disable secret scanning

feat: added secret-scanning disable option

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -135,6 +135,6 @@ jobs:
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
           wait-for-service-stability: true

backend/package-lock.json

@@ -49,7 +49,7 @@
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.7",
         "nanoid": "^5.0.4",
         "nodemailer": "^6.9.9",
         "ora": "^7.0.1",
@@ -10102,9 +10102,9 @@
       }
     },
     "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.7",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.7.tgz",
+      "integrity": "sha512-KnJT8vYRcNAZv73uf9zpXqNbvBG7DJrs+1nACsjZP1HMJ1TgXEy8wnNilXAn/5i57JizXKtrUtwDB7HxT9DDpw==",
       "dependencies": {
         "denque": "^2.1.0",
         "generate-function": "^2.3.1",

backend/src/@types/fastify.d.ts

@@ -32,7 +32,7 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsIamAuthServiceFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-service";
+import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -116,7 +116,7 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      identityAwsIamAuth: TIdentityAwsIamAuthServiceFactory;
+      identityAwsAuth: TIdentityAwsAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;

backend/src/@types/knex.d.ts

@@ -59,9 +59,9 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAwsIamAuths,
-  TIdentityAwsIamAuthsInsert,
-  TIdentityAwsIamAuthsUpdate,
+  TIdentityAwsAuths,
+  TIdentityAwsAuthsInsert,
+  TIdentityAwsAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -329,10 +329,10 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
-    [TableName.IdentityAwsIamAuth]: Knex.CompositeTableType<
-      TIdentityAwsIamAuths,
-      TIdentityAwsIamAuthsInsert,
-      TIdentityAwsIamAuthsUpdate
+    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
+      TIdentityAwsAuths,
+      TIdentityAwsAuthsInsert,
+      TIdentityAwsAuthsUpdate
     >;
     [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -4,8 +4,8 @@ import { TableName } from "../schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
 
 export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsIamAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsIamAuth, (t) => {
+  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
+    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
       t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
       t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
       t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
@@ -14,16 +14,17 @@ export async function up(knex: Knex): Promise<void> {
       t.timestamps(true, true, true);
       t.uuid("identityId").notNullable().unique();
       t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
       t.string("stsEndpoint").notNullable();
       t.string("allowedPrincipalArns").notNullable();
       t.string("allowedAccountIds").notNullable();
     });
   }
 
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsIamAuth);
+  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
 }
 
 export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsIamAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsIamAuth);
+  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
 }

backend/src/db/schemas/access-approval-policies.ts

@@ -11,8 +11,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  envId: z.string().uuid(),
   secretPath: z.string().nullable().optional(),
+  envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

backend/src/db/schemas/identity-aws-auths.ts

@@ -7,7 +7,7 @@ import { z } from "zod";
 
 import { TImmutableDBKeys } from "./models";
 
-export const IdentityAwsIamAuthsSchema = z.object({
+export const IdentityAwsAuthsSchema = z.object({
   id: z.string().uuid(),
   accessTokenTTL: z.coerce.number().default(7200),
   accessTokenMaxTTL: z.coerce.number().default(7200),
@@ -16,11 +16,12 @@ export const IdentityAwsIamAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   identityId: z.string().uuid(),
+  type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
   allowedAccountIds: z.string()
 });
 
-export type TIdentityAwsIamAuths = z.infer<typeof IdentityAwsIamAuthsSchema>;
-export type TIdentityAwsIamAuthsInsert = Omit<z.input<typeof IdentityAwsIamAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAwsIamAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsIamAuthsSchema>, TImmutableDBKeys>>;
+export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
+export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -17,7 +17,7 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-aws-iam-auths";
+export * from "./identity-aws-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/models.ts

