feat(secret-sync): improve hide secrets tooltip message

feat(secret-sync): minor change on docs
feat(secret-sync): improve update logic and add warning on docs for gitlab limitation on hidden variables
2025-07-25 14:07:47 +00:00 · 2025-06-25 14:10:28 -03:00 · 2025-06-25 13:57:07 -03:00 · 2025-06-25 13:51:38 -03:00 · 2025-06-25 13:33:43 -03:00 · 2025-06-25 13:17:41 -03:00
230 changed files with 9227 additions and 1053 deletions
--- a/.env.example
+++ b/.env.example
@@ -107,6 +107,10 @@ INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 #gitlab app connection
 INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
 INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
 #github radar app connection
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
--- a/.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml
+++ b/.github/workflows/run-helm-chart-tests-infisical-standalone-postgres.yml
@@ -51,11 +51,18 @@ jobs:
            --from-literal=ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218 \
            --from-literal=SITE_URL=http://localhost:8080
      - name: Create bootstrap secret
        run: |
          kubectl create secret generic infisical-bootstrap-credentials \
            --namespace infisical-standalone-postgres \
            --from-literal=INFISICAL_ADMIN_EMAIL=admin@example.com \
            --from-literal=INFISICAL_ADMIN_PASSWORD=admin-password
      - name: Run chart-testing (install)
        run: |
          ct install \
            --config ct.yaml \
            --charts helm-charts/infisical-standalone-postgres \
            --helm-extra-args="--timeout=300s" \
-            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres" \
+            --helm-extra-set-args="--set ingress.nginx.enabled=false --set infisical.autoDatabaseSchemaMigration=false --set infisical.replicaCount=1 --set infisical.image.tag=v0.132.2-postgres --set infisical.autoBootstrap.enabled=true" \
            --namespace infisical-standalone-postgres
--- a/.infisicalignore
+++ b/.infisicalignore
@@ -45,3 +45,4 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:48
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
 frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@@ -26,6 +26,7 @@ export const mockQueue = (): TQueueServiceFactory => {
    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
    stopJobByIdPg: async () => {},
    stopRepeatableJobByJobId: async () => true,
    stopRepeatableJobByKey: async () => true
  };
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -30,6 +30,7 @@
        "@fastify/static": "^7.0.4",
        "@fastify/swagger": "^8.14.0",
        "@fastify/swagger-ui": "^2.1.0",
        "@gitbeaker/rest": "^42.5.0",
        "@google-cloud/kms": "^4.5.0",
        "@infisical/quic": "^1.0.8",
        "@node-saml/passport-saml": "^5.0.1",
@@ -7807,6 +7808,48 @@
        "p-limit": "^3.1.0"
      }
    },
    "node_modules/@gitbeaker/core": {
      "version": "42.5.0",
      "resolved": "https://registry.npmjs.org/@gitbeaker/core/-/core-42.5.0.tgz",
      "integrity": "sha512-rMWpOPaZi1iLiifnOIoVO57p2EmQQdfIwP4txqNyMvG4WjYP5Ez0U7jRD9Nra41x6K5kTPBZkuQcAdxVWRJcEQ==",
      "license": "MIT",
      "dependencies": {
        "@gitbeaker/requester-utils": "^42.5.0",
        "qs": "^6.12.2",
        "xcase": "^2.0.1"
      },
      "engines": {
        "node": ">=18.20.0"
      }
    },
    "node_modules/@gitbeaker/requester-utils": {
      "version": "42.5.0",
      "resolved": "https://registry.npmjs.org/@gitbeaker/requester-utils/-/requester-utils-42.5.0.tgz",
      "integrity": "sha512-HLdLS9LPBMVQumvroQg/4qkphLDtwDB+ygEsrD2u4oYCMUtXV4V1xaVqU4yTXjbTJ5sItOtdB43vYRkBcgueBw==",
      "license": "MIT",
      "dependencies": {
        "picomatch-browser": "^2.2.6",
        "qs": "^6.12.2",
        "rate-limiter-flexible": "^4.0.1",
        "xcase": "^2.0.1"
      },
      "engines": {
        "node": ">=18.20.0"
      }
    },
    "node_modules/@gitbeaker/rest": {
      "version": "42.5.0",
      "resolved": "https://registry.npmjs.org/@gitbeaker/rest/-/rest-42.5.0.tgz",
      "integrity": "sha512-oC5cM6jS7aFOp0luTw5mWSRuMgdxwHRLZQ/aWkI+ETMfsprR/HyxsXfljlMY/XJ/fRxTbRJiodR5Axf66WjO3w==",
      "license": "MIT",
      "dependencies": {
        "@gitbeaker/core": "^42.5.0",
        "@gitbeaker/requester-utils": "^42.5.0"
      },
      "engines": {
        "node": ">=18.20.0"
      }
    },
    "node_modules/@google-cloud/kms": {
      "version": "4.5.0",
      "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@@ -24628,6 +24671,18 @@
        "url": "https://github.com/sponsors/jonschlinkert"
      }
    },
    "node_modules/picomatch-browser": {
      "version": "2.2.6",
      "resolved": "https://registry.npmjs.org/picomatch-browser/-/picomatch-browser-2.2.6.tgz",
      "integrity": "sha512-0ypsOQt9D4e3hziV8O4elD9uN0z/jtUEfxVRtNaAAtXIyUx9m/SzlO020i8YNL2aL/E6blOvvHQcin6HZlFy/w==",
      "license": "MIT",
      "engines": {
        "node": ">=8.6"
      },
      "funding": {
        "url": "https://github.com/sponsors/jonschlinkert"
      }
    },
    "node_modules/pify": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
@@ -25562,6 +25617,12 @@
        "node": ">= 0.6"
      }
    },
    "node_modules/rate-limiter-flexible": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-4.0.1.tgz",
      "integrity": "sha512-2/dGHpDFpeA0+755oUkW+EKyklqLS9lu0go9pDsbhqQjZcxfRyJ6LA4JI0+HAdZ2bemD/oOjUeZQB2lCZqXQfQ==",
      "license": "ISC"
    },
    "node_modules/raw-body": {
      "version": "2.5.2",
      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
@@ -31039,6 +31100,12 @@
        }
      }
    },
    "node_modules/xcase": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/xcase/-/xcase-2.0.1.tgz",
      "integrity": "sha512-UmFXIPU+9Eg3E9m/728Bii0lAIuoc+6nbrNUKaRPJOFp91ih44qqGlWtxMB6kXFrRD6po+86ksHM5XHCfk6iPw==",
      "license": "MIT"
    },
    "node_modules/xml-crypto": {
      "version": "6.0.1",
      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -149,6 +149,7 @@
    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@gitbeaker/rest": "^42.5.0",
    "@google-cloud/kms": "^4.5.0",
    "@infisical/quic": "^1.0.8",
    "@node-saml/passport-saml": "^5.0.1",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -10,8 +10,8 @@ import { TAuditLogServiceFactory, TCreateAuditLogDTO } from "@app/ee/services/au
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-types";
 import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-types";
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
-import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
+import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-types";
-import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-types";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@@ -89,7 +89,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    schema: {
      querystring: z.object({
        projectSlug: z.string().trim(),
-        authorProjectMembershipId: z.string().trim().optional(),
+        authorUserId: z.string().trim().optional(),
        envSlug: z.string().trim().optional()
      }),
      response: {
@@ -143,7 +143,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    handler: async (req) => {
      const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
        projectSlug: req.query.projectSlug,
-        authorProjectMembershipId: req.query.authorProjectMembershipId,
+        authorUserId: req.query.authorUserId,
        envSlug: req.query.envSlug,
        actor: req.permission.type,
        actorId: req.permission.id,
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@@ -30,6 +30,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
        workspaceId: z.string().trim(),
        environment: z.string().trim().optional(),
        committer: z.string().trim().optional(),
        search: z.string().trim().optional(),
        status: z.nativeEnum(RequestState).optional(),
        limit: z.coerce.number().default(20),
        offset: z.coerce.number().default(0)
@@ -66,13 +67,14 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                userId: z.string().nullable().optional()
              })
              .array()
-          }).array()
+          }).array(),
          totalCount: z.number()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const approvals = await server.services.secretApprovalRequest.getSecretApprovals({
+      const { approvals, totalCount } = await server.services.secretApprovalRequest.getSecretApprovals({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@@ -80,7 +82,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
        ...req.query,
        projectId: req.query.workspaceId
      });
-      return { approvals };
+      return { approvals, totalCount };
    }
  });
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@@ -725,16 +725,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
        )
        .where(`${TableName.Environment}.projectId`, projectId)
        .where(`${TableName.AccessApprovalPolicy}.deletedAt`, null)
        .select(selectAllTableCols(TableName.AccessApprovalRequest))
        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
-        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"));
+        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"))
        .select(db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"));
      const formattedRequests = sqlNestRelationships({
        data: accessRequests,
        key: "id",
        parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc)
+          ...AccessApprovalRequestsSchema.parse(doc),
          isPolicyDeleted: Boolean(doc.policyDeletedAt)
        }),
        childrenMapper: [
          {
@@ -751,7 +752,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
        (req) =>
          !req.privilegeId &&
          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) &&
-          req.status === ApprovalStatus.PENDING
+          req.status === ApprovalStatus.PENDING &&
          !req.isPolicyDeleted
      );
      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required.
@@ -759,7 +761,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
        (req) =>
          req.privilegeId ||
          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) ||
-          req.status !== ApprovalStatus.PENDING
+          req.status !== ApprovalStatus.PENDING ||
          req.isPolicyDeleted
      );
      return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -275,7 +275,7 @@ export const accessApprovalRequestServiceFactory = ({
  const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
    projectSlug,
-    authorProjectMembershipId,
+    authorUserId,
    envSlug,
    actor,
    actorOrgId,
@@ -300,8 +300,8 @@ export const accessApprovalRequestServiceFactory = ({
    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
-    if (authorProjectMembershipId) {
+    if (authorUserId) {
-      requests = requests.filter((request) => request.requestedByUserId === actorId);
+      requests = requests.filter((request) => request.requestedByUserId === authorUserId);
    }
    if (envSlug) {
--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@@ -31,7 +31,7 @@ export type TCreateAccessApprovalRequestDTO = {
 export type TListApprovalRequestsDTO = {
  projectSlug: string;
-  authorProjectMembershipId?: string;
+  authorUserId?: string;
  envSlug?: string;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal.ts
@@ -3,9 +3,43 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { DynamicSecretLeasesSchema, TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, TOrmify } from "@app/lib/knex";
-export type TDynamicSecretLeaseDALFactory = ReturnType<typeof dynamicSecretLeaseDALFactory>;
+export interface TDynamicSecretLeaseDALFactory extends Omit<TOrmify<TableName.DynamicSecretLease>, "findById"> {
  countLeasesForDynamicSecret: (dynamicSecretId: string, tx?: Knex) => Promise<number>;
  findById: (
    id: string,
    tx?: Knex
  ) => Promise<
    | {
        dynamicSecret: {
          id: string;
          name: string;
          version: number;
          type: string;
          defaultTTL: string;
          maxTTL: string | null | undefined;
          encryptedInput: Buffer;
          folderId: string;
          status: string | null | undefined;
          statusDetails: string | null | undefined;
          createdAt: Date;
          updatedAt: Date;
        };
        version: number;
        id: string;
        createdAt: Date;
        updatedAt: Date;
        externalEntityId: string;
        expireAt: Date;
        dynamicSecretId: string;
        status?: string | null | undefined;
        config?: unknown;
        statusDetails?: string | null | undefined;
      }
    | undefined
  >;
 }
 export const dynamicSecretLeaseDALFactory = (db: TDbClient) => {
  const orm = ormify(db, TableName.DynamicSecretLease);
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue.ts
@@ -21,7 +21,12 @@ type TDynamicSecretLeaseQueueServiceFactoryDep = {
  folderDAL: Pick<TSecretFolderDALFactory, "findById">;
 };
-export type TDynamicSecretLeaseQueueServiceFactory = ReturnType<typeof dynamicSecretLeaseQueueServiceFactory>;
+export type TDynamicSecretLeaseQueueServiceFactory = {
  pruneDynamicSecret: (dynamicSecretCfgId: string) => Promise<void>;
  setLeaseRevocation: (leaseId: string, expiryAt: Date) => Promise<void>;
  unsetLeaseRevocation: (leaseId: string) => Promise<void>;
  init: () => Promise<void>;
 };
 export const dynamicSecretLeaseQueueServiceFactory = ({
  queueService,
@@ -30,55 +35,48 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
  dynamicSecretLeaseDAL,
  kmsService,
  folderDAL
-}: TDynamicSecretLeaseQueueServiceFactoryDep) => {
+}: TDynamicSecretLeaseQueueServiceFactoryDep): TDynamicSecretLeaseQueueServiceFactory => {
  const pruneDynamicSecret = async (dynamicSecretCfgId: string) => {
-    await queueService.queue(
+    await queueService.queuePg<QueueName.DynamicSecretRevocation>(
      QueueName.DynamicSecretRevocation,
      QueueJobs.DynamicSecretPruning,
      { dynamicSecretCfgId },
      {
-        jobId: dynamicSecretCfgId,
+        singletonKey: dynamicSecretCfgId,
-        backoff: {
+        retryLimit: 3,
-          type: "exponential",
+        retryBackoff: true
          delay: 3000
        },
        removeOnFail: {
          count: 3
        },
        removeOnComplete: true
      }
    );
  };
-  const setLeaseRevocation = async (leaseId: string, expiry: number) => {
+  const setLeaseRevocation = async (leaseId: string, expiryAt: Date) => {
-    await queueService.queue(
+    await queueService.queuePg<QueueName.DynamicSecretRevocation>(
      QueueName.DynamicSecretRevocation,
      QueueJobs.DynamicSecretRevocation,
      { leaseId },
      {
-        jobId: leaseId,
+        id: leaseId,
-        backoff: {
+        singletonKey: leaseId,
-          type: "exponential",
+        startAfter: expiryAt,
-          delay: 3000
+        retryLimit: 3,
-        },
+        retryBackoff: true,
-        delay: expiry,
+        retentionDays: 2
        removeOnFail: {
          count: 3
        },
        removeOnComplete: true
      }
    );
  };
  const unsetLeaseRevocation = async (leaseId: string) => {
    await queueService.stopJobById(QueueName.DynamicSecretRevocation, leaseId);
    await queueService.stopJobByIdPg(QueueName.DynamicSecretRevocation, leaseId);
  };
-  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
+  const $dynamicSecretQueueJob = async (
    jobName: string,
    jobId: string,
    data: { leaseId: string } | { dynamicSecretCfgId: string }
  ): Promise<void> => {
    try {
-      if (job.name === QueueJobs.DynamicSecretRevocation) {
+      if (jobName === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
+        const { leaseId } = data as { leaseId: string };
-        logger.info("Dynamic secret lease revocation started: ", leaseId, job.id);
+        logger.info("Dynamic secret lease revocation started: ", leaseId, jobId);
        const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
        if (!dynamicSecretLease) throw new DisableRotationErrors({ message: "Dynamic secret lease not found" });
@@ -107,9 +105,9 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
        return;
      }
-      if (job.name === QueueJobs.DynamicSecretPruning) {
+      if (jobName === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
+        const { dynamicSecretCfgId } = data as { dynamicSecretCfgId: string };
-        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, job.id);
+        logger.info("Dynamic secret pruning started: ", dynamicSecretCfgId, jobId);
        const dynamicSecretCfg = await dynamicSecretDAL.findById(dynamicSecretCfgId);
        if (!dynamicSecretCfg) throw new DisableRotationErrors({ message: "Dynamic secret not found" });
        if ((dynamicSecretCfg.status as DynamicSecretStatus) !== DynamicSecretStatus.Deleting)
@@ -150,38 +148,68 @@ export const dynamicSecretLeaseQueueServiceFactory = ({
        await dynamicSecretDAL.deleteById(dynamicSecretCfgId);
      }
-      logger.info("Finished dynamic secret job", job.id);
+      logger.info("Finished dynamic secret job", jobId);
    } catch (error) {
      logger.error(error);
-      if (job?.name === QueueJobs.DynamicSecretPruning) {
+      if (jobName === QueueJobs.DynamicSecretPruning) {
-        const { dynamicSecretCfgId } = job.data as { dynamicSecretCfgId: string };
+        const { dynamicSecretCfgId } = data as { dynamicSecretCfgId: string };
        await dynamicSecretDAL.updateById(dynamicSecretCfgId, {
          status: DynamicSecretStatus.FailedDeletion,
          statusDetails: (error as Error)?.message?.slice(0, 255)
        });
      }
-      if (job?.name === QueueJobs.DynamicSecretRevocation) {
+      if (jobName === QueueJobs.DynamicSecretRevocation) {
-        const { leaseId } = job.data as { leaseId: string };
+        const { leaseId } = data as { leaseId: string };
        await dynamicSecretLeaseDAL.updateById(leaseId, {
          status: DynamicSecretStatus.FailedDeletion,
          statusDetails: (error as Error)?.message?.slice(0, 255)
        });
      }
      if (error instanceof DisableRotationErrors) {
-        if (job.id) {
+        if (jobId) {
-          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, job.id);
+          await queueService.stopRepeatableJobByJobId(QueueName.DynamicSecretRevocation, jobId);
          await queueService.stopJobByIdPg(QueueName.DynamicSecretRevocation, jobId);
        }
      }
      // propogate to next part
      throw error;
    }
  };
  queueService.start(QueueName.DynamicSecretRevocation, async (job) => {
    await $dynamicSecretQueueJob(job.name, job.id as string, job.data);
  });
  const init = async () => {
    await queueService.startPg<QueueName.DynamicSecretRevocation>(
      QueueJobs.DynamicSecretRevocation,
      async ([job]) => {
        await $dynamicSecretQueueJob(job.name, job.id, job.data);
      },
      {
        workerCount: 5,
        pollingIntervalSeconds: 1
      }
    );
    await queueService.startPg<QueueName.DynamicSecretRevocation>(
      QueueJobs.DynamicSecretPruning,
      async ([job]) => {
        await $dynamicSecretQueueJob(job.name, job.id, job.data);
      },
      {
        workerCount: 1,
        pollingIntervalSeconds: 1
      }
    );
  };
  return {
    pruneDynamicSecret,
    setLeaseRevocation,
-    unsetLeaseRevocation
+    unsetLeaseRevocation,
    init
  };
 };
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -26,12 +26,8 @@ import { TDynamicSecretLeaseDALFactory } from "./dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "./dynamic-secret-lease-queue";
 import {
  DynamicSecretLeaseStatus,
  TCreateDynamicSecretLeaseDTO,
  TDeleteDynamicSecretLeaseDTO,
  TDetailsDynamicSecretLeaseDTO,
  TDynamicSecretLeaseConfig,
-  TListDynamicSecretLeasesDTO,
+  TDynamicSecretLeaseServiceFactory
  TRenewDynamicSecretLeaseDTO
 } from "./dynamic-secret-lease-types";
 type TDynamicSecretLeaseServiceFactoryDep = {
@@ -48,8 +44,6 @@ type TDynamicSecretLeaseServiceFactoryDep = {
  identityDAL: TIdentityDALFactory;
 };
 export type TDynamicSecretLeaseServiceFactory = ReturnType<typeof dynamicSecretLeaseServiceFactory>;
 export const dynamicSecretLeaseServiceFactory = ({
  dynamicSecretLeaseDAL,
  dynamicSecretProviders,
@@ -62,14 +56,14 @@ export const dynamicSecretLeaseServiceFactory = ({
  kmsService,
  userDAL,
  identityDAL
-}: TDynamicSecretLeaseServiceFactoryDep) => {
+}: TDynamicSecretLeaseServiceFactoryDep): TDynamicSecretLeaseServiceFactory => {
  const extractEmailUsername = (email: string) => {
    const regex = new RE2(/^([^@]+)/);
    const match = email.match(regex);
    return match ? match[1] : email;
  };
-  const create = async ({
+  const create: TDynamicSecretLeaseServiceFactory["create"] = async ({
    environmentSlug,
    path,
    name,
@@ -80,7 +74,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod,
    ttl,
    config
-  }: TCreateDynamicSecretLeaseDTO) => {
+  }) => {
    const appCfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -184,11 +178,11 @@ export const dynamicSecretLeaseServiceFactory = ({
      config
    });
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
+    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, expireAt);
    return { lease: dynamicSecretLease, dynamicSecret: dynamicSecretCfg, data };
  };
-  const renewLease = async ({
+  const renewLease: TDynamicSecretLeaseServiceFactory["renewLease"] = async ({
    ttl,
    actorAuthMethod,
    actorOrgId,
@@ -198,7 +192,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    path,
    environmentSlug,
    leaseId
-  }: TRenewDynamicSecretLeaseDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -278,7 +272,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    );
    await dynamicSecretQueueService.unsetLeaseRevocation(dynamicSecretLease.id);
-    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, Number(expireAt) - Number(new Date()));
+    await dynamicSecretQueueService.setLeaseRevocation(dynamicSecretLease.id, expireAt);
    const updatedDynamicSecretLease = await dynamicSecretLeaseDAL.updateById(dynamicSecretLease.id, {
      expireAt,
      externalEntityId: entityId
@@ -286,7 +280,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    return updatedDynamicSecretLease;
  };
-  const revokeLease = async ({
+  const revokeLease: TDynamicSecretLeaseServiceFactory["revokeLease"] = async ({
    leaseId,
    environmentSlug,
    path,
@@ -296,7 +290,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorOrgId,
    actorAuthMethod,
    isForced
-  }: TDeleteDynamicSecretLeaseDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -376,7 +370,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    return deletedDynamicSecretLease;
  };
-  const listLeases = async ({
+  const listLeases: TDynamicSecretLeaseServiceFactory["listLeases"] = async ({
    path,
