Merge pull request #3503 from Infisical/feat/add-support-for-eddsa-jwt-alg

feat: add support for eddsa jwt alg for oidc

.github/workflows/release-k8-operator-helm.yml

@@ -0,0 +1,27 @@
+name: Release K8 Operator Helm Chart
+on:
+    workflow_dispatch:
+
+jobs:
+    release-helm:
+        name: Release Helm Chart
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v2
+
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
+
+            - name: Install python
+              uses: actions/setup-python@v4
+
+            - name: Install Cloudsmith CLI
+              run: pip install --upgrade cloudsmith-cli
+
+            - name: Build and push helm package to CloudSmith
+              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_build_infisical_cli.yml

@@ -1,132 +1,153 @@
 name: Build and release CLI
 
 on:
-    workflow_dispatch:
+  workflow_dispatch:
 
-    push:
+  push:
-        # run only against tags
+    # run only against tags
-        tags:
+    tags:
-            - "infisical-cli/v*.*.*"
+      - "infisical-cli/v*.*.*"
 
 permissions:
-    contents: write
+  contents: write
 
 jobs:
-    cli-integration-tests:
+  cli-integration-tests:
-        name: Run tests before deployment
+    name: Run tests before deployment
-        uses: ./.github/workflows/run-cli-tests.yml
+    uses: ./.github/workflows/run-cli-tests.yml
-        secrets:
+    secrets:
-            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
-    npm-release:
+  npm-release:
-        runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./npm
+    needs:
+      - cli-integration-tests
+      - goreleaser
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        run: |
+          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+          echo "Version extracted: $VERSION"
+          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Print version
+        run: echo ${{ env.CLI_VERSION }}
+
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: ./npm/package-lock.json
+      - name: Install dependencies
+        working-directory: ${{ env.working-directory }}
+        run: npm install --ignore-scripts
+
+      - name: Set NPM version
+        working-directory: ${{ env.working-directory }}
+        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+      - name: Setup NPM
+        working-directory: ${{ env.working-directory }}
+        run: |
+          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
         env:
-            working-directory: ./npm
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-        needs:
-            - cli-integration-tests
-            - goreleaser
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
 
-            - name: Extract version
+      - name: Pack NPM
-              run: |
+        working-directory: ${{ env.working-directory }}
-                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+        run: npm pack
-                  echo "Version extracted: $VERSION"
-                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
 
-            - name: Print version
+      - name: Publish NPM
-              run: echo ${{ env.CLI_VERSION }}
+        working-directory: ${{ env.working-directory }}
+        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
-            - name: Setup Node
+  goreleaser:
-              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+    runs-on: ubuntu-latest
-              with:
+    needs: [cli-integration-tests]
-                  node-version: 20
+    steps:
-                  cache: "npm"
+      - uses: actions/checkout@v3
-                  cache-dependency-path: ./npm/package-lock.json
+        with:
-            - name: Install dependencies
+          fetch-depth: 0
-              working-directory: ${{ env.working-directory }}
+      - name: 🐋 Login to Docker Hub
-              run: npm install --ignore-scripts
+        uses: docker/login-action@v2
-
+        with:
-            - name: Set NPM version
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
-              working-directory: ${{ env.working-directory }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
-              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+      - name: 🔧 Set up Docker Buildx
-
+        uses: docker/setup-buildx-action@v2
-            - name: Setup NPM
+      - run: git fetch --force --tags
-              working-directory: ${{ env.working-directory }}
+      - run: echo "Ref name ${{github.ref_name}}"
-              run: |
+      - uses: actions/setup-go@v3
-                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+        with:
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+          go-version: ">=1.19.3"
-
+          cache: true
-                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          cache-dependency-path: cli/go.sum
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+      - name: Setup for libssl1.0-dev
-              env:
+        run: |
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-            - name: Pack NPM
+          sudo apt update
-              working-directory: ${{ env.working-directory }}
+          sudo apt-get install -y libssl1.0-dev
-              run: npm pack
+      - name: OSXCross for CGO Support
-
+        run: |
-            - name: Publish NPM
+          mkdir ../../osxcross
-              working-directory: ${{ env.working-directory }}
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+      - uses: goreleaser/goreleaser-action@v4
-              env:
+        with:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          distribution: goreleaser-pro
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          version: v1.26.2-pro
-
+          args: release --clean
-    goreleaser:
+        env:
-        runs-on: ubuntu-latest
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-        needs: [cli-integration-tests]
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-        steps:
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-            - uses: actions/checkout@v3
+          AUR_KEY: ${{ secrets.AUR_KEY }}
-              with:
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-                  fetch-depth: 0
+      - uses: actions/setup-python@v4
-            - name: 🐋 Login to Docker Hub
+      - run: pip install --upgrade cloudsmith-cli
-              uses: docker/login-action@v2
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
-              with:
+        with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-            - name: 🔧 Set up Docker Buildx
+      - name: Install deb-s3
-              uses: docker/setup-buildx-action@v2
+        run: gem install deb-s3
-            - run: git fetch --force --tags
+      - name: Configure GPG Key
-            - run: echo "Ref name ${{github.ref_name}}"
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
-            - uses: actions/setup-go@v3
+        env:
-              with:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
-                  go-version: ">=1.19.3"
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
-                  cache: true
+      - name: Publish to CloudSmith
-                  cache-dependency-path: cli/go.sum
+        run: sh cli/upload_to_cloudsmith.sh
-            - name: Setup for libssl1.0-dev
+        env:
-              run: |
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
-                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
-                  sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
-                  sudo apt update
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-                  sudo apt-get install -y libssl1.0-dev
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-            - name: OSXCross for CGO Support
+      - name: Invalidate Cloudfront cache
-              run: |
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
-                  mkdir ../../osxcross
+        env:
-                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
-            - uses: goreleaser/goreleaser-action@v4
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
-              with:
+          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
-                  distribution: goreleaser-pro
-                  version: v1.26.2-pro
-                  args: release --clean
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-                  AUR_KEY: ${{ secrets.AUR_KEY }}
-                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-            - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
-            - name: Publish to CloudSmith
-              run: sh cli/upload_to_cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_docker_k8_operator.yaml

@@ -1,52 +1,107 @@
-name: Release image + Helm chart K8s Operator
+name: Release K8 Operator Docker Image
 on:
-  push:
+    push:
-    tags:
+        tags:
-      - "infisical-k8-operator/v*.*.*"
+            - "infisical-k8-operator/v*.*.*"
+
+permissions:
+    contents: write
+    pull-requests: write
 
 jobs:
-  release:
+    release-image:
-    runs-on: ubuntu-latest
+        name: Generate Helm Chart PR
-    steps:
+        runs-on: ubuntu-latest
-      - name: Extract version from tag
+        outputs:
-        id: extract_version
+            pr_number: ${{ steps.create-pr.outputs.pull-request-number }}
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
+        steps:
-      - uses: actions/checkout@v2
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
 
-      - name: 🔧 Set up QEMU
+            - name: Checkout code
-        uses: docker/setup-qemu-action@v1
+              uses: actions/checkout@v2
 
-      - name: 🔧 Set up Docker Buildx
+            # Dependency for helm generation
-        uses: docker/setup-buildx-action@v1
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
 
-      - name: 🐋 Login to Docker Hub
+            # Dependency for helm generation
-        uses: docker/login-action@v1
+            - name: Install Go
-        with:
+              uses: actions/setup-go@v4
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+              with:
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+                  go-version: 1.21
 
-      - name: Build and push
+            # Install binaries for helm generation
-        id: docker_build
+            - name: Install dependencies
-        uses: docker/build-push-action@v2
+              working-directory: k8-operator
-        with:
+              run: |
-          context: k8-operator
+                  make helmify
-          push: true
+                  make kustomize
-          platforms: linux/amd64,linux/arm64
+                  make controller-gen
-          tags: |
-            infisical/kubernetes-operator:latest
-            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
 
-      - name: Checkout
+            - name: Generate Helm Chart
-        uses: actions/checkout@v2
+              working-directory: k8-operator
-      - name: Install Helm
+              run: make helm
-        uses: azure/setup-helm@v3
+
-        with:
+            - name: Update Helm Chart Version
-          version: v3.10.0
+              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
-      - name: Install python
+
-        uses: actions/setup-python@v4
+            - name: Debug - Check file changes
-      - name: Install Cloudsmith CLI
+              run: |
-        run: pip install --upgrade cloudsmith-cli
+                  echo "Current git status:"
-      - name: Build and push helm package to Cloudsmith
+                  git status
-        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+                  echo ""
-        env:
+                  echo "Modified files:"
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+                  git diff --name-only
+
+                  # If there is no diff, exit with error. Version should always be changed, so if there is no diff, something is wrong and we should exit.
+                  if [ -z "$(git diff --name-only)" ]; then
+                    echo "No helm changes or version changes. Invalid release detected, Exiting."
+                    exit 1
+                  fi
+
+            - name: Create Helm Chart PR
+              id: create-pr
+              uses: peter-evans/create-pull-request@v5
+              with:
+                  token: ${{ secrets.GITHUB_TOKEN }}
+                  commit-message: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
+                  committer: GitHub <noreply@github.com>
+                  author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+                  branch: helm-update-${{ steps.extract_version.outputs.version }}
+                  delete-branch: true
+                  title: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
+                  body: |
+                      This PR updates the Helm chart to version `${{ steps.extract_version.outputs.version }}`.
+                      Additionally the helm chart has been updated to match the latest operator code changes.
+
+                      Associated Release Workflow: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+                      Once you have approved this PR, you can trigger the helm release workflow manually.
+                  base: main
+
+            - name: 🔧 Set up QEMU
+              uses: docker/setup-qemu-action@v1
+
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v1
+
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v1
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+            - name: Build and push
+              id: docker_build
+              uses: docker/build-push-action@v2
+              with:
+                  context: k8-operator
+                  push: true
+                  platforms: linux/amd64,linux/arm64
+                  tags: |
+                      infisical/kubernetes-operator:latest
+                      infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}

.goreleaser.yaml

@@ -162,6 +162,24 @@ scoop:
   description: "The official Infisical CLI"
   license: MIT
 
+winget:
+  - name: infisical
+    publisher: infisical
+    license: MIT
+    homepage: https://infisical.com
+    short_description: "The official Infisical CLI"
+    repository:
+      owner: infisical
+      name: winget-pkgs
+      branch: "infisical-{{.Version}}"
+      pull_request:
+        enabled: true
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
+
 aurs:
   - name: infisical-bin
     homepage: "https://infisical.com"

.infisicalignore

@@ -8,3 +8,19 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
+docs/cli/commands/bootstrap.mdx:jwt:86
+docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:102
+docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
+frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
+k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
+k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52
+backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts:generic-api-key:125
+frontend/src/components/permissions/AccessTree/nodes/RoleNode.tsx:generic-api-key:67
+frontend/src/components/secret-rotations-v2/RotateSecretRotationV2Modal.tsx:generic-api-key:14
+frontend/src/components/secret-rotations-v2/SecretRotationV2StatusBadge.tsx:generic-api-key:11
+frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewSecretRotationV2GeneratedCredentials.tsx:generic-api-key:23
+frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:28
+frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:65
+frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx:generic-api-key:26
+docs/documentation/platform/kms/overview.mdx:generic-api-key:281
+docs/documentation/platform/kms/overview.mdx:generic-api-key:344

README.md

@@ -50,7 +50,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Dashboard](https://infisical.com/docs/documentation/platform/project)**: Manage secrets across projects and environments (e.g. development, production, etc.) through a user-friendly interface.
 - **[Native Integrations](https://infisical.com/docs/integrations/overview)**: Sync secrets to platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and use tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)**: Keep track of every secret and project state; roll back when needed.
-- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
+- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres-credentials), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
 - **[Dynamic Secrets](https://infisical.com/docs/documentation/platform/dynamic-secrets/overview)**: Generate ephemeral secrets on-demand for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/postgresql), [MySQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/mysql), [RabbitMQ](https://infisical.com/docs/documentation/platform/dynamic-secrets/rabbit-mq), and more.
 - **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)**: Prevent secrets from leaking to git.
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.

