true or false
    const keyId = sshCertificateTemplate.allowCustomKeyIds
      ? requestedKeyId ?? `${actor}-${actorId}`
      : `${actor}-${actorId}`;
    const sshCaSecret = await sshCertificateAuthoritySecretDAL.findOne({ sshCaId: sshCertificateTemplate.sshCaId });
    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: sshCertificateTemplate.projectId
    });
    const decryptedCaPrivateKey = secretManagerDecryptor({
      cipherTextBlob: sshCaSecret.encryptedPrivateKey
    });
    const { serialNumber, signedPublicKey, ttl } = await createSshCert({
      template: sshCertificateTemplate,
      caPrivateKey: decryptedCaPrivateKey.toString("utf8"),
      clientPublicKey: publicKey,
      keyId,
      principals,
      requestedTtl,
      certType
    });
    const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.SecretManager,
      projectId: sshCertificateTemplate.projectId
    });
    const encryptedCertificate = secretManagerEncryptor({
      plainText: Buffer.from(signedPublicKey, "utf8")
    }).cipherTextBlob;
    await sshCertificateDAL.transaction(async (tx) => {
      const cert = await sshCertificateDAL.create(
        {
          sshCaId: sshCertificateTemplate.sshCaId,
          sshCertificateTemplateId: sshCertificateTemplate.id,
          serialNumber,
          certType,
          principals,
          keyId,
          notBefore: new Date(),
          notAfter: new Date(Date.now() + ttl * 1000)
        },
        tx
      );
      await sshCertificateBodyDAL.create(
        {
          sshCertId: cert.id,
          encryptedCertificate
        },
        tx
      );
    });
    return { serialNumber, signedPublicKey, certificateTemplate: sshCertificateTemplate, ttl, keyId };
  };
  const getSshCaCertificateTemplates = async ({
    caId,
    actor,
    actorId,
    actorAuthMethod,
    actorOrgId
  }: TGetSshCaCertificateTemplatesDTO) => {
    const ca = await sshCertificateAuthorityDAL.findById(caId);
    if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
      actorOrgId,
      actionProjectType: ActionProjectType.SSH
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Read,
      ProjectPermissionSub.SshCertificateTemplates
    );
    const certificateTemplates = await sshCertificateTemplateDAL.find({ sshCaId: caId });
    return {
      certificateTemplates,
      ca
    };
  };
  return {
    issueSshCreds,
    signSshKey,
    createSshCa,
    getSshCaById,
    getSshCaPublicKey,
    updateSshCaById,
    deleteSshCaById,
    getSshCaCertificateTemplates
  };
 };
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-types.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-types.ts
@ -0,0 +1,68 @@
 import { TSshCertificateTemplates } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 export enum SshCaStatus {
  ACTIVE = "active",
  DISABLED = "disabled"
 }
 export enum SshCertType {
  USER = "user",
  HOST = "host"
 }
 export type TCreateSshCaDTO = {
  friendlyName: string;
  keyAlgorithm: CertKeyAlgorithm;
 } & TProjectPermission;
 export type TGetSshCaDTO = {
  caId: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TGetSshCaPublicKeyDTO = {
  caId: string;
 };
 export type TUpdateSshCaDTO = {
  caId: string;
  friendlyName?: string;
  status?: SshCaStatus;
 } & Omit<TProjectPermission, "projectId">;
 export type TDeleteSshCaDTO = {
  caId: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TIssueSshCredsDTO = {
  certificateTemplateId: string;
  keyAlgorithm: CertKeyAlgorithm;
  certType: SshCertType;
  principals: string[];
  ttl?: string;
  keyId?: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TSignSshKeyDTO = {
  certificateTemplateId: string;
  publicKey: string;
  certType: SshCertType;
  principals: string[];
  ttl?: string;
  keyId?: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TGetSshCaCertificateTemplatesDTO = {
  caId: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TCreateSshCertDTO = {
  template: TSshCertificateTemplates;
  caPrivateKey: string;
  clientPublicKey: string;
  keyId: string;
  principals: string[];
  requestedTtl?: string;
  certType: SshCertType;
 };
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@ -1,5 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectPermission } from "@app/lib/types";
@ -27,13 +28,14 @@ export const trustedIpServiceFactory = ({
  projectDAL
 }: TTrustedIpServiceFactoryDep) => {
  const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
      projectId
@ -51,13 +53,14 @@ export const trustedIpServiceFactory = ({
    comment,
    isActive
  }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
@ -96,13 +99,14 @@ export const trustedIpServiceFactory = ({
    comment,