    name,
    actor,
@@ -385,7 +379,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorOrgId,
    environmentSlug,
    actorAuthMethod
-  }: TListDynamicSecretLeasesDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -424,7 +418,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    return dynamicSecretLeases;
  };
-  const getLeaseDetails = async ({
+  const getLeaseDetails: TDynamicSecretLeaseServiceFactory["getLeaseDetails"] = async ({
    projectSlug,
    actorOrgId,
    path,
@@ -433,7 +427,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorId,
    leaseId,
    actorAuthMethod
-  }: TDetailsDynamicSecretLeaseDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-types.ts
@@ -1,4 +1,5 @@
-import { TProjectPermission } from "@app/lib/types";
+import { TDynamicSecretLeases } from "@app/db/schemas";
 import { TDynamicSecretWithMetadata, TProjectPermission } from "@app/lib/types";
 export enum DynamicSecretLeaseStatus {
  FailedDeletion = "Failed to delete"
@@ -48,3 +49,40 @@ export type TDynamicSecretKubernetesLeaseConfig = {
 };
 export type TDynamicSecretLeaseConfig = TDynamicSecretKubernetesLeaseConfig;
 export type TDynamicSecretLeaseServiceFactory = {
  create: (arg: TCreateDynamicSecretLeaseDTO) => Promise<{
    lease: TDynamicSecretLeases;
    dynamicSecret: TDynamicSecretWithMetadata;
    data: unknown;
  }>;
  listLeases: (arg: TListDynamicSecretLeasesDTO) => Promise<TDynamicSecretLeases[]>;
  revokeLease: (arg: TDeleteDynamicSecretLeaseDTO) => Promise<TDynamicSecretLeases>;
  renewLease: (arg: TRenewDynamicSecretLeaseDTO) => Promise<TDynamicSecretLeases>;
  getLeaseDetails: (arg: TDetailsDynamicSecretLeaseDTO) => Promise<{
    dynamicSecret: {
      id: string;
      name: string;
      version: number;
      type: string;
      defaultTTL: string;
      maxTTL: string | null | undefined;
      encryptedInput: Buffer;
      folderId: string;
      status: string | null | undefined;
      statusDetails: string | null | undefined;
      createdAt: Date;
      updatedAt: Date;
    };
    version: number;
    id: string;
    createdAt: Date;
    updatedAt: Date;
    externalEntityId: string;
    expireAt: Date;
    dynamicSecretId: string;
    status?: string | null | undefined;
    config?: unknown;
    statusDetails?: string | null | undefined;
  }>;
 };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-dal.ts
@@ -10,17 +10,35 @@ import {
  selectAllTableCols,
  sqlNestRelationships,
  TFindFilter,
-  TFindOpt
+  TFindOpt,
  TOrmify
 } from "@app/lib/knex";
-import { OrderByDirection } from "@app/lib/types";
+import { OrderByDirection, TDynamicSecretWithMetadata } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
-export type TDynamicSecretDALFactory = ReturnType<typeof dynamicSecretDALFactory>;
+export interface TDynamicSecretDALFactory extends Omit<TOrmify<TableName.DynamicSecret>, "findOne"> {
  findOne: (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => Promise<TDynamicSecretWithMetadata>;
  listDynamicSecretsByFolderIds: (
    arg: {
      folderIds: string[];
      search?: string | undefined;
      limit?: number | undefined;
      offset?: number | undefined;
      orderBy?: SecretsOrderBy | undefined;
      orderDirection?: OrderByDirection | undefined;
    },
    tx?: Knex
  ) => Promise<Array<TDynamicSecretWithMetadata & { environment: string }>>;
  findWithMetadata: (
    filter: TFindFilter<TDynamicSecrets>,
    arg?: TFindOpt<TDynamicSecrets>
  ) => Promise<TDynamicSecretWithMetadata[]>;
 }
-export const dynamicSecretDALFactory = (db: TDbClient) => {
+export const dynamicSecretDALFactory = (db: TDbClient): TDynamicSecretDALFactory => {
  const orm = ormify(db, TableName.DynamicSecret);
-  const findOne = async (filter: TFindFilter<TDynamicSecrets>, tx?: Knex) => {
+  const findOne: TDynamicSecretDALFactory["findOne"] = async (filter, tx) => {
    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
      .leftJoin(
        TableName.ResourceMetadata,
@@ -55,9 +73,9 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
    return docs[0];
  };
-  const findWithMetadata = async (
+  const findWithMetadata: TDynamicSecretDALFactory["findWithMetadata"] = async (
-    filter: TFindFilter<TDynamicSecrets>,
+    filter,
-    { offset, limit, sort, tx }: TFindOpt<TDynamicSecrets> = {}
+    { offset, limit, sort, tx } = {}
  ) => {
    const query = (tx || db.replicaNode())(TableName.DynamicSecret)
      .leftJoin(
@@ -101,23 +119,9 @@ export const dynamicSecretDALFactory = (db: TDbClient) => {
  };
  // find dynamic secrets for multiple environments (folder IDs are cross env, thus need to rank for pagination)
-  const listDynamicSecretsByFolderIds = async (
+  const listDynamicSecretsByFolderIds: TDynamicSecretDALFactory["listDynamicSecretsByFolderIds"] = async (
-    {
+    { folderIds, search, limit, offset = 0, orderBy = SecretsOrderBy.Name, orderDirection = OrderByDirection.ASC },
-      folderIds,
+    tx
      search,
      limit,
      offset = 0,
      orderBy = SecretsOrderBy.Name,
      orderDirection = OrderByDirection.ASC
    }: {
      folderIds: string[];
      search?: string;
      limit?: number;
      offset?: number;
      orderBy?: SecretsOrderBy;
      orderDirection?: OrderByDirection;
    },
    tx?: Knex
  ) => {
    try {
      const query = (tx || db.replicaNode())(TableName.DynamicSecret)
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -8,7 +8,7 @@ import {
  ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
+import { OrderByDirection } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -20,17 +20,7 @@ import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/
 import { TGatewayDALFactory } from "../gateway/gateway-dal";
 import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
-import {
+import { DynamicSecretStatus, TDynamicSecretServiceFactory } from "./dynamic-secret-types";
  DynamicSecretStatus,
  TCreateDynamicSecretDTO,
  TDeleteDynamicSecretDTO,
  TDetailsDynamicSecretDTO,
  TGetDynamicSecretsCountDTO,
  TListDynamicSecretsByFolderMappingsDTO,
  TListDynamicSecretsDTO,
  TListDynamicSecretsMultiEnvDTO,
  TUpdateDynamicSecretDTO
 } from "./dynamic-secret-types";
 import { AzureEntraIDProvider } from "./providers/azure-entra-id";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./providers/models";
@@ -51,8 +41,6 @@ type TDynamicSecretServiceFactoryDep = {
  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 export type TDynamicSecretServiceFactory = ReturnType<typeof dynamicSecretServiceFactory>;
 export const dynamicSecretServiceFactory = ({
  dynamicSecretDAL,
  dynamicSecretLeaseDAL,
@@ -65,8 +53,8 @@ export const dynamicSecretServiceFactory = ({
  kmsService,
  gatewayDAL,
  resourceMetadataDAL
-}: TDynamicSecretServiceFactoryDep) => {
+}: TDynamicSecretServiceFactoryDep): TDynamicSecretServiceFactory => {
-  const create = async ({
+  const create: TDynamicSecretServiceFactory["create"] = async ({
    path,
    actor,
    name,
@@ -80,7 +68,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod,
    metadata,
    usernameTemplate
-  }: TCreateDynamicSecretDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -188,7 +176,7 @@ export const dynamicSecretServiceFactory = ({
    return dynamicSecretCfg;
  };
-  const updateByName = async ({
+  const updateByName: TDynamicSecretServiceFactory["updateByName"] = async ({
    name,
    maxTTL,
    defaultTTL,
@@ -203,7 +191,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod,
    metadata,
    usernameTemplate
-  }: TUpdateDynamicSecretDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -345,7 +333,7 @@ export const dynamicSecretServiceFactory = ({
    return updatedDynamicCfg;
  };
-  const deleteByName = async ({
+  const deleteByName: TDynamicSecretServiceFactory["deleteByName"] = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
@@ -355,7 +343,7 @@ export const dynamicSecretServiceFactory = ({
    path,
    environmentSlug,
    isForced
-  }: TDeleteDynamicSecretDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -413,7 +401,7 @@ export const dynamicSecretServiceFactory = ({
    return deletedDynamicSecretCfg;
  };
-  const getDetails = async ({
+  const getDetails: TDynamicSecretServiceFactory["getDetails"] = async ({
    name,
    projectSlug,
    path,
@@ -422,7 +410,7 @@ export const dynamicSecretServiceFactory = ({
    actorOrgId,
    actorId,
    actor
-  }: TDetailsDynamicSecretDTO) => {
+  }) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
    if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -480,7 +468,7 @@ export const dynamicSecretServiceFactory = ({
  };
  // get unique dynamic secret count across multiple envs
-  const getCountMultiEnv = async ({
+  const getCountMultiEnv: TDynamicSecretServiceFactory["getCountMultiEnv"] = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
@@ -490,7 +478,7 @@ export const dynamicSecretServiceFactory = ({
    environmentSlugs,
    search,
    isInternal
-  }: TListDynamicSecretsMultiEnvDTO) => {
+  }) => {
    if (!isInternal) {
      const { permission } = await permissionService.getProjectPermission({
        actor,
@@ -526,7 +514,7 @@ export const dynamicSecretServiceFactory = ({
  };
  // get dynamic secret count for a single env
-  const getDynamicSecretCount = async ({
+  const getDynamicSecretCount: TDynamicSecretServiceFactory["getDynamicSecretCount"] = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
@@ -535,7 +523,7 @@ export const dynamicSecretServiceFactory = ({
    environmentSlug,
    search,
    projectId
-  }: TGetDynamicSecretsCountDTO) => {
+  }) => {
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
@@ -561,7 +549,7 @@ export const dynamicSecretServiceFactory = ({
    return Number(dynamicSecretCfg[0]?.count ?? 0);
  };
-  const listDynamicSecretsByEnv = async ({
+  const listDynamicSecretsByEnv: TDynamicSecretServiceFactory["listDynamicSecretsByEnv"] = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
@@ -575,7 +563,7 @@ export const dynamicSecretServiceFactory = ({
    orderDirection = OrderByDirection.ASC,
    search,
    ...params
-  }: TListDynamicSecretsDTO) => {
+  }) => {
    let { projectId } = params;
    if (!projectId) {
@@ -619,9 +607,9 @@ export const dynamicSecretServiceFactory = ({
    });
  };
-  const listDynamicSecretsByFolderIds = async (
+  const listDynamicSecretsByFolderIds: TDynamicSecretServiceFactory["listDynamicSecretsByFolderIds"] = async (
-    { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
+    { folderMappings, filters, projectId },
-    actor: OrgServiceActor
+    actor
  ) => {
    const { permission } = await permissionService.getProjectPermission({
      actor: actor.type,
@@ -657,7 +645,7 @@ export const dynamicSecretServiceFactory = ({
  };
  // get dynamic secrets for multiple envs
-  const listDynamicSecretsByEnvs = async ({
+  const listDynamicSecretsByEnvs: TDynamicSecretServiceFactory["listDynamicSecretsByEnvs"] = async ({
    actorAuthMethod,
    actorOrgId,
    actorId,
@@ -667,7 +655,7 @@ export const dynamicSecretServiceFactory = ({
    projectId,
    isInternal,
    ...params
-  }: TListDynamicSecretsMultiEnvDTO) => {
+  }) => {
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
@@ -700,14 +688,10 @@ export const dynamicSecretServiceFactory = ({
    });
  };
-  const fetchAzureEntraIdUsers = async ({
+  const fetchAzureEntraIdUsers: TDynamicSecretServiceFactory["fetchAzureEntraIdUsers"] = async ({
    tenantId,
    applicationId,
    clientSecret
  }: {
    tenantId: string;
    applicationId: string;
    clientSecret: string;
  }) => {
    const azureEntraIdUsers = await AzureEntraIDProvider().fetchAzureEntraIdUsers(
      tenantId,
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
-import { OrderByDirection, TProjectPermission } from "@app/lib/types";
+import { TDynamicSecrets } from "@app/db/schemas";
 import { OrderByDirection, OrgServiceActor, TDynamicSecretWithMetadata, TProjectPermission } from "@app/lib/types";
 import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
@@ -83,3 +84,27 @@ export type TListDynamicSecretsMultiEnvDTO = Omit<
 export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
  projectId: string;
 };
 export type TDynamicSecretServiceFactory = {
  create: (arg: TCreateDynamicSecretDTO) => Promise<TDynamicSecrets>;
  updateByName: (arg: TUpdateDynamicSecretDTO) => Promise<TDynamicSecrets>;
  deleteByName: (arg: TDeleteDynamicSecretDTO) => Promise<TDynamicSecrets>;
  getDetails: (arg: TDetailsDynamicSecretDTO) => Promise<TDynamicSecretWithMetadata>;
  listDynamicSecretsByEnv: (arg: TListDynamicSecretsDTO) => Promise<TDynamicSecretWithMetadata[]>;
  listDynamicSecretsByEnvs: (
    arg: TListDynamicSecretsMultiEnvDTO
  ) => Promise<Array<TDynamicSecretWithMetadata & { environment: string }>>;
  getDynamicSecretCount: (arg: TGetDynamicSecretsCountDTO) => Promise<number>;
  getCountMultiEnv: (arg: TListDynamicSecretsMultiEnvDTO) => Promise<number>;
  fetchAzureEntraIdUsers: (arg: { tenantId: string; applicationId: string; clientSecret: string }) => Promise<
    {
      name: string;
      id: string;
      email: string;
    }[]
  >;
  listDynamicSecretsByFolderIds: (
    arg: TListDynamicSecretsByFolderMappingsDTO,
    actor: OrgServiceActor
  ) => Promise<Array<TDynamicSecretWithMetadata & { environment: string; path: string }>>;
 };
--- a/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
@@ -52,9 +52,8 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
      gatewayId: string;
      targetHost: string;
      targetPort: number;
-      caCert?: string;
+      httpsAgent?: https.Agent;
      reviewTokenThroughGateway: boolean;
      enableSsl: boolean;
    },
    gatewayCallback: (host: string, port: number, httpsAgent?: https.Agent) => Promise<T>
  ): Promise<T> => {
@@ -85,10 +84,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
          key: relayDetails.privateKey.toString()
        },
        // we always pass this, because its needed for both tcp and http protocol
-        httpsAgent: new https.Agent({
+        httpsAgent: inputs.httpsAgent
          ca: inputs.caCert,
          rejectUnauthorized: inputs.enableSsl
        })
      }
    );
@@ -311,6 +307,14 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    const k8sHost = `${url.protocol}//${url.hostname}`;
    try {
      const httpsAgent =
        providerInputs.ca && providerInputs.sslEnabled
          ? new https.Agent({
              ca: providerInputs.ca,
              rejectUnauthorized: true
            })
          : undefined;
      if (providerInputs.gatewayId) {
        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
          await $gatewayProxyWrapper(
@@ -318,8 +322,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sHost,
              targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
+              httpsAgent,
              caCert: providerInputs.ca,
              reviewTokenThroughGateway: true
            },
            providerInputs.credentialType === KubernetesCredentialType.Static
@@ -332,8 +335,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sGatewayHost,
              targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
+              httpsAgent,
              caCert: providerInputs.ca,
              reviewTokenThroughGateway: false
            },
            providerInputs.credentialType === KubernetesCredentialType.Static
@@ -342,9 +344,9 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
          );
        }
      } else if (providerInputs.credentialType === KubernetesCredentialType.Static) {
-        await serviceAccountStaticCallback(k8sHost, k8sPort);
+        await serviceAccountStaticCallback(k8sHost, k8sPort, httpsAgent);
      } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort);
+        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
      }
      return true;
@@ -546,6 +548,15 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
    try {
      let tokenData;
      const httpsAgent =
        providerInputs.ca && providerInputs.sslEnabled
          ? new https.Agent({
              ca: providerInputs.ca,
              rejectUnauthorized: true
            })
          : undefined;
      if (providerInputs.gatewayId) {
        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
          tokenData = await $gatewayProxyWrapper(
@@ -553,8 +564,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sHost,
              targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
+              httpsAgent,
              caCert: providerInputs.ca,
              reviewTokenThroughGateway: true
            },
            providerInputs.credentialType === KubernetesCredentialType.Static
@@ -567,8 +577,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sGatewayHost,
              targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
+              httpsAgent,
              caCert: providerInputs.ca,
              reviewTokenThroughGateway: false
            },
            providerInputs.credentialType === KubernetesCredentialType.Static
@@ -579,8 +588,8 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
      } else {
        tokenData =
          providerInputs.credentialType === KubernetesCredentialType.Static
-            ? await tokenRequestStaticCallback(k8sHost, k8sPort)
+            ? await tokenRequestStaticCallback(k8sHost, k8sPort, httpsAgent)
-            : await serviceAccountDynamicCallback(k8sHost, k8sPort);
+            : await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
      }
      return {
@@ -684,6 +693,14 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
      const k8sPort = url.port ? Number(url.port) : 443;
      const k8sHost = `${url.protocol}//${url.hostname}`;
      const httpsAgent =
        providerInputs.ca && providerInputs.sslEnabled
          ? new https.Agent({
              ca: providerInputs.ca,
              rejectUnauthorized: true
            })
          : undefined;
      if (providerInputs.gatewayId) {
        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
          await $gatewayProxyWrapper(
@@ -691,8 +708,7 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sHost,
              targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
+              httpsAgent,
              caCert: providerInputs.ca,
              reviewTokenThroughGateway: true
            },
            serviceAccountDynamicCallback
@@ -703,15 +719,14 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
              gatewayId: providerInputs.gatewayId,
              targetHost: k8sGatewayHost,
              targetPort: k8sPort,
-              enableSsl: providerInputs.sslEnabled,
+              httpsAgent,
              caCert: providerInputs.ca,
              reviewTokenThroughGateway: false
            },
            serviceAccountDynamicCallback
          );
        }
      } else {
-        await serviceAccountDynamicCallback(k8sHost, k8sPort);
+        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
      }
    }
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@@ -24,6 +24,7 @@ type TFindQueryFilter = {
  committer?: string;
  limit?: number;
  offset?: number;
  search?: string;
 };
 export const secretApprovalRequestDALFactory = (db: TDbClient) => {
@@ -314,7 +315,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                  .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
                  .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
            )
            .andWhere((bd) => void bd.where(`${TableName.SecretApprovalPolicy}.deletedAt`, null))
            .select("status", `${TableName.SecretApprovalRequest}.id`)
            .groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
            .count("status")
@@ -340,13 +340,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
  };
  const findByProjectId = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, userId }: TFindQueryFilter,
+    { status, limit = 20, offset = 0, projectId, committer, environment, userId, search }: TFindQueryFilter,
    tx?: Knex
  ) => {
    try {
      // akhilmhdh: If ever u wanted a 1 to so many relationship connected with pagination
      // this is the place u wanna look at.
-      const query = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
+      const innerQuery = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
        .join(
@@ -435,7 +435,30 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
          db.ref("lastName").withSchema("committerUser").as("committerUserLastName")
        )
-        .orderBy("createdAt", "desc");
+        .distinctOn(`${TableName.SecretApprovalRequest}.id`)
        .as("inner");
      const query = (tx || db)
        .select("*")
        .select(db.raw("count(*) OVER() as total_count"))
        .from(innerQuery)
        .orderBy("createdAt", "desc") as typeof innerQuery;
      if (search) {
        void query.where((qb) => {
          void qb
            .whereRaw(`CONCAT_WS(' ', ??, ??) ilike ?`, [
              db.ref("firstName").withSchema("committerUser"),
              db.ref("lastName").withSchema("committerUser"),
              `%${search}%`
            ])
            .orWhereRaw(`?? ilike ?`, [db.ref("username").withSchema("committerUser"), `%${search}%`])
            .orWhereRaw(`?? ilike ?`, [db.ref("email").withSchema("committerUser"), `%${search}%`])
            .orWhereILike(`${TableName.Environment}.name`, `%${search}%`)
            .orWhereILike(`${TableName.Environment}.slug`, `%${search}%`)
            .orWhereILike(`${TableName.SecretApprovalPolicy}.secretPath`, `%${search}%`);
        });
      }
      const docs = await (tx || db)
        .with("w", query)
@@ -443,6 +466,10 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        .from<Awaited<typeof query>[number]>("w")
        .where("w.rank", ">=", offset)
        .andWhere("w.rank", "<", offset + limit);
      // @ts-expect-error knex does not infer
      const totalCount = Number(docs[0]?.total_count || 0);
      const formattedDoc = sqlNestRelationships({
        data: docs,
        key: "id",
@@ -504,23 +531,26 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          }
        ]
      });
-      return formattedDoc.map((el) => ({
+      return {
-        ...el,
+        approvals: formattedDoc.map((el) => ({
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+          ...el,
-      }));
+          policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
        })),
        totalCount
      };
    } catch (error) {
      throw new DatabaseError({ error, name: "FindSAR" });
    }
  };
  const findByProjectIdBridgeSecretV2 = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, userId }: TFindQueryFilter,
+    { status, limit = 20, offset = 0, projectId, committer, environment, userId, search }: TFindQueryFilter,
    tx?: Knex
  ) => {
    try {
      // akhilmhdh: If ever u wanted a 1 to so many relationship connected with pagination
      // this is the place u wanna look at.