@@ -45,7 +45,7 @@ export enum TableName {
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAwsIamAuth = "identity_aws_iam_auths",
+  IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -144,5 +144,5 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   Univeral = "universal-auth",
-  AWS_IAM_AUTH = "aws-iam-auth"
+  AWS_AUTH = "aws-auth"
 }

backend/src/db/schemas/users.ts

@@ -22,7 +22,7 @@ export const UsersSchema = z.object({
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
   username: z.string(),
-  isEmailVerified: z.boolean().nullable().optional()
+  isEmailVerified: z.boolean().default(false).nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -66,10 +66,10 @@ export enum EventType {
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  LOGIN_IDENTITY_AWS_IAM_AUTH = "login-identity-aws-iam-auth",
-  ADD_IDENTITY_AWS_IAM_AUTH = "add-identity-aws-iam-auth",
-  UPDATE_IDENTITY_AWS_IAM_AUTH = "update-identity-aws-iam-auth",
-  GET_IDENTITY_AWS_IAM_AUTH = "get-identity-aws-iam-auth",
+  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
+  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
+  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -410,17 +410,17 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
-interface LoginIdentityAwsIamAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AWS_IAM_AUTH;
+interface LoginIdentityAwsAuthEvent {
+  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
-    identityAwsIamAuthId: string;
+    identityAwsAuthId: string;
     identityAccessTokenId: string;
   };
 }
 
-interface AddIdentityAwsIamAuthEvent {
-  type: EventType.ADD_IDENTITY_AWS_IAM_AUTH;
+interface AddIdentityAwsAuthEvent {
+  type: EventType.ADD_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
     stsEndpoint: string;
@@ -433,8 +433,8 @@ interface AddIdentityAwsIamAuthEvent {
   };
 }
 
-interface UpdateIdentityAwsIamAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AWS_IAM_AUTH;
+interface UpdateIdentityAwsAuthEvent {
+  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
     stsEndpoint?: string;
@@ -447,8 +447,8 @@ interface UpdateIdentityAwsIamAuthEvent {
   };
 }
 
-interface GetIdentityAwsIamAuthEvent {
-  type: EventType.GET_IDENTITY_AWS_IAM_AUTH;
+interface GetIdentityAwsAuthEvent {
+  type: EventType.GET_IDENTITY_AWS_AUTH;
   metadata: {
     identityId: string;
   };
@@ -708,10 +708,10 @@ export type Event =
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
-  | LoginIdentityAwsIamAuthEvent
-  | AddIdentityAwsIamAuthEvent
-  | UpdateIdentityAwsIamAuthEvent
-  | GetIdentityAwsIamAuthEvent
+  | LoginIdentityAwsAuthEvent
+  | AddIdentityAwsAuthEvent
+  | UpdateIdentityAwsAuthEvent
+  | GetIdentityAwsAuthEvent
   | CreateEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,15 +90,17 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    await Promise.all(
-      repositories.map(({ id, full_name }) =>
-        secretScanningQueue.startFullRepoScan({
-          organizationId: session.orgId,
-          installationId,
-          repository: { id, fullName: full_name }
-        })
-      )
-    );
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await Promise.all(
+        repositories.map(({ id, full_name }) =>
+          secretScanningQueue.startFullRepoScan({
+            organizationId: session.orgId,
+            installationId,
+            repository: { id, fullName: full_name }
+          })
+        )
+      );
+    }
     return { installatedApp };
   };
 
@@ -151,6 +153,7 @@ export const secretScanningServiceFactory = ({
   };
 
   const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
+    const appCfg = getConfig();
     const { commits, repository, installation, pusher } = payload;
     if (!commits || !repository || !installation || !pusher) {
       return;
@@ -161,13 +164,15 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    await secretScanningQueue.startPushEventScan({
-      commits,
-      pusher: { name: pusher.name, email: pusher.email },
-      repository: { fullName: repository.full_name, id: repository.id },
-      organizationId: installationLink.orgId,
-      installationId: String(installation?.id)
-    });
+    if (!appCfg.DISABLE_SECRET_SCANNING) {
+      await secretScanningQueue.startPushEventScan({
+        commits,
+        pusher: { name: pusher.name, email: pusher.email },
+        repository: { fullName: repository.full_name, id: repository.id },
+        organizationId: installationLink.orgId,
+        installationId: String(installation?.id)
+      });
+    }
   };
 
   const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {

backend/src/lib/api-docs/constants.ts

@@ -92,7 +92,7 @@ export const UNIVERSAL_AUTH = {
   }
 } as const;
 