    trustedIpId
  }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
@ -141,13 +145,14 @@ export const trustedIpServiceFactory = ({
    actorAuthMethod,
    trustedIpId
  }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId
+      actorOrgId,
-    );
+      actionProjectType: ActionProjectType.Any
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
    const project = await projectDAL.findById(projectId);
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@ -23,6 +23,8 @@ export const KeyStorePrefixes = {
    `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
  SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
    `sync-integration-last-run-${projectId}-${environmentSlug}-${secretPath}` as const,
  SecretSyncLock: (syncId: string) => `secret-sync-mutex-${syncId}` as const,
  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
  IdentityAccessTokenStatusUpdate: (identityAccessTokenId: string) =>
    `identity-access-token-status:${identityAccessTokenId}`,
  ServiceTokenStatusUpdate: (serviceTokenId: string) => `service-token-status:${serviceTokenId}`
@ -30,6 +32,7 @@ export const KeyStorePrefixes = {
 export const KeyStoreTtls = {
  SetSyncSecretIntegrationLastRunTimestampInSeconds: 60,
  SetSecretSyncLastRunTimestampInSeconds: 60,
  AccessTokenStatusUpdateInSeconds: 120
 };
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -1,3 +1,8 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "@app/services/app-connection/app-connection-maps";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_CONNECTION_MAP, SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 export const GROUPS = {
  CREATE: {
    name: "The name of the group to create.",
@ -471,7 +476,7 @@ export const PROJECTS = {
  },
  ADD_GROUP_TO_PROJECT: {
    projectId: "The ID of the project to add the group to.",
-    groupId: "The ID of the group to add to the project.",
+    groupIdOrName: "The ID or name of the group to add to the project.",
    role: "The role for the group to assume in the project."
  },
  UPDATE_GROUP_IN_PROJECT: {
@ -492,6 +497,17 @@ export const PROJECTS = {
  LIST_INTEGRATION_AUTHORIZATION: {
    workspaceId: "The ID of the project to list integration auths for."
  },
  LIST_SSH_CAS: {
    projectId: "The ID of the project to list SSH CAs for."
  },
  LIST_SSH_CERTIFICATES: {
    projectId: "The ID of the project to list SSH certificates for.",
    offset: "The offset to start from. If you enter 10, it will start from the 10th SSH certificate.",
    limit: "The number of SSH certificates to return."
  },
  LIST_SSH_CERTIFICATE_TEMPLATES: {
    projectId: "The ID of the project to list SSH certificate templates for."
  },
  LIST_CAS: {
    slug: "The slug of the project to list CAs for.",
    status: "The status of the CA to filter by.",
@ -727,6 +743,12 @@ export const RAW_SECRETS = {
    workspaceId: "The ID of the project where the secret is located.",
    environment: "The slug of the environment where the the secret is located.",
    secretPath: "The folder path where the secret is located."
  },
  GET_ACCESS_LIST: {
    secretName: "The name of the secret to get the access list for.",
    workspaceId: "The ID of the project where the secret is located.",
    environment: "The slug of the environment where the the secret is located.",
    secretPath: "The folder path where the secret is located."
  }
 } as const;
@ -1126,6 +1148,7 @@ export const INTEGRATION = {
      shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
      secretGCPLabel: "The label for GCP secrets.",
      secretAWSTag: "The tags for AWS secrets.",
      azureLabel: "Define which label to assign to secrets created in Azure App Configuration.",
      githubVisibility:
        "Define where the secrets from the Github Integration should be visible. Option 'selected' lets you directly define which repositories to sync secrets to.",
      githubVisibilityRepoIds:
@ -1135,7 +1158,8 @@ export const INTEGRATION = {
      shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
      shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
      shouldEnableDelete: "The flag to enable deletion of secrets.",
-      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy.",
      metadataSyncMode: "The mode for syncing metadata to external system"
    }
  },
  UPDATE: {
@ -1186,6 +1210,84 @@ export const AUDIT_LOG_STREAMS = {
  }
 };
 export const SSH_CERTIFICATE_AUTHORITIES = {
  CREATE: {
    projectId: "The ID of the project to create the SSH CA in.",
    friendlyName: "A friendly name for the SSH CA.",
    keyAlgorithm: "The type of public key algorithm and size, in bits, of the key pair for the SSH CA."