backend/Dockerfile

@@ -8,7 +8,8 @@ RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
-    openssh-client
+    openssh-client \
+    openssl 
 
 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \

backend/Dockerfile.dev

@@ -19,6 +19,7 @@ RUN apt-get update && apt-get install -y \
     make \
     g++ \
     openssh-client \
+    openssl \
     curl \
     pkg-config
 

backend/Dockerfile.dev.fips

@@ -0,0 +1,85 @@
+FROM node:20-slim
+
+# ? Setup a test SoftHSM module. In production a real HSM is used.
+
+ARG SOFTHSM2_VERSION=2.5.0
+
+ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
+    SOFTHSM2_SOURCES=/tmp/softhsm2
+
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config \
+    perl \
+    wget
+
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Build and install SoftHSM2
+RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
+WORKDIR ${SOFTHSM2_SOURCES}
+
+RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
+    && sh autogen.sh \
+    && ./configure --prefix=/usr/local --disable-gost \
+    && make \
+    && make install
+
+WORKDIR /root
+RUN rm -fr ${SOFTHSM2_SOURCES}
+
+# Install pkcs11-tool
+RUN apt-get install -y opensc
+
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+    
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+    && tar -xf openssl-3.1.2.tar.gz \
+    && cd openssl-3.1.2 \
+    && ./Configure enable-fips \
+    && make \
+    && make install_fips
+
+# ? App setup
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1
+
+WORKDIR /app
+
+COPY package.json package.json
+COPY package-lock.json package-lock.json
+
+RUN npm install
+
+COPY . .
+
+ENV HOST=0.0.0.0
+ENV OPENSSL_CONF=/app/nodejs.cnf
+ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
+
+CMD ["npm", "run", "dev:docker"]

backend/e2e-test/mocks/keystore.ts

@@ -9,6 +9,7 @@ export const mockKeyStore = (): TKeyStoreFactory => {
       store[key] = value;
       return "OK";
     },
+    setExpiry: async () => 0,
     setItemWithExpiry: async (key, value) => {
       store[key] = value;
       return "OK";

backend/e2e-test/mocks/queue.ts

@@ -11,6 +11,7 @@ export const mockQueue = (): TQueueServiceFactory => {
       job[name] = jobData;
     },
     queuePg: async () => {},
+    schedulePg: async () => {},
     initialize: async () => {},
     shutdown: async () => undefined,
     stopRepeatableJob: async () => true,

backend/nodejs.cnf

@@ -0,0 +1,16 @@
+nodejs_conf = nodejs_init
+
+.include /usr/local/ssl/fipsmodule.cnf
+
+[nodejs_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+fips = fips_sect
+
+[default_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes 

backend/package.json

@@ -89,9 +89,8 @@
     "@types/jsrp": "^0.2.6",
     "@types/libsodium-wrappers": "^0.7.13",
     "@types/lodash.isequal": "^4.5.8",
-    "@types/node": "^20.9.5",
+    "@types/node": "^20.17.30",
     "@types/nodemailer": "^6.4.14",
-    "@types/passport-github": "^1.1.12",
     "@types/passport-google-oauth20": "^2.0.14",
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
@@ -150,6 +149,7 @@
     "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
+    "@octokit/plugin-paginate-graphql": "^5.2.4",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
@@ -208,10 +208,10 @@
     "ora": "^7.0.1",
     "oracledb": "^6.4.0",
     "otplib": "^12.0.1",
-    "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
     "passport-ldapauth": "^3.0.1",
+    "passport-oauth2": "^1.8.0",
     "pg": "^8.11.3",
     "pg-boss": "^10.1.5",
     "pg-query-stream": "^4.5.3",
@@ -221,6 +221,7 @@
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
     "probot": "^13.3.8",
+    "re2": "^1.21.4",
     "safe-regex": "^2.1.1",
     "scim-patch": "^0.8.3",
     "scim2-parse-filter": "^0.2.10",

backend/src/@types/fastify.d.ts

@@ -5,6 +5,7 @@ import { Redis } from "ioredis";
 import { TUsers } from "@app/db/schemas";
 import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
 import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
+import { TAssumePrivilegeServiceFactory } from "@app/ee/services/assume-privilege/assume-privilege-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
@@ -14,6 +15,7 @@ import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dy
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
+import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
@@ -33,10 +35,12 @@ import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
+import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
+import { TSshHostServiceFactory } from "@app/ee/services/ssh-host/ssh-host-service";
 import { TTrustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TAuthMode } from "@app/server/plugins/auth/inject-identity";
 import { TApiKeyServiceFactory } from "@app/services/api-key/api-key-service";
@@ -107,12 +111,14 @@ declare module "@fastify/request-context" {
       };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
+    assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
   }
 }
 
 declare module "fastify" {
   interface Session {
     callbackPort: string;
+    isAdminLogin: boolean;
   }
 
   interface FastifyRequest {
@@ -134,8 +140,9 @@ declare module "fastify" {
     rateLimits: RateLimitConfiguration;
     // passport data
     passportUser: {
-      isUserCompleted: string;
+      isUserCompleted: boolean;
       providerAuthToken: string;
+      externalProviderAccessToken?: string;
     };
     kmipUser: {
       projectId: string;
@@ -205,6 +212,7 @@ declare module "fastify" {
       certificateTemplate: TCertificateTemplateServiceFactory;
       sshCertificateAuthority: TSshCertificateAuthorityServiceFactory;
       sshCertificateTemplate: TSshCertificateTemplateServiceFactory;
+      sshHost: TSshHostServiceFactory;
       certificateAuthority: TCertificateAuthorityServiceFactory;
       certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
       certificateEst: TCertificateEstServiceFactory;
@@ -237,6 +245,9 @@ declare module "fastify" {
       kmip: TKmipServiceFactory;
       kmipOperation: TKmipOperationServiceFactory;
       gateway: TGatewayServiceFactory;
+      secretRotationV2: TSecretRotationV2ServiceFactory;
+      assumePrivileges: TAssumePrivilegeServiceFactory;
+      githubOrgSync: TGithubOrgSyncServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -17,6 +17,9 @@ import {
   TApiKeys,
   TApiKeysInsert,
   TApiKeysUpdate,
+  TAppConnections,
+  TAppConnectionsInsert,
+  TAppConnectionsUpdate,
   TAuditLogs,
   TAuditLogsInsert,
   TAuditLogStreams,
@@ -65,6 +68,9 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalGroupOrgRoleMappings,
+  TExternalGroupOrgRoleMappingsInsert,
+  TExternalGroupOrgRoleMappingsUpdate,
   TExternalKms,
   TExternalKmsInsert,
   TExternalKmsUpdate,
@@ -77,6 +83,9 @@ import {
   TGitAppOrg,
   TGitAppOrgInsert,
   TGitAppOrgUpdate,
+  TGithubOrgSyncConfigs,
+  TGithubOrgSyncConfigsInsert,
+  TGithubOrgSyncConfigsUpdate,
   TGroupProjectMembershipRoles,
   TGroupProjectMembershipRolesInsert,
   TGroupProjectMembershipRolesUpdate,
@@ -226,6 +235,9 @@ import {
   TProjectSplitBackfillIds,
   TProjectSplitBackfillIdsInsert,
   TProjectSplitBackfillIdsUpdate,
+  TProjectSshConfigs,
+  TProjectSshConfigsInsert,
+  TProjectSshConfigsUpdate,
   TProjectsUpdate,
   TProjectTemplates,
   TProjectTemplatesInsert,
@@ -299,6 +311,12 @@ import {
   TSecretRotations,
   TSecretRotationsInsert,
   TSecretRotationsUpdate,
+  TSecretRotationsV2,
+  TSecretRotationsV2Insert,
+  TSecretRotationsV2Update,
+  TSecretRotationV2SecretMappings,
+  TSecretRotationV2SecretMappingsInsert,
+  TSecretRotationV2SecretMappingsUpdate,
   TSecrets,
   TSecretScanningGitRisks,
   TSecretScanningGitRisksInsert,
@@ -320,15 +338,27 @@ import {
   TSecretSnapshotsInsert,
   TSecretSnapshotsUpdate,
   TSecretsUpdate,
+  TSecretsV2,
+  TSecretsV2Insert,
+  TSecretsV2Update,
+  TSecretSyncs,
+  TSecretSyncsInsert,
+  TSecretSyncsUpdate,
   TSecretTagJunction,
   TSecretTagJunctionInsert,
   TSecretTagJunctionUpdate,
   TSecretTags,
   TSecretTagsInsert,
   TSecretTagsUpdate,
+  TSecretV2TagJunction,
+  TSecretV2TagJunctionInsert,
+  TSecretV2TagJunctionUpdate,
   TSecretVersions,
   TSecretVersionsInsert,
   TSecretVersionsUpdate,
+  TSecretVersionsV2,
+  TSecretVersionsV2Insert,
+  TSecretVersionsV2Update,
   TSecretVersionTagJunction,
   TSecretVersionTagJunctionInsert,
   TSecretVersionTagJunctionUpdate,
@@ -356,6 +386,15 @@ import {
   TSshCertificateTemplates,
   TSshCertificateTemplatesInsert,
   TSshCertificateTemplatesUpdate,
+  TSshHostLoginUserMappings,
+  TSshHostLoginUserMappingsInsert,
+  TSshHostLoginUserMappingsUpdate,
+  TSshHostLoginUsers,
+  TSshHostLoginUsersInsert,
+  TSshHostLoginUsersUpdate,
+  TSshHosts,
+  TSshHostsInsert,
+  TSshHostsUpdate,
   TSuperAdmin,
   TSuperAdminInsert,
   TSuperAdminUpdate,
@@ -387,24 +426,11 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
 import {
-  TExternalGroupOrgRoleMappings,
+  TSecretReminderRecipients,
-  TExternalGroupOrgRoleMappingsInsert,
+  TSecretReminderRecipientsInsert,
-  TExternalGroupOrgRoleMappingsUpdate
+  TSecretReminderRecipientsUpdate
-} from "@app/db/schemas/external-group-org-role-mappings";
+} from "@app/db/schemas/secret-reminder-recipients";
-import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
-import {
-  TSecretV2TagJunction,
-  TSecretV2TagJunctionInsert,
-  TSecretV2TagJunctionUpdate
-} from "@app/db/schemas/secret-v2-tag-junction";
-import {
-  TSecretVersionsV2,
-  TSecretVersionsV2Insert,
-  TSecretVersionsV2Update
-} from "@app/db/schemas/secret-versions-v2";
-import { TSecretsV2, TSecretsV2Insert, TSecretsV2Update } from "@app/db/schemas/secrets-v2";
 