-      const query = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
+      const innerQuery = (tx || db.replicaNode())(TableName.SecretApprovalRequest)
        .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
        .join(
@@ -609,14 +639,42 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          db.ref("firstName").withSchema("committerUser").as("committerUserFirstName"),
          db.ref("lastName").withSchema("committerUser").as("committerUserLastName")
        )
-        .orderBy("createdAt", "desc");
+        .distinctOn(`${TableName.SecretApprovalRequest}.id`)
        .as("inner");
      const query = (tx || db)
        .select("*")
        .select(db.raw("count(*) OVER() as total_count"))
        .from(innerQuery)
        .orderBy("createdAt", "desc") as typeof innerQuery;
      if (search) {
        void query.where((qb) => {
          void qb
            .whereRaw(`CONCAT_WS(' ', ??, ??) ilike ?`, [
              db.ref("firstName").withSchema("committerUser"),
              db.ref("lastName").withSchema("committerUser"),
              `%${search}%`
            ])
            .orWhereRaw(`?? ilike ?`, [db.ref("username").withSchema("committerUser"), `%${search}%`])
            .orWhereRaw(`?? ilike ?`, [db.ref("email").withSchema("committerUser"), `%${search}%`])
            .orWhereILike(`${TableName.Environment}.name`, `%${search}%`)
            .orWhereILike(`${TableName.Environment}.slug`, `%${search}%`)
            .orWhereILike(`${TableName.SecretApprovalPolicy}.secretPath`, `%${search}%`);
        });
      }
      const rankOffset = offset + 1;
      const docs = await (tx || db)
        .with("w", query)
        .select("*")
        .from<Awaited<typeof query>[number]>("w")
-        .where("w.rank", ">=", offset)
+        .where("w.rank", ">=", rankOffset)
-        .andWhere("w.rank", "<", offset + limit);
+        .andWhere("w.rank", "<", rankOffset + limit);
      // @ts-expect-error knex does not infer
      const totalCount = Number(docs[0]?.total_count || 0);
      const formattedDoc = sqlNestRelationships({
        data: docs,
        key: "id",
@@ -682,10 +740,13 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          }
        ]
      });
-      return formattedDoc.map((el) => ({
+      return {
-        ...el,
+        approvals: formattedDoc.map((el) => ({
-        policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
+          ...el,
-      }));
+          policy: { ...el.policy, approvers: el.approvers, bypassers: el.bypassers }
        })),
        totalCount
      };
    } catch (error) {
      throw new DatabaseError({ error, name: "FindSAR" });
    }
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -194,7 +194,8 @@ export const secretApprovalRequestServiceFactory = ({
    environment,
    committer,
    limit,
-    offset
+    offset,
    search
  }: TListApprovalsDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -208,6 +209,7 @@ export const secretApprovalRequestServiceFactory = ({
    });
    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
      return secretApprovalRequestDAL.findByProjectIdBridgeSecretV2({
        projectId,
@@ -216,19 +218,21 @@ export const secretApprovalRequestServiceFactory = ({
        status,
        userId: actorId,
        limit,
-        offset
+        offset,
        search
      });
    }
-    const approvals = await secretApprovalRequestDAL.findByProjectId({
+
    return secretApprovalRequestDAL.findByProjectId({
      projectId,
      committer,
      environment,
      status,
      userId: actorId,
      limit,
-      offset
+      offset,
      search
    });
    return approvals;
  };
  const getSecretApprovalDetails = async ({
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
@@ -93,6 +93,7 @@ export type TListApprovalsDTO = {
  committer?: string;
  limit?: number;
  offset?: number;
  search?: string;
 } & TProjectPermission;
 export type TSecretApprovalDetailsDTO = {
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -11,7 +11,8 @@ export const PgSqlLock = {
  OrgGatewayRootCaInit: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-root-ca:${orgId}`),
  OrgGatewayCertExchange: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-cert-exchange:${orgId}`),
  SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
-  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`)
+  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
  CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`)
 } as const;
 // all the key prefixes used must be set here to avoid conflict
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -2228,6 +2228,12 @@ export const AppConnections = {
    },
    FLYIO: {
      accessToken: "The Access Token used to access fly.io."
    },
    GITLAB: {
      instanceUrl: "The GitLab instance URL to connect with.",
      accessToken: "The Access Token used to access GitLab.",
      code: "The OAuth code to use to connect with GitLab.",
      accessTokenType: "The type of token used to connect with GitLab."
    }
  }
 };
@@ -2401,6 +2407,21 @@ export const SecretSyncs = {
    },
    FLYIO: {
      appId: "The ID of the Fly.io app to sync secrets to."
    },
    GITLAB: {
      projectId: "The GitLab Project ID to sync secrets to.",
      projectName: "The GitLab Project Name to sync secrets to.",
      groupId: "The GitLab Group ID to sync secrets to.",
      groupName: "The GitLab Group Name to sync secrets to.",
      scope: "The GitLab scope that secrets should be synced to. (default: project)",
      targetEnvironment: "The GitLab environment scope that secrets should be synced to. (default: *)",
      shouldProtectSecrets: "Whether variables should be protected",
      shouldMaskSecrets: "Whether variables should be masked in logs",
      shouldHideSecrets: "Whether variables should be hidden"
    },
    CLOUDFLARE_PAGES: {
      projectName: "The name of the Cloudflare Pages project to sync secrets to.",
      environment: "The environment of the Cloudflare Pages project to sync secrets to."
    }
  }
 };
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -247,6 +247,10 @@ const envSchema = z
    INF_APP_CONNECTION_GITHUB_RADAR_APP_ID: zpStr(z.string().optional()),
    INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET: zpStr(z.string().optional()),
    // gitlab oauth
    INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID: zpStr(z.string().optional()),
    INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET: zpStr(z.string().optional()),
    // gcp app
    INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
--- a/backend/src/lib/fn/time.ts
+++ b/backend/src/lib/fn/time.ts
@@ -19,3 +19,5 @@ export const getMinExpiresIn = (exp1: string | number, exp2: string | number): s
  return ms1 <= ms2 ? exp1 : exp2;
 };
 export const convertMsToSecond = (time: number) => time / 1000;
--- a/backend/src/lib/types/index.ts
+++ b/backend/src/lib/types/index.ts
@@ -1,3 +1,4 @@
 import { TDynamicSecrets } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 export type TGenericPermission = {
@@ -84,3 +85,7 @@ export enum QueueWorkerProfile {
  Standard = "standard",
  SecretScanning = "secret-scanning"
 }
 export interface TDynamicSecretWithMetadata extends TDynamicSecrets {
  metadata: { id: string; key: string; value: string }[];
 }
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -377,6 +377,7 @@ export type TQueueServiceFactory = {
  stopRepeatableJobByKey: <T extends QueueName>(name: T, repeatJobKey: string) => Promise<boolean>;
  clearQueue: (name: QueueName) => Promise<void>;
  stopJobById: <T extends QueueName>(name: T, jobId: string) => Promise<void | undefined>;
  stopJobByIdPg: <T extends QueueName>(name: T, jobId: string) => Promise<void | undefined>;
  getRepeatableJobs: (
    name: QueueName,
    startOffset?: number,
@@ -542,6 +543,10 @@ export const queueServiceFactory = (
    return q.removeRepeatableByKey(repeatJobKey);
  };
  const stopJobByIdPg: TQueueServiceFactory["stopJobByIdPg"] = async (name, jobId) => {
    await pgBoss.deleteJob(name, jobId);
  };
  const stopJobById: TQueueServiceFactory["stopJobById"] = async (name, jobId) => {
    const q = queueContainer[name];
    const job = await q.getJob(jobId);
@@ -568,6 +573,7 @@ export const queueServiceFactory = (
    stopRepeatableJobByKey,
    clearQueue,
    stopJobById,
    stopJobByIdPg,
    getRepeatableJobs,
    startPg,
    queuePg,
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -1903,6 +1903,7 @@ export const registerRoutes = async (
  await pkiSubscriberQueue.startDailyAutoRenewalJob();
  await kmsService.startService();
  await microsoftTeamsService.start();
  await dynamicSecretQueueService.init();
  // inject all services
  server.decorate<FastifyZodProvider["services"]>("services", {
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -35,6 +35,10 @@ import {
  CamundaConnectionListItemSchema,
  SanitizedCamundaConnectionSchema
 } from "@app/services/app-connection/camunda";
 import {
  CloudflareConnectionListItemSchema,
  SanitizedCloudflareConnectionSchema
 } from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
 import {
  DatabricksConnectionListItemSchema,
  SanitizedDatabricksConnectionSchema
@@ -46,6 +50,7 @@ import {
  GitHubRadarConnectionListItemSchema,
  SanitizedGitHubRadarConnectionSchema
 } from "@app/services/app-connection/github-radar";
 import { GitLabConnectionListItemSchema, SanitizedGitLabConnectionSchema } from "@app/services/app-connection/gitlab";
 import {
  HCVaultConnectionListItemSchema,
  SanitizedHCVaultConnectionSchema
@@ -109,7 +114,9 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedOnePassConnectionSchema.options,
  ...SanitizedHerokuConnectionSchema.options,
  ...SanitizedRenderConnectionSchema.options,
-  ...SanitizedFlyioConnectionSchema.options
+  ...SanitizedFlyioConnectionSchema.options,
  ...SanitizedGitLabConnectionSchema.options,
  ...SanitizedCloudflareConnectionSchema.options
 ]);
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -139,7 +146,9 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  OnePassConnectionListItemSchema,
  HerokuConnectionListItemSchema,
  RenderConnectionListItemSchema,
-  FlyioConnectionListItemSchema
+  FlyioConnectionListItemSchema,
  GitLabConnectionListItemSchema,
  CloudflareConnectionListItemSchema
 ]);
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v1/app-connection-routers/cloudflare-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/cloudflare-connection-router.ts
@@ -0,0 +1,53 @@
 import z from "zod";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateCloudflareConnectionSchema,
  SanitizedCloudflareConnectionSchema,
  UpdateCloudflareConnectionSchema
 } from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerCloudflareConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.Cloudflare,
    server,
    sanitizedResponseSchema: SanitizedCloudflareConnectionSchema,
    createSchema: CreateCloudflareConnectionSchema,
    updateSchema: UpdateCloudflareConnectionSchema
  });
  // The below endpoints are not exposed and for Infisical App use
  server.route({
    method: "GET",
    url: `/:connectionId/cloudflare-pages-projects`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z
          .object({
            id: z.string(),
            name: z.string()
          })
          .array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const projects = await server.services.appConnection.cloudflare.listPagesProjects(connectionId, req.permission);
      return projects;
    }
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/gitlab-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/gitlab-connection-router.ts
@@ -0,0 +1,90 @@
 import z from "zod";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  CreateGitLabConnectionSchema,
  SanitizedGitLabConnectionSchema,
  TGitLabGroup,
  TGitLabProject,
  UpdateGitLabConnectionSchema
 } from "@app/services/app-connection/gitlab";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 export const registerGitLabConnectionRouter = async (server: FastifyZodProvider) => {
  registerAppConnectionEndpoints({
    app: AppConnection.GitLab,
    server,
    sanitizedResponseSchema: SanitizedGitLabConnectionSchema,
    createSchema: CreateGitLabConnectionSchema,
    updateSchema: UpdateGitLabConnectionSchema
  });
  // The below endpoints are not exposed and for Infisical App use
  server.route({
    method: "GET",
    url: `/:connectionId/projects`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z
          .object({
            id: z.string(),
            name: z.string()
          })
          .array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const projects: TGitLabProject[] = await server.services.appConnection.gitlab.listProjects(
        connectionId,
        req.permission
      );
      return projects;
    }
  });
  server.route({
    method: "GET",
    url: `/:connectionId/groups`,
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
        connectionId: z.string().uuid()
      }),
      response: {
        200: z
          .object({
            id: z.string(),
            name: z.string()
          })
          .array()
      }
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const { connectionId } = req.params;
      const groups: TGitLabGroup[] = await server.services.appConnection.gitlab.listGroups(
        connectionId,
        req.permission
      );
      return groups;
    }
  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -10,11 +10,13 @@ import { registerAzureClientSecretsConnectionRouter } from "./azure-client-secre
 import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-router";
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerCamundaConnectionRouter } from "./camunda-connection-router";
 import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 import { registerGitHubRadarConnectionRouter } from "./github-radar-connection-router";
 import { registerGitLabConnectionRouter } from "./gitlab-connection-router";
 import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHerokuConnectionRouter } from "./heroku-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
@@ -58,5 +60,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.OnePass]: registerOnePassConnectionRouter,
    [AppConnection.Heroku]: registerHerokuConnectionRouter,
    [AppConnection.Render]: registerRenderConnectionRouter,
-    [AppConnection.Flyio]: registerFlyioConnectionRouter
+    [AppConnection.Flyio]: registerFlyioConnectionRouter,
    [AppConnection.GitLab]: registerGitLabConnectionRouter,
    [AppConnection.Cloudflare]: registerCloudflareConnectionRouter
  };
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@@ -83,7 +83,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: smtpRateLimit({
        keyGenerator: (req) =>
-          (req.body as { membershipId?: string })?.membershipId?.trim().substring(0, 100) ?? req.realIp
+          (req.body as { membershipId?: string })?.membershipId?.trim().substring(0, 100) || req.realIp
      })
    },
    method: "POST",
--- a/backend/src/server/routes/v1/password-router.ts
+++ b/backend/src/server/routes/v1/password-router.ts
@@ -81,7 +81,7 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    url: "/email/password-reset",
    config: {
      rateLimit: smtpRateLimit({
-        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) ?? req.realIp
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
      })
    },
    schema: {
@@ -107,7 +107,9 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/email/password-reset-verify",
    config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
      })
    },
    schema: {
      body: z.object({
--- a/backend/src/server/routes/v1/secret-sync-routers/cloudflare-pages-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/cloudflare-pages-sync-router.ts
@@ -0,0 +1,16 @@
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
 import {
  CloudflarePagesSyncSchema,
  CreateCloudflarePagesSyncSchema,
  UpdateCloudflarePagesSyncSchema
 } from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
 export const registerCloudflarePagesSyncRouter = async (server: FastifyZodProvider) =>
  registerSyncSecretsEndpoints({
    destination: SecretSync.CloudflarePages,
    server,
    responseSchema: CloudflarePagesSyncSchema,
    createSchema: CreateCloudflarePagesSyncSchema,
    updateSchema: UpdateCloudflarePagesSyncSchema
  });
--- a/backend/src/server/routes/v1/secret-sync-routers/gitlab-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/gitlab-sync-router.ts
@@ -0,0 +1,13 @@
 import { CreateGitLabSyncSchema, GitLabSyncSchema, UpdateGitLabSyncSchema } from "@app/services/secret-sync/gitlab";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
 export const registerGitLabSyncRouter = async (server: FastifyZodProvider) =>
  registerSyncSecretsEndpoints({
    destination: SecretSync.GitLab,
    server,
    responseSchema: GitLabSyncSchema,
    createSchema: CreateGitLabSyncSchema,
    updateSchema: UpdateGitLabSyncSchema
  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -8,10 +8,12 @@ import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configurati
 import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
 import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
 import { registerCamundaSyncRouter } from "./camunda-sync-router";
 import { registerCloudflarePagesSyncRouter } from "./cloudflare-pages-sync-router";
 import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerGitLabSyncRouter } from "./gitlab-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
@@ -43,5 +45,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.OnePass]: registerOnePassSyncRouter,
  [SecretSync.Heroku]: registerHerokuSyncRouter,
  [SecretSync.Render]: registerRenderSyncRouter,
-  [SecretSync.Flyio]: registerFlyioSyncRouter
+  [SecretSync.Flyio]: registerFlyioSyncRouter,
  [SecretSync.GitLab]: registerGitLabSyncRouter,
  [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -22,10 +22,15 @@ import {
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
 import {
  CloudflarePagesSyncListItemSchema,
  CloudflarePagesSyncSchema
 } from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 import { GitLabSyncListItemSchema, GitLabSyncSchema } from "@app/services/secret-sync/gitlab";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
@@ -55,7 +60,9 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  OnePassSyncSchema,
  HerokuSyncSchema,
  RenderSyncSchema,
-  FlyioSyncSchema
+  FlyioSyncSchema,
  GitLabSyncSchema,
  CloudflarePagesSyncSchema
 ]);
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -78,7 +85,9 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  OnePassSyncListItemSchema,
  HerokuSyncListItemSchema,
  RenderSyncListItemSchema,
-  FlyioSyncListItemSchema
+  FlyioSyncListItemSchema,
  GitLabSyncListItemSchema,
  CloudflarePagesSyncListItemSchema
 ]);
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -2,7 +2,7 @@ import { z } from "zod";
 import { AuthTokenSessionsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
-import { authRateLimit, readLimit, smtpRateLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, smtpRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
 import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
@@ -13,7 +13,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    url: "/me/emails/code",
    config: {
      rateLimit: smtpRateLimit({
-        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) ?? req.realIp
+        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) || req.realIp
      })
    },
    schema: {
@@ -34,7 +34,9 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    url: "/me/emails/verify",
    config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
        keyGenerator: (req) => (req.body as { username?: string })?.username?.trim().substring(0, 100) || req.realIp
      })
    },
    schema: {
      body: z.object({
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -4,7 +4,7 @@ import { z } from "zod";
 import { SecretApprovalRequestsSchema, SecretsSchema, SecretType, ServiceTokenScopes } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, RAW_SECRETS, SECRETS } from "@app/lib/api-docs";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { secretsLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { BaseSecretNameSchema, SecretNameSchema } from "@app/server/lib/schemas";
@@ -12,7 +12,6 @@ import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations, SecretProtectionType } from "@app/services/secret/secret-types";
 import { SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
@@ -286,22 +285,17 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          environment = scope[0].environment;
          workspaceId = req.auth.serviceToken.projectId;
        }
-      } else if (req.permission.type === ActorType.IDENTITY && req.query.workspaceSlug && !workspaceId) {
+      } else {
-        const workspace = await server.services.project.getAProject({
+        const projectId = await server.services.project.extractProjectIdFromSlug({
-          filter: {
+          projectSlug: req.query.workspaceSlug,
-            type: ProjectFilterType.SLUG,
+          projectId: workspaceId,
            orgId: req.permission.orgId,
            slug: req.query.workspaceSlug
          },
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actor: req.permission.type,
          actorOrgId: req.permission.orgId
        });
-        if (!workspace) throw new NotFoundError({ message: `No project found with slug ${req.query.workspaceSlug}` });
+        workspaceId = projectId;
        workspaceId = workspace.id;
      }
      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
@@ -442,11 +436,23 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
          environment = scope[0].environment;
          workspaceId = req.auth.serviceToken.projectId;
        }
      } else {
        const projectId = await server.services.project.extractProjectIdFromSlug({
          projectSlug: workspaceSlug,
          projectId: workspaceId,
          actorId: req.permission.id,
          actorAuthMethod: req.permission.authMethod,
          actor: req.permission.type,
          actorOrgId: req.permission.orgId
        });
        workspaceId = projectId;
      }
      if (!environment) throw new BadRequestError({ message: "Missing environment" });
-      if (!workspaceId && !workspaceSlug)
+      if (!workspaceId) {
        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
      }
      const secret = await server.services.secret.getSecretByNameRaw({
        actorId: req.permission.id,
@@ -457,7 +463,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        environment,
        projectId: workspaceId,
        viewSecretValue: req.query.viewSecretValue,
        projectSlug: workspaceSlug,
        path: secretPath,
        secretName: req.params.secretName,
        type: req.query.type,
@@ -518,7 +523,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.CREATE.workspaceId),
        projectSlug: z.string().trim().optional().describe(RAW_SECRETS.CREATE.projectSlug),
        environment: z.string().trim().describe(RAW_SECRETS.CREATE.environment),
        secretPath: z
          .string()
@@ -558,13 +564,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const projectId = await server.services.project.extractProjectIdFromSlug({
        projectSlug: req.body.projectSlug,
        projectId: req.body.workspaceId,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
      });
      const secretOperation = await server.services.secret.createSecretRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        environment: req.body.environment,
        actorAuthMethod: req.permission.authMethod,
-        projectId: req.body.workspaceId,
+        projectId,
        secretPath: req.body.secretPath,
        secretName: req.params.secretName,
        type: req.body.type,
@@ -582,7 +597,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const { secret } = secretOperation;
      await server.services.auditLog.createAuditLog({
-        projectId: req.body.workspaceId,
+        projectId,
        ...req.auditLogInfo,
        event: {
          type: EventType.CREATE_SECRET,