  },
  GET: {
    sshCaId: "The ID of the SSH CA to get."
  },
  GET_PUBLIC_KEY: {
    sshCaId: "The ID of the SSH CA to get the public key for."
  },
  UPDATE: {
    sshCaId: "The ID of the SSH CA to update.",
    friendlyName: "A friendly name for the SSH CA to update to.",
    status: "The status of the SSH CA to update to. This can be one of active or disabled."
  },
  DELETE: {
    sshCaId: "The ID of the SSH CA to delete."
  },
  GET_CERTIFICATE_TEMPLATES: {
    sshCaId: "The ID of the SSH CA to get the certificate templates for."
  },
  SIGN_SSH_KEY: {
    certificateTemplateId: "The ID of the SSH certificate template to sign the SSH public key with.",
    publicKey: "The SSH public key to sign.",
    certType: "The type of certificate to issue. This can be one of user or host.",
    principals: "The list of principals (usernames, hostnames) to include in the certificate.",
    ttl: "The time to live for the certificate such as 1m, 1h, 1d, ... If not specified, the default TTL for the template will be used.",
    keyId: "The key ID to include in the certificate. If not specified, a default key ID will be generated.",
    serialNumber: "The serial number of the issued SSH certificate.",
    signedKey: "The SSH certificate or signed SSH public key."
  },
  ISSUE_SSH_CREDENTIALS: {
    certificateTemplateId: "The ID of the SSH certificate template to issue the SSH credentials with.",
    keyAlgorithm: "The type of public key algorithm and size, in bits, of the key pair for the SSH CA.",
    certType: "The type of certificate to issue. This can be one of user or host.",
    principals: "The list of principals (usernames, hostnames) to include in the certificate.",
    ttl: "The time to live for the certificate such as 1m, 1h, 1d, ... If not specified, the default TTL for the template will be used.",
    keyId: "The key ID to include in the certificate. If not specified, a default key ID will be generated.",
    serialNumber: "The serial number of the issued SSH certificate.",
    signedKey: "The SSH certificate or signed SSH public key.",
    privateKey: "The private key corresponding to the issued SSH certificate.",
    publicKey: "The public key of the issued SSH certificate."
  }
 };
 export const SSH_CERTIFICATE_TEMPLATES = {
  GET: {
    certificateTemplateId: "The ID of the SSH certificate template to get."
  },
  CREATE: {
    sshCaId: "The ID of the SSH CA to associate the certificate template with.",
    name: "The name of the certificate template.",
    ttl: "The default time to live for issued certificates such as 1m, 1h, 1d, 1y, ...",
    maxTTL: "The maximum time to live for issued certificates such as 1m, 1h, 1d, 1y, ...",
    allowedUsers: "The list of allowed users for certificates issued under this template.",
    allowedHosts: "The list of allowed hosts for certificates issued under this template.",
    allowUserCertificates: "Whether or not to allow user certificates to be issued under this template.",
    allowHostCertificates: "Whether or not to allow host certificates to be issued under this template.",
    allowCustomKeyIds: "Whether or not to allow custom key IDs for certificates issued under this template."
  },
  UPDATE: {
    certificateTemplateId: "The ID of the SSH certificate template to update.",
    name: "The name of the certificate template.",
    ttl: "The default time to live for issued certificates such as 1m, 1h, 1d, 1y, ...",
    maxTTL: "The maximum time to live for issued certificates such as 1m, 1h, 1d, 1y, ...",
    allowedUsers: "The list of allowed users for certificates issued under this template.",
    allowedHosts: "The list of allowed hosts for certificates issued under this template.",
    allowUserCertificates: "Whether or not to allow user certificates to be issued under this template.",
    allowHostCertificates: "Whether or not to allow host certificates to be issued under this template.",
    allowCustomKeyIds: "Whether or not to allow custom key IDs for certificates issued under this template."
  },
  DELETE: {
    certificateTemplateId: "The ID of the SSH certificate template to delete."