 declare module "knex" {
   namespace Knex {
@@ -419,6 +445,7 @@ declare module "knex/types/tables" {
   interface Tables {
     [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
     [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
+    [TableName.SshHost]: KnexOriginal.CompositeTableType<TSshHosts, TSshHostsInsert, TSshHostsUpdate>;
     [TableName.SshCertificateAuthority]: KnexOriginal.CompositeTableType<
       TSshCertificateAuthorities,
       TSshCertificateAuthoritiesInsert,
@@ -444,6 +471,16 @@ declare module "knex/types/tables" {
       TSshCertificateBodiesInsert,
       TSshCertificateBodiesUpdate
     >;
+    [TableName.SshHostLoginUser]: KnexOriginal.CompositeTableType<
+      TSshHostLoginUsers,
+      TSshHostLoginUsersInsert,
+      TSshHostLoginUsersUpdate
+    >;
+    [TableName.SshHostLoginUserMapping]: KnexOriginal.CompositeTableType<
+      TSshHostLoginUserMappings,
+      TSshHostLoginUserMappingsInsert,
+      TSshHostLoginUserMappingsUpdate
+    >;
     [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
       TCertificateAuthorities,
       TCertificateAuthoritiesInsert,
@@ -548,6 +585,11 @@ declare module "knex/types/tables" {
     [TableName.SuperAdmin]: KnexOriginal.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
     [TableName.ApiKey]: KnexOriginal.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
     [TableName.Project]: KnexOriginal.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
+    [TableName.ProjectSshConfig]: KnexOriginal.CompositeTableType<
+      TProjectSshConfigs,
+      TProjectSshConfigsInsert,
+      TProjectSshConfigsUpdate
+    >;
     [TableName.ProjectMembership]: KnexOriginal.CompositeTableType<
       TProjectMemberships,
       TProjectMembershipsInsert,
@@ -950,5 +992,25 @@ declare module "knex/types/tables" {
       TOrgGatewayConfigInsert,
       TOrgGatewayConfigUpdate
     >;
+    [TableName.SecretRotationV2]: KnexOriginal.CompositeTableType<
+      TSecretRotationsV2,
+      TSecretRotationsV2Insert,
+      TSecretRotationsV2Update
+    >;
+    [TableName.SecretRotationV2SecretMapping]: KnexOriginal.CompositeTableType<
+      TSecretRotationV2SecretMappings,
+      TSecretRotationV2SecretMappingsInsert,
+      TSecretRotationV2SecretMappingsUpdate
+    >;
+    [TableName.SecretReminderRecipients]: KnexOriginal.CompositeTableType<
+      TSecretReminderRecipients,
+      TSecretReminderRecipientsInsert,
+      TSecretReminderRecipientsUpdate
+    >;
+    [TableName.GithubOrgSyncConfig]: KnexOriginal.CompositeTableType<
+      TGithubOrgSyncConfigs,
+      TGithubOrgSyncConfigsInsert,
+      TGithubOrgSyncConfigsUpdate
+    >;
   }
 }

backend/src/db/manual-migrations/partition-audit-logs.ts

@@ -16,7 +16,7 @@ const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Dat
   const startDateStr = formatPartitionDate(startDate);
   const endDateStr = formatPartitionDate(endDate);
 
-  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;
+  const partitionName = `${TableName.AuditLog}_${startDateStr.replaceAll("-", "")}_${endDateStr.replaceAll("-", "")}`;
 
   await knex.schema.raw(
     `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`

backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts

@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem"))) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("shouldUseNewPrivilegeSystem");
+      t.string("privilegeUpgradeInitiatedByUsername");
+      t.dateTime("privilegeUpgradeInitiatedAt");
+    });
+
+    await knex(TableName.Organization).update({
+      shouldUseNewPrivilegeSystem: false
+    });
+
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("shouldUseNewPrivilegeSystem").defaultTo(true).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem")) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.dropColumn("shouldUseNewPrivilegeSystem");
+      t.dropColumn("privilegeUpgradeInitiatedByUsername");
+      t.dropColumn("privilegeUpgradeInitiatedAt");
+    });
+  }
+}

backend/src/db/migrations/20250319134021_recursive-folder-index.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
+  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
+  if (doesParentColumExist && doesNameColumnExist) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.index(["parentId", "name"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
+  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
+  if (doesParentColumExist && doesNameColumnExist) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropIndex(["parentId", "name"]);
+    });
+  }
+}

backend/src/db/migrations/20250321100157_k8s-self-reviewer-jwt.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasReviewerJwtCol = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  if (hasReviewerJwtCol) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.binary("encryptedKubernetesTokenReviewerJwt").nullable().alter();
+    });
+  }
+}
+
+export async function down(): Promise<void> {
+  // we can't make it back to non nullable, it will fail
+}

backend/src/db/migrations/20250324142102_add-self-approvals-to-secret-approval-policies.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
+    });
+  }
+  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals"))) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("allowedSelfApprovals");
+    });
+  }
+  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals")) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("allowedSelfApprovals");
+    });
+  }
+}

backend/src/db/migrations/20250324142104_app-connection-is-platform-managed-credentials-col.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AppConnection, "isPlatformManagedCredentials"))) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.boolean("isPlatformManagedCredentials").defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AppConnection, "isPlatformManagedCredentials")) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.dropColumn("isPlatformManagedCredentials");
+    });
+  }
+}

backend/src/db/migrations/20250324142105_secret-rotation-v2.ts

@@ -0,0 +1,58 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretRotationV2))) {
+    await knex.schema.createTable(TableName.SecretRotationV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("type").notNullable();
+      t.jsonb("parameters").notNullable();
+      t.jsonb("secretsMapping").notNullable();
+      t.binary("encryptedGeneratedCredentials").notNullable();
+      t.boolean("isAutoRotationEnabled").notNullable().defaultTo(true);
+      t.integer("activeIndex").notNullable().defaultTo(0);
+      t.uuid("folderId").notNullable();
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.uuid("connectionId").notNullable();
+      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
+      t.timestamps(true, true, true);
+      t.integer("rotationInterval").notNullable();
+      t.jsonb("rotateAtUtc").notNullable(); // { hours: number; minutes: number }
+      t.string("rotationStatus").notNullable();
+      t.datetime("lastRotationAttemptedAt").notNullable();
+      t.datetime("lastRotatedAt").notNullable();
+      t.binary("encryptedLastRotationMessage"); // we encrypt this because it may contain sensitive info (SQL errors showing credentials)
+      t.string("lastRotationJobId");
+      t.datetime("nextRotationAt");
+      t.boolean("isLastRotationManual").notNullable().defaultTo(true); // creation is considered a "manual" rotation
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretRotationV2);
+
+    await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
+      t.unique(["folderId", "name"]);
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretRotationV2SecretMapping))) {
+    await knex.schema.createTable(TableName.SecretRotationV2SecretMapping, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("secretId").notNullable();
+      // scott: this is deferred to block secret deletion but not prevent folder/environment/project deletion
+      // ie, if rotation is being deleted as well we permit it, otherwise throw
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).deferrable("deferred");
+      t.uuid("rotationId").notNullable();
+      t.foreign("rotationId").references("id").inTable(TableName.SecretRotationV2).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretRotationV2SecretMapping);
+  await knex.schema.dropTableIfExists(TableName.SecretRotationV2);
+  await dropOnUpdateTrigger(knex, TableName.SecretRotationV2);
+}

backend/src/db/migrations/20250326171707_folder-last-secret-modified.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.datetime("lastSecretModified");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("lastSecretModified");
+    });
+  }
+}

backend/src/db/migrations/20250402000941_add-type-to-kms-keys.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { KmsKeyUsage } from "@app/services/kms/kms-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
+
+  if (!hasKeyUsageColumn) {
+    await knex.schema.alterTable(TableName.KmsKey, (t) => {
+      t.string("keyUsage").notNullable().defaultTo(KmsKeyUsage.ENCRYPT_DECRYPT);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKeyUsageColumn = await knex.schema.hasColumn(TableName.KmsKey, "keyUsage");
+
+  if (hasKeyUsageColumn) {
+    await knex.schema.alterTable(TableName.KmsKey, (t) => {
+      t.dropColumn("keyUsage");
+    });
+  }
+}

backend/src/db/migrations/20250404022310_ssh-ca-key-source.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource"))) {
+    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
+      t.string("keySource");
+    });
+
+    // Backfilling the keySource to internal
+    await knex(TableName.SshCertificateAuthority).update({ keySource: "internal" });
+
+    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
+      t.string("keySource").notNullable().alter();
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.SshCertificate, "sshCaId")) {
+    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
+      t.uuid("sshCaId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SshCertificateAuthority, "keySource")) {
+    await knex.schema.alterTable(TableName.SshCertificateAuthority, (t) => {
+      t.dropColumn("keySource");
+    });
+  }
+}

backend/src/db/migrations/20250405185753_ssh-mgmt-v2.ts

@@ -0,0 +1,93 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SshHost))) {
+    await knex.schema.createTable(TableName.SshHost, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("hostname").notNullable();
+      t.string("userCertTtl").notNullable();
+      t.string("hostCertTtl").notNullable();
+      t.uuid("userSshCaId").notNullable();
+      t.foreign("userSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.uuid("hostSshCaId").notNullable();
+      t.foreign("hostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.unique(["projectId", "hostname"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SshHost);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshHostLoginUser))) {
+    await knex.schema.createTable(TableName.SshHostLoginUser, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshHostId").notNullable();
+      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("CASCADE");
+      t.string("loginUser").notNullable(); // e.g. ubuntu, root, ec2-user, ...
+      t.unique(["sshHostId", "loginUser"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SshHostLoginUser);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SshHostLoginUserMapping))) {
+    await knex.schema.createTable(TableName.SshHostLoginUserMapping, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("sshHostLoginUserId").notNullable();
+      t.foreign("sshHostLoginUserId").references("id").inTable(TableName.SshHostLoginUser).onDelete("CASCADE");
+      t.uuid("userId").nullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.unique(["sshHostLoginUserId", "userId"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ProjectSshConfig))) {
+    // new table to store configuration for projects of type SSH (i.e. Infisical SSH)
+    await knex.schema.createTable(TableName.ProjectSshConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("defaultUserSshCaId");
+      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+      t.uuid("defaultHostSshCaId");
+      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("CASCADE");
+    });
+    await createOnUpdateTrigger(knex, TableName.ProjectSshConfig);
+  }
+
+  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
+  if (!hasColumn) {
+    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
+      t.uuid("sshHostId").nullable();
+      t.foreign("sshHostId").references("id").inTable(TableName.SshHost).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.ProjectSshConfig);
+  await dropOnUpdateTrigger(knex, TableName.ProjectSshConfig);
+
+  await knex.schema.dropTableIfExists(TableName.SshHostLoginUserMapping);
+  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUserMapping);
+
+  await knex.schema.dropTableIfExists(TableName.SshHostLoginUser);
+  await dropOnUpdateTrigger(knex, TableName.SshHostLoginUser);
+
+  const hasColumn = await knex.schema.hasColumn(TableName.SshCertificate, "sshHostId");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.SshCertificate, (t) => {
+      t.dropColumn("sshHostId");
+    });
+  }
+
+  await knex.schema.dropTableIfExists(TableName.SshHost);
+  await dropOnUpdateTrigger(knex, TableName.SshHost);
+}

backend/src/db/migrations/20250409161555_add-dynamic-secret-to-resource-metadata.ts

@@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId"))) {
+    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
+      tb.uuid("dynamicSecretId");
+      tb.foreign("dynamicSecretId").references("id").inTable(TableName.DynamicSecret).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.ResourceMetadata, "dynamicSecretId")) {
+    await knex.schema.alterTable(TableName.ResourceMetadata, (tb) => {
+      tb.dropColumn("dynamicSecretId");
+    });
+  }
+}

backend/src/db/migrations/20250410203010_add-comment-to-access-request.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.string("note").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "note");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.dropColumn("note");
+    });
+  }
+}

backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
+      t.boolean("expiryNotificationSent").defaultTo(false);
+    });
+
+    // Update only tokens where expiresAt is before current time
+    await knex(TableName.ServiceToken)
+      .whereRaw(`${TableName.ServiceToken}."expiresAt" < NOW()`)
+      .whereNotNull("expiresAt")
+      .update({ expiryNotificationSent: true });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
+      t.dropColumn("expiryNotificationSent");
+    });
+  }
+}

backend/src/db/migrations/20250414234624_add-project-delete-protection.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.boolean("hasDeleteProtection").defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("hasDeleteProtection");
+    });
+  }
+}

backend/src/db/migrations/20250415010421_increase-certificate-altnames-character-limit.ts

@@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Certificate, (t) => {
+    t.string("altNames", 4096).alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.Certificate, (t) => {
+    t.string("altNames").alter(); // Defaults to varchar(255)
+  });
+}

backend/src/db/migrations/20250415020304_increase-kmip-certificate-altnames-character-limit.ts