@@ -602,7 +617,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        distinctId: getTelemetryDistinctId(req),
        properties: {
          numberOfSecrets: 1,
-          workspaceId: req.body.workspaceId,
+          workspaceId: projectId,
          environment: req.body.environment,
          secretPath: req.body.secretPath,
          channel: getUserAgentType(req.headers["user-agent"]),
@@ -633,7 +648,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretName: BaseSecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.workspaceId),
        projectSlug: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.projectSlug),
        environment: z.string().trim().describe(RAW_SECRETS.UPDATE.environment),
        secretValue: z
          .string()
@@ -679,13 +695,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const projectId = await server.services.project.extractProjectIdFromSlug({
        projectSlug: req.body.projectSlug,
        projectId: req.body.workspaceId,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
      });
      const secretOperation = await server.services.secret.updateSecretRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
        environment: req.body.environment,
-        projectId: req.body.workspaceId,
+        projectId,
        secretPath: req.body.secretPath,
        secretName: req.params.secretName,
        type: req.body.type,
@@ -707,7 +732,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const { secret } = secretOperation;
      await server.services.auditLog.createAuditLog({
-        projectId: req.body.workspaceId,
+        projectId,
        ...req.auditLogInfo,
        event: {
          type: EventType.UPDATE_SECRET,
@@ -727,7 +752,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        distinctId: getTelemetryDistinctId(req),
        properties: {
          numberOfSecrets: 1,
-          workspaceId: req.body.workspaceId,
+          workspaceId: projectId,
          environment: req.body.environment,
          secretPath: req.body.secretPath,
          channel: getUserAgentType(req.headers["user-agent"]),
@@ -757,7 +782,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
      }),
      body: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
+        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.DELETE.workspaceId),
        projectSlug: z.string().trim().optional().describe(RAW_SECRETS.DELETE.projectSlug),
        environment: z.string().trim().describe(RAW_SECRETS.DELETE.environment),
        secretPath: z
          .string()
@@ -780,13 +806,22 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const projectId = await server.services.project.extractProjectIdFromSlug({
        projectSlug: req.body.projectSlug,
        projectId: req.body.workspaceId,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
        actorOrgId: req.permission.orgId
      });
      const secretOperation = await server.services.secret.deleteSecretRaw({
        actorId: req.permission.id,
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
        environment: req.body.environment,
-        projectId: req.body.workspaceId,
+        projectId,
        secretPath: req.body.secretPath,
        secretName: req.params.secretName,
        type: req.body.type
@@ -798,7 +833,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      const { secret } = secretOperation;
      await server.services.auditLog.createAuditLog({
-        projectId: req.body.workspaceId,
+        projectId,
        ...req.auditLogInfo,
        event: {
          type: EventType.DELETE_SECRET,
@@ -817,7 +852,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        distinctId: getTelemetryDistinctId(req),
        properties: {
          numberOfSecrets: 1,
-          workspaceId: req.body.workspaceId,
+          workspaceId: projectId,
          environment: req.body.environment,
          secretPath: req.body.secretPath,
          channel: getUserAgentType(req.headers["user-agent"]),
--- a/backend/src/server/routes/v3/signup-router.ts
+++ b/backend/src/server/routes/v3/signup-router.ts
@@ -14,7 +14,7 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
    method: "POST",
    config: {
      rateLimit: smtpRateLimit({
-        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) ?? req.realIp
+        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
      })
    },
    schema: {
@@ -55,7 +55,9 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
    url: "/email/verify",
    method: "POST",
    config: {
-      rateLimit: authRateLimit
+      rateLimit: smtpRateLimit({
        keyGenerator: (req) => (req.body as { email?: string })?.email?.trim().substring(0, 100) || req.realIp
      })
    },
    schema: {
      body: z.object({
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -25,7 +25,9 @@ export enum AppConnection {
  OnePass = "1password",
  Heroku = "heroku",
  Render = "render",
-  Flyio = "flyio"
+  Flyio = "flyio",
  GitLab = "gitlab",
  Cloudflare = "cloudflare"
 }
 export enum AWSRegion {
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -51,6 +51,11 @@ import {
  validateAzureKeyVaultConnectionCredentials
 } from "./azure-key-vault";
 import { CamundaConnectionMethod, getCamundaConnectionListItem, validateCamundaConnectionCredentials } from "./camunda";
 import { CloudflareConnectionMethod } from "./cloudflare/cloudflare-connection-enum";
 import {
  getCloudflareConnectionListItem,
  validateCloudflareConnectionCredentials
 } from "./cloudflare/cloudflare-connection-fns";
 import {
  DatabricksConnectionMethod,
  getDatabricksConnectionListItem,
@@ -64,6 +69,7 @@ import {
  GitHubRadarConnectionMethod,
  validateGitHubRadarConnectionCredentials
 } from "./github-radar";
 import { getGitLabConnectionListItem, GitLabConnectionMethod, validateGitLabConnectionCredentials } from "./gitlab";
 import {
  getHCVaultConnectionListItem,
  HCVaultConnectionMethod,
@@ -128,7 +134,9 @@ export const listAppConnectionOptions = () => {
    getOnePassConnectionListItem(),
    getHerokuConnectionListItem(),
    getRenderConnectionListItem(),
-    getFlyioConnectionListItem()
+    getFlyioConnectionListItem(),
    getGitLabConnectionListItem(),
    getCloudflareConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
 };
@@ -206,7 +214,9 @@ export const validateAppConnectionCredentials = async (
    [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Heroku]: validateHerokuConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator
  };
  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -223,6 +233,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case GitHubConnectionMethod.OAuth:
    case AzureDevOpsConnectionMethod.OAuth:
    case HerokuConnectionMethod.OAuth:
    case GitLabConnectionMethod.OAuth:
      return "OAuth";
    case HerokuConnectionMethod.AuthToken:
      return "Auth Token";
@@ -241,6 +252,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case TerraformCloudConnectionMethod.ApiToken:
    case VercelConnectionMethod.ApiToken:
    case OnePassConnectionMethod.ApiToken:
    case CloudflareConnectionMethod.APIToken:
      return "API Token";
    case PostgresConnectionMethod.UsernameAndPassword:
    case MsSqlConnectionMethod.UsernameAndPassword:
@@ -318,7 +330,9 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
  [AppConnection.OnePass]: platformManagedCredentialsNotSupported,
  [AppConnection.Heroku]: platformManagedCredentialsNotSupported,
  [AppConnection.Render]: platformManagedCredentialsNotSupported,
-  [AppConnection.Flyio]: platformManagedCredentialsNotSupported
+  [AppConnection.Flyio]: platformManagedCredentialsNotSupported,
  [AppConnection.GitLab]: platformManagedCredentialsNotSupported,
  [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported
 };
 export const enterpriseAppCheck = async (
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -27,7 +27,9 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.OnePass]: "1Password",
  [AppConnection.Heroku]: "Heroku",
  [AppConnection.Render]: "Render",
-  [AppConnection.Flyio]: "Fly.io"
+  [AppConnection.Flyio]: "Fly.io",
  [AppConnection.GitLab]: "GitLab",
  [AppConnection.Cloudflare]: "Cloudflare"
 };
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -57,5 +59,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
  [AppConnection.MySql]: AppConnectionPlanType.Regular,
  [AppConnection.Heroku]: AppConnectionPlanType.Regular,
  [AppConnection.Render]: AppConnectionPlanType.Regular,
-  [AppConnection.Flyio]: AppConnectionPlanType.Regular
+  [AppConnection.Flyio]: AppConnectionPlanType.Regular,
  [AppConnection.GitLab]: AppConnectionPlanType.Regular,
  [AppConnection.Cloudflare]: AppConnectionPlanType.Regular
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -47,6 +47,8 @@ import { azureDevOpsConnectionService } from "./azure-devops/azure-devops-servic
 import { ValidateAzureKeyVaultConnectionCredentialsSchema } from "./azure-key-vault";
 import { ValidateCamundaConnectionCredentialsSchema } from "./camunda";
 import { camundaConnectionService } from "./camunda/camunda-connection-service";
 import { ValidateCloudflareConnectionCredentialsSchema } from "./cloudflare/cloudflare-connection-schema";
 import { cloudflareConnectionService } from "./cloudflare/cloudflare-connection-service";
 import { ValidateDatabricksConnectionCredentialsSchema } from "./databricks";
 import { databricksConnectionService } from "./databricks/databricks-connection-service";
 import { ValidateFlyioConnectionCredentialsSchema } from "./flyio";
@@ -56,6 +58,8 @@ import { gcpConnectionService } from "./gcp/gcp-connection-service";
 import { ValidateGitHubConnectionCredentialsSchema } from "./github";
 import { githubConnectionService } from "./github/github-connection-service";
 import { ValidateGitHubRadarConnectionCredentialsSchema } from "./github-radar";
 import { ValidateGitLabConnectionCredentialsSchema } from "./gitlab";
 import { gitlabConnectionService } from "./gitlab/gitlab-connection-service";
 import { ValidateHCVaultConnectionCredentialsSchema } from "./hc-vault";
 import { hcVaultConnectionService } from "./hc-vault/hc-vault-connection-service";
 import { ValidateHerokuConnectionCredentialsSchema } from "./heroku";
@@ -113,7 +117,9 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema,
  [AppConnection.Heroku]: ValidateHerokuConnectionCredentialsSchema,
  [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
-  [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema
+  [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
  [AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema,
  [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema
 };
 export const appConnectionServiceFactory = ({
@@ -521,6 +527,8 @@ export const appConnectionServiceFactory = ({
    onepass: onePassConnectionService(connectAppConnectionById),
    heroku: herokuConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    render: renderConnectionService(connectAppConnectionById),
-    flyio: flyioConnectionService(connectAppConnectionById)
+    flyio: flyioConnectionService(connectAppConnectionById),
    gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    cloudflare: cloudflareConnectionService(connectAppConnectionById)
  };
 };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -62,6 +62,12 @@ import {
  TCamundaConnectionInput,
  TValidateCamundaConnectionCredentialsSchema
 } from "./camunda";
 import {
  TCloudflareConnection,
  TCloudflareConnectionConfig,
  TCloudflareConnectionInput,
  TValidateCloudflareConnectionCredentialsSchema
 } from "./cloudflare/cloudflare-connection-types";
 import {
  TDatabricksConnection,
  TDatabricksConnectionConfig,
@@ -92,6 +98,12 @@ import {
  TGitHubRadarConnectionInput,
  TValidateGitHubRadarConnectionCredentialsSchema
 } from "./github-radar";
 import {
  TGitLabConnection,
  TGitLabConnectionConfig,
  TGitLabConnectionInput,
  TValidateGitLabConnectionCredentialsSchema
 } from "./gitlab";
 import {
  THCVaultConnection,
  THCVaultConnectionConfig,
@@ -182,6 +194,8 @@ export type TAppConnection = { id: string } & (
  | THerokuConnection
  | TRenderConnection
  | TFlyioConnection
  | TGitLabConnection
  | TCloudflareConnection
 );
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -216,6 +230,8 @@ export type TAppConnectionInput = { id: string } & (
  | THerokuConnectionInput
  | TRenderConnectionInput
  | TFlyioConnectionInput
  | TGitLabConnectionInput
  | TCloudflareConnectionInput
 );
 export type TSqlConnectionInput =
@@ -257,7 +273,9 @@ export type TAppConnectionConfig =
  | TOnePassConnectionConfig
  | THerokuConnectionConfig
  | TRenderConnectionConfig
-  | TFlyioConnectionConfig;
+  | TFlyioConnectionConfig
  | TGitLabConnectionConfig
  | TCloudflareConnectionConfig;
 export type TValidateAppConnectionCredentialsSchema =
  | TValidateAwsConnectionCredentialsSchema
@@ -286,7 +304,9 @@ export type TValidateAppConnectionCredentialsSchema =
  | TValidateOnePassConnectionCredentialsSchema
  | TValidateHerokuConnectionCredentialsSchema
  | TValidateRenderConnectionCredentialsSchema
-  | TValidateFlyioConnectionCredentialsSchema;
+  | TValidateFlyioConnectionCredentialsSchema
  | TValidateGitLabConnectionCredentialsSchema
  | TValidateCloudflareConnectionCredentialsSchema;
 export type TListAwsConnectionKmsKeys = {
  connectionId: string;
--- a/backend/src/services/app-connection/cloudflare/cloudflare-connection-enum.ts
+++ b/backend/src/services/app-connection/cloudflare/cloudflare-connection-enum.ts
@@ -0,0 +1,3 @@
 export enum CloudflareConnectionMethod {
  APIToken = "api-token"
 }
--- a/backend/src/services/app-connection/cloudflare/cloudflare-connection-fns.ts
+++ b/backend/src/services/app-connection/cloudflare/cloudflare-connection-fns.ts
@@ -0,0 +1,75 @@
 import { AxiosError } from "axios";
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
 import {
  TCloudflareConnection,
  TCloudflareConnectionConfig,
  TCloudflarePagesProject
 } from "./cloudflare-connection-types";
 export const getCloudflareConnectionListItem = () => {
  return {
    name: "Cloudflare" as const,
    app: AppConnection.Cloudflare as const,
    methods: Object.values(CloudflareConnectionMethod) as [CloudflareConnectionMethod.APIToken]
  };
 };
 export const listCloudflarePagesProjects = async (
  appConnection: TCloudflareConnection
 ): Promise<TCloudflarePagesProject[]> => {
  const {
    credentials: { apiToken, accountId }
  } = appConnection;
  const { data } = await request.get<{ result: { name: string; id: string }[] }>(
    `${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/accounts/${accountId}/pages/projects`,
    {
      headers: {
        Authorization: `Bearer ${apiToken}`,
        Accept: "application/json"
      }
    }
  );
  return data.result.map((a) => ({
    name: a.name,
    id: a.id
  }));
 };
 export const validateCloudflareConnectionCredentials = async (config: TCloudflareConnectionConfig) => {
  const { apiToken, accountId } = config.credentials;
  try {
    const resp = await request.get(`${IntegrationUrls.CLOUDFLARE_API_URL}/client/v4/accounts/${accountId}`, {
      headers: {
        Authorization: `Bearer ${apiToken}`,
        Accept: "application/json"
      }
    });
    if (resp.data === null) {
      throw new BadRequestError({
        message: "Unable to validate connection: Invalid API token provided."
      });
    }
  } catch (error: unknown) {
    if (error instanceof AxiosError) {
      throw new BadRequestError({
        // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
        message: `Failed to validate credentials: ${error.response?.data?.errors?.[0]?.message || error.message || "Unknown error"}`
      });
    }
    throw new BadRequestError({
      message: "Unable to validate connection: verify credentials"
    });
  }
  return config.credentials;
 };
--- a/backend/src/services/app-connection/cloudflare/cloudflare-connection-schema.ts
+++ b/backend/src/services/app-connection/cloudflare/cloudflare-connection-schema.ts
@@ -0,0 +1,74 @@
 import z from "zod";
 import { AppConnections } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  BaseAppConnectionSchema,
  GenericCreateAppConnectionFieldsSchema,
  GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 import { CloudflareConnectionMethod } from "./cloudflare-connection-enum";
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 const accountIdCharacterValidator = characterValidator([
  CharacterType.AlphaNumeric,
  CharacterType.Underscore,
  CharacterType.Hyphen
 ]);
 export const CloudflareConnectionApiTokenCredentialsSchema = z.object({
  accountId: z
    .string()
    .trim()
    .min(1, "Account ID required")
    .max(256, "Account ID cannot exceed 256 characters")
    .refine(
      (val) => accountIdCharacterValidator(val),
      "Account ID can only contain alphanumeric characters, underscores, and hyphens"
    ),
  apiToken: z.string().trim().min(1, "API token required").max(256, "API token cannot exceed 256 characters")
 });
 const BaseCloudflareConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Cloudflare) });
 export const CloudflareConnectionSchema = BaseCloudflareConnectionSchema.extend({
  method: z.literal(CloudflareConnectionMethod.APIToken),
  credentials: CloudflareConnectionApiTokenCredentialsSchema
 });
 export const SanitizedCloudflareConnectionSchema = z.discriminatedUnion("method", [
  BaseCloudflareConnectionSchema.extend({
    method: z.literal(CloudflareConnectionMethod.APIToken),
    credentials: CloudflareConnectionApiTokenCredentialsSchema.pick({ accountId: true })
  })
 ]);
 export const ValidateCloudflareConnectionCredentialsSchema = z.discriminatedUnion("method", [
  z.object({
    method: z
      .literal(CloudflareConnectionMethod.APIToken)
      .describe(AppConnections.CREATE(AppConnection.Cloudflare).method),
    credentials: CloudflareConnectionApiTokenCredentialsSchema.describe(
      AppConnections.CREATE(AppConnection.Cloudflare).credentials
    )
  })
 ]);
 export const CreateCloudflareConnectionSchema = ValidateCloudflareConnectionCredentialsSchema.and(
  GenericCreateAppConnectionFieldsSchema(AppConnection.Cloudflare)
 );
 export const UpdateCloudflareConnectionSchema = z
  .object({
    credentials: CloudflareConnectionApiTokenCredentialsSchema.optional().describe(
      AppConnections.UPDATE(AppConnection.Cloudflare).credentials
    )
  })
  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Cloudflare));
 export const CloudflareConnectionListItemSchema = z.object({
  name: z.literal("Cloudflare"),
  app: z.literal(AppConnection.Cloudflare),
  methods: z.nativeEnum(CloudflareConnectionMethod).array()
 });
--- a/backend/src/services/app-connection/cloudflare/cloudflare-connection-service.ts
+++ b/backend/src/services/app-connection/cloudflare/cloudflare-connection-service.ts
@@ -0,0 +1,30 @@
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import { listCloudflarePagesProjects } from "./cloudflare-connection-fns";
 import { TCloudflareConnection } from "./cloudflare-connection-types";
 type TGetAppConnectionFunc = (
  app: AppConnection,
  connectionId: string,
  actor: OrgServiceActor
 ) => Promise<TCloudflareConnection>;
 export const cloudflareConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
  const listPagesProjects = async (connectionId: string, actor: OrgServiceActor) => {
    const appConnection = await getAppConnection(AppConnection.Cloudflare, connectionId, actor);
    try {
      const projects = await listCloudflarePagesProjects(appConnection);
      return projects;
    } catch (error) {
      logger.error(error, "Failed to list Cloudflare Pages projects for Cloudflare connection");
      return [];
    }
  };
  return {
    listPagesProjects
  };
 };
--- a/backend/src/services/app-connection/cloudflare/cloudflare-connection-types.ts
+++ b/backend/src/services/app-connection/cloudflare/cloudflare-connection-types.ts
@@ -0,0 +1,30 @@
 import z from "zod";
 import { DiscriminativePick } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import {
  CloudflareConnectionSchema,
  CreateCloudflareConnectionSchema,
  ValidateCloudflareConnectionCredentialsSchema
 } from "./cloudflare-connection-schema";
 export type TCloudflareConnection = z.infer<typeof CloudflareConnectionSchema>;
 export type TCloudflareConnectionInput = z.infer<typeof CreateCloudflareConnectionSchema> & {
  app: AppConnection.Cloudflare;
 };
 export type TValidateCloudflareConnectionCredentialsSchema = typeof ValidateCloudflareConnectionCredentialsSchema;
 export type TCloudflareConnectionConfig = DiscriminativePick<
  TCloudflareConnectionInput,
  "method" | "app" | "credentials"
 > & {
  orgId: string;
 };
 export type TCloudflarePagesProject = {
  id: string;
  name: string;
 };
--- a/backend/src/services/app-connection/gitlab/gitlab-connection-enums.ts
+++ b/backend/src/services/app-connection/gitlab/gitlab-connection-enums.ts
@@ -0,0 +1,9 @@
 export enum GitLabConnectionMethod {
  OAuth = "oauth",
  AccessToken = "access-token"
 }
 export enum GitLabAccessTokenType {
  Project = "project",
  Personal = "personal"
 }
--- a/backend/src/services/app-connection/gitlab/gitlab-connection-fns.ts
+++ b/backend/src/services/app-connection/gitlab/gitlab-connection-fns.ts
@@ -0,0 +1,351 @@
 /* eslint-disable no-await-in-loop */
 import { GitbeakerRequestError, Gitlab } from "@gitbeaker/rest";
 import { AxiosError } from "axios";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TAppConnectionDALFactory } from "../app-connection-dal";
 import { GitLabAccessTokenType, GitLabConnectionMethod } from "./gitlab-connection-enums";
 import { TGitLabConnection, TGitLabConnectionConfig, TGitLabGroup, TGitLabProject } from "./gitlab-connection-types";
 interface GitLabOAuthTokenResponse {
  access_token: string;
  token_type: string;
  expires_in: number;
  refresh_token: string;
  created_at: number;
  scope?: string;
 }
 export const getGitLabConnectionListItem = () => {
  const { INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID } = getConfig();
  return {
    name: "GitLab" as const,
    app: AppConnection.GitLab as const,
    methods: Object.values(GitLabConnectionMethod) as [
      GitLabConnectionMethod.AccessToken,
      GitLabConnectionMethod.OAuth
    ],
    oauthClientId: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID
  };
 };
 export const getGitLabInstanceUrl = async (instanceUrl?: string) => {
  const gitLabInstanceUrl = instanceUrl ? removeTrailingSlash(instanceUrl) : IntegrationUrls.GITLAB_URL;
  await blockLocalAndPrivateIpAddresses(gitLabInstanceUrl);
  return gitLabInstanceUrl;
 };
 export const getGitLabClient = async (accessToken: string, instanceUrl?: string, isOAuth = false) => {
  const host = await getGitLabInstanceUrl(instanceUrl);
  const client = new Gitlab<true>({
    host,
    ...(isOAuth ? { oauthToken: accessToken } : { token: accessToken }),
    camelize: true
  });
  return client;
 };
 export const refreshGitLabToken = async (
  refreshToken: string,
  appId: string,
  orgId: string,
  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">,
  instanceUrl?: string
 ): Promise<string> => {
  const { INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET, SITE_URL } =
    getConfig();
  if (!INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET || !INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID || !SITE_URL) {
    throw new InternalServerError({
      message: `GitLab environment variables have not been configured`
    });
  }
  const payload = new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID,
    client_secret: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET,
    redirect_uri: `${SITE_URL}/organization/app-connections/gitlab/oauth/callback`
  });
  try {
    const url = await getGitLabInstanceUrl(instanceUrl);
    const { data } = await request.post<GitLabOAuthTokenResponse>(`${url}/oauth/token`, payload.toString(), {
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        Accept: "application/json"
      }
    });
    const expiresAt = new Date(Date.now() + data.expires_in * 1000 - 600000);
    const encryptedCredentials = await encryptAppConnectionCredentials({
      credentials: {
        instanceUrl,
        tokenType: data.token_type,
        createdAt: new Date(data.created_at * 1000).toISOString(),