-export const AWS_IAM_AUTH = {
+export const AWS_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login.",
     iamHttpRequestMethod: "The HTTP request method used in the signed request.",
@@ -252,6 +252,7 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
+    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -288,7 +289,8 @@ export const RAW_SECRETS = {
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    workspaceSlug:
+      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -307,6 +309,7 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
+    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -625,7 +628,8 @@ export const INTEGRATION = {
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      kmsKeyId: "The ID of the encryption key from AWS KMS.",
+      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
     }
   },
   UPDATE: {

backend/src/lib/config/env.ts

@@ -13,6 +13,10 @@ const zodStrBool = z
 const envSchema = z
   .object({
     PORT: z.coerce.number().default(4000),
+    DISABLE_SECRET_SCANNING: z
+      .enum(["true", "false"])
+      .default("false")
+      .transform((el) => el === "true"),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(

backend/src/server/plugins/maintenanceMode.ts

@@ -5,8 +5,13 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
   fastify.addHook("onRequest", async (req) => {
     const serverEnvs = getConfig();
-    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
-      throw new Error("Infisical is in maintenance mode. Please try again later.");
+    if (serverEnvs.MAINTENANCE_MODE) {
+      // skip if its universal auth login or renew
+      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
+      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
+      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
+        throw new Error("Infisical is in maintenance mode. Please try again later.");
+      }
     }
   });
 });

backend/src/server/routes/index.ts

@@ -78,8 +78,8 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { identityAwsIamAuthDALFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-dal";
-import { identityAwsIamAuthServiceFactory } from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-service";
+import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
+import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -156,7 +156,10 @@ export const registerRoutes = async (
     keyStore
   }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  const appCfg = getConfig();
+  if (!appCfg.DISABLE_SECRET_SCANNING) {
+    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
+  }
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -203,7 +206,7 @@ export const registerRoutes = async (
 
   const identityUaDAL = identityUaDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
-  const identityAwsIamAuthDAL = identityAwsIamAuthDALFactory(db);
+  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -538,8 +541,10 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService
+    snapshotService,
+    projectDAL
   });
+
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -702,9 +707,9 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
-  const identityAWSIAMAuthService = identityAwsIamAuthServiceFactory({
+  const identityAwsAuthService = identityAwsAuthServiceFactory({
     identityAccessTokenDAL,
-    identityAwsIamAuthDAL,
+    identityAwsAuthDAL,
     identityOrgMembershipDAL,
     identityDAL,
     licenseService,
@@ -779,7 +784,7 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
-    identityAwsIamAuth: identityAWSIAMAuthService,
+    identityAwsAuth: identityAwsAuthService,
     secretApprovalPolicy: sapService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,

backend/src/server/routes/v1/admin-router.ts

@@ -20,16 +20,23 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
-            z.object({ isMigrationModeOn: z.boolean() })
-          )
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
+            isMigrationModeOn: z.boolean(),
+            isSecretScanningDisabled: z.boolean()
+          })
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
-      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
+      return {
+        config: {
+          ...config,
+          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
+          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
+        }
+      };
     }
   });
 

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -1,8 +1,8 @@
 import { z } from "zod";
 
-import { IdentityAwsIamAuthsSchema } from "@app/db/schemas";
+import { IdentityAwsAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_IAM_AUTH } from "@app/lib/api-docs";
+import { AWS_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -10,22 +10,22 @@ import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import {
   validateAccountIds,
   validatePrincipalArns
-} from "@app/services/identity-aws-iam-auth/identity-aws-iam-auth-validators";
+} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
 