@@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
+    t.string("altNames", 4096).alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.KmipOrgServerCertificates, (t) => {
+    t.string("altNames").alter(); // Defaults to varchar(255)
+  });
+}

backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm"))) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.string("jwtSignatureAlgorithm").defaultTo(OIDCJWTSignatureAlgorithm.RS256).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropColumn("jwtSignatureAlgorithm");
+    });
+  }
+}

backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled"))) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("bypassOrgAuthEnabled").defaultTo(false).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled")) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.dropColumn("bypassOrgAuthEnabled");
+    });
+  }
+}

backend/src/db/migrations/20250419004044_secret-reminder-recipients.ts

@@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSecretReminderRecipientsTable = await knex.schema.hasTable(TableName.SecretReminderRecipients);
+
+  if (!hasSecretReminderRecipientsTable) {
+    await knex.schema.createTable(TableName.SecretReminderRecipients, (table) => {
+      table.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      table.timestamps(true, true, true);
+      table.uuid("secretId").notNullable();
+      table.uuid("userId").notNullable();
+      table.string("projectId").notNullable();
+
+      // Based on userId rather than project membership ID so we can easily extend group support in the future if need be.
+      // This does however mean we need to manually clean up once a user is removed from a project.
+      table.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      table.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      table.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+
+      table.index("secretId");
+      table.unique(["secretId", "userId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSecretReminderRecipientsTable = await knex.schema.hasTable(TableName.SecretReminderRecipients);
+
+  if (hasSecretReminderRecipientsTable) {
+    await knex.schema.dropTableIfExists(TableName.SecretReminderRecipients);
+  }
+}

backend/src/db/migrations/20250421165221_fix-identites-and-user-deletion-secret-version-reference.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
+    table.dropForeign(["userActorId"]);
+    table.dropForeign(["identityActorId"]);
+  });
+
+  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
+    table.foreign("userActorId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+
+    table.foreign("identityActorId").references("id").inTable(TableName.Identity).onDelete("SET NULL");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
+    table.dropForeign(["userActorId"]);
+    table.dropForeign(["identityActorId"]);
+  });
+
+  await knex.schema.alterTable(TableName.SecretVersionV2, (table) => {
+    table.foreign("userActorId").references("id").inTable(TableName.Users);
+
+    table.foreign("identityActorId").references("id").inTable(TableName.Identity);
+  });
+}

backend/src/db/migrations/20250425163216_ssh-nullable-ca-defaults.ts

@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { ProjectType, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDefaultUserCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultUserSshCaId");
+  const hasDefaultHostCaCol = await knex.schema.hasColumn(TableName.ProjectSshConfig, "defaultHostSshCaId");
+
+  if (hasDefaultUserCaCol && hasDefaultHostCaCol) {
+    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
+      t.dropForeign(["defaultUserSshCaId"]);
+      t.dropForeign(["defaultHostSshCaId"]);
+    });
+    await knex.schema.alterTable(TableName.ProjectSshConfig, (t) => {
+      // allow nullable (does not wipe existing values)
+      t.uuid("defaultUserSshCaId").nullable().alter();
+      t.uuid("defaultHostSshCaId").nullable().alter();
+      // re-add with SET NULL behavior (previously CASCADE)
+      t.foreign("defaultUserSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
+      t.foreign("defaultHostSshCaId").references("id").inTable(TableName.SshCertificateAuthority).onDelete("SET NULL");
+    });
+  }
+
+  // (dangtony98): backfill by adding null defaults CAs for all existing Infisical SSH projects
+  // that do not have an associated ProjectSshConfig record introduced in Infisical SSH V2.
+
+  const allProjects = await knex(TableName.Project).where("type", ProjectType.SSH).select("id");
+
+  const projectsWithConfig = await knex(TableName.ProjectSshConfig).select("projectId");
+  const projectIdsWithConfig = new Set(projectsWithConfig.map((config) => config.projectId));
+
+  const projectsNeedingConfig = allProjects.filter((project) => !projectIdsWithConfig.has(project.id));
+
+  if (projectsNeedingConfig.length > 0) {
+    const configsToInsert = projectsNeedingConfig.map((project) => ({
+      projectId: project.id,
+      defaultUserSshCaId: null,
+      defaultHostSshCaId: null,
+      createdAt: new Date(),
+      updatedAt: new Date()
+    }));
+
+    await knex.batchInsert(TableName.ProjectSshConfig, configsToInsert);
+  }
+}
+
+export async function down(): Promise<void> {}

backend/src/db/migrations/20250426044605_ssh-host-alias.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAliasColumn = await knex.schema.hasColumn(TableName.SshHost, "alias");
+  if (!hasAliasColumn) {
+    await knex.schema.alterTable(TableName.SshHost, (t) => {
+      t.string("alias").nullable();
+      t.unique(["projectId", "alias"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAliasColumn = await knex.schema.hasColumn(TableName.SshHost, "alias");
+  if (hasAliasColumn) {
+    await knex.schema.alterTable(TableName.SshHost, (t) => {
+      t.dropUnique(["projectId", "alias"]);
+      t.dropColumn("alias");
+    });
+  }
+}

backend/src/db/migrations/20250426075943_github-org-sync-config.ts

@@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasTable = await knex.schema.hasTable(TableName.GithubOrgSyncConfig);
+  if (!hasTable) {
+    await knex.schema.createTable(TableName.GithubOrgSyncConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("githubOrgName").notNullable();
+      t.boolean("isActive").defaultTo(false);
+      t.binary("encryptedGithubOrgAccessToken");
+      t.uuid("orgId").notNullable().unique();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.GithubOrgSyncConfig);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.GithubOrgSyncConfig);
+  await dropOnUpdateTrigger(knex, TableName.GithubOrgSyncConfig);
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -16,7 +16,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  deletedAt: z.date().nullable().optional(),
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/access-approval-requests.ts

@@ -17,7 +17,8 @@ export const AccessApprovalRequestsSchema = z.object({
   permissions: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  requestedByUserId: z.string().uuid()
+  requestedByUserId: z.string().uuid(),
+  note: z.string().nullable().optional()
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/app-connections.ts

@@ -19,7 +19,8 @@ export const AppConnectionsSchema = z.object({
   version: z.number().default(1),
   orgId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/db/schemas/certificates.ts

@@ -20,7 +20,7 @@ export const CertificatesSchema = z.object({
   notAfter: z.date(),
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
-  altNames: z.string().default("").nullable().optional(),
+  altNames: z.string().nullable().optional(),
   caCertId: z.string().uuid(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),

backend/src/db/schemas/github-org-sync-configs.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GithubOrgSyncConfigsSchema = z.object({
+  id: z.string().uuid(),
+  githubOrgName: z.string(),
+  isActive: z.boolean().default(false).nullable().optional(),
+  encryptedGithubOrgAccessToken: zodBuffer.nullable().optional(),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGithubOrgSyncConfigs = z.infer<typeof GithubOrgSyncConfigsSchema>;
+export type TGithubOrgSyncConfigsInsert = Omit<z.input<typeof GithubOrgSyncConfigsSchema>, TImmutableDBKeys>;
+export type TGithubOrgSyncConfigsUpdate = Partial<Omit<z.input<typeof GithubOrgSyncConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -28,7 +28,7 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNamespaces: z.string(),
   allowedNames: z.string(),
   allowedAudience: z.string(),
-  encryptedKubernetesTokenReviewerJwt: zodBuffer,
+  encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
   encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
 });
 

backend/src/db/schemas/index.ts

@@ -3,6 +3,7 @@ export * from "./access-approval-policies-approvers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
+export * from "./app-connections";
 export * from "./audit-log-streams";
 export * from "./audit-logs";
 export * from "./auth-token-sessions";
@@ -19,10 +20,12 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
 export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
+export * from "./github-org-sync-configs";
 export * from "./group-project-membership-roles";
 export * from "./group-project-memberships";
 export * from "./groups";
@@ -73,6 +76,7 @@ export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
 export * from "./project-split-backfill-ids";
+export * from "./project-ssh-configs";
 export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
@@ -97,13 +101,16 @@ export * from "./secret-references";
 export * from "./secret-references-v2";
 export * from "./secret-rotation-output-v2";
 export * from "./secret-rotation-outputs";
+export * from "./secret-rotation-v2-secret-mappings";
 export * from "./secret-rotations";
+export * from "./secret-rotations-v2";
 export * from "./secret-scanning-git-risks";
 export * from "./secret-sharing";
 export * from "./secret-snapshot-folders";
 export * from "./secret-snapshot-secrets";
 export * from "./secret-snapshot-secrets-v2";
 export * from "./secret-snapshots";
+export * from "./secret-syncs";
 export * from "./secret-tag-junction";
 export * from "./secret-tags";
 export * from "./secret-v2-tag-junction";
@@ -120,6 +127,9 @@ export * from "./ssh-certificate-authority-secrets";
 export * from "./ssh-certificate-bodies";
 export * from "./ssh-certificate-templates";
 export * from "./ssh-certificates";
+export * from "./ssh-host-login-user-mappings";
+export * from "./ssh-host-login-users";
+export * from "./ssh-hosts";
 export * from "./super-admin";
 export * from "./totp-configs";
 export * from "./trusted-ips";

backend/src/db/schemas/kmip-org-server-certificates.ts

@@ -13,7 +13,7 @@ export const KmipOrgServerCertificatesSchema = z.object({
   id: z.string().uuid(),
   orgId: z.string().uuid(),
   commonName: z.string(),
-  altNames: z.string(),
+  altNames: z.string().nullable().optional(),
   serialNumber: z.string(),
   keyAlgorithm: z.string(),
   issuedAt: z.date(),

backend/src/db/schemas/kms-keys.ts

@@ -16,7 +16,8 @@ export const KmsKeysSchema = z.object({
   name: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string().nullable().optional()
+  projectId: z.string().nullable().optional(),
+  keyUsage: z.string().default("encrypt-decrypt")
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/models.ts

@@ -2,6 +2,9 @@ import { z } from "zod";
 
 export enum TableName {
   Users = "users",
+  SshHost = "ssh_hosts",
+  SshHostLoginUser = "ssh_host_login_users",
+  SshHostLoginUserMapping = "ssh_host_login_user_mappings",
   SshCertificateAuthority = "ssh_certificate_authorities",
   SshCertificateAuthoritySecret = "ssh_certificate_authority_secrets",
   SshCertificateTemplate = "ssh_certificate_templates",
@@ -38,6 +41,7 @@ export enum TableName {
   SuperAdmin = "super_admin",
   RateLimit = "rate_limit",
   ApiKey = "api_keys",
+  ProjectSshConfig = "project_ssh_configs",
   Project = "projects",
   ProjectBot = "project_bots",
   Environment = "project_environments",
@@ -140,7 +144,11 @@ export enum TableName {
   KmipClient = "kmip_clients",
   KmipOrgConfig = "kmip_org_configs",
   KmipOrgServerCertificates = "kmip_org_server_certificates",
-  KmipClientCertificates = "kmip_client_certificates"
+  KmipClientCertificates = "kmip_client_certificates",
+  SecretRotationV2 = "secret_rotations_v2",
+  SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
+  SecretReminderRecipients = "secret_reminder_recipients",
+  GithubOrgSyncConfig = "github_org_sync_configs"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@@ -233,3 +241,8 @@ export enum ActionProjectType {
   // project operations that happen on all types
   Any = "any"
 }
+
+export enum SortDirection {
+  ASC = "asc",
+  DESC = "desc"
+}

backend/src/db/schemas/oidc-configs.ts

@@ -32,7 +32,8 @@ export const OidcConfigsSchema = z.object({
   lastUsed: z.date().nullable().optional(),
   manageGroupMemberships: z.boolean().default(false),
   encryptedOidcClientId: zodBuffer,
-  encryptedOidcClientSecret: zodBuffer
+  encryptedOidcClientSecret: zodBuffer,
+  jwtSignatureAlgorithm: z.string().default("RS256")
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/db/schemas/organizations.ts