        refreshToken: data.refresh_token,
        accessToken: data.access_token,
        expiresAt
      },
      orgId,
      kmsService
    });
    await appConnectionDAL.updateById(appId, { encryptedCredentials });
    return data.access_token;
  } catch (error: unknown) {
    if (error instanceof AxiosError) {
      throw new BadRequestError({
        message: `Failed to refresh GitLab token: ${error.message}`
      });
    }
    throw new BadRequestError({
      message: "Unable to refresh GitLab token"
    });
  }
 };
 export const exchangeGitLabOAuthCode = async (
  code: string,
  instanceUrl?: string
 ): Promise<GitLabOAuthTokenResponse> => {
  const { INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET, SITE_URL } =
    getConfig();
  if (!INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET || !INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID || !SITE_URL) {
    throw new InternalServerError({
      message: `GitLab environment variables have not been configured`
    });
  }
  try {
    const payload = new URLSearchParams({
      grant_type: "authorization_code",
      code,
      client_id: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID,
      client_secret: INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET,
      redirect_uri: `${SITE_URL}/organization/app-connections/gitlab/oauth/callback`
    });
    const url = await getGitLabInstanceUrl(instanceUrl);
    const response = await request.post<GitLabOAuthTokenResponse>(`${url}/oauth/token`, payload.toString(), {
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        Accept: "application/json"
      }
    });
    if (!response.data) {
      throw new InternalServerError({
        message: "Failed to exchange OAuth code: Empty response"
      });
    }
    return response.data;
  } catch (error: unknown) {
    if (error instanceof AxiosError) {
      throw new BadRequestError({
        message: `Failed to exchange OAuth code: ${error.message}`
      });
    }
    throw new BadRequestError({
      message: "Unable to exchange OAuth code"
    });
  }
 };
 export const validateGitLabConnectionCredentials = async (config: TGitLabConnectionConfig) => {
  const { credentials: inputCredentials, method } = config;
  let accessToken: string;
  let oauthData: GitLabOAuthTokenResponse | null = null;
  if (method === GitLabConnectionMethod.OAuth && "code" in inputCredentials) {
    oauthData = await exchangeGitLabOAuthCode(inputCredentials.code, inputCredentials.instanceUrl);
    accessToken = oauthData.access_token;
  } else if (method === GitLabConnectionMethod.AccessToken && "accessToken" in inputCredentials) {
    accessToken = inputCredentials.accessToken;
  } else {
    throw new BadRequestError({
      message: "Invalid credentials for the selected connection method"
    });
  }
  try {
    const client = await getGitLabClient(
      accessToken,
      inputCredentials.instanceUrl,
      method === GitLabConnectionMethod.OAuth
    );
    await client.Users.showCurrentUser();
  } catch (error: unknown) {
    logger.error(error, "Error validating GitLab connection credentials");
    if (error instanceof GitbeakerRequestError) {
      throw new BadRequestError({
        message: `Failed to validate credentials: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
      });
    }
    throw new BadRequestError({
      message: `Failed to validate credentials: ${(error as Error)?.message || "verify credentials"}`
    });
  }
  if (method === GitLabConnectionMethod.OAuth && oauthData) {
    return {
      accessToken,
      instanceUrl: inputCredentials.instanceUrl,
      refreshToken: oauthData.refresh_token,
      expiresAt: new Date(Date.now() + oauthData.expires_in * 1000 - 60000),
      tokenType: oauthData.token_type,
      createdAt: new Date(oauthData.created_at * 1000)
    };
  }
  return inputCredentials;
 };
 export const listGitLabProjects = async ({
  appConnection,
  appConnectionDAL,
  kmsService
 }: {
  appConnection: TGitLabConnection;
  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 }): Promise<TGitLabProject[]> => {
  let { accessToken } = appConnection.credentials;
  if (
    appConnection.method === GitLabConnectionMethod.OAuth &&
    appConnection.credentials.refreshToken &&
    new Date(appConnection.credentials.expiresAt) < new Date()
  ) {
    accessToken = await refreshGitLabToken(
      appConnection.credentials.refreshToken,
      appConnection.id,
      appConnection.orgId,
      appConnectionDAL,
      kmsService,
      appConnection.credentials.instanceUrl
    );
  }
  try {
    const client = await getGitLabClient(
      accessToken,
      appConnection.credentials.instanceUrl,
      appConnection.method === GitLabConnectionMethod.OAuth
    );
    const projects = await client.Projects.all({
      archived: false,
      includePendingDelete: false,
      membership: true,
      includeHidden: false,
      imported: false
    });
    return projects.map((project) => ({
      name: project.pathWithNamespace,
      id: project.id.toString()
    }));
  } catch (error: unknown) {
    if (error instanceof GitbeakerRequestError) {
      throw new BadRequestError({
        message: `Failed to fetch GitLab projects: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
      });
    }
    if (error instanceof InternalServerError) {
      throw error;
    }
    throw new InternalServerError({
      message: "Unable to fetch GitLab projects"
    });
  }
 };
 export const listGitLabGroups = async ({
  appConnection,
  appConnectionDAL,
  kmsService
 }: {
  appConnection: TGitLabConnection;
  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 }): Promise<TGitLabGroup[]> => {
  let { accessToken } = appConnection.credentials;
  if (
    appConnection.method === GitLabConnectionMethod.AccessToken &&
    appConnection.credentials.accessTokenType === GitLabAccessTokenType.Project
  ) {
    return [];
  }
  if (
    appConnection.method === GitLabConnectionMethod.OAuth &&
    appConnection.credentials.refreshToken &&
    new Date(appConnection.credentials.expiresAt) < new Date()
  ) {
    accessToken = await refreshGitLabToken(
      appConnection.credentials.refreshToken,
      appConnection.id,
      appConnection.orgId,
      appConnectionDAL,
      kmsService,
      appConnection.credentials.instanceUrl
    );
  }
  try {
    const client = await getGitLabClient(
      accessToken,
      appConnection.credentials.instanceUrl,
      appConnection.method === GitLabConnectionMethod.OAuth
    );
    const groups = await client.Groups.all({
      orderBy: "name",
      sort: "asc",
      minAccessLevel: 50
    });
    return groups.map((group) => ({
      id: group.id.toString(),
      name: group.name
    }));
  } catch (error: unknown) {
    if (error instanceof GitbeakerRequestError) {
      throw new BadRequestError({
        message: `Failed to fetch GitLab groups: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
      });
    }
    if (error instanceof InternalServerError) {
      throw error;
    }
    throw new InternalServerError({
      message: "Unable to fetch GitLab groups"
    });
  }
 };
--- a/backend/src/services/app-connection/gitlab/gitlab-connection-schemas.ts
+++ b/backend/src/services/app-connection/gitlab/gitlab-connection-schemas.ts
@@ -0,0 +1,138 @@
 import z from "zod";
 import { AppConnections } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  BaseAppConnectionSchema,
  GenericCreateAppConnectionFieldsSchema,
  GenericUpdateAppConnectionFieldsSchema
 } from "@app/services/app-connection/app-connection-schemas";
 import { GitLabAccessTokenType, GitLabConnectionMethod } from "./gitlab-connection-enums";
 export const GitLabConnectionAccessTokenCredentialsSchema = z.object({
  accessToken: z
    .string()
    .trim()
    .min(1, "Access Token required")
    .describe(AppConnections.CREDENTIALS.GITLAB.accessToken),
  instanceUrl: z
    .string()
    .trim()
    .url("Invalid Instance URL")
    .optional()
    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl),
  accessTokenType: z.nativeEnum(GitLabAccessTokenType).describe(AppConnections.CREDENTIALS.GITLAB.accessTokenType)
 });
 export const GitLabConnectionOAuthCredentialsSchema = z.object({
  code: z.string().trim().min(1, "OAuth code required").describe(AppConnections.CREDENTIALS.GITLAB.code),
  instanceUrl: z
    .string()
    .trim()
    .url("Invalid Instance URL")
    .optional()
    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl)
 });
 export const GitLabConnectionOAuthOutputCredentialsSchema = z.object({
  accessToken: z.string().trim(),
  refreshToken: z.string().trim(),
  expiresAt: z.date(),
  tokenType: z.string().optional().default("bearer"),
  createdAt: z.string().optional(),
  instanceUrl: z
    .string()
    .trim()
    .url("Invalid Instance URL")
    .optional()
    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl)
 });
 export const GitLabConnectionRefreshTokenCredentialsSchema = z.object({
  refreshToken: z.string().trim().min(1, "Refresh token required"),
  instanceUrl: z
    .string()
    .trim()
    .url("Invalid Instance URL")
    .optional()
    .describe(AppConnections.CREDENTIALS.GITLAB.instanceUrl)
 });
 const BaseGitLabConnectionSchema = BaseAppConnectionSchema.extend({
  app: z.literal(AppConnection.GitLab)
 });
 export const GitLabConnectionSchema = z.intersection(
  BaseGitLabConnectionSchema,
  z.discriminatedUnion("method", [
    z.object({
      method: z.literal(GitLabConnectionMethod.AccessToken),
      credentials: GitLabConnectionAccessTokenCredentialsSchema
    }),
    z.object({
      method: z.literal(GitLabConnectionMethod.OAuth),
      credentials: GitLabConnectionOAuthOutputCredentialsSchema
    })
  ])
 );
 export const SanitizedGitLabConnectionSchema = z.discriminatedUnion("method", [
  BaseGitLabConnectionSchema.extend({
    method: z.literal(GitLabConnectionMethod.AccessToken),
    credentials: GitLabConnectionAccessTokenCredentialsSchema.pick({
      instanceUrl: true,
      accessTokenType: true
    })
  }),
  BaseGitLabConnectionSchema.extend({
    method: z.literal(GitLabConnectionMethod.OAuth),
    credentials: GitLabConnectionOAuthOutputCredentialsSchema.pick({
      instanceUrl: true
    })
  })
 ]);
 export const ValidateGitLabConnectionCredentialsSchema = z.discriminatedUnion("method", [
  z.object({
    method: z.literal(GitLabConnectionMethod.AccessToken).describe(AppConnections.CREATE(AppConnection.GitLab).method),
    credentials: GitLabConnectionAccessTokenCredentialsSchema.describe(
      AppConnections.CREATE(AppConnection.GitLab).credentials
    )
  }),
  z.object({
    method: z.literal(GitLabConnectionMethod.OAuth).describe(AppConnections.CREATE(AppConnection.GitLab).method),
    credentials: z
      .union([
        GitLabConnectionOAuthCredentialsSchema,
        GitLabConnectionRefreshTokenCredentialsSchema,
        GitLabConnectionOAuthOutputCredentialsSchema
      ])
      .describe(AppConnections.CREATE(AppConnection.GitLab).credentials)
  })
 ]);
 export const CreateGitLabConnectionSchema = ValidateGitLabConnectionCredentialsSchema.and(
  GenericCreateAppConnectionFieldsSchema(AppConnection.GitLab)
 );
 export const UpdateGitLabConnectionSchema = z
  .object({
    credentials: z
      .union([
        GitLabConnectionAccessTokenCredentialsSchema,
        GitLabConnectionOAuthOutputCredentialsSchema,
        GitLabConnectionRefreshTokenCredentialsSchema,
        GitLabConnectionOAuthCredentialsSchema
      ])
      .optional()
      .describe(AppConnections.UPDATE(AppConnection.GitLab).credentials)
  })
  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GitLab));
 export const GitLabConnectionListItemSchema = z.object({
  name: z.literal("GitLab"),
  app: z.literal(AppConnection.GitLab),
  methods: z.nativeEnum(GitLabConnectionMethod).array(),
  oauthClientId: z.string().optional()
 });
--- a/backend/src/services/app-connection/gitlab/gitlab-connection-service.ts
+++ b/backend/src/services/app-connection/gitlab/gitlab-connection-service.ts
@@ -0,0 +1,47 @@
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TAppConnectionDALFactory } from "../app-connection-dal";
 import { AppConnection } from "../app-connection-enums";
 import { listGitLabGroups, listGitLabProjects } from "./gitlab-connection-fns";
 import { TGitLabConnection } from "./gitlab-connection-types";
 type TGetAppConnectionFunc = (
  app: AppConnection,
  connectionId: string,
  actor: OrgServiceActor
 ) => Promise<TGitLabConnection>;
 export const gitlabConnectionService = (
  getAppConnection: TGetAppConnectionFunc,
  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
 ) => {
  const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
    try {
      const appConnection = await getAppConnection(AppConnection.GitLab, connectionId, actor);
      const projects = await listGitLabProjects({ appConnection, appConnectionDAL, kmsService });
      return projects;
    } catch (error) {
      logger.error(error, `Failed to establish connection with GitLab for app ${connectionId}`);
      return [];
    }
  };
  const listGroups = async (connectionId: string, actor: OrgServiceActor) => {
    try {
      const appConnection = await getAppConnection(AppConnection.GitLab, connectionId, actor);
      const groups = await listGitLabGroups({ appConnection, appConnectionDAL, kmsService });
      return groups;
    } catch (error) {
      logger.error(error, `Failed to establish connection with GitLab for app ${connectionId}`);
      return [];
    }
  };
  return {
    listProjects,
    listGroups
  };
 };
--- a/backend/src/services/app-connection/gitlab/gitlab-connection-types.ts
+++ b/backend/src/services/app-connection/gitlab/gitlab-connection-types.ts
@@ -0,0 +1,56 @@
 import z from "zod";
 import { DiscriminativePick } from "@app/lib/types";
 import { AppConnection } from "../app-connection-enums";
 import {
  CreateGitLabConnectionSchema,
  GitLabConnectionSchema,
  ValidateGitLabConnectionCredentialsSchema
 } from "./gitlab-connection-schemas";
 export type TGitLabConnection = z.infer<typeof GitLabConnectionSchema>;
 export type TGitLabConnectionInput = z.infer<typeof CreateGitLabConnectionSchema> & {
  app: AppConnection.GitLab;
 };
 export type TValidateGitLabConnectionCredentialsSchema = typeof ValidateGitLabConnectionCredentialsSchema;
 export type TGitLabConnectionConfig = DiscriminativePick<TGitLabConnectionInput, "method" | "app" | "credentials"> & {
  orgId: string;
 };
 export type TGitLabProject = {
  name: string;
  id: string;
 };
 export type TGitLabAccessTokenCredentials = {
  accessToken: string;
  instanceUrl: string;
 };
 export type TGitLabOAuthCredentials = {
  accessToken: string;
  refreshToken: string;
  expiresAt: Date;
  tokenType?: string;
  createdAt?: Date;
  instanceUrl: string;
 };
 export type TGitLabOAuthCodeCredentials = {
  code: string;
  instanceUrl: string;
 };
 export type TGitLabRefreshTokenCredentials = {
  refreshToken: string;
  instanceUrl: string;
 };
 export interface TGitLabGroup {
  id: string;
  name: string;
 }
--- a/backend/src/services/app-connection/gitlab/index.ts
+++ b/backend/src/services/app-connection/gitlab/index.ts
@@ -0,0 +1,4 @@
 export * from "./gitlab-connection-enums";
 export * from "./gitlab-connection-fns";
 export * from "./gitlab-connection-schemas";
 export * from "./gitlab-connection-types";
--- a/backend/src/services/integration-auth/integration-list.ts
+++ b/backend/src/services/integration-auth/integration-list.ts
@@ -84,6 +84,8 @@ export enum IntegrationUrls {
  QOVERY_API_URL = "https://api.qovery.com",
  TERRAFORM_CLOUD_API_URL = "https://app.terraform.io",
  CLOUDFLARE_PAGES_API_URL = "https://api.cloudflare.com",
  // eslint-disable-next-line @typescript-eslint/no-duplicate-enum-values
  CLOUDFLARE_API_URL = "https://api.cloudflare.com",
  // eslint-disable-next-line
  CLOUDFLARE_WORKERS_API_URL = "https://api.cloudflare.com",
  BITBUCKET_API_URL = "https://api.bitbucket.org",
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@@ -42,7 +42,7 @@ import { TProjectPermission } from "@app/lib/types";
 import { TQueueServiceFactory } from "@app/queue";
 import { TPkiSubscriberDALFactory } from "@app/services/pki-subscriber/pki-subscriber-dal";
-import { ActorType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 import { TCertificateDALFactory } from "../certificate/certificate-dal";
 import { TCertificateAuthorityDALFactory } from "../certificate-authority/certificate-authority-dal";
 import { expandInternalCa } from "../certificate-authority/certificate-authority-fns";
@@ -82,6 +82,7 @@ import { assignWorkspaceKeysToMembers, bootstrapSshProject, createProjectKey } f
 import { TProjectQueueFactory } from "./project-queue";
 import { TProjectSshConfigDALFactory } from "./project-ssh-config-dal";
 import {
  ProjectFilterType,
  TCreateProjectDTO,
  TDeleteProjectDTO,
  TDeleteProjectWorkflowIntegration,
@@ -866,6 +867,39 @@ export const projectServiceFactory = ({
    });
  };
  const extractProjectIdFromSlug = async ({
    projectSlug,
    projectId,
    actorId,
    actorAuthMethod,
    actor,
    actorOrgId
  }: {
    projectSlug?: string;
    projectId?: string;
    actorId: string;
    actorAuthMethod: ActorAuthMethod;
    actor: ActorType;
    actorOrgId: string;
  }) => {
    if (projectId) return projectId;
    if (!projectSlug) throw new BadRequestError({ message: "You must provide projectSlug or workspaceId" });
    const project = await getAProject({
      filter: {
        type: ProjectFilterType.SLUG,
        orgId: actorOrgId,
        slug: projectSlug
      },
      actorId,
      actorAuthMethod,
      actor,
      actorOrgId
    });
    if (!project) throw new NotFoundError({ message: `No project found with slug ${projectSlug}` });
    return project.id;
  };
  const getProjectUpgradeStatus = async ({
    projectId,
    actor,
@@ -2006,6 +2040,7 @@ export const projectServiceFactory = ({
    getProjectSshConfig,
    updateProjectSshConfig,
    requestProjectAccess,
-    searchProjects
+    searchProjects,
    extractProjectIdFromSlug
  };
 };
--- a/backend/src/services/secret-folder/secret-folder-service.ts
+++ b/backend/src/services/secret-folder/secret-folder-service.ts
@@ -6,6 +6,7 @@ import { ActionProjectType, TSecretFoldersInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { PgSqlLock } from "@app/keystore/keystore";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { buildFolderPath } from "@app/services/secret-folder/secret-folder-fns";
@@ -83,36 +84,75 @@ export const secretFolderServiceFactory = ({
      // that is this request must be idempotent
      // so we do a tricky move. we try to find the to be created folder path if that is exactly match return that
      // else we get some path before that then we will start creating remaining folder
      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateFolder(env.id, env.projectId)]);
      const pathWithFolder = path.join(secretPath, name);
      const parentFolder = await folderDAL.findClosestFolder(projectId, environment, pathWithFolder, tx);
-      // no folder found is not possible root should be their
+
      if (!parentFolder) {
        throw new NotFoundError({
-          message: `Folder with path '${pathWithFolder}' in environment with slug '${environment}' not found`
+          message: `Parent folder for path '${pathWithFolder}' not found`
        });
      }
      // exact folder
      if (parentFolder.path === pathWithFolder) return parentFolder;
-      let parentFolderId = parentFolder.id;
+      // check if the exact folder already exists
      const existingFolder = await folderDAL.findOne(
        {
          envId: env.id,
          parentId: parentFolder.id,
          name,
          isReserved: false
        },
        tx
      );
      if (existingFolder) {
        return existingFolder;
      }
      // exact folder case
      if (parentFolder.path === pathWithFolder) {
        return parentFolder;
      }
      let currentParentId = parentFolder.id;
      // build the full path we need by processing each segment
      if (parentFolder.path !== secretPath) {
-        // this is upsert folder in a path
+        const missingSegments = secretPath.substring(parentFolder.path.length).split("/").filter(Boolean);
-        // we are not taking snapshots of this because
+
-        // snapshot will be removed from automatic for all commits to user click or cron based
+        const newFolders: TSecretFoldersInsert[] = [];
-        const missingSegment = secretPath.substring(parentFolder.path.length).split("/").filter(Boolean);
+
-        if (missingSegment.length) {
+        // process each segment sequentially
-          const newFolders: Array<TSecretFoldersInsert & { id: string }> = missingSegment.map((segment) => {
+        for await (const segment of missingSegments) {
          const existingSegment = await folderDAL.findOne(
            {
              name: segment,
              parentId: currentParentId,
              envId: env.id,
              isReserved: false
            },
            tx
          );
          if (existingSegment) {
            // use existing folder and update the path / parent
            currentParentId = existingSegment.id;
          } else {
            const newFolder = {
              name: segment,
-              parentId: parentFolderId,
+              parentId: currentParentId,
              id: uuidv4(),
              envId: env.id,
              version: 1
            };
-            parentFolderId = newFolder.id;
+
-            return newFolder;
+            currentParentId = newFolder.id;
-          });
+            newFolders.push(newFolder);
-          parentFolderId = newFolders.at(-1)?.id as string;
+          }
        }
        if (newFolders.length) {
          const docs = await folderDAL.insertMany(newFolders, tx);
          const folderVersions = await folderVersionDAL.insertMany(
            docs.map((doc) => ({
@@ -133,7 +173,7 @@ export const secretFolderServiceFactory = ({
                }
              },
              message: "Folder created",
-              folderId: parentFolderId,
+              folderId: currentParentId,
              changes: folderVersions.map((fv) => ({
                type: CommitType.ADD,
                folderVersionId: fv.id
@@ -145,9 +185,10 @@ export const secretFolderServiceFactory = ({
      }
      const doc = await folderDAL.create(
-        { name, envId: env.id, version: 1, parentId: parentFolderId, description },
+        { name, envId: env.id, version: 1, parentId: currentParentId, description },
        tx
      );
      const folderVersion = await folderVersionDAL.create(
        {
          name: doc.name,
@@ -158,6 +199,7 @@ export const secretFolderServiceFactory = ({
        },
        tx
      );
      await folderCommitService.createCommit(
        {
          actor: {
@@ -167,7 +209,7 @@ export const secretFolderServiceFactory = ({
            }
          },
          message: "Folder created",
-          folderId: parentFolderId,
+          folderId: doc.id,
          changes: [
            {
              type: CommitType.ADD,
@@ -177,6 +219,7 @@ export const secretFolderServiceFactory = ({
        },
        tx
      );
      return doc;
    });
--- a/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-constants.ts
+++ b/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-constants.ts
@@ -0,0 +1,10 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
 export const CLOUDFLARE_PAGES_SYNC_LIST_OPTION: TSecretSyncListItem = {
  name: "Cloudflare Pages",
  destination: SecretSync.CloudflarePages,
  connection: AppConnection.Cloudflare,
  canImportSecrets: false
 };
--- a/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-fns.ts
+++ b/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-fns.ts
@@ -0,0 +1,138 @@
 import { request } from "@app/lib/config/request";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { TCloudflarePagesSyncWithCredentials } from "./cloudflare-pages-types";
 const getProjectEnvironmentSecrets = async (secretSync: TCloudflarePagesSyncWithCredentials) => {
  const {
    destinationConfig,
    connection: {
      credentials: { apiToken, accountId }
    }
  } = secretSync;