-export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvider) => {
+export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
-    url: "/aws-iam-auth/login",
+    url: "/aws-auth/login",
     config: {
       rateLimit: writeLimit
     },
     schema: {
-      description: "Login with AWS IAM Auth",
+      description: "Login with AWS Auth",
       body: z.object({
-        identityId: z.string().describe(AWS_IAM_AUTH.LOGIN.identityId),
-        iamHttpRequestMethod: z.string().default("POST").describe(AWS_IAM_AUTH.LOGIN.iamHttpRequestMethod),
-        iamRequestBody: z.string().describe(AWS_IAM_AUTH.LOGIN.iamRequestBody),
-        iamRequestHeaders: z.string().describe(AWS_IAM_AUTH.LOGIN.iamRequestHeaders)
+        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
+        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
+        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
+        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
       }),
       response: {
         200: z.object({
@@ -37,18 +37,18 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }
     },
     handler: async (req) => {
-      const { identityAwsIamAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAwsIamAuth.login(req.body);
+      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityAwsAuth.login(req.body);
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
         orgId: identityMembershipOrg?.orgId,
         event: {
-          type: EventType.LOGIN_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
+            identityId: identityAwsAuth.identityId,
             identityAccessTokenId: identityAccessToken.id,
-            identityAwsIamAuthId: identityAwsIamAuth.id
+            identityAwsAuthId: identityAwsAuth.id
           }
         }
       });
@@ -56,21 +56,21 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       return {
         accessToken,
         tokenType: "Bearer" as const,
-        expiresIn: identityAwsIamAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL
+        expiresIn: identityAwsAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
       };
     }
   });
 
   server.route({
     method: "POST",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Attach AWS IAM Auth configuration onto identity",
+      description: "Attach AWS Auth configuration onto identity",
       security: [
         {
           bearerAuth: []
@@ -109,12 +109,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.attachAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -125,35 +125,35 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.ADD_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.ADD_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
-            stsEndpoint: identityAwsIamAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsIamAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsIamAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsIamAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
           }
         }
       });
 
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 
   server.route({
     method: "PATCH",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Update AWS IAM Auth configuration on identity",
+      description: "Update AWS Auth configuration on identity",
       security: [
         {
           bearerAuth: []
@@ -185,12 +185,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.updateAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -201,35 +201,35 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.UPDATE_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId,
-            stsEndpoint: identityAwsIamAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsIamAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsIamAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsIamAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+            identityId: identityAwsAuth.identityId,
+            stsEndpoint: identityAwsAuth.stsEndpoint,
+            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
+            allowedAccountIds: identityAwsAuth.allowedAccountIds,
+            accessTokenTTL: identityAwsAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
           }
         }
       });
 
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 
   server.route({
     method: "GET",
-    url: "/aws-iam-auth/identities/:identityId",
+    url: "/aws-auth/identities/:identityId",
     config: {
       rateLimit: readLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Retrieve AWS IAM Auth configuration on identity",
+      description: "Retrieve AWS Auth configuration on identity",
       security: [
         {
           bearerAuth: []
@@ -240,12 +240,12 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identityAwsIamAuth: IdentityAwsIamAuthsSchema
+          identityAwsAuth: IdentityAwsAuthsSchema
         })
       }
     },
     handler: async (req) => {
-      const identityAwsIamAuth = await server.services.identityAwsIamAuth.getAwsIamAuth({
+      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
         identityId: req.params.identityId,
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -255,15 +255,15 @@ export const registerIdentityAwsIamAuthRouter = async (server: FastifyZodProvide
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
-        orgId: identityAwsIamAuth.orgId,
+        orgId: identityAwsAuth.orgId,
         event: {
-          type: EventType.GET_IDENTITY_AWS_IAM_AUTH,
+          type: EventType.GET_IDENTITY_AWS_AUTH,
           metadata: {
-            identityId: identityAwsIamAuth.identityId
+            identityId: identityAwsAuth.identityId
           }
         }
       });
-      return { identityAwsIamAuth };
+      return { identityAwsAuth };
     }
   });
 };

backend/src/server/routes/v1/index.ts

@@ -2,7 +2,7 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
-import { registerIdentityAwsIamAuthRouter } from "./identity-aws-iam-auth-router";
+import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -29,7 +29,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
-      await authRouter.register(registerIdentityAwsIamAuthRouter);
+      await authRouter.register(registerIdentityAwsAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/integration-router.ts