@@ -23,7 +23,12 @@ export const OrganizationsSchema = z.object({
   defaultMembershipRole: z.string().default("member"),
   enforceMfa: z.boolean().default(false),
   selectedMfaMethod: z.string().nullable().optional(),
-  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
+  secretShareSendToAnyone: z.boolean().default(true).nullable().optional(),
+  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional(),
+  shouldUseNewPrivilegeSystem: z.boolean().default(true),
+  privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
+  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
+  bypassOrgAuthEnabled: z.boolean().default(false)
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/project-ssh-configs.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectSshConfigsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  projectId: z.string(),
+  defaultUserSshCaId: z.string().uuid().nullable().optional(),
+  defaultHostSshCaId: z.string().uuid().nullable().optional()
+});
+
+export type TProjectSshConfigs = z.infer<typeof ProjectSshConfigsSchema>;
+export type TProjectSshConfigsInsert = Omit<z.input<typeof ProjectSshConfigsSchema>, TImmutableDBKeys>;
+export type TProjectSshConfigsUpdate = Partial<Omit<z.input<typeof ProjectSshConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/projects.ts

@@ -26,7 +26,8 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
   type: z.string(),
-  enforceCapitalization: z.boolean().default(false)
+  enforceCapitalization: z.boolean().default(false),
+  hasDeleteProtection: z.boolean().default(true).nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/resource-metadata.ts

@@ -16,7 +16,8 @@ export const ResourceMetadataSchema = z.object({
   identityId: z.string().uuid().nullable().optional(),
   secretId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  dynamicSecretId: z.string().uuid().nullable().optional()
 });
 
 export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -16,7 +16,8 @@ export const SecretApprovalPoliciesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  deletedAt: z.date().nullable().optional(),
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/secret-folders.ts

@@ -16,7 +16,8 @@ export const SecretFoldersSchema = z.object({
   envId: z.string().uuid(),
   parentId: z.string().uuid().nullable().optional(),
   isReserved: z.boolean().default(false).nullable().optional(),
-  description: z.string().nullable().optional()
+  description: z.string().nullable().optional(),
+  lastSecretModified: z.date().nullable().optional()
 });
 
 export type TSecretFolders = z.infer<typeof SecretFoldersSchema>;

backend/src/db/schemas/secret-reminder-recipients.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretReminderRecipientsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  secretId: z.string().uuid(),
+  userId: z.string().uuid(),
+  projectId: z.string()
+});
+
+export type TSecretReminderRecipients = z.infer<typeof SecretReminderRecipientsSchema>;
+export type TSecretReminderRecipientsInsert = Omit<z.input<typeof SecretReminderRecipientsSchema>, TImmutableDBKeys>;
+export type TSecretReminderRecipientsUpdate = Partial<
+  Omit<z.input<typeof SecretReminderRecipientsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-rotation-v2-secret-mappings.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretRotationV2SecretMappingsSchema = z.object({
+  id: z.string().uuid(),
+  secretId: z.string().uuid(),
+  rotationId: z.string().uuid()
+});
+
+export type TSecretRotationV2SecretMappings = z.infer<typeof SecretRotationV2SecretMappingsSchema>;
+export type TSecretRotationV2SecretMappingsInsert = Omit<
+  z.input<typeof SecretRotationV2SecretMappingsSchema>,
+  TImmutableDBKeys
+>;
+export type TSecretRotationV2SecretMappingsUpdate = Partial<
+  Omit<z.input<typeof SecretRotationV2SecretMappingsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-rotations-v2.ts

@@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretRotationsV2Schema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  type: z.string(),
+  parameters: z.unknown(),
+  secretsMapping: z.unknown(),
+  encryptedGeneratedCredentials: zodBuffer,
+  isAutoRotationEnabled: z.boolean().default(true),
+  activeIndex: z.number().default(0),
+  folderId: z.string().uuid(),
+  connectionId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  rotationInterval: z.number(),
+  rotateAtUtc: z.unknown(),
+  rotationStatus: z.string(),
+  lastRotationAttemptedAt: z.date(),
+  lastRotatedAt: z.date(),
+  encryptedLastRotationMessage: zodBuffer.nullable().optional(),
+  lastRotationJobId: z.string().nullable().optional(),
+  nextRotationAt: z.date().nullable().optional(),
+  isLastRotationManual: z.boolean().default(true)
+});
+
+export type TSecretRotationsV2 = z.infer<typeof SecretRotationsV2Schema>;
+export type TSecretRotationsV2Insert = Omit<z.input<typeof SecretRotationsV2Schema>, TImmutableDBKeys>;
+export type TSecretRotationsV2Update = Partial<Omit<z.input<typeof SecretRotationsV2Schema>, TImmutableDBKeys>>;

backend/src/db/schemas/service-tokens.ts

@@ -21,7 +21,8 @@ export const ServiceTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   createdBy: z.string(),
-  projectId: z.string()
+  projectId: z.string(),
+  expiryNotificationSent: z.boolean().default(false).nullable().optional()
 });
 
 export type TServiceTokens = z.infer<typeof ServiceTokensSchema>;

backend/src/db/schemas/ssh-certificate-authorities.ts

@@ -14,7 +14,8 @@ export const SshCertificateAuthoritiesSchema = z.object({
   projectId: z.string(),
   status: z.string(),
   friendlyName: z.string(),
-  keyAlgorithm: z.string()
+  keyAlgorithm: z.string(),
+  keySource: z.string()
 });
 
 export type TSshCertificateAuthorities = z.infer<typeof SshCertificateAuthoritiesSchema>;

backend/src/db/schemas/ssh-certificates.ts

@@ -11,14 +11,15 @@ export const SshCertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  sshCaId: z.string().uuid(),
+  sshCaId: z.string().uuid().nullable().optional(),
   sshCertificateTemplateId: z.string().uuid().nullable().optional(),
   serialNumber: z.string(),
   certType: z.string(),
   principals: z.string().array(),
   keyId: z.string(),
   notBefore: z.date(),
-  notAfter: z.date()
+  notAfter: z.date(),
+  sshHostId: z.string().uuid().nullable().optional()
 });
 
 export type TSshCertificates = z.infer<typeof SshCertificatesSchema>;

backend/src/db/schemas/ssh-host-login-user-mappings.ts

@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SshHostLoginUserMappingsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  sshHostLoginUserId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional()
+});
+
+export type TSshHostLoginUserMappings = z.infer<typeof SshHostLoginUserMappingsSchema>;
+export type TSshHostLoginUserMappingsInsert = Omit<z.input<typeof SshHostLoginUserMappingsSchema>, TImmutableDBKeys>;
+export type TSshHostLoginUserMappingsUpdate = Partial<
+  Omit<z.input<typeof SshHostLoginUserMappingsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/ssh-host-login-users.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SshHostLoginUsersSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  sshHostId: z.string().uuid(),
+  loginUser: z.string()
+});
+
+export type TSshHostLoginUsers = z.infer<typeof SshHostLoginUsersSchema>;
+export type TSshHostLoginUsersInsert = Omit<z.input<typeof SshHostLoginUsersSchema>, TImmutableDBKeys>;
+export type TSshHostLoginUsersUpdate = Partial<Omit<z.input<typeof SshHostLoginUsersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/ssh-hosts.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SshHostsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  projectId: z.string(),
+  hostname: z.string(),
+  userCertTtl: z.string(),
+  hostCertTtl: z.string(),
+  userSshCaId: z.string().uuid(),
+  hostSshCaId: z.string().uuid(),
+  alias: z.string().nullable().optional()
+});
+
+export type TSshHosts = z.infer<typeof SshHostsSchema>;
+export type TSshHostsInsert = Omit<z.input<typeof SshHostsSchema>, TImmutableDBKeys>;
+export type TSshHostsUpdate = Partial<Omit<z.input<typeof SshHostsSchema>, TImmutableDBKeys>>;

backend/src/ee/routes/est/certificate-est-router.ts

@@ -16,7 +16,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
       // for CSRs sent in PEM, we leave them as is
       // for CSRs sent in base64, we preprocess them to remove new lines and spaces
       if (!csrBody.includes("BEGIN CERTIFICATE REQUEST")) {
-        csrBody = csrBody.replace(/\n/g, "").replace(/ /g, "");
+        csrBody = csrBody.replaceAll("\n", "").replaceAll(" ", "");
       }
 
       done(null, csrBody);

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -29,7 +29,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({
@@ -147,7 +148,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).optional(),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -22,7 +22,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
       body: z.object({
         permissions: z.any().array(),
         isTemporary: z.boolean(),
-        temporaryRange: z.string().optional()
+        temporaryRange: z.string().optional(),
+        note: z.string().max(255).optional()
       }),
       querystring: z.object({
         projectSlug: z.string().trim()
@@ -43,7 +44,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         projectSlug: req.query.projectSlug,
         temporaryRange: req.body.temporaryRange,
-        isTemporary: req.body.isTemporary
+        isTemporary: req.body.isTemporary,
+        note: req.body.note
       });
       return { approval: request };
     }
@@ -110,7 +112,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              deletedAt: z.date().nullish(),
+              allowedSelfApprovals: z.boolean()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/assume-privilege-router.ts

@@ -0,0 +1,124 @@
+import { requestContext } from "@fastify/request-context";
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAssumePrivilegeRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/:projectId/assume-privileges",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string()
+      }),
+      body: z.object({
+        actorType: z.enum([ActorType.USER, ActorType.IDENTITY]),
+        actorId: z.string()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req, res) => {
+      if (req.auth.authMode === AuthMode.JWT) {
+        const payload = await server.services.assumePrivileges.assumeProjectPrivileges({
+          targetActorType: req.body.actorType,
+          targetActorId: req.body.actorId,
+          projectId: req.params.projectId,
+          actorPermissionDetails: req.permission,
+          tokenVersionId: req.auth.tokenVersionId
+        });
+
+        const appCfg = getConfig();
+        void res.setCookie("infisical-project-assume-privileges", payload.assumePrivilegesToken, {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: appCfg.HTTPS_ENABLED,
+          maxAge: 3600 // 1 hour in seconds
+        });
+
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          orgId: req.permission.orgId,
+          event: {
+            type: EventType.PROJECT_ASSUME_PRIVILEGE_SESSION_START,
+            metadata: {
+              projectId: req.params.projectId,
+              requesterEmail: req.auth.user.username,
+              requesterId: req.auth.user.id,
+              targetActorType: req.body.actorType,
+              targetActorId: req.body.actorId,
+              duration: "1hr"
+            }
+          }
+        });
+
+        return { message: "Successfully assumed role" };
+      }
+
+      throw new BadRequestError({ message: "Invalid auth mode" });
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:projectId/assume-privileges",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req, res) => {
+      const assumedPrivilegeDetails = requestContext.get("assumedPrivilegeDetails");
+      if (req.auth.authMode === AuthMode.JWT && assumedPrivilegeDetails) {
+        const appCfg = getConfig();
+        void res.setCookie("infisical-project-assume-privileges", "", {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: appCfg.HTTPS_ENABLED,
+          expires: new Date(0)
+        });
+
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          orgId: req.permission.orgId,
+          event: {
+            type: EventType.PROJECT_ASSUME_PRIVILEGE_SESSION_END,
+            metadata: {
+              projectId: req.params.projectId,
+              requesterEmail: req.auth.user.username,
+              requesterId: req.auth.user.id,
+              targetActorId: assumedPrivilegeDetails.actorId,
+              targetActorType: assumedPrivilegeDetails.actorType
+            }
+          }
+        });
+        return { message: "Successfully exited assumed role" };
+      }
+
+      throw new BadRequestError({ message: "Invalid auth mode" });
+    }
+  });
+};

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
-import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
+import { ApiDocsTags, DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -18,6 +18,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       body: z.object({
         dynamicSecretName: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.dynamicSecretName).toLowerCase(),
         projectSlug: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.CREATE.projectSlug),
@@ -65,6 +67,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.DELETE.leaseId)
       }),
@@ -107,6 +111,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.RENEW.leaseId)
       }),
@@ -160,6 +166,8 @@ export const registerDynamicSecretLeaseRouter = async (server: FastifyZodProvide
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         leaseId: z.string().min(1).describe(DYNAMIC_SECRET_LEASES.GET_BY_LEASEID.leaseId)
       }),