  const secrets = (
    await request.get<{
      result: {
        deployment_configs: Record<
          string,
          {
            env_vars: Record<string, { type: "plain_text" | "secret_text"; value: string }>;
          }
        >;
      };
    }>(
      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects/${destinationConfig.projectName}`,
      {
        headers: {
          Authorization: `Bearer ${apiToken}`,
          Accept: "application/json"
        }
      }
    )
  ).data.result.deployment_configs[destinationConfig.environment].env_vars;
  return Object.entries(secrets ?? {}).map(([key, envVar]) => ({
    key,
    value: envVar.value
  }));
 };
 export const CloudflarePagesSyncFns = {
  syncSecrets: async (secretSync: TCloudflarePagesSyncWithCredentials, secretMap: TSecretMap) => {
    const {
      destinationConfig,
      connection: {
        credentials: { apiToken, accountId }
      }
    } = secretSync;
    // Create/update secret entries
    let secretEntries: [string, object | null][] = Object.entries(secretMap).map(([key, val]) => [
      key,
      { type: "secret_text", value: val.value }
    ]);
    // Handle deletions if not disabled
    if (!secretSync.syncOptions.disableSecretDeletion) {
      const existingSecrets = await getProjectEnvironmentSecrets(secretSync);
      const toDeleteKeys = existingSecrets
        .filter(
          (secret) =>
            matchesSchema(secret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema) &&
            !secretMap[secret.key]
        )
        .map((secret) => secret.key);
      const toDeleteEntries: [string, null][] = toDeleteKeys.map((key) => [key, null]);
      secretEntries = [...secretEntries, ...toDeleteEntries];
    }
    const data = {
      deployment_configs: {
        [destinationConfig.environment]: {
          env_vars: Object.fromEntries(secretEntries)
        }
      }
    };
    await request.patch(
      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects/${destinationConfig.projectName}`,
      data,
      {
        headers: {
          Authorization: `Bearer ${apiToken}`,
          Accept: "application/json"
        }
      }
    );
  },
  getSecrets: async (secretSync: TCloudflarePagesSyncWithCredentials): Promise<TSecretMap> => {
    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
  },
  removeSecrets: async (secretSync: TCloudflarePagesSyncWithCredentials, secretMap: TSecretMap) => {
    const {
      destinationConfig,
      connection: {
        credentials: { apiToken, accountId }
      }
    } = secretSync;
    const secrets = await getProjectEnvironmentSecrets(secretSync);
    const toDeleteKeys = secrets
      .filter(
        (secret) =>
          matchesSchema(secret.key, secretSync.environment?.slug || "", secretSync.syncOptions.keySchema) &&
          secret.key in secretMap
      )
      .map((secret) => secret.key);
    if (toDeleteKeys.length === 0) return;
    const secretEntries: [string, null][] = toDeleteKeys.map((key) => [key, null]);
    const data = {
      deployment_configs: {
        [destinationConfig.environment]: {
          env_vars: Object.fromEntries(secretEntries)
        }
      }
    };
    await request.patch(
      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accountId}/pages/projects/${destinationConfig.projectName}`,
      data,
      {
        headers: {
          Authorization: `Bearer ${apiToken}`,
          Accept: "application/json"
        }
      }
    );
  }
 };
--- a/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-schema.ts
+++ b/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-schema.ts
@@ -0,0 +1,53 @@
 import { z } from "zod";
 import { SecretSyncs } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import {
  BaseSecretSyncSchema,
  GenericCreateSecretSyncFieldsSchema,
  GenericUpdateSecretSyncFieldsSchema
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 const CloudflarePagesSyncDestinationConfigSchema = z.object({
  projectName: z
    .string()
    .min(1, "Project name is required")
    .describe(SecretSyncs.DESTINATION_CONFIG.CLOUDFLARE_PAGES.projectName),
  environment: z
    .string()
    .min(1, "Environment is required")
    .describe(SecretSyncs.DESTINATION_CONFIG.CLOUDFLARE_PAGES.environment)
 });
 const CloudflarePagesSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 export const CloudflarePagesSyncSchema = BaseSecretSyncSchema(
  SecretSync.CloudflarePages,
  CloudflarePagesSyncOptionsConfig
 ).extend({
  destination: z.literal(SecretSync.CloudflarePages),
  destinationConfig: CloudflarePagesSyncDestinationConfigSchema
 });
 export const CreateCloudflarePagesSyncSchema = GenericCreateSecretSyncFieldsSchema(
  SecretSync.CloudflarePages,
  CloudflarePagesSyncOptionsConfig
 ).extend({
  destinationConfig: CloudflarePagesSyncDestinationConfigSchema
 });
 export const UpdateCloudflarePagesSyncSchema = GenericUpdateSecretSyncFieldsSchema(
  SecretSync.CloudflarePages,
  CloudflarePagesSyncOptionsConfig
 ).extend({
  destinationConfig: CloudflarePagesSyncDestinationConfigSchema.optional()
 });
 export const CloudflarePagesSyncListItemSchema = z.object({
  name: z.literal("Cloudflare Pages"),
  connection: z.literal(AppConnection.Cloudflare),
  destination: z.literal(SecretSync.CloudflarePages),
  canImportSecrets: z.literal(false)
 });
--- a/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-types.ts
+++ b/backend/src/services/secret-sync/cloudflare-pages/cloudflare-pages-types.ts
@@ -0,0 +1,19 @@
 import z from "zod";
 import { TCloudflareConnection } from "@app/services/app-connection/cloudflare/cloudflare-connection-types";
 import {
  CloudflarePagesSyncListItemSchema,
  CloudflarePagesSyncSchema,
  CreateCloudflarePagesSyncSchema
 } from "./cloudflare-pages-schema";
 export type TCloudflarePagesSyncListItem = z.infer<typeof CloudflarePagesSyncListItemSchema>;
 export type TCloudflarePagesSync = z.infer<typeof CloudflarePagesSyncSchema>;
 export type TCloudflarePagesSyncInput = z.infer<typeof CreateCloudflarePagesSyncSchema>;
 export type TCloudflarePagesSyncWithCredentials = TCloudflarePagesSync & {
  connection: TCloudflareConnection;
 };
--- a/backend/src/services/secret-sync/gitlab/gitlab-sync-constants.ts
+++ b/backend/src/services/secret-sync/gitlab/gitlab-sync-constants.ts
@@ -0,0 +1,10 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
 export const GITLAB_SYNC_LIST_OPTION: TSecretSyncListItem = {
  name: "GitLab",
  destination: SecretSync.GitLab,
  connection: AppConnection.GitLab,
  canImportSecrets: false
 };
--- a/backend/src/services/secret-sync/gitlab/gitlab-sync-enums.ts
+++ b/backend/src/services/secret-sync/gitlab/gitlab-sync-enums.ts
@@ -0,0 +1,4 @@
 export enum GitLabSyncScope {
  Project = "project",
  Group = "group"
 }
--- a/backend/src/services/secret-sync/gitlab/gitlab-sync-fns.ts
+++ b/backend/src/services/secret-sync/gitlab/gitlab-sync-fns.ts
@@ -0,0 +1,452 @@
 /* eslint-disable no-await-in-loop */
 import { GitbeakerRequestError } from "@gitbeaker/rest";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import {
  getGitLabClient,
  GitLabConnectionMethod,
  refreshGitLabToken,
  TGitLabConnection
 } from "@app/services/app-connection/gitlab";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TGitLabSyncWithCredentials, TGitLabVariable } from "@app/services/secret-sync/gitlab/gitlab-sync-types";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
 import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
 import { GitLabSyncScope } from "./gitlab-sync-enums";
 interface TGitLabVariablePayload {
  key?: string;
  value: string;
  variable_type?: "env_var" | "file";
  environment_scope?: string;
  protected?: boolean;
  masked?: boolean;
  masked_and_hidden?: boolean;
  description?: string;
 }
 interface TGitLabVariableCreate extends TGitLabVariablePayload {
  key: string;
 }
 interface TGitLabVariableUpdate extends Omit<TGitLabVariablePayload, "key"> {}
 type TGitLabSyncFactoryDeps = {
  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
 const getValidAccessToken = async (
  connection: TGitLabConnection,
  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
 ): Promise<string> => {
  if (
    connection.method === GitLabConnectionMethod.OAuth &&
    connection.credentials.refreshToken &&
    new Date(connection.credentials.expiresAt) < new Date()
  ) {
    const accessToken = await refreshGitLabToken(
      connection.credentials.refreshToken,
      connection.id,
      connection.orgId,
      appConnectionDAL,
      kmsService,
      connection.credentials.instanceUrl
    );
    return accessToken;
  }
  return connection.credentials.accessToken;
 };
 const getGitLabVariables = async ({
  accessToken,
  connection,
  scope,
  resourceId,
  targetEnvironment
 }: {
  accessToken: string;
  connection: TGitLabConnection;
  scope: GitLabSyncScope;
  resourceId: string;
  targetEnvironment?: string;
 }): Promise<TGitLabVariable[]> => {
  try {
    const client = await getGitLabClient(
      accessToken,
      connection.credentials.instanceUrl,
      connection.method === GitLabConnectionMethod.OAuth
    );
    let variables: TGitLabVariable[] = [];
    if (scope === GitLabSyncScope.Project) {
      variables = await client.ProjectVariables.all(resourceId);
    } else {
      variables = await client.GroupVariables.all(resourceId);
    }
    if (targetEnvironment) {
      variables = variables.filter((v) => v.environmentScope === targetEnvironment);
    }
    return variables;
  } catch (error) {
    if (error instanceof GitbeakerRequestError) {
      throw new SecretSyncError({
        error: new Error(
          `Failed to fetch variables: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
        )
      });
    }
    throw new SecretSyncError({
      error
    });
  }
 };
 const createGitLabVariable = async ({
  accessToken,
  connection,
  scope,
  resourceId,
  variable
 }: {
  accessToken: string;
  connection: TGitLabConnection;
  scope: GitLabSyncScope;
  resourceId: string;
  variable: TGitLabVariableCreate;
 }): Promise<void> => {
  try {
    const client = await getGitLabClient(
      accessToken,
      connection.credentials.instanceUrl,
      connection.method === GitLabConnectionMethod.OAuth
    );
    const payload = {
      key: variable.key,
      value: variable.value,
      variableType: "env_var",
      environmentScope: variable.environment_scope || "*",
      protected: variable.protected || false,
      masked: variable.masked || false,
      masked_and_hidden: variable.masked_and_hidden || false,
      raw: false
    };
    if (scope === GitLabSyncScope.Project) {
      await client.ProjectVariables.create(resourceId, payload.key, payload.value, {
        variableType: "env_var",
        environmentScope: payload.environmentScope,
        protected: payload.protected,
        masked: payload.masked,
        masked_and_hidden: payload.masked_and_hidden,
        raw: false
      });
    } else {
      await client.GroupVariables.create(resourceId, payload.key, payload.value, {
        variableType: "env_var",
        environmentScope: payload.environmentScope,
        protected: payload.protected,
        masked: payload.masked,
        ...(payload.masked_and_hidden && { masked_and_hidden: payload.masked_and_hidden }),
        raw: false
      });
    }
  } catch (error) {
    if (error instanceof GitbeakerRequestError) {
      throw new SecretSyncError({
        error: new Error(
          `Failed to create variable: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
        ),
        secretKey: variable.key
      });
    }
    throw new SecretSyncError({
      error,
      secretKey: variable.key
    });
  }
 };
 const updateGitLabVariable = async ({
  accessToken,
  connection,
  scope,
  resourceId,
  key,
  variable,
  targetEnvironment
 }: {
  accessToken: string;
  connection: TGitLabConnection;
  scope: GitLabSyncScope;
  resourceId: string;
  key: string;
  variable: TGitLabVariableUpdate;
  targetEnvironment?: string;
 }): Promise<void> => {
  try {
    const client = await getGitLabClient(
      accessToken,
      connection.credentials.instanceUrl,
      connection.method === GitLabConnectionMethod.OAuth
    );
    const options = {
      ...(variable.environment_scope && { environmentScope: variable.environment_scope }),
      ...(variable.protected !== undefined && { protected: variable.protected }),
      ...(variable.masked !== undefined && { masked: variable.masked })
    };
    if (targetEnvironment) {
      options.environmentScope = targetEnvironment;
    }
    if (scope === GitLabSyncScope.Project) {
      await client.ProjectVariables.edit(resourceId, key, variable.value, {
        ...options,
        filter: { environment_scope: targetEnvironment || "*" }
      });
    } else {
      await client.GroupVariables.edit(resourceId, key, variable.value, {
        ...options,
        filter: { environment_scope: targetEnvironment || "*" }
      });
    }
  } catch (error) {
    if (error instanceof GitbeakerRequestError) {
      throw new SecretSyncError({
        error: new Error(
          `Failed to update variable: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
        ),
        secretKey: key
      });
    }
    throw new SecretSyncError({
      error,
      secretKey: key
    });
  }
 };
 const deleteGitLabVariable = async ({
  accessToken,
  connection,
  scope,
  resourceId,
  key,
  targetEnvironment,
  allVariables
 }: {
  accessToken: string;
  connection: TGitLabConnection;
  scope: GitLabSyncScope;
  resourceId: string;
  key: string;
  targetEnvironment?: string;
  allVariables?: TGitLabVariable[];
 }): Promise<void> => {
  if (allVariables && !allVariables.find((v) => v.key === key)) {
    return;
  }
  try {
    const client = await getGitLabClient(
      accessToken,
      connection.credentials.instanceUrl,
      connection.method === GitLabConnectionMethod.OAuth
    );
    const options: { filter?: { environment_scope: string } } = {};
    if (targetEnvironment) {
      options.filter = { environment_scope: targetEnvironment || "*" };
    }
    if (scope === GitLabSyncScope.Project) {
      await client.ProjectVariables.remove(resourceId, key, options);
    } else {
      await client.GroupVariables.remove(resourceId, key);
    }
  } catch (error: unknown) {
    if (error instanceof GitbeakerRequestError) {
      throw new SecretSyncError({
        error: new Error(
          `Failed to delete variable: ${error.message ?? "Unknown error"}${error.cause?.description && error.message !== "Unauthorized" ? `. Cause: ${error.cause.description}` : ""}`
        ),
        secretKey: key
      });
    }
    throw new SecretSyncError({
      error,
      secretKey: key
    });
  }
 };
 export const GitLabSyncFns = {
  syncSecrets: async (
    secretSync: TGitLabSyncWithCredentials,
    secretMap: TSecretMap,
    { appConnectionDAL, kmsService }: TGitLabSyncFactoryDeps
  ): Promise<void> => {
    const { connection, environment, destinationConfig } = secretSync;
    const { scope, targetEnvironment } = destinationConfig;
    const resourceId = scope === GitLabSyncScope.Project ? destinationConfig.projectId : destinationConfig.groupId;
    const accessToken = await getValidAccessToken(connection, appConnectionDAL, kmsService);
    try {
      const currentVariables = await getGitLabVariables({
        accessToken,
        connection,
        scope,
        resourceId,
        targetEnvironment
      });
      const currentVariableMap = new Map(currentVariables.map((v) => [v.key, v]));
      for (const [key, { value }] of Object.entries(secretMap)) {
        if (value?.length < 8 && destinationConfig.shouldMaskSecrets) {
          throw new SecretSyncError({
            message: `Secret ${key} is too short to be masked. GitLab requires a minimum of 8 characters for masked secrets.`,
            secretKey: key
          });
        }
        try {
          const existingVariable = currentVariableMap.get(key);
          if (existingVariable) {
            if (
              existingVariable.value !== value ||
              existingVariable.environmentScope !== targetEnvironment ||
              existingVariable.protected !== destinationConfig.shouldProtectSecrets ||
              existingVariable.masked !== destinationConfig.shouldMaskSecrets
            ) {
              await updateGitLabVariable({
                accessToken,
                connection,
                scope,
                resourceId,
                key,
                variable: {
                  value,
                  environment_scope: targetEnvironment,
                  protected: destinationConfig.shouldProtectSecrets,
                  masked: destinationConfig.shouldMaskSecrets || existingVariable.hidden
                },
                targetEnvironment
              });
            }
          } else {
            await createGitLabVariable({
              accessToken,
              connection,
              scope,
              resourceId,
              variable: {
                key,
                value,
                variable_type: "env_var",
                environment_scope: targetEnvironment || "*",
                protected: destinationConfig.shouldProtectSecrets || false,
                masked: destinationConfig.shouldMaskSecrets || false,
                masked_and_hidden: destinationConfig.shouldHideSecrets || false
              }
            });
          }
        } catch (error) {
          throw new SecretSyncError({
            error,
            secretKey: key
          });
        }
      }
      if (!secretSync.syncOptions.disableSecretDeletion) {
        for (const variable of currentVariables) {
          try {
            const shouldDelete =
              matchesSchema(variable.key, environment?.slug || "", secretSync.syncOptions.keySchema) &&
              !(variable.key in secretMap);
            if (shouldDelete) {
              await deleteGitLabVariable({
                accessToken,
                connection,
                scope,
                resourceId,
                key: variable.key,
                targetEnvironment
              });
            }
          } catch (error) {
            throw new SecretSyncError({
              error,
              secretKey: variable.key
            });
          }
        }
      }
    } catch (error) {
      if (error instanceof SecretSyncError) {
        throw error;
      }
      throw new SecretSyncError({
        message: "Failed to sync secrets",
        error
      });
    }
  },
  removeSecrets: async (
    secretSync: TGitLabSyncWithCredentials,
    secretMap: TSecretMap,
    { appConnectionDAL, kmsService }: TGitLabSyncFactoryDeps
  ): Promise<void> => {
    const { connection, destinationConfig } = secretSync;
    const { scope, targetEnvironment } = destinationConfig;
    const resourceId = scope === GitLabSyncScope.Project ? destinationConfig.projectId : destinationConfig.groupId;
    const accessToken = await getValidAccessToken(connection, appConnectionDAL, kmsService);
    const allVariables = await getGitLabVariables({
      accessToken,
      connection,
      scope,
      resourceId,
      targetEnvironment
    });
    for (const key of Object.keys(secretMap)) {
      try {
        await deleteGitLabVariable({
          accessToken,
          connection,
          scope,
          resourceId,
          key,
          targetEnvironment,
          allVariables
        });
      } catch (error) {
        throw new SecretSyncError({
          error,
          secretKey: key
        });
      }
    }
  },
  getSecrets: async (secretSync: TGitLabSyncWithCredentials): Promise<TSecretMap> => {
    throw new Error(`${SECRET_SYNC_NAME_MAP[secretSync.destination]} does not support importing secrets.`);
  }
 };
--- a/backend/src/services/secret-sync/gitlab/gitlab-sync-schemas.ts
+++ b/backend/src/services/secret-sync/gitlab/gitlab-sync-schemas.ts
@@ -0,0 +1,97 @@
 import { z } from "zod";
 import { SecretSyncs } from "@app/lib/api-docs";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import {
  BaseSecretSyncSchema,
  GenericCreateSecretSyncFieldsSchema,
  GenericUpdateSecretSyncFieldsSchema
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 import { GitLabSyncScope } from "./gitlab-sync-enums";
 const GitLabSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
  z.object({
    scope: z.literal(GitLabSyncScope.Project).describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.scope),
    projectId: z.string().min(1, "Project ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.projectId),
    projectName: z
      .string()
      .min(1, "Project name is required")
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.projectName),
    targetEnvironment: z
      .string()
      .optional()
      .default("*")
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.targetEnvironment),
    shouldProtectSecrets: z
      .boolean()
      .optional()
      .default(false)
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldProtectSecrets),
    shouldMaskSecrets: z
      .boolean()
      .optional()
      .default(false)
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldMaskSecrets),
    shouldHideSecrets: z
      .boolean()
      .optional()
      .default(false)
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldHideSecrets)
  }),
  z.object({
    scope: z.literal(GitLabSyncScope.Group).describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.scope),
    groupId: z.string().min(1, "Group ID is required").describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.groupId),
    groupName: z.string().min(1, "Group name is required").describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.groupName),
    targetEnvironment: z
      .string()
      .optional()
      .default("*")
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.targetEnvironment),
    shouldProtectSecrets: z
      .boolean()
      .optional()
      .default(false)
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldProtectSecrets),
    shouldMaskSecrets: z
      .boolean()
      .optional()
      .default(false)
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldMaskSecrets),
    shouldHideSecrets: z
      .boolean()
      .optional()
      .default(false)
      .describe(SecretSyncs.DESTINATION_CONFIG.GITLAB.shouldHideSecrets)
  })
 ]);
 const GitLabSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
 export const GitLabSyncSchema = BaseSecretSyncSchema(SecretSync.GitLab, GitLabSyncOptionsConfig).extend({
  destination: z.literal(SecretSync.GitLab),
  destinationConfig: GitLabSyncDestinationConfigSchema
 });
 export const CreateGitLabSyncSchema = GenericCreateSecretSyncFieldsSchema(
  SecretSync.GitLab,
  GitLabSyncOptionsConfig
 ).extend({
  destinationConfig: GitLabSyncDestinationConfigSchema
 });
 export const UpdateGitLabSyncSchema = GenericUpdateSecretSyncFieldsSchema(
  SecretSync.GitLab,
  GitLabSyncOptionsConfig
 ).extend({
  destinationConfig: GitLabSyncDestinationConfigSchema.optional()
 });
 export const GitLabSyncListItemSchema = z.object({
  name: z.literal("GitLab"),
  connection: z.literal(AppConnection.GitLab),
  destination: z.literal(SecretSync.GitLab),
  canImportSecrets: z.literal(false)
 });
--- a/backend/src/services/secret-sync/gitlab/gitlab-sync-types.ts
+++ b/backend/src/services/secret-sync/gitlab/gitlab-sync-types.ts
@@ -0,0 +1,58 @@
 import { z } from "zod";
 import { TGitLabConnection } from "@app/services/app-connection/gitlab";
 import { CreateGitLabSyncSchema, GitLabSyncListItemSchema, GitLabSyncSchema } from "./gitlab-sync-schemas";
 export type TGitLabSync = z.infer<typeof GitLabSyncSchema>;
 export type TGitLabSyncInput = z.infer<typeof CreateGitLabSyncSchema>;
 export type TGitLabSyncListItem = z.infer<typeof GitLabSyncListItemSchema>;
 export type TGitLabSyncWithCredentials = TGitLabSync & {
  connection: TGitLabConnection;
 };
 export type TGitLabVariable = {
  key: string;
  value: string;
  protected: boolean;
  masked: boolean;
  environmentScope?: string;
  hidden?: boolean;
 };
 export type TGitLabVariableCreate = {
  key: string;
  value: string;
  variable_type?: "env_var" | "file";
  protected?: boolean;
  masked?: boolean;