@@ -66,7 +66,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
           })
           .default({})
       }),
@@ -142,8 +143,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
       }),
       body: z.object({
-        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
-        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
+        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
         isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
@@ -153,7 +154,33 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .describe(INTEGRATION.UPDATE.secretPath),
         targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
         owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
+        metadata: z
+          .object({
+            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
+            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
+            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
+            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
+            secretGCPLabel: z
+              .object({
+                labelName: z.string(),
+                labelValue: z.string()
+              })
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
+            secretAWSTag: z
+              .array(
+                z.object({
+                  key: z.string(),
+                  value: z.string()
+                })
+              )
+              .optional()
+              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
+          })
+          .optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -127,6 +127,70 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/batch",
+    method: "PATCH",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      description: "Update folders by batch",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectSlug: z.string().trim().describe(FOLDERS.UPDATE.projectSlug),
+        folders: z
+          .object({
+            id: z.string().describe(FOLDERS.UPDATE.folderId),
+            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
+            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
+          })
+          .array()
+          .min(1)
+      }),
+      response: {
+        200: z.object({
+          folders: SecretFoldersSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { newFolders, oldFolders, projectId } = await server.services.folder.updateManyFolders({
+        ...req.body,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await Promise.all(
+        req.body.folders.map(async (folder, index) => {
+          await server.services.auditLog.createAuditLog({
+            ...req.auditLogInfo,
+            projectId,
+            event: {
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment: oldFolders[index].envId,
+                folderId: oldFolders[index].id,
+                folderPath: folder.path,
+                newFolderName: newFolders[index].name,
+                oldFolderName: oldFolders[index].name
+              }
+            }
+          });
+        })
+      );
+
+      return { folders: newFolders };
+    }
+  });
+
   // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     method: "DELETE",

backend/src/server/routes/v3/secret-router.ts

@@ -293,6 +293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       }),
       querystring: z.object({
         workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@@ -311,6 +312,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const { workspaceSlug } = req.query;
       let { secretPath, environment, workspaceId } = req.query;
       if (req.auth.actor === ActorType.SERVICE) {
         const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@@ -322,7 +324,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+      if (!environment) throw new BadRequestError({ message: "Missing environment" });
+      if (!workspaceId && !workspaceSlug)
+        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -331,6 +335,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         environment,
         projectId: workspaceId,
+        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -339,7 +344,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: secret.workspace,
         ...req.auditLogInfo,
         event: {
           type: EventType.GET_SECRET,
@@ -358,7 +363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId,
+          workspaceId: secret.workspace,
           environment,
           secretPath: req.query.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),

backend/src/services/identity-aws-auth/identity-aws-auth-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityAwsAuthDALFactory = ReturnType<typeof identityAwsAuthDALFactory>;
+
+export const identityAwsAuthDALFactory = (db: TDbClient) => {
+  const awsAuthOrm = ormify(db, TableName.IdentityAwsAuth);
+
+  return awsAuthOrm;
+};

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -16,48 +16,43 @@ import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityAwsIamAuthDALFactory } from "./identity-aws-iam-auth-dal";
-import { extractPrincipalArn } from "./identity-aws-iam-auth-fns";
+import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
+import { extractPrincipalArn } from "./identity-aws-auth-fns";
 import {
-  TAttachAWSIAMAuthDTO,
-  TAWSGetCallerIdentityHeaders,
-  TGetAWSIAMAuthDTO,
+  TAttachAwsAuthDTO,
+  TAwsGetCallerIdentityHeaders,
+  TGetAwsAuthDTO,
   TGetCallerIdentityResponse,
-  TLoginAWSIAMAuthDTO,
-  TUpdateAWSIAMAuthDTO
-} from "./identity-aws-iam-auth-types";
+  TLoginAwsAuthDTO,
+  TUpdateAwsAuthDTO
+} from "./identity-aws-auth-types";
 