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/providers/models";
-import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
+import { ApiDocsTags, DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
@@ -11,6 +11,7 @@ import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -20,6 +21,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       body: z.object({
         projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.CREATE.projectSlug),
         provider: DynamicSecretProviderSchema.describe(DYNAMIC_SECRETS.CREATE.provider),
@@ -48,7 +51,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
           .nullable(),
         path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
         environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
-        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name)
+        name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name),
+        metadata: ResourceMetadataSchema.optional()
       }),
       response: {
         200: z.object({
@@ -109,6 +113,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.UPDATE.name)
       }),
@@ -143,7 +149,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
                 ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
             })
             .nullable(),
-          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional()
+          newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional(),
+          metadata: ResourceMetadataSchema.optional()
         })
       }),
       response: {
@@ -176,6 +183,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         name: z.string().toLowerCase().describe(DYNAMIC_SECRETS.DELETE.name)
       }),
@@ -212,6 +221,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
         name: z.string().min(1).describe(DYNAMIC_SECRETS.GET_BY_NAME.name)
       }),
@@ -238,6 +249,7 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
         name: req.params.name,
         ...req.query
       });
+
       return { dynamicSecret: dynamicSecretCfg };
     }
   });
@@ -249,6 +261,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       querystring: z.object({
         projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST.projectSlug),
         path: z.string().trim().default("/").transform(removeTrailingSlash).describe(DYNAMIC_SECRETS.LIST.path),
@@ -280,18 +294,20 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.DynamicSecrets],
       params: z.object({
-        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.name)
+        name: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.name)
       }),
       querystring: z.object({
-        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.projectSlug),
+        projectSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.projectSlug),
         path: z
           .string()
           .trim()
           .default("/")
           .transform(removeTrailingSlash)
-          .describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.path),
+          .describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.path),
-        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEAES_BY_NAME.environmentSlug)
+        environmentSlug: z.string().min(1).describe(DYNAMIC_SECRETS.LIST_LEASES_BY_NAME.environmentSlug)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/github-org-sync-router.ts

@@ -0,0 +1,129 @@
+import { z } from "zod";
+
+import { GithubOrgSyncConfigsSchema } from "@app/db/schemas";
+import { CharacterType, zodValidateCharacters } from "@app/lib/validator/validate-string";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const SanitizedGithubOrgSyncSchema = GithubOrgSyncConfigsSchema.pick({
+  isActive: true,
+  id: true,
+  createdAt: true,
+  updatedAt: true,
+  orgId: true,
+  githubOrgName: true
+});
+
+const githubOrgNameValidator = zodValidateCharacters([CharacterType.AlphaNumeric, CharacterType.Hyphen]);
+export const registerGithubOrgSyncRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    url: "/",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z.object({
+        githubOrgName: githubOrgNameValidator(z.string().trim(), "GitHub Org Name"),
+        githubOrgAccessToken: z.string().trim().max(1000).optional(),
+        isActive: z.boolean().default(false)
+      }),
+      response: {
+        200: z.object({
+          githubOrgSyncConfig: SanitizedGithubOrgSyncSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const githubOrgSyncConfig = await server.services.githubOrgSync.createGithubOrgSync({
+        orgPermission: req.permission,
+        githubOrgName: req.body.githubOrgName,
+        githubOrgAccessToken: req.body.githubOrgAccessToken,
+        isActive: req.body.isActive
+      });
+
+      return { githubOrgSyncConfig };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "PATCH",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      body: z
+        .object({
+          githubOrgName: githubOrgNameValidator(z.string().trim(), "GitHub Org Name"),
+          githubOrgAccessToken: z.string().trim().max(1000),
+          isActive: z.boolean()
+        })
+        .partial(),
+      response: {
+        200: z.object({
+          githubOrgSyncConfig: SanitizedGithubOrgSyncSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const githubOrgSyncConfig = await server.services.githubOrgSync.updateGithubOrgSync({
+        orgPermission: req.permission,
+        githubOrgName: req.body.githubOrgName,
+        githubOrgAccessToken: req.body.githubOrgAccessToken,
+        isActive: req.body.isActive
+      });
+
+      return { githubOrgSyncConfig };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "DELETE",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      response: {
+        200: z.object({
+          githubOrgSyncConfig: SanitizedGithubOrgSyncSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const githubOrgSyncConfig = await server.services.githubOrgSync.deleteGithubOrgSync({
+        orgPermission: req.permission
+      });
+
+      return { githubOrgSyncConfig };
+    }
+  });
+
+  server.route({
+    url: "/",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      response: {
+        200: z.object({
+          githubOrgSyncConfig: SanitizedGithubOrgSyncSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const githubOrgSyncConfig = await server.services.githubOrgSync.getGithubOrgSync({
+        orgPermission: req.permission
+      });
+
+      return { githubOrgSyncConfig };
+    }
+  });
+};

backend/src/ee/routes/v1/group-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { GroupsSchema, OrgMembershipRole, UsersSchema } from "@app/db/schemas";
 import { EFilterReturnedUsers } from "@app/ee/services/group/group-types";
-import { GROUPS } from "@app/lib/api-docs";
+import { ApiDocsTags, GROUPS } from "@app/lib/api-docs";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -13,6 +13,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       body: z.object({
         name: z.string().trim().min(1).max(50).describe(GROUPS.CREATE.name),
         slug: slugSchema({ min: 5, max: 36 }).optional().describe(GROUPS.CREATE.slug),
@@ -40,6 +42,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
       }),
@@ -65,6 +69,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       response: {
         200: GroupsSchema.array()
       }
@@ -87,6 +93,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "PATCH",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.UPDATE.id)
       }),
@@ -120,6 +128,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     method: "DELETE",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.DELETE.id)
       }),
@@ -145,6 +155,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     url: "/:id/users",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.LIST_USERS.id)
       }),
@@ -194,6 +206,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     url: "/:id/users/:username",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.ADD_USER.id),
         username: z.string().trim().describe(GROUPS.ADD_USER.username)
@@ -227,6 +241,8 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     url: "/:id/users/:username",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
       params: z.object({
         id: z.string().trim().describe(GROUPS.DELETE_USER.id),
         username: z.string().trim().describe(GROUPS.DELETE_USER.username)

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
-import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
+import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -25,6 +25,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Create a permanent or a non expiry specific privilege for identity.",
       security: [
         {
@@ -85,6 +87,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Create a temporary or a expiring specific privilege for identity.",
       security: [
         {
@@ -157,6 +161,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Update a specific privilege of an identity.",
       security: [
         {
@@ -240,6 +246,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Delete a specific privilege of an identity.",
       security: [
         {
@@ -279,6 +287,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "Retrieve details of a specific privilege by privilege slug.",
       security: [
         {
@@ -319,6 +329,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV1],
       description: "List of a specific privilege of an identity in a project.",
       security: [
         {

backend/src/ee/routes/v1/index.ts

@@ -2,12 +2,14 @@ import { registerProjectTemplateRouter } from "@app/ee/routes/v1/project-templat
 
 import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
 import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
+import { registerAssumePrivilegeRouter } from "./assume-privilege-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerCaCrlRouter } from "./certificate-authority-crl-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
 import { registerGatewayRouter } from "./gateway-router";
+import { registerGithubOrgSyncRouter } from "./github-org-sync-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerKmipRouter } from "./kmip-router";
@@ -32,6 +34,7 @@ import { registerSnapshotRouter } from "./snapshot-router";
 import { registerSshCaRouter } from "./ssh-certificate-authority-router";
 import { registerSshCertRouter } from "./ssh-certificate-router";
 import { registerSshCertificateTemplateRouter } from "./ssh-certificate-template-router";
+import { registerSshHostRouter } from "./ssh-host-router";
 import { registerTrustedIpRouter } from "./trusted-ip-router";
 import { registerUserAdditionalPrivilegeRouter } from "./user-additional-privilege-router";
 
@@ -44,6 +47,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
       await projectRouter.register(registerProjectRoleRouter);
       await projectRouter.register(registerProjectRouter);
       await projectRouter.register(registerTrustedIpRouter);
+      await projectRouter.register(registerAssumePrivilegeRouter);
     },
     { prefix: "/workspace" }
   );
@@ -69,6 +73,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   );
 
   await server.register(registerGatewayRouter, { prefix: "/gateways" });
+  await server.register(registerGithubOrgSyncRouter, { prefix: "/github-org-sync-config" });
 
   await server.register(
     async (pkiRouter) => {
@@ -82,6 +87,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
       await sshRouter.register(registerSshCaRouter, { prefix: "/ca" });
       await sshRouter.register(registerSshCertRouter, { prefix: "/certificates" });
       await sshRouter.register(registerSshCertificateTemplateRouter, { prefix: "/certificate-templates" });
+      await sshRouter.register(registerSshHostRouter, { prefix: "/hosts" });
     },
     { prefix: "/ssh" }
   );

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -2,7 +2,7 @@ import z from "zod";
 
 import { KmsKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { SymmetricKeyAlgorithm } from "@app/lib/crypto/cipher";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -74,7 +74,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
     schema: {
       description: "KMIP endpoint for creating managed objects",
       body: z.object({
-        algorithm: z.nativeEnum(SymmetricEncryption)
+        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
       }),
       response: {
         200: KmsKeysSchema
@@ -433,7 +433,7 @@ export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         key: z.string(),
         name: z.string(),
-        algorithm: z.nativeEnum(SymmetricEncryption)
+        algorithm: z.nativeEnum(SymmetricKeyAlgorithm)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/ldap-router.ts

@@ -61,8 +61,8 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           if (ldapConfig.groupSearchBase) {
             const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
             const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
-              .replace(/{{\.Username}}/g, user.uid)
+              .replaceAll("{{.Username}}", user.uid)
-              .replace(/{{\.UserDN}}/g, user.dn);
+              .replaceAll("{{.UserDN}}", user.dn);
 
             if (!isValidLdapFilter(groupSearchFilter)) {
               throw new Error("Generated LDAP search filter is invalid.");

backend/src/ee/routes/v1/oidc-router.ts

@@ -12,7 +12,7 @@ import RedisStore from "connect-redis";
 import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas";
-import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
+import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,7 +30,8 @@ const SanitizedOidcConfigSchema = OidcConfigsSchema.pick({
   orgId: true,
   isActive: true,
   allowedEmailDomains: true,
-  manageGroupMemberships: true
+  manageGroupMemberships: true,
+  jwtSignatureAlgorithm: true
 });
 
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
@@ -136,11 +137,12 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     url: "/login/error",
     method: "GET",
     handler: async (req, res) => {
+      const failureMessage = req.session.get<any>("messages");
       await req.session.destroy();
 
       return res.status(500).send({
         error: "Authentication error",
-        details: req.query
+        details: failureMessage ?? req.query
       });
     }
   });
@@ -169,7 +171,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           isActive: true,
           orgId: true,
           allowedEmailDomains: true,
-          manageGroupMemberships: true
+          manageGroupMemberships: true,
+          jwtSignatureAlgorithm: true
         }).extend({
           clientId: z.string(),
           clientSecret: z.string()
@@ -224,7 +227,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional()
+          manageGroupMemberships: z.boolean().optional(),
+          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
         })
         .partial()
         .merge(z.object({ orgSlug: z.string() })),
@@ -291,7 +295,11 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
           orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false)
+          manageGroupMemberships: z.boolean().optional().default(false),
+          jwtSignatureAlgorithm: z
+            .nativeEnum(OIDCJWTSignatureAlgorithm)
+            .optional()
+            .default(OIDCJWTSignatureAlgorithm.RS256)
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {

backend/src/ee/routes/v1/project-role-router.ts

@@ -1,7 +1,7 @@
 import { packRules } from "@casl/ability/extra";
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import {
   backfillPermissionV1SchemaToV2Schema,
   ProjectPermissionV1Schema
@@ -245,13 +245,22 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           data: z.object({
-            membership: ProjectMembershipsSchema.extend({
+            membership: z.object({
+              id: z.string(),
               roles: z
                 .object({
                   role: z.string()
                 })
                 .array()
             }),
+            assumedPrivilegeDetails: z
+              .object({
+                actorId: z.string(),
+                actorType: z.string(),
+                actorName: z.string(),
+                actorEmail: z.string().optional()
+              })
+              .optional(),
             permissions: z.any().array()
           })
         })
@@ -259,14 +268,20 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { permissions, membership } = await server.services.projectRole.getUserPermission(
+      const { permissions, membership, assumedPrivilegeDetails } = await server.services.projectRole.getUserPermission(
         req.permission.id,
         req.params.projectId,
         req.permission.authMethod,
         req.permission.orgId
       );
 