  raw?: boolean;
  environment_scope?: string;
  description?: string;
 };
 export type TGitLabVariableUpdate = {
  value: string;
  variable_type?: "env_var" | "file";
  protected?: boolean;
  masked?: boolean;
  raw?: boolean;
  environment_scope?: string;
  description?: string | null;
 };
 export type TGitLabListVariables = {
  accessToken: string;
  projectId: string;
  environmentScope?: string;
 };
 export type TGitLabCreateVariable = TGitLabListVariables & {
  variable: TGitLabVariableCreate;
 };
 export type TGitLabUpdateVariable = TGitLabListVariables & {
  key: string;
  variable: TGitLabVariableUpdate;
 };
--- a/backend/src/services/secret-sync/gitlab/index.ts
+++ b/backend/src/services/secret-sync/gitlab/index.ts
@@ -0,0 +1,4 @@
 export * from "./gitlab-sync-constants";
 export * from "./gitlab-sync-fns";
 export * from "./gitlab-sync-schemas";
 export * from "./gitlab-sync-types";
--- a/backend/src/services/secret-sync/secret-sync-enums.ts
+++ b/backend/src/services/secret-sync/secret-sync-enums.ts
@@ -18,7 +18,9 @@ export enum SecretSync {
  OnePass = "1password",
  Heroku = "heroku",
  Render = "render",
-  Flyio = "flyio"
+  Flyio = "flyio",
  GitLab = "gitlab",
  CloudflarePages = "cloudflare-pages"
 }
 export enum SecretSyncInitialSyncBehavior {
--- a/backend/src/services/secret-sync/secret-sync-fns.ts
+++ b/backend/src/services/secret-sync/secret-sync-fns.ts
@@ -29,9 +29,12 @@ import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFact
 import { AZURE_DEVOPS_SYNC_LIST_OPTION, azureDevOpsSyncFactory } from "./azure-devops";
 import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
 import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
 import { CLOUDFLARE_PAGES_SYNC_LIST_OPTION } from "./cloudflare-pages/cloudflare-pages-constants";
 import { CloudflarePagesSyncFns } from "./cloudflare-pages/cloudflare-pages-fns";
 import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
 import { GITLAB_SYNC_LIST_OPTION, GitLabSyncFns } from "./gitlab";
 import { HC_VAULT_SYNC_LIST_OPTION, HCVaultSyncFns } from "./hc-vault";
 import { HEROKU_SYNC_LIST_OPTION, HerokuSyncFns } from "./heroku";
 import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
@@ -63,7 +66,9 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
  [SecretSync.OnePass]: ONEPASS_SYNC_LIST_OPTION,
  [SecretSync.Heroku]: HEROKU_SYNC_LIST_OPTION,
  [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
-  [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION
+  [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
  [SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
  [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION
 };
 export const listSecretSyncOptions = () => {
@@ -227,6 +232,10 @@ export const SecretSyncFns = {
        return RenderSyncFns.syncSecrets(secretSync, schemaSecretMap);
      case SecretSync.Flyio:
        return FlyioSyncFns.syncSecrets(secretSync, schemaSecretMap);
      case SecretSync.GitLab:
        return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
      case SecretSync.CloudflarePages:
        return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
      default:
        throw new Error(
          `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -313,6 +322,12 @@ export const SecretSyncFns = {
      case SecretSync.Flyio:
        secretMap = await FlyioSyncFns.getSecrets(secretSync);
        break;
      case SecretSync.GitLab:
        secretMap = await GitLabSyncFns.getSecrets(secretSync);
        break;
      case SecretSync.CloudflarePages:
        secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
        break;
      default:
        throw new Error(
          `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -386,6 +401,10 @@ export const SecretSyncFns = {
        return RenderSyncFns.removeSecrets(secretSync, schemaSecretMap);
      case SecretSync.Flyio:
        return FlyioSyncFns.removeSecrets(secretSync, schemaSecretMap);
      case SecretSync.GitLab:
        return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
      case SecretSync.CloudflarePages:
        return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
      default:
        throw new Error(
          `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
--- a/backend/src/services/secret-sync/secret-sync-maps.ts
+++ b/backend/src/services/secret-sync/secret-sync-maps.ts
@@ -21,7 +21,9 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
  [SecretSync.OnePass]: "1Password",
  [SecretSync.Heroku]: "Heroku",
  [SecretSync.Render]: "Render",
-  [SecretSync.Flyio]: "Fly.io"
+  [SecretSync.Flyio]: "Fly.io",
  [SecretSync.GitLab]: "GitLab",
  [SecretSync.CloudflarePages]: "Cloudflare Pages"
 };
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -44,7 +46,9 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
  [SecretSync.OnePass]: AppConnection.OnePass,
  [SecretSync.Heroku]: AppConnection.Heroku,
  [SecretSync.Render]: AppConnection.Render,
-  [SecretSync.Flyio]: AppConnection.Flyio
+  [SecretSync.Flyio]: AppConnection.Flyio,
  [SecretSync.GitLab]: AppConnection.GitLab,
  [SecretSync.CloudflarePages]: AppConnection.Cloudflare
 };
 export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@@ -67,5 +71,7 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
  [SecretSync.OnePass]: SecretSyncPlanType.Regular,
  [SecretSync.Heroku]: SecretSyncPlanType.Regular,
  [SecretSync.Render]: SecretSyncPlanType.Regular,
-  [SecretSync.Flyio]: SecretSyncPlanType.Regular
+  [SecretSync.Flyio]: SecretSyncPlanType.Regular,
  [SecretSync.GitLab]: SecretSyncPlanType.Regular,
  [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular
 };
--- a/backend/src/services/secret-sync/secret-sync-types.ts
+++ b/backend/src/services/secret-sync/secret-sync-types.ts
@@ -72,8 +72,15 @@ import {
  TAzureKeyVaultSyncListItem,
  TAzureKeyVaultSyncWithCredentials
 } from "./azure-key-vault";
 import {
  TCloudflarePagesSync,
  TCloudflarePagesSyncInput,
  TCloudflarePagesSyncListItem,
  TCloudflarePagesSyncWithCredentials
 } from "./cloudflare-pages/cloudflare-pages-types";
 import { TFlyioSync, TFlyioSyncInput, TFlyioSyncListItem, TFlyioSyncWithCredentials } from "./flyio/flyio-sync-types";
 import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
 import { TGitLabSync, TGitLabSyncInput, TGitLabSyncListItem, TGitLabSyncWithCredentials } from "./gitlab";
 import {
  THCVaultSync,
  THCVaultSyncInput,
@@ -127,7 +134,9 @@ export type TSecretSync =
  | TOnePassSync
  | THerokuSync
  | TRenderSync
-  | TFlyioSync;
+  | TFlyioSync
  | TGitLabSync
  | TCloudflarePagesSync;
 export type TSecretSyncWithCredentials =
  | TAwsParameterStoreSyncWithCredentials
@@ -149,7 +158,9 @@ export type TSecretSyncWithCredentials =
  | TOnePassSyncWithCredentials
  | THerokuSyncWithCredentials
  | TRenderSyncWithCredentials
-  | TFlyioSyncWithCredentials;
+  | TFlyioSyncWithCredentials
  | TGitLabSyncWithCredentials
  | TCloudflarePagesSyncWithCredentials;
 export type TSecretSyncInput =
  | TAwsParameterStoreSyncInput
@@ -171,7 +182,9 @@ export type TSecretSyncInput =
  | TOnePassSyncInput
  | THerokuSyncInput
  | TRenderSyncInput
-  | TFlyioSyncInput;
+  | TFlyioSyncInput
  | TGitLabSyncInput
  | TCloudflarePagesSyncInput;
 export type TSecretSyncListItem =
  | TAwsParameterStoreSyncListItem
@@ -193,7 +206,9 @@ export type TSecretSyncListItem =
  | TOnePassSyncListItem
  | THerokuSyncListItem
  | TRenderSyncListItem
-  | TFlyioSyncListItem;
+  | TFlyioSyncListItem
  | TGitLabSyncListItem
  | TCloudflarePagesSyncListItem;
 export type TSyncOptionsConfig = {
  canImportSecrets: boolean;
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@@ -1543,9 +1543,8 @@ export const secretServiceFactory = ({
    actor,
    environment,
    viewSecretValue,
-    projectId: workspaceId,
+    projectId,
    expandSecretReferences,
    projectSlug,
    actorId,
    actorOrgId,
    actorAuthMethod,
@@ -1553,7 +1552,6 @@ export const secretServiceFactory = ({
    includeImports,
    version
  }: TGetASecretRawDTO) => {
    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
    if (shouldUseSecretV2Bridge) {
      const secret = await secretV2BridgeService.getSecretByName({
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@@ -229,8 +229,7 @@ export type TGetASecretRawDTO = {
  type: "shared" | "personal";
  includeImports?: boolean;
  version?: number;
-  projectSlug?: string;
+  projectId: string;
  projectId?: string;
 } & Omit<TProjectPermission, "projectId">;
 export type TGetASecretByIdRawDTO = {
--- a/cli/go.mod
+++ b/cli/go.mod
@@ -40,6 +40,9 @@ require (
 	golang.org/x/term v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.31.4
 	k8s.io/apimachinery v0.31.4
 	k8s.io/client-go v0.31.4
 )
 require (
@@ -70,16 +73,25 @@ require (
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/errors v0.20.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20250302191652-9094ed2288e7 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -90,17 +102,23 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/muesli/mango v0.1.0 // indirect
 	github.com/muesli/mango-pflag v0.1.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.22.2 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
@@ -117,6 +135,7 @@ require (
 	github.com/tetratelabs/wazero v1.9.0 // indirect
 	github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 // indirect
 	github.com/wlynxg/anet v0.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
@@ -127,18 +146,26 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/api v0.188.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
 	google.golang.org/grpc v1.64.1 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 require (
--- a/cli/go.sum
+++ b/cli/go.sum
@@ -134,6 +134,8 @@ github.com/denisbrodbeck/machineid v1.0.1 h1:geKr9qtkB876mXguW2X6TU4ZynleN6ezuMS
 github.com/denisbrodbeck/machineid v1.0.1/go.mod h1:dJUwb7PTidGDeYyUBmXZ2GphQBbjJCrnectwCyxcUSI=
 github.com/dvsekhvalnov/jose2go v1.6.0 h1:Y9gnSnP4qEI0+/uQkHvFXeD2PLPJeXEL+ySMEA2EjTY=
 github.com/dvsekhvalnov/jose2go v1.6.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -152,6 +154,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gitleaks/go-gitdiff v0.9.1 h1:ni6z6/3i9ODT685OLCTf+s/ERlWUNWQF4x1pvoNICw0=
 github.com/gitleaks/go-gitdiff v0.9.1/go.mod h1:pKz0X4YzCKZs30BL+weqBIG7mx0jl4tF1uXV9ZyNvrA=
@@ -165,8 +169,16 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8=
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-resty/resty/v2 v2.16.5 h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM=
 github.com/go-resty/resty/v2 v2.16.5/go.mod h1:hkJtXbA2iKHzJheXYvQ8snQES5ZLGKMwQ07xAwp/fiA=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -174,6 +186,7 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -211,6 +224,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -222,9 +237,12 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -298,7 +316,11 @@ github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BA
 github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
@@ -308,6 +330,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -318,6 +341,8 @@ github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -346,8 +371,12 @@ github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
 github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
@@ -365,7 +394,8 @@ github.com/muesli/roff v0.1.0 h1:YD0lalCotmYuF5HhZliKWlIx7IEhiXeSfq7hNjFqGF8=
 github.com/muesli/roff v0.1.0/go.mod h1:pjAHQM9hdUUwm/krAfrLGgJkXJ+YuhtsfZ42kieB2Ig=
 github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
 github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
@@ -406,8 +436,8 @@ github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
 github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
@@ -467,6 +497,8 @@ github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 h1:OvLBa8S
 github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52/go.mod h1:jMeV4Vpbi8osrE/pKUxRZkVaA0EX7NZN0A9/oRzgpgY=
 github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
 github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
 github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
@@ -596,8 +628,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -610,8 +642,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -693,8 +725,8 @@ golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -863,14 +895,17 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -890,6 +925,27 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.31.4 h1:I2QNzitPVsPeLQvexMEsj945QumYraqv9m74isPDKhM=
 k8s.io/api v0.31.4/go.mod h1:d+7vgXLvmcdT1BCo79VEgJxHHryww3V5np2OYTr6jdw=
 k8s.io/apimachinery v0.31.4 h1:8xjE2C4CzhYVm9DGf60yohpNUh5AEBnPxCryPBECmlM=
 k8s.io/apimachinery v0.31.4/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/client-go v0.31.4 h1:t4QEXt4jgHIkKKlx06+W3+1JOwAFU/2OPiOo7H92eRQ=
 k8s.io/client-go v0.31.4/go.mod h1:kvuMro4sFYIa8sulL5Gi5GFqUPvfH2O/dXuKstbaaeg=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
 sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
--- a/cli/packages/api/api.go
+++ b/cli/packages/api/api.go
@@ -631,8 +631,8 @@ func CallGatewayHeartBeatV1(httpClient *resty.Client) error {
 	return nil
 }
-func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRequest) (map[string]interface{}, error) {
+func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRequest) (BootstrapInstanceResponse, error) {
-	var resBody map[string]interface{}
+	var resBody BootstrapInstanceResponse
 	response, err := httpClient.
 		R().
 		SetResult(&resBody).
@@ -641,11 +641,11 @@ func CallBootstrapInstance(httpClient *resty.Client, request BootstrapInstanceRe
 		Post(fmt.Sprintf("%v/v1/admin/bootstrap", request.Domain))
 	if err != nil {
-		return nil, NewGenericRequestError(operationCallBootstrapInstance, err)
+		return BootstrapInstanceResponse{}, NewGenericRequestError(operationCallBootstrapInstance, err)
 	}
 	if response.IsError() {
-		return nil, NewAPIErrorWithResponse(operationCallBootstrapInstance, response, nil)
+		return BootstrapInstanceResponse{}, NewAPIErrorWithResponse(operationCallBootstrapInstance, response, nil)
 	}
 	return resBody, nil
--- a/cli/packages/api/model.go
+++ b/cli/packages/api/model.go
@@ -655,3 +655,35 @@ type BootstrapInstanceRequest struct {
 	Organization string `json:"organization"`
 	Domain       string `json:"domain"`
 }
 type BootstrapInstanceResponse struct {
 	Message      string                `json:"message"`
 	Identity     BootstrapIdentity     `json:"identity"`
 	Organization BootstrapOrganization `json:"organization"`
 	User         BootstrapUser         `json:"user"`
 }
 type BootstrapIdentity struct {
 	ID          string                       `json:"id"`
 	Name        string                       `json:"name"`
 	Credentials BootstrapIdentityCredentials `json:"credentials"`
 }
 type BootstrapIdentityCredentials struct {
 	Token string `json:"token"`
 }
 type BootstrapOrganization struct {
 	ID   string `json:"id"`
 	Name string `json:"name"`
 	Slug string `json:"slug"`
 }
 type BootstrapUser struct {
 	ID         string `json:"id"`
 	Email      string `json:"email"`
 	FirstName  string `json:"firstName"`
 	LastName   string `json:"lastName"`
 	Username   string `json:"username"`
 	SuperAdmin bool   `json:"superAdmin"`
 }
--- a/cli/packages/cmd/bootstrap.go
+++ b/cli/packages/cmd/bootstrap.go
@@ -4,16 +4,127 @@ Copyright (c) 2023 Infisical Inc.
 package cmd
 import (
 	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"text/template"
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 )
 // handleK8SecretOutput processes the k8-secret output type by creating a Kubernetes secret
 func handleK8SecretOutput(bootstrapResponse api.BootstrapInstanceResponse, k8SecretTemplate, k8SecretName, k8SecretNamespace string) error {
 	// Create in-cluster config
 	config, err := rest.InClusterConfig()
 	if err != nil {
 		return fmt.Errorf("failed to create in-cluster config: %v", err)
 	}
 	// Create Kubernetes client
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		return fmt.Errorf("failed to create Kubernetes client: %v", err)
 	}
 	// Parse and execute the template to render the data/stringData section
 	tmpl, err := template.New("k8-secret-template").Funcs(template.FuncMap{
 		"encodeBase64": func(s string) string {
 			return base64.StdEncoding.EncodeToString([]byte(s))
 		},
 	}).Parse(k8SecretTemplate)
 	if err != nil {
 		return fmt.Errorf("failed to parse output template: %v", err)
 	}
 	var renderedDataSection bytes.Buffer
 	err = tmpl.Execute(&renderedDataSection, bootstrapResponse)
 	if err != nil {
 		return fmt.Errorf("failed to execute output template: %v", err)
 	}
 	// Parse the rendered template as JSON to validate it's valid
 	var dataSection map[string]interface{}
 	if err := json.Unmarshal(renderedDataSection.Bytes(), &dataSection); err != nil {
 		return fmt.Errorf("template output is not valid JSON: %v", err)
 	}
 	// Prepare the secret data and stringData maps
 	secretData := make(map[string][]byte)
 	secretStringData := make(map[string]string)
 	// Process the dataSection to separate data and stringData
 	if data, exists := dataSection["data"]; exists {
 		if dataMap, ok := data.(map[string]interface{}); ok {
 			for key, value := range dataMap {
 				if strValue, ok := value.(string); ok {
 					secretData[key] = []byte(strValue)
 				}
 			}
 		}
 	}
 	if stringData, exists := dataSection["stringData"]; exists {
 		if stringDataMap, ok := stringData.(map[string]interface{}); ok {
 			for key, value := range stringDataMap {
 				if strValue, ok := value.(string); ok {
 					secretStringData[key] = strValue
 				}
 			}
 		}
 	}
 	// Create the Kubernetes secret object
 	k8sSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      k8SecretName,
 			Namespace: k8SecretNamespace,
 		},
 		Type:       corev1.SecretTypeOpaque,
 		Data:       secretData,
 		StringData: secretStringData,
 	}
 	ctx := context.Background()
 	secretsClient := clientset.CoreV1().Secrets(k8SecretNamespace)
 	// Check if secret already exists
 	existingSecret, err := secretsClient.Get(ctx, k8SecretName, metav1.GetOptions{})
 	if err != nil {
 		if errors.IsNotFound(err) {
 			// Secret doesn't exist, create it
 			_, err = secretsClient.Create(ctx, k8sSecret, metav1.CreateOptions{})
 			if err != nil {
 				return fmt.Errorf("failed to create Kubernetes secret: %v", err)
 			}
 			log.Info().Msgf("Successfully created Kubernetes secret '%s' in namespace '%s'", k8SecretName, k8SecretNamespace)
 		} else {
 			return fmt.Errorf("failed to check if Kubernetes secret exists: %v", err)
 		}
 	} else {
 		// Secret exists, update it
 		k8sSecret.ObjectMeta.ResourceVersion = existingSecret.ObjectMeta.ResourceVersion
 		_, err = secretsClient.Update(ctx, k8sSecret, metav1.UpdateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to update Kubernetes secret: %v", err)
 		}
 		log.Info().Msgf("Successfully updated Kubernetes secret '%s' in namespace '%s'", k8SecretName, k8SecretNamespace)
 	}
 	return nil
 }
 var bootstrapCmd = &cobra.Command{
 	Use:                   "bootstrap",
 	Short:                 "Used to bootstrap your Infisical instance",
@@ -23,7 +134,7 @@ var bootstrapCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		email, _ := cmd.Flags().GetString("email")
 		if email == "" {
-			if envEmail, ok := os.LookupEnv("INFISICAL_ADMIN_EMAIL"); ok {
+			if envEmail, ok := os.LookupEnv(util.INFISICAL_BOOTSTRAP_EMAIL_NAME); ok {
 				email = envEmail
 			}
 		}
@@ -35,7 +146,7 @@ var bootstrapCmd = &cobra.Command{
 		password, _ := cmd.Flags().GetString("password")
 		if password == "" {
-			if envPassword, ok := os.LookupEnv("INFISICAL_ADMIN_PASSWORD"); ok {
+			if envPassword, ok := os.LookupEnv(util.INFISICAL_BOOTSTRAP_PASSWORD_NAME); ok {
 				password = envPassword
 			}
 		}
@@ -47,7 +158,7 @@ var bootstrapCmd = &cobra.Command{
 		organization, _ := cmd.Flags().GetString("organization")
 		if organization == "" {
-			if envOrganization, ok := os.LookupEnv("INFISICAL_ADMIN_ORGANIZATION"); ok {
+			if envOrganization, ok := os.LookupEnv(util.INFISICAL_BOOTSTRAP_ORGANIZATION_NAME); ok {
 				organization = envOrganization
 			}
 		}
@@ -69,11 +180,56 @@ var bootstrapCmd = &cobra.Command{
 			return
 		}
 		outputType, err := cmd.Flags().GetString("output")
 		if err != nil {
 			log.Error().Msgf("Failed to get output type: %v", err)
 			return
 		}
 		k8SecretTemplate, err := cmd.Flags().GetString("k8-secret-template")
 		if err != nil {
 			log.Error().Msgf("Failed to get k8-secret-template: %v", err)
 		}
 		k8SecretName, err := cmd.Flags().GetString("k8-secret-name")
 		if err != nil {
 			log.Error().Msgf("Failed to get k8-secret-name: %v", err)
 		}
 		k8SecretNamespace, err := cmd.Flags().GetString("k8-secret-namespace")
 		if err != nil {
 			log.Error().Msgf("Failed to get k8-secret-namespace: %v", err)
 		}
 		if outputType == "k8-secret" {
 			if k8SecretTemplate == "" {
 				log.Error().Msg("k8-secret-template is required when using k8-secret output type")
 				return
 			}
 			if k8SecretName == "" {
 				log.Error().Msg("k8-secret-name is required when using k8-secret output type")
 				return
 			}
 			if k8SecretNamespace == "" {
 				log.Error().Msg("k8-secret-namespace is required when using k8-secret output type")
 				return
 			}
 		}
 		httpClient, err := util.GetRestyClientWithCustomHeaders()
 		if err != nil {
 			log.Error().Msgf("Failed to get resty client with custom headers: %v", err)
 			return
 		}
 		ignoreIfBootstrapped, err := cmd.Flags().GetBool("ignore-if-bootstrapped")
 		if err != nil {
 			log.Error().Msgf("Failed to get ignore-if-bootstrapped flag: %v", err)
 			return
 		}
 		httpClient.SetHeader("Accept", "application/json")
 		bootstrapResponse, err := api.CallBootstrapInstance(httpClient, api.BootstrapInstanceRequest{
@@ -84,16 +240,26 @@ var bootstrapCmd = &cobra.Command{
 		})
 		if err != nil {
-			log.Error().Msgf("Failed to bootstrap instance: %v", err)
+			if !ignoreIfBootstrapped {
 				log.Error().Msgf("Failed to bootstrap instance: %v", err)
 			}
 			return
 		}
-		responseJSON, err := json.MarshalIndent(bootstrapResponse, "", "  ")
+		if outputType == "k8-secret" {
-		if err != nil {
+			if err := handleK8SecretOutput(bootstrapResponse, k8SecretTemplate, k8SecretName, k8SecretNamespace); err != nil {
-			log.Fatal().Msgf("Failed to convert response to JSON: %v", err)
+				log.Error().Msgf("Failed to handle k8-secret output: %v", err)
-			return
+				return
 			}
 		} else {
 			responseJSON, err := json.MarshalIndent(bootstrapResponse, "", "  ")
 			if err != nil {
 				log.Fatal().Msgf("Failed to convert response to JSON: %v", err)
 				return
 			}
 			fmt.Println(string(responseJSON))
 		}
 		fmt.Println(string(responseJSON))
 	},
 }
@@ -102,6 +268,10 @@ func init() {
 	bootstrapCmd.Flags().String("email", "", "The desired email address of the instance admin")
 	bootstrapCmd.Flags().String("password", "", "The desired password of the instance admin")
 	bootstrapCmd.Flags().String("organization", "", "The name of the organization to create for the instance")
-
+	bootstrapCmd.Flags().String("output", "", "The type of output to use for the bootstrap command (json or k8-secret)")
 	bootstrapCmd.Flags().Bool("ignore-if-bootstrapped", false, "Whether to continue on error if the instance has already been bootstrapped")
 	bootstrapCmd.Flags().String("k8-secret-template", "{\"data\":{\"token\":\"{{.Identity.Credentials.Token}}\"}}", "The template to use for rendering the Kubernetes secret (entire secret JSON)")
 	bootstrapCmd.Flags().String("k8-secret-namespace", "", "The namespace to create the Kubernetes secret in")
 	bootstrapCmd.Flags().String("k8-secret-name", "", "The name of the Kubernetes secret to create")
 	rootCmd.AddCommand(bootstrapCmd)
 }
--- a/cli/packages/util/constants.go
+++ b/cli/packages/util/constants.go
@@ -10,6 +10,10 @@ const (
 	INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN_NAME = "INFISICAL_UNIVERSAL_AUTH_ACCESS_TOKEN"
 	INFISICAL_VAULT_FILE_PASSPHRASE_ENV_NAME   = "INFISICAL_VAULT_FILE_PASSPHRASE" // This works because we've forked the keyring package and added support for this env variable. This explains why you won't find any occurrences of it in the CLI codebase.