-type TIdentityAwsIamAuthServiceFactoryDep = {
+type TIdentityAwsAuthServiceFactoryDep = {
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsIamAuthDAL: Pick<TIdentityAwsIamAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };
 
-export type TIdentityAwsIamAuthServiceFactory = ReturnType<typeof identityAwsIamAuthServiceFactory>;
+export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
 
-export const identityAwsIamAuthServiceFactory = ({
+export const identityAwsAuthServiceFactory = ({
   identityAccessTokenDAL,
-  identityAwsIamAuthDAL,
+  identityAwsAuthDAL,
   identityOrgMembershipDAL,
   identityDAL,
   licenseService,
   permissionService
-}: TIdentityAwsIamAuthServiceFactoryDep) => {
-  const login = async ({
-    identityId,
-    iamHttpRequestMethod,
-    iamRequestBody,
-    iamRequestHeaders
-  }: TLoginAWSIAMAuthDTO) => {
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.findOne({ identityId });
-    if (!identityAwsIamAuth) throw new UnauthorizedError();
+}: TIdentityAwsAuthServiceFactoryDep) => {
+  const login = async ({ identityId, iamHttpRequestMethod, iamRequestBody, iamRequestHeaders }: TLoginAwsAuthDTO) => {
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
+    if (!identityAwsAuth) throw new UnauthorizedError();
 
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsIamAuth.identityId });
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
 
-    const headers: TAWSGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
+    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
     const body: string = Buffer.from(iamRequestBody, "base64").toString();
 
     const {
@@ -68,15 +63,15 @@ export const identityAwsIamAuthServiceFactory = ({
       }
     }: { data: TGetCallerIdentityResponse } = await axios({
       method: iamHttpRequestMethod,
-      url: identityAwsIamAuth.stsEndpoint,
+      url: identityAwsAuth.stsEndpoint,
       headers,
       data: body
     });
 
-    if (identityAwsIamAuth.allowedAccountIds) {
+    if (identityAwsAuth.allowedAccountIds) {
       // validate if Account is in the list of allowed Account IDs
 
-      const isAccountAllowed = identityAwsIamAuth.allowedAccountIds
+      const isAccountAllowed = identityAwsAuth.allowedAccountIds
         .split(",")
         .map((accountId) => accountId.trim())
         .some((accountId) => accountId === Account);
@@ -84,10 +79,10 @@ export const identityAwsIamAuthServiceFactory = ({
       if (!isAccountAllowed) throw new UnauthorizedError();
     }
 
-    if (identityAwsIamAuth.allowedPrincipalArns) {
+    if (identityAwsAuth.allowedPrincipalArns) {
       // validate if Arn is in the list of allowed Principal ARNs
 
-      const isArnAllowed = identityAwsIamAuth.allowedPrincipalArns
+      const isArnAllowed = identityAwsAuth.allowedPrincipalArns
         .split(",")
         .map((principalArn) => principalArn.trim())
         .some((principalArn) => {
@@ -100,15 +95,15 @@ export const identityAwsIamAuthServiceFactory = ({
       if (!isArnAllowed) throw new UnauthorizedError();
     }
 
-    const identityAccessToken = await identityAwsIamAuthDAL.transaction(async (tx) => {
+    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
       const newToken = await identityAccessTokenDAL.create(
         {
-          identityId: identityAwsIamAuth.identityId,
+          identityId: identityAwsAuth.identityId,
           isAccessTokenRevoked: false,
-          accessTokenTTL: identityAwsIamAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityAwsIamAuth.accessTokenMaxTTL,
+          accessTokenTTL: identityAwsAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
           accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAwsIamAuth.accessTokenNumUsesLimit
+          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
         },
         tx
       );
@@ -118,7 +113,7 @@ export const identityAwsIamAuthServiceFactory = ({
     const appCfg = getConfig();
     const accessToken = jwt.sign(
       {
-        identityId: identityAwsIamAuth.identityId,
+        identityId: identityAwsAuth.identityId,
         identityAccessTokenId: identityAccessToken.id,
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
@@ -131,10 +126,10 @@ export const identityAwsIamAuthServiceFactory = ({
       }
     );
 