-      return { data: { permissions, membership } };
+      return {
+        data: {
+          permissions,
+          membership,
+          assumedPrivilegeDetails
+        }
+      };
     }
   });
 };

backend/src/ee/routes/v1/project-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { AuditLogsSchema, SecretSnapshotsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
-import { AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, AUDIT_LOGS, PROJECTS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -17,6 +17,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
       description: "Return project secret snapshots ids",
       security: [
         {

backend/src/ee/routes/v1/project-template-router.ts

@@ -5,7 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
-import { ProjectTemplates } from "@app/lib/api-docs";
+import { ApiDocsTags, ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -101,6 +101,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
       response: {
         200: z.object({
@@ -137,6 +139,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
       description: "Get a project template by ID.",
       params: z.object({
         templateId: z.string().uuid()
@@ -176,6 +180,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
       description: "Create a project template.",
       body: z.object({
         name: slugSchema({ field: "name" })
@@ -219,6 +225,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
       description: "Update a project template.",
       params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.UPDATE.templateId) }),
       body: z.object({
@@ -269,6 +277,8 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectTemplates],
       description: "Delete a project template.",
       params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
 

backend/src/ee/routes/v1/saml-router.ts

@@ -223,12 +223,18 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         samlConfigId: z.string().trim()
       })
     },
-    preValidation: passport.authenticate("saml", {
+    preValidation: passport.authenticate(
-      session: false,
+      "saml",
-      failureFlash: true,
+      {
-      failureRedirect: "/login/provider/error"
+        session: false
-      // this is due to zod type difference
+      },
-    }) as any,
+      async (req, res, err, user) => {
+        if (err) {
+          throw new BadRequestError({ message: `Saml authentication failed. ${err?.message}`, error: err });
+        }
+        req.passportUser = user as { isUserCompleted: boolean; providerAuthToken: string };
+      }
+    ) as any, // this is due to zod type difference
     handler: (req, res) => {
       if (req.passportUser.isUserCompleted) {
         return res.redirect(

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -35,7 +35,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({
@@ -85,7 +86,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .nullable()
           .transform((val) => (val ? removeTrailingSlash(val) : val))
           .transform((val) => (val === "" ? "/" : val)),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
+        enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -49,7 +49,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              deletedAt: z.date().nullish(),
+              allowedSelfApprovals: z.boolean()
             }),
             committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -267,7 +268,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 approvers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
                 enforcementLevel: z.string(),
-                deletedAt: z.date().nullish()
+                deletedAt: z.date().nullish(),
+                allowedSelfApprovals: z.boolean()
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
@@ -275,8 +277,10 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema
-                .omit({ _id: true, environment: true, workspace: true, type: true, version: true })
+                .omit({ _id: true, environment: true, workspace: true, type: true, version: true, secretValue: true })
                 .extend({
+                  secretValue: z.string().optional(),
+                  isRotatedSecret: z.boolean().optional(),
                   op: z.string(),
                   tags: SanitizedTagSchema.array().optional(),
                   secretMetadata: ResourceMetadataSchema.nullish(),

backend/src/ee/routes/v1/secret-rotation-provider-router.ts

@@ -23,7 +23,8 @@ export const registerSecretRotationProviderRouter = async (server: FastifyZodPro
               title: z.string(),
               image: z.string().optional(),
               description: z.string().optional(),
-              template: z.any()
+              template: z.any(),
+              isDeprecated: z.boolean().optional()
             })
             .array()
         })

backend/src/ee/routes/v1/snapshot-router.ts

@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { SecretSnapshotsSchema } from "@app/db/schemas";
-import { PROJECTS } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedTagSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
@@ -33,7 +33,8 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
               .extend({
                 secretValueHidden: z.boolean(),
                 secretId: z.string(),
-                tags: SanitizedTagSchema.array()
+                tags: SanitizedTagSchema.array(),
+                isRotatedSecret: z.boolean().optional()
               })
               .array(),
             folderVersion: z.object({ id: z.string(), name: z.string() }).array(),
@@ -64,6 +65,8 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.Projects],
       description: "Roll back project secrets to those captured in a secret snapshot version.",
       security: [
         {

backend/src/ee/routes/v1/ssh-certificate-authority-router.ts

@@ -1,14 +1,15 @@
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { normalizeSshPrivateKey } from "@app/ee/services/ssh/ssh-certificate-authority-fns";
 import { sanitizedSshCa } from "@app/ee/services/ssh/ssh-certificate-authority-schema";
-import { SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
+import { SshCaKeySource, SshCaStatus } from "@app/ee/services/ssh/ssh-certificate-authority-types";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
 import { sanitizedSshCertificateTemplate } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-schema";
-import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 
 export const registerSshCaRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -19,15 +20,37 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Create SSH CA",
-      body: z.object({
+      body: z
-        projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
+        .object({
-        friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
+          projectId: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.projectId),
-        keyAlgorithm: z
+          friendlyName: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.friendlyName),
-          .nativeEnum(CertKeyAlgorithm)
+          keyAlgorithm: z
-          .default(CertKeyAlgorithm.RSA_2048)
+            .nativeEnum(SshCertKeyAlgorithm)
-          .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm)
+            .default(SshCertKeyAlgorithm.ED25519)
-      }),
+            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keyAlgorithm),
+          publicKey: z.string().trim().optional().describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.publicKey),
+          privateKey: z
+            .string()
+            .trim()
+            .optional()
+            .transform((val) => (val ? normalizeSshPrivateKey(val) : undefined))
+            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.privateKey),
+          keySource: z
+            .nativeEnum(SshCaKeySource)
+            .default(SshCaKeySource.INTERNAL)
+            .describe(SSH_CERTIFICATE_AUTHORITIES.CREATE.keySource)
+        })
+        .refine((data) => data.keySource === SshCaKeySource.INTERNAL || (!!data.publicKey && !!data.privateKey), {
+          message: "publicKey and privateKey are required when keySource is external",
+          path: ["publicKey"]
+        })
+        .refine((data) => data.keySource === SshCaKeySource.EXTERNAL || !!data.keyAlgorithm, {
+          message: "keyAlgorithm is required when keySource is internal",
+          path: ["keyAlgorithm"]
+        }),
       response: {
         200: z.object({
           ca: sanitizedSshCa.extend({
@@ -71,6 +94,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Get SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET.sshCaId)
@@ -117,6 +142,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Get public key of SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_PUBLIC_KEY.sshCaId)
@@ -142,6 +169,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Update SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.UPDATE.sshCaId)
@@ -195,6 +224,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Delete SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.DELETE.sshCaId)
@@ -240,6 +271,8 @@ export const registerSshCaRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateAuthorities],
       description: "Get list of certificate templates for the SSH CA",
       params: z.object({
         sshCaId: z.string().trim().describe(SSH_CERTIFICATE_AUTHORITIES.GET_CERTIFICATE_TEMPLATES.sshCaId)

backend/src/ee/routes/v1/ssh-certificate-router.ts

@@ -2,12 +2,14 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SshCertType } from "@app/ee/services/ssh/ssh-certificate-authority-types";
-import { SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { ApiDocsTags, SSH_CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerSshCertRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -18,6 +20,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificates],
       description: "Sign SSH public key",
       body: z.object({
         certificateTemplateId: z
@@ -73,6 +77,16 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SignSshKey,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          certificateTemplateId: req.body.certificateTemplateId,
+          principals: req.body.principals,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         serialNumber,
         signedKey: signedPublicKey
@@ -88,6 +102,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificates],
       description: "Issue SSH credentials (certificate + key)",
       body: z.object({
         certificateTemplateId: z
@@ -96,8 +112,8 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
           .min(1)
           .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.certificateTemplateId),
         keyAlgorithm: z
-          .nativeEnum(CertKeyAlgorithm)
+          .nativeEnum(SshCertKeyAlgorithm)
-          .default(CertKeyAlgorithm.RSA_2048)
+          .default(SshCertKeyAlgorithm.ED25519)
           .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm),
         certType: z
           .nativeEnum(SshCertType)
@@ -121,7 +137,7 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
           privateKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.privateKey),
           publicKey: z.string().describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.publicKey),
           keyAlgorithm: z
-            .nativeEnum(CertKeyAlgorithm)
+            .nativeEnum(SshCertKeyAlgorithm)
             .describe(SSH_CERTIFICATE_AUTHORITIES.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
         })
       }
@@ -152,6 +168,16 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueSshCreds,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          certificateTemplateId: req.body.certificateTemplateId,
+          principals: req.body.principals,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         serialNumber,
         signedKey: signedPublicKey,

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -8,7 +8,7 @@ import {
   isValidHostPattern,
   isValidUserPattern
 } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-validators";
-import { SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
+import { ApiDocsTags, SSH_CERTIFICATE_TEMPLATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -22,6 +22,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
       params: z.object({
         certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.GET.certificateTemplateId)
       }),
@@ -61,6 +63,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
       body: z
         .object({
           sshCaId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.sshCaId),
@@ -92,8 +96,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowHostCertificates: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowHostCertificates),
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
-        .refine((data) => ms(data.maxTTL) > ms(data.ttl), {
+        .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TLL must be greater than TTL",
+          message: "Max TLL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {
@@ -141,6 +145,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
       body: z.object({
         status: z.nativeEnum(SshCertTemplateStatus).optional(),
         name: z
@@ -224,6 +230,8 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SshCertificateTemplates],
       params: z.object({
         certificateTemplateId: z.string().describe(SSH_CERTIFICATE_TEMPLATES.DELETE.certificateTemplateId)
       }),