  }
 };
 export const CERTIFICATE_AUTHORITIES = {
  CREATE: {
    projectSlug: "Slug of the project to create the CA in.",
@ -1515,3 +1617,111 @@ export const ProjectTemplates = {
    templateId: "The ID of the project template to be deleted."
  }
 };
 export const AppConnections = {
  GET_BY_ID: (app: AppConnection) => ({
    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`
  }),
  GET_BY_NAME: (app: AppConnection) => ({
    connectionName: `The name of the ${APP_CONNECTION_NAME_MAP[app]} Connection to retrieve.`
  }),
  CREATE: (app: AppConnection) => {
    const appName = APP_CONNECTION_NAME_MAP[app];
    return {
      name: `The name of the ${appName} Connection to create. Must be slug-friendly.`,
      description: `An optional description for the ${appName} Connection.`,
      credentials: `The credentials used to connect with ${appName}.`,
      method: `The method used to authenticate with ${appName}.`
    };
  },
  UPDATE: (app: AppConnection) => {
    const appName = APP_CONNECTION_NAME_MAP[app];
    return {
      connectionId: `The ID of the ${appName} Connection to be updated.`,
      name: `The updated name of the ${appName} Connection. Must be slug-friendly.`,
      description: `The updated description of the ${appName} Connection.`,
      credentials: `The credentials used to connect with ${appName}.`,
      method: `The method used to authenticate with ${appName}.`
    };
  },
  DELETE: (app: AppConnection) => ({
    connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
  })
 };
 export const SecretSyncs = {
  LIST: (destination?: SecretSync) => ({
    projectId: `The ID of the project to list ${destination ? SECRET_SYNC_NAME_MAP[destination] : "Secret"} Syncs from.`
  }),
  GET_BY_ID: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`
  }),
  GET_BY_NAME: (destination: SecretSync) => ({
    syncName: `The name of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to retrieve.`,
    projectId: `The ID of the project the ${SECRET_SYNC_NAME_MAP[destination]} Sync is associated with.`
  }),
  CREATE: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
      name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
      description: `An optional description for the ${destinationName} Sync.`,
      projectId: "The ID of the project to create the sync in.",
      environment: `The slug of the project environment to sync secrets from.`,
      secretPath: `The folder path to sync secrets from.`,
      connectionId: `The ID of the ${
        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
      } Connection to use for syncing.`,
      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
      syncOptions: "Optional parameters to modify how secrets are synced."
    };
  },
  UPDATE: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
      syncId: `The ID of the ${destinationName} Sync to be updated.`,
      connectionId: `The updated ID of the ${
        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
      } Connection to use for syncing.`,
      name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
      environment: `The updated slug of the project environment to sync secrets from.`,
      secretPath: `The updated folder path to sync secrets from.`,
      description: `The updated description of the ${destinationName} Sync.`,
      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
      syncOptions: "Optional parameters to modify how secrets are synced."
    };
  },
  DELETE: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`,
    removeSecrets: `Whether previously synced secrets should be removed prior to deletion.`
  }),
  SYNC_SECRETS: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
  }),
  IMPORT_SECRETS: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger importing secrets for.`,
    importBehavior: `Specify whether Infisical should prioritize secret values from Infisical or ${SECRET_SYNC_NAME_MAP[destination]}.`
  }),
  REMOVE_SECRETS: (destination: SecretSync) => ({
    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger removing secrets for.`
  }),
  SYNC_OPTIONS: (destination: SecretSync) => {
    const destinationName = SECRET_SYNC_NAME_MAP[destination];
    return {
      INITIAL_SYNC_BEHAVIOR: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
      PREPEND_PREFIX: `Optionally prepend a prefix to your secrets' keys when syncing to ${destinationName}.`,
      APPEND_SUFFIX: `Optionally append a suffix to your secrets' keys when syncing to ${destinationName}.`
    };
  },
  DESTINATION_CONFIG: {
    AWS_PARAMETER_STORE: {
      REGION: "The AWS region to sync secrets to.",
      PATH: "The Parameter Store path to sync secrets to."
    },
    GITHUB: {
      ORG: "The name of the GitHub organization.",
      OWNER: "The name of the GitHub account owner of the repository.",
      REPO: "The name of the GitHub repository.",
      ENV: "The name of the GitHub environment."
    }
  }
 };
--- a/Show More
+++ b/Show More