 	INFISICAL_BOOTSTRAP_EMAIL_NAME        = "INFISICAL_ADMIN_EMAIL"
 	INFISICAL_BOOTSTRAP_PASSWORD_NAME     = "INFISICAL_ADMIN_PASSWORD"
 	INFISICAL_BOOTSTRAP_ORGANIZATION_NAME = "INFISICAL_ADMIN_ORGANIZATION"
 	VAULT_BACKEND_AUTO_MODE = "auto"
 	VAULT_BACKEND_FILE_MODE = "file"
@@ -47,6 +51,11 @@ const (
 	INFISICAL_BACKUP_SECRET                = "infisical-backup-secrets" // akhilmhdh: @depreciated remove in version v0.30
 	INFISICAL_BACKUP_SECRET_ENCRYPTION_KEY = "infisical-backup-secret-encryption-key"
 	KUBERNETES_SERVICE_HOST_ENV_NAME        = "KUBERNETES_SERVICE_HOST"
 	KUBERNETES_SERVICE_PORT_HTTPS_ENV_NAME  = "KUBERNETES_SERVICE_PORT_HTTPS"
 	KUBERNETES_SERVICE_ACCOUNT_CA_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 	KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH   = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 )
 var (
--- a/docs/api-reference/endpoints/app-connections/cloudflare/available.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/available.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Available"
 openapi: "GET /api/v1/app-connections/cloudflare/available"
 ---
--- a/docs/api-reference/endpoints/app-connections/cloudflare/create.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/create.mdx
@@ -0,0 +1,10 @@
 ---
 title: "Create"
 openapi: "POST /api/v1/app-connections/cloudflare"
 ---
 <Note>
  Check out the configuration docs for [Cloudflare
  Connections](/integrations/app-connections/cloudflare) to learn how to obtain
  the required credentials.
 </Note>
--- a/docs/api-reference/endpoints/app-connections/cloudflare/delete.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/delete.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Delete"
 openapi: "DELETE /api/v1/app-connections/cloudflare/{connectionId}"
 ---
--- a/docs/api-reference/endpoints/app-connections/cloudflare/get-by-id.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/get-by-id.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Get by ID"
 openapi: "GET /api/v1/app-connections/cloudflare/{connectionId}"
 ---
--- a/docs/api-reference/endpoints/app-connections/cloudflare/get-by-name.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/get-by-name.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Get by Name"
 openapi: "GET /api/v1/app-connections/cloudflare/connection-name/{connectionName}"
 ---
--- a/docs/api-reference/endpoints/app-connections/cloudflare/list.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/list.mdx
@@ -0,0 +1,4 @@
 ---
 title: "List"
 openapi: "GET /api/v1/app-connections/cloudflare"
 ---
--- a/docs/api-reference/endpoints/app-connections/cloudflare/update.mdx
+++ b/docs/api-reference/endpoints/app-connections/cloudflare/update.mdx
@@ -0,0 +1,10 @@
 ---
 title: "Update"
 openapi: "PATCH /api/v1/app-connections/cloudflare/{connectionId}"
 ---
 <Note>
  Check out the configuration docs for [Cloudflare
  Connections](/integrations/app-connections/cloudflare) to learn how to obtain
  the required credentials.
 </Note>
--- a/docs/api-reference/endpoints/app-connections/gitlab/available.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/available.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Available"
 openapi: "GET /api/v1/app-connections/gitlab/available"
 ---
--- a/docs/api-reference/endpoints/app-connections/gitlab/create.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/create.mdx
@@ -0,0 +1,10 @@
 ---
 title: "Create"
 openapi: "POST /api/v1/app-connections/gitlab"
 ---
 <Note>
    Gitlab OAuth Connections must be created through the Infisical UI.
    Check out the configuration docs for [Gitlab OAuth Connections](/integrations/app-connections/gitlab) for a step-by-step
    guide.
 </Note>
--- a/docs/api-reference/endpoints/app-connections/gitlab/delete.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/delete.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Delete"
 openapi: "DELETE /api/v1/app-connections/gitlab/{connectionId}"
 ---
--- a/docs/api-reference/endpoints/app-connections/gitlab/get-by-id.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/get-by-id.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Get by ID"
 openapi: "GET /api/v1/app-connections/gitlab/{connectionId}"
 ---
--- a/docs/api-reference/endpoints/app-connections/gitlab/get-by-name.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/get-by-name.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Get by Name"
 openapi: "GET /api/v1/app-connections/gitlab/connection-name/{connectionName}"
 ---
--- a/docs/api-reference/endpoints/app-connections/gitlab/list.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/list.mdx
@@ -0,0 +1,4 @@
 ---
 title: "List"
 openapi: "GET /api/v1/app-connections/gitlab"
 ---
--- a/docs/api-reference/endpoints/app-connections/gitlab/update.mdx
+++ b/docs/api-reference/endpoints/app-connections/gitlab/update.mdx
@@ -0,0 +1,10 @@
 ---
 title: "Update"
 openapi: "PATCH /api/v1/app-connections/gitlab/{connectionId}"
 ---
 <Note>
    Gitlab OAuth Connections must be updated through the Infisical UI.
    Check out the configuration docs for [Gitlab OAuth Connections](/integrations/app-connections/gitlab) for a step-by-step
    guide.
 </Note>
--- a/docs/api-reference/endpoints/secret-syncs/cloudflare-pages/create.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/cloudflare-pages/create.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Create"
 openapi: "POST /api/v1/secret-syncs/cloudflare-pages"
 ---
--- a/docs/api-reference/endpoints/secret-syncs/cloudflare-pages/delete.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/cloudflare-pages/delete.mdx
@@ -0,0 +1,4 @@
 ---
 title: "Delete"
 openapi: "DELETE /api/v1/secret-syncs/cloudflare-pages/{syncId}"
 ---
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
carlosmonastyrski	f0b9d3c816	feat(secret-sync): improve hide secrets tooltip message	2025-06-25 14:10:28 -03:00
carlosmonastyrski	ea393d144a	feat(secret-sync): minor change on docs	2025-06-25 13:57:07 -03:00
carlosmonastyrski	c4c0f86598	feat(secret-sync): improve update logic and add warning on docs for gitlab limitation on hidden variables	2025-06-25 13:51:38 -03:00
carlosmonastyrski	c95680b95d	feat(secret-sync): type fix	2025-06-25 13:33:43 -03:00
carlosmonastyrski	70ea761375	feat(secret-sync): fix update masked_and_hidden field to not be sent unless it's true	2025-06-25 13:17:41 -03:00
carlosmonastyrski	0366e58a5b	Type fix	2025-06-25 00:24:24 -03:00
carlosmonastyrski	18e733c71f	feat(secret-sync): minor fixes	2025-06-25 00:16:44 -03:00
carlosmonastyrski	070982081c	Merge remote-tracking branch 'origin/main' into feat/gitlabSecretSync	2025-06-24 22:42:28 -03:00
carlosmonastyrski	f462c3f85d	feat(secret-sync): minor fixes	2025-06-24 21:38:33 -03:00
carlosmonastyrski	c505c5877f	feat(secret-sync): updated docs	2025-06-24 18:11:18 -03:00
Maidul Islam	b59fa14bb6	Merge pull request #3818 from Infisical/feat/cli-bootstrap-create-k8-secret feat: added auto-bootstrap support to helm	2025-06-24 17:03:13 -04:00
carlosmonastyrski	d4bf8a33dc	feat(secret-sync): rework GitLab secret-sync to add group variables	2025-06-24 18:01:32 -03:00
Sheen	0eb36d7e35	misc: final doc changes	2025-06-24 20:56:06 +00:00
Sheen Capadngan	ae2da0066a	misc: add helm chart auto bootstrap to methods	2025-06-25 04:40:07 +08:00
Sheen Capadngan	1d7da56b40	misc: used kubernetes client	2025-06-25 02:38:51 +08:00
Sheen	3d2465ae41	Merge pull request #3825 from Infisical/feat/add-cloudflare-app-connection-and-sync feat: added cloudflare app connection and secret sync	2025-06-25 00:44:58 +08:00
carlosmonastyrski	f4f34802bc	Merge pull request #3816 from Infisical/fix/addProjectSlugToSecretsV3 Add projectSlug parameter on secrets v3 endpoints	2025-06-24 13:28:23 -03:00
Daniel Hougaard	59cc857aef	fix: further improve inconsistencies	2025-06-24 19:37:32 +04:00
Daniel Hougaard	a6713b2f76	Merge pull request #3846 from Infisical/daniel/multiple-folders fix(folders): duplicate folders	2025-06-24 19:04:26 +04:00
Daniel Hougaard	3c9a7c77ff	chore: re-add comment	2025-06-24 18:58:03 +04:00
Daniel Hougaard	f1bfea61d0	fix: replace keystore lock with postgres lock	2025-06-24 18:54:18 +04:00
Sheen	144ad2f25f	misc: added image for generated token	2025-06-24 14:51:11 +00:00
carlosmonastyrski	43e0d400f9	feat(secret-sync): add Gitlab PR comments suggestions	2025-06-24 10:05:46 -03:00
Sheen Capadngan	02a2309953	misc: added note for bootstrap output flag	2025-06-24 18:26:17 +08:00
Sheen Capadngan	f1587d8375	misc: addressed comments	2025-06-24 18:18:07 +08:00
carlosmonastyrski	42aaddccd5	Lint fix	2025-06-23 23:13:29 -03:00
carlosmonastyrski	39abeaaab5	Small fix on workspaceId variable definition on secret-router	2025-06-23 23:05:12 -03:00
Daniel Hougaard	b336c0c3d6	Update secret-folder-service.ts	2025-06-24 03:33:45 +04:00
Daniel Hougaard	305f2d79de	remove unused path	2025-06-24 03:32:18 +04:00
Daniel Hougaard	d4a6faa92c	fix(folders): multiple folders being created	2025-06-24 03:24:47 +04:00
carlosmonastyrski	4800e9c36e	Address PR comments	2025-06-23 17:45:21 -03:00
Sheen	842a2e9a06	Merge pull request #3834 from Infisical/misc/add-self-serve-for-github-app-connection-setup misc: add self-serve for github app connection setup	2025-06-24 02:45:51 +08:00
Akhil Mohan	de81d2d380	Merge pull request #3833 from akhilmhdh/feat/pg-queue feat: migrated dynamic secret to pg queue and corrected service layer	2025-06-23 23:51:06 +05:30
=	f5d769fa05	feat: addressed review comments	2025-06-23 23:38:07 +05:30
Scott Wilson	b3ace353ce	Merge pull request #3843 from Infisical/email-verify-more-aggressive-rate-limit improvement(verify-endpoints): add more aggressive rate limiting to verify endpoints	2025-06-23 10:43:25 -07:00
x032205	48353ab201	Merge pull request #3842 from Infisical/sort-tax-id-dropdown sort tax ID dropdown	2025-06-23 13:40:01 -04:00
Scott Wilson	2137d13157	improve key check operator	2025-06-23 10:36:09 -07:00
Scott Wilson	647e13d654	improvement: add more aggressive rate limiting to verify endpoints	2025-06-23 10:27:36 -07:00
x032205	bb2a933a39	sort tax ID dropdown	2025-06-23 13:26:54 -04:00
Daniel Hougaard	6f75debb9c	Merge pull request #3841 from Infisical/daniel/fix-k8s-dynamic-secret-without-gateway fix(dynamic-secrets/k8s): fix for SSL when not using gateway	2025-06-23 21:26:20 +04:00
Daniel Hougaard	90588bc3c9	fix(dynamic-secrets/k8s): fix for SSL when not using gateway	2025-06-23 21:18:15 +04:00
Sheen	4a09fc5e63	Merge pull request #3840 from Infisical/doc/added-architecture-doc-for-cloud doc: architecture for US and EU cloud	2025-06-24 00:53:54 +08:00
Sheen Capadngan	f0ec8c883f	misc: addressed comments	2025-06-24 00:52:18 +08:00
Sheen Capadngan	8024d7448f	misc: updated docs json	2025-06-23 22:18:50 +08:00
Sheen Capadngan	c65b79e00d	Merge remote-tracking branch 'origin/main' into feat/add-cloudflare-app-connection-and-sync	2025-06-23 22:16:09 +08:00
carlosmonastyrski	c305ddd463	feat(secret-sync): Gitlab PR suggestions	2025-06-23 10:52:59 -03:00
Sheen Capadngan	b30706607f	misc: changed from for to of	2025-06-23 21:13:59 +08:00
Sheen Capadngan	2a3d19dcb2	misc: finalized title	2025-06-23 19:31:19 +08:00
Sheen Capadngan	b4ff620b44	doc: removed specifics	2025-06-23 19:28:05 +08:00
Sheen Capadngan	23f1888123	misc: added mention of separated AWS accounts	2025-06-23 19:16:08 +08:00
Sheen Capadngan	7764f63299	misc: made terms consistent	2025-06-23 19:12:09 +08:00
Sheen Capadngan	cb3365afd4	misc: removed troubleshooting section	2025-06-23 19:08:36 +08:00
Sheen Capadngan	58705ffc3f	doc: removed duplicate permission block	2025-06-23 19:03:50 +08:00
Sheen Capadngan	67e57d8993	doc: added mention of NAT	2025-06-23 19:00:45 +08:00
Sheen Capadngan	90ff13a6b5	doc: architecture for US and EU cloud	2025-06-23 18:49:26 +08:00
Maidul Islam	36145a15c1	Merge pull request #3838 from Infisical/docs-update upgrade mintlify docs	2025-06-23 03:38:53 -04:00
Vladyslav Matsiiako	4f64ed6b42	upgrade mintlify docs	2025-06-22 17:25:17 -07:00
carlosmonastyrski	27cb686216	feat(secret-sync): Fix frontend file names	2025-06-20 21:26:12 -03:00
carlosmonastyrski	e201d77a8f	feat(secret-sync): Add gitlab secret sync	2025-06-20 21:13:14 -03:00
Scott Wilson	d47959ca83	Merge pull request #3822 from Infisical/approval-ui-revisions improvements(approval-workflows): Improve Approval Workflow Tables and Add Additional Functionality	2025-06-20 15:25:19 -07:00
Scott Wilson	3b2953ca58	chore: revert license	2025-06-20 12:37:24 -07:00
Scott Wilson	1daa503e0e	improvement: add space to users/groups list label	2025-06-20 12:34:20 -07:00
Scott Wilson	d69e8d2a8d	deconflict merge	2025-06-20 12:33:37 -07:00
Scott Wilson	7c7af347fc	improvements: address feedback and fix bugs	2025-06-20 12:25:28 -07:00
Akhil Mohan	e5a967b918	Update license-fns.ts	2025-06-20 23:50:03 +05:30
=	3cfe2223b6	feat: migrated dynamic secret to pg queue and corrected service layer types to non infer version	2025-06-20 23:32:40 +05:30
Sheen Capadngan	a43d4fd430	addressed greptie	2025-06-20 21:02:09 +08:00
Sheen Capadngan	80b6fb677c	misc: addressed url issue	2025-06-20 20:52:00 +08:00
Sheen Capadngan	5bc8acd0a7	doc: added api references	2025-06-20 20:46:31 +08:00
Sheen	2575845df7	misc: added images to secret sync doc	2025-06-20 12:36:39 +00:00
Sheen Capadngan	641d58c157	misc: addressed sync overflow issue	2025-06-20 20:23:03 +08:00
Sheen Capadngan	430f5d516c	misc: text updates to secret sync	2025-06-20 20:20:10 +08:00
Sheen Capadngan	5cec194e74	misc: initial cloudflare pages sync doc	2025-06-20 20:17:02 +08:00
Sheen Capadngan	5ede4f6f4b	misc: added placeholder for account ID	2025-06-20 20:08:07 +08:00
Sheen	4d3581f835	doc: added assets for app connection	2025-06-20 12:07:21 +00:00
Sheen Capadngan	665f7fa5c3	misc: updated account ID	2025-06-20 19:50:03 +08:00
Sheen Capadngan	9f4b1d2565	image path updates	2025-06-20 19:42:22 +08:00
Sheen Capadngan	59e2a20180	misc: addressed minor issues	2025-06-20 19:39:33 +08:00
Sheen Capadngan	4fee5a5839	doc: added initial app connection doc	2025-06-20 19:36:27 +08:00
Sheen Capadngan	61e245ea58	Merge remote-tracking branch 'origin/main' into feat/add-cloudflare-app-connection-and-sync	2025-06-20 19:24:45 +08:00
Sheen Capadngan	57e97a146b	feat: cloudflare pages secret sync	2025-06-20 03:43:36 +08:00
Sheen Capadngan	d2c7ed62d0	feat: added cloudflare app connection	2025-06-20 01:16:56 +08:00
Scott Wilson	7e9743b4c2	improvement: standardize and update server side pagination for change requests	2025-06-19 09:39:42 -07:00
Scott Wilson	34cf544b3a	fix: correct empty state/search logic	2025-06-19 09:39:42 -07:00
Scott Wilson	12fd063cd5	improvements: minor ui adjustments/additions and pagination for access request table	2025-06-19 09:39:42 -07:00
Scott Wilson	8fb6063686	improvement: better badge color	2025-06-19 09:39:42 -07:00
Scott Wilson	459b262865	improvements: improve approval tables UI and add additional functionality	2025-06-19 09:39:42 -07:00
Sheen Capadngan	470d7cca6a	misc: updated chart version	2025-06-19 20:57:42 +08:00
Sheen Capadngan	8e3918ada3	misc: addressed tag issue for CLI	2025-06-19 20:20:53 +08:00
Sheen Capadngan	bd54054bc3	misc: enabled auto bootstrap for check	2025-06-19 03:53:57 +08:00
Sheen Capadngan	cfe51d4a52	misc: improved template dcs	2025-06-19 03:50:56 +08:00
Sheen Capadngan	9cdd7380df	misc: greptie	2025-06-19 02:30:26 +08:00
Sheen Capadngan	07d491acd1	misc: corrected template doc	2025-06-19 02:26:13 +08:00
Sheen Capadngan	3276853427	misc: added helm support for auto bootstrap	2025-06-19 02:12:08 +08:00
carlosmonastyrski	a8eb72a8c5	Fix type issue	2025-06-18 14:48:29 -03:00
Sheen Capadngan	2b8220a71b	feat: added support for outputting bootstrap credentials to k8 secret	2025-06-19 01:43:47 +08:00
carlosmonastyrski	f76d3e2a14	Add projectSlug parameter on secrets v3 endpoints	2025-06-18 14:35:49 -03:00