-    return { accessToken, identityAwsIamAuth, identityAccessToken, identityMembershipOrg };
+    return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };
   };
 
-  const attachAwsIamAuth = async ({
+  const attachAwsAuth = async ({
     identityId,
     stsEndpoint,
     allowedPrincipalArns,
@@ -147,12 +142,12 @@ export const identityAwsIamAuthServiceFactory = ({
     actorAuthMethod,
     actor,
     actorOrgId
-  }: TAttachAWSIAMAuthDTO) => {
+  }: TAttachAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
     if (identityMembershipOrg.identity.authMethod)
       throw new BadRequestError({
-        message: "Failed to add AWS IAM Auth to already configured identity"
+        message: "Failed to add AWS Auth to already configured identity"
       });
 
     if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
@@ -186,10 +181,11 @@ export const identityAwsIamAuthServiceFactory = ({
       return extractIPDetails(accessTokenTrustedIp.ipAddress);
     });
 
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.transaction(async (tx) => {
-      const doc = await identityAwsIamAuthDAL.create(
+    const identityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const doc = await identityAwsAuthDAL.create(
         {
           identityId: identityMembershipOrg.identityId,
+          type: "iam",
           stsEndpoint,
           allowedPrincipalArns,
           allowedAccountIds,
@@ -203,16 +199,16 @@ export const identityAwsIamAuthServiceFactory = ({
       await identityDAL.updateById(
         identityMembershipOrg.identityId,
         {
-          authMethod: IdentityAuthMethod.AWS_IAM_AUTH
+          authMethod: IdentityAuthMethod.AWS_AUTH
         },
         tx
       );
       return doc;
     });
-    return { ...identityAwsIamAuth, orgId: identityMembershipOrg.orgId };
+    return { ...identityAwsAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const updateAwsIamAuth = async ({
+  const updateAwsAuth = async ({
     identityId,
     stsEndpoint,
     allowedPrincipalArns,
@@ -225,20 +221,19 @@ export const identityAwsIamAuthServiceFactory = ({
     actorAuthMethod,
     actor,
     actorOrgId
-  }: TUpdateAWSIAMAuthDTO) => {
+  }: TUpdateAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_IAM_AUTH)
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
       throw new BadRequestError({
-        message: "Failed to update AWS IAM Auth"
+        message: "Failed to update AWS Auth"
       });
 
-    const identityAwsIamAuth = await identityAwsIamAuthDAL.findOne({ identityId });
+    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
 
     if (
-      (accessTokenMaxTTL || identityAwsIamAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityAwsIamAuth.accessTokenMaxTTL) >
-        (accessTokenMaxTTL || identityAwsIamAuth.accessTokenMaxTTL)
+      (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityAwsAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL)
     ) {
       throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
     }
@@ -270,7 +265,7 @@ export const identityAwsIamAuthServiceFactory = ({
       return extractIPDetails(accessTokenTrustedIp.ipAddress);
     });
 
-    const updatedAwsIamAuth = await identityAwsIamAuthDAL.updateById(identityAwsIamAuth.id, {
+    const updatedAwsAuth = await identityAwsAuthDAL.updateById(identityAwsAuth.id, {
       stsEndpoint,
       allowedPrincipalArns,
       allowedAccountIds,
@@ -282,18 +277,18 @@ export const identityAwsIamAuthServiceFactory = ({
         : undefined
     });
 
-    return { ...updatedAwsIamAuth, orgId: identityMembershipOrg.orgId };
+    return { ...updatedAwsAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const getAwsIamAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAWSIAMAuthDTO) => {
+  const getAwsAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAwsAuthDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_IAM_AUTH)
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
       throw new BadRequestError({
-        message: "The identity does not have AWS IAM Auth attached"
+        message: "The identity does not have AWS Auth attached"
       });
 