backend/src/ee/routes/v1/ssh-host-router.ts

@@ -0,0 +1,451 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { loginMappingSchema, sanitizedSshHost } from "@app/ee/services/ssh-host/ssh-host-schema";
+import { isValidHostname } from "@app/ee/services/ssh-host/ssh-host-validators";
+import { SSH_HOSTS } from "@app/lib/api-docs";
+import { ms } from "@app/lib/ms";
+import { publicSshCaLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
+
+export const registerSshHostRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.array(
+          sanitizedSshHost.extend({
+            loginMappings: z.array(loginMappingSchema)
+          })
+        )
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const hosts = await server.services.sshHost.listSshHosts({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return hosts;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:sshHostId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.GET.sshHostId)
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const host = await server.services.sshHost.getSshHost({
+        sshHostId: req.params.sshHostId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.GET_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Add an SSH Host",
+      body: z.object({
+        projectId: z.string().describe(SSH_HOSTS.CREATE.projectId),
+        hostname: z
+          .string()
+          .min(1)
+          .trim()
+          .refine((v) => isValidHostname(v), {
+            message: "Hostname must be a valid hostname"
+          })
+          .describe(SSH_HOSTS.CREATE.hostname),
+        alias: slugSchema({ min: 0, max: 64, field: "alias" }).describe(SSH_HOSTS.CREATE.alias).default(""),
+        userCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .default("8h")
+          .describe(SSH_HOSTS.CREATE.userCertTtl),
+        hostCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .default("1y")
+          .describe(SSH_HOSTS.CREATE.hostCertTtl),
+        loginMappings: z.array(loginMappingSchema).default([]).describe(SSH_HOSTS.CREATE.loginMappings),
+        userSshCaId: z.string().describe(SSH_HOSTS.CREATE.userSshCaId).optional(),
+        hostSshCaId: z.string().describe(SSH_HOSTS.CREATE.hostSshCaId).optional()
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const host = await server.services.sshHost.createSshHost({
+        ...req.body,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.CREATE_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname,
+            alias: host.alias ?? null,
+            userCertTtl: host.userCertTtl,
+            hostCertTtl: host.hostCertTtl,
+            loginMappings: host.loginMappings,
+            userSshCaId: host.userSshCaId,
+            hostSshCaId: host.hostSshCaId
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:sshHostId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update SSH Host",
+      params: z.object({
+        sshHostId: z.string().trim().describe(SSH_HOSTS.UPDATE.sshHostId)
+      }),
+      body: z.object({
+        hostname: z
+          .string()
+          .trim()
+          .min(1)
+          .refine((v) => isValidHostname(v), {
+            message: "Hostname must be a valid hostname"
+          })
+          .optional()
+          .describe(SSH_HOSTS.UPDATE.hostname),
+        alias: slugSchema({ min: 0, max: 64, field: "alias" }).describe(SSH_HOSTS.UPDATE.alias).optional(),
+        userCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .optional()
+          .describe(SSH_HOSTS.UPDATE.userCertTtl),
+        hostCertTtl: z
+          .string()
+          .refine((val) => ms(val) > 0, "TTL must be a positive number")
+          .optional()
+          .describe(SSH_HOSTS.UPDATE.hostCertTtl),
+        loginMappings: z.array(loginMappingSchema).optional().describe(SSH_HOSTS.UPDATE.loginMappings)
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    handler: async (req) => {
+      const host = await server.services.sshHost.updateSshHost({
+        sshHostId: req.params.sshHostId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.UPDATE_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname,
+            alias: host.alias,
+            userCertTtl: host.userCertTtl,
+            hostCertTtl: host.hostCertTtl,
+            loginMappings: host.loginMappings,
+            userSshCaId: host.userSshCaId,
+            hostSshCaId: host.hostSshCaId
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:sshHostId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.DELETE.sshHostId)
+      }),
+      response: {
+        200: sanitizedSshHost.extend({
+          loginMappings: z.array(loginMappingSchema)
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const host = await server.services.sshHost.deleteSshHost({
+        sshHostId: req.params.sshHostId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: host.projectId,
+        event: {
+          type: EventType.DELETE_SSH_HOST,
+          metadata: {
+            sshHostId: host.id,
+            hostname: host.hostname
+          }
+        }
+      });
+
+      return host;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:sshHostId/issue-user-cert",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      description: "Issue SSH certificate for user",
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.sshHostId)
+      }),
+      body: z.object({
+        loginUser: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.loginUser)
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.serialNumber),
+          signedKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.signedKey),
+          privateKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.privateKey),
+          publicKey: z.string().describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.publicKey),
+          keyAlgorithm: z.nativeEnum(SshCertKeyAlgorithm).describe(SSH_HOSTS.ISSUE_SSH_CREDENTIALS.keyAlgorithm)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { serialNumber, signedPublicKey, privateKey, publicKey, keyAlgorithm, host, principals } =
+        await server.services.sshHost.issueSshHostUserCert({
+          sshHostId: req.params.sshHostId,
+          loginUser: req.body.loginUser,
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.ISSUE_SSH_HOST_USER_CERT,
+          metadata: {
+            sshHostId: req.params.sshHostId,
+            hostname: host.hostname,
+            loginUser: req.body.loginUser,
+            principals,
+            ttl: host.userCertTtl
+          }
+        }
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueSshHostUserCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          sshHostId: req.params.sshHostId,
+          hostname: host.hostname,
+          principals,
+          ...req.auditLogInfo
+        }
+      });
+
+      return {
+        serialNumber,
+        signedKey: signedPublicKey,
+        privateKey,
+        publicKey,
+        keyAlgorithm
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/:sshHostId/issue-host-cert",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Issue SSH certificate for host",
+      params: z.object({
+        sshHostId: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.sshHostId)
+      }),
+      body: z.object({
+        publicKey: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.publicKey)
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.serialNumber),
+          signedKey: z.string().describe(SSH_HOSTS.ISSUE_HOST_CERT.signedKey)
+        })
+      }
+    },
+    handler: async (req) => {
+      const { host, principals, serialNumber, signedPublicKey } = await server.services.sshHost.issueSshHostHostCert({
+        sshHostId: req.params.sshHostId,
+        publicKey: req.body.publicKey,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.ISSUE_SSH_HOST_HOST_CERT,
+          metadata: {
+            sshHostId: req.params.sshHostId,
+            hostname: host.hostname,
+            principals,
+            serialNumber,
+            ttl: host.hostCertTtl
+          }
+        }
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueSshHostHostCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          sshHostId: req.params.sshHostId,
+          hostname: host.hostname,
+          principals,
+          ...req.auditLogInfo
+        }
+      });
+
+      return {
+        serialNumber,
+        signedKey: signedPublicKey
+      };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:sshHostId/user-ca-public-key",
+    config: {
+      rateLimit: publicSshCaLimit
+    },
+    schema: {
+      description: "Get public key of the user SSH CA linked to the host",
+      params: z.object({
+        sshHostId: z.string().trim().describe(SSH_HOSTS.GET_USER_CA_PUBLIC_KEY.sshHostId)
+      }),
+      response: {
+        200: z.string().describe(SSH_HOSTS.GET_USER_CA_PUBLIC_KEY.publicKey)
+      }
+    },
+    handler: async (req) => {
+      const publicKey = await server.services.sshHost.getSshHostUserCaPk(req.params.sshHostId);
+      return publicKey;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:sshHostId/host-ca-public-key",
+    config: {
+      rateLimit: publicSshCaLimit
+    },
+    schema: {
+      description: "Get public key of the host SSH CA linked to the host",
+      params: z.object({
+        sshHostId: z.string().trim().describe(SSH_HOSTS.GET_HOST_CA_PUBLIC_KEY.sshHostId)
+      }),
+      response: {
+        200: z.string().describe(SSH_HOSTS.GET_HOST_CA_PUBLIC_KEY.publicKey)
+      }
+    },
+    handler: async (req) => {
+      const publicKey = await server.services.sshHost.getSshHostHostCaPk(req.params.sshHostId);
+      return publicKey;
+    }
+  });
+};

backend/src/ee/routes/v2/identity-project-additional-privilege-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-types";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
+import { ApiDocsTags, IDENTITY_ADDITIONAL_PRIVILEGE_V2 } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -21,6 +21,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Add an additional privilege for identity.",
       security: [
         {
@@ -84,6 +86,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Update a specific identity privilege.",
       security: [
         {
@@ -148,6 +152,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Delete the specified identity privilege.",
       security: [
         {
@@ -183,6 +189,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Retrieve details of a specific privilege by id.",
       security: [
         {
@@ -218,6 +226,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "Retrieve details of a specific privilege by slug.",
       security: [
         {
@@ -258,6 +268,8 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.IdentitySpecificPrivilegesV2],
       description: "List privileges for the specified identity by project.",
       security: [
         {

backend/src/ee/routes/v2/index.ts

@@ -1,3 +1,8 @@
+import {
+  registerSecretRotationV2Router,
+  SECRET_ROTATION_REGISTER_ROUTER_MAP
+} from "@app/ee/routes/v2/secret-rotation-v2-routers";
+
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerProjectRoleRouter } from "./project-role-router";
 
@@ -13,4 +18,17 @@ export const registerV2EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerIdentityProjectAdditionalPrivilegeRouter, {
     prefix: "/identity-project-additional-privilege"
   });
+
+  await server.register(
+    async (secretRotationV2Router) => {
+      // register generic secret rotation endpoints
+      await secretRotationV2Router.register(registerSecretRotationV2Router);
+
+      // register service specific secret rotation endpoints (secret-rotations/postgres-credentials, etc.)
+      for await (const [type, router] of Object.entries(SECRET_ROTATION_REGISTER_ROUTER_MAP)) {
+        await secretRotationV2Router.register(router, { prefix: `/${type}` });
+      }
+    },
+    { prefix: "/secret-rotations" }
+  );
 };

backend/src/ee/routes/v2/project-role-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ProjectMembershipRole, ProjectRolesSchema } from "@app/db/schemas";
 import { checkForInvalidPermissionCombination } from "@app/ee/services/permission/permission-fns";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { PROJECT_ROLE } from "@app/lib/api-docs";
+import { ApiDocsTags, PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -20,6 +20,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
       description: "Create a project role",
       security: [
         {
@@ -75,6 +77,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
       description: "Update a project role",
       security: [
         {
@@ -130,6 +134,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
       description: "Delete a project role",
       security: [
         {
@@ -166,6 +172,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
       description: "List project role",
       security: [
         {
@@ -204,6 +212,8 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       rateLimit: readLimit
     },
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.ProjectRoles],
       params: z.object({
         projectId: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.projectId),
         roleSlug: z.string().trim().describe(PROJECT_ROLE.GET_ROLE_BY_SLUG.roleSlug)

backend/src/ee/routes/v2/secret-rotation-v2-routers/auth0-client-secret-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  Auth0ClientSecretRotationGeneratedCredentialsSchema,
+  Auth0ClientSecretRotationSchema,
+  CreateAuth0ClientSecretRotationSchema,
+  UpdateAuth0ClientSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerAuth0ClientSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.Auth0ClientSecret,
+    server,
+    responseSchema: Auth0ClientSecretRotationSchema,
+    createSchema: CreateAuth0ClientSecretRotationSchema,
+    updateSchema: UpdateAuth0ClientSecretRotationSchema,
+    generatedCredentialsSchema: Auth0ClientSecretRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/aws-iam-user-secret-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  AwsIamUserSecretRotationGeneratedCredentialsSchema,
+  AwsIamUserSecretRotationSchema,
+  CreateAwsIamUserSecretRotationSchema,
+  UpdateAwsIamUserSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerAwsIamUserSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.AwsIamUserSecret,
+    server,
+    responseSchema: AwsIamUserSecretRotationSchema,
+    createSchema: CreateAwsIamUserSecretRotationSchema,
+    updateSchema: UpdateAwsIamUserSecretRotationSchema,
+    generatedCredentialsSchema: AwsIamUserSecretRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -0,0 +1,20 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerAuth0ClientSecretRotationRouter } from "./auth0-client-secret-rotation-router";
+import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-rotation-router";
+import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
+import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
+import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
+
+export * from "./secret-rotation-v2-router";
+
+export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
+  SecretRotation,
+  (server: FastifyZodProvider) => Promise<void>
+> = {
+  [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
+  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
+  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
+  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
+  [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter
+};

backend/src/ee/routes/v2/secret-rotation-v2-routers/ldap-password-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateLdapPasswordRotationSchema,
+  LdapPasswordRotationGeneratedCredentialsSchema,
+  LdapPasswordRotationSchema,
+  UpdateLdapPasswordRotationSchema
+} from "@app/ee/services/secret-rotation-v2/ldap-password";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerLdapPasswordRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.LdapPassword,
+    server,
+    responseSchema: LdapPasswordRotationSchema,
+    createSchema: CreateLdapPasswordRotationSchema,
+    updateSchema: UpdateLdapPasswordRotationSchema,
+    generatedCredentialsSchema: LdapPasswordRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/mssql-credentials-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateMsSqlCredentialsRotationSchema,
+  MsSqlCredentialsRotationSchema,
+  UpdateMsSqlCredentialsRotationSchema
+} from "@app/ee/services/secret-rotation-v2/mssql-credentials";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerMsSqlCredentialsRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.MsSqlCredentials,
+    server,
+    responseSchema: MsSqlCredentialsRotationSchema,
+    createSchema: CreateMsSqlCredentialsRotationSchema,
+    updateSchema: UpdateMsSqlCredentialsRotationSchema,
+    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/postgres-credentials-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreatePostgresCredentialsRotationSchema,
+  PostgresCredentialsRotationSchema,
+  UpdatePostgresCredentialsRotationSchema
+} from "@app/ee/services/secret-rotation-v2/postgres-credentials";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerPostgresCredentialsRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.PostgresCredentials,
+    server,
+    responseSchema: PostgresCredentialsRotationSchema,
+    createSchema: CreatePostgresCredentialsRotationSchema,
+    updateSchema: UpdatePostgresCredentialsRotationSchema,
+    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
+  });