-    const awsIamIdentityAuth = await identityAwsIamAuthDAL.findOne({ identityId });
+    const awsIdentityAuth = await identityAwsAuthDAL.findOne({ identityId });
 
     const { permission } = await permissionService.getOrgPermission(
       actor,
@@ -303,13 +298,13 @@ export const identityAwsIamAuthServiceFactory = ({
       actorOrgId
     );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-    return { ...awsIamIdentityAuth, orgId: identityMembershipOrg.orgId };
+    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
   return {
     login,
-    attachAwsIamAuth,
-    updateAwsIamAuth,
-    getAwsIamAuth
+    attachAwsAuth,
+    updateAwsAuth,
+    getAwsAuth
   };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -1,13 +1,13 @@
 import { TProjectPermission } from "@app/lib/types";
 
-export type TLoginAWSIAMAuthDTO = {
+export type TLoginAwsAuthDTO = {
   identityId: string;
   iamHttpRequestMethod: string;
   iamRequestBody: string;
   iamRequestHeaders: string;
 };
 
-export type TAttachAWSIAMAuthDTO = {
+export type TAttachAwsAuthDTO = {
   identityId: string;
   stsEndpoint: string;
   allowedPrincipalArns: string;
@@ -18,7 +18,7 @@ export type TAttachAWSIAMAuthDTO = {
   accessTokenTrustedIps: { ipAddress: string }[];
 } & Omit<TProjectPermission, "projectId">;
 
-export type TUpdateAWSIAMAuthDTO = {
+export type TUpdateAwsAuthDTO = {
   identityId: string;
   stsEndpoint?: string;
   allowedPrincipalArns?: string;
@@ -29,11 +29,11 @@ export type TUpdateAWSIAMAuthDTO = {
   accessTokenTrustedIps?: { ipAddress: string }[];
 } & Omit<TProjectPermission, "projectId">;
 
-export type TGetAWSIAMAuthDTO = {
+export type TGetAwsAuthDTO = {
   identityId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TAWSGetCallerIdentityHeaders = {
+export type TAwsGetCallerIdentityHeaders = {
   "Content-Type": string;
   Host: string;
   "X-Amz-Date": string;

backend/src/services/identity-aws-iam-auth/identity-aws-iam-auth-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityAwsIamAuthDALFactory = ReturnType<typeof identityAwsIamAuthDALFactory>;
-
-export const identityAwsIamAuthDALFactory = (db: TDbClient) => {
-  const awsIamAuthOrm = ormify(db, TableName.IdentityAwsIamAuth);
-
-  return awsIamAuthOrm;
-};

backend/src/services/identity-ua/identity-ua-service.ts

@@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
   const login = async (clientId: string, clientSecret: string, ip: string) => {
     const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError();
+    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
 
@@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
     const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
       bcrypt.compareSync(clientSecret, clientSecretHash)
     );
-    if (!validClientSecretInfo) throw new UnauthorizedError();
+    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
     if (Number(clientSecretTTL) > 0) {

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -9,9 +9,12 @@
 
 import {
   CreateSecretCommand,
+  DescribeSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
   SecretsManagerClient,
+  TagResourceCommand,
+  UntagResourceCommand,
   UpdateSecretCommand
 } from "@aws-sdk/client-secrets-manager";
 import { Octokit } from "@octokit/rest";
@@ -517,20 +520,22 @@ const syncSecretsAWSParameterStore = async ({
     })
   );
 
-  // Identify secrets to delete
-  await Promise.all(
-    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case:
-        // -> delete secret
-        await ssm
-          .deleteParameter({
-            Name: awsParameterStoreSecretsObj[key].Name as string
-          })
-          .promise();
-      }
-    })
-  );
+  if (!metadata.shouldDisableDelete) {
+    // Identify secrets to delete
+    await Promise.all(
+      Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
+        if (!(key in secrets)) {
+          // case:
+          // -> delete secret
+          await ssm
+            .deleteParameter({
+              Name: awsParameterStoreSecretsObj[key].Name as string
+            })
+            .promise();
+        }
+      })
+    );
+  }
 };
 
 /**
@@ -572,6 +577,7 @@ const syncSecretsAWSSecretManager = async ({
     if (awsSecretManagerSecret?.SecretString) {
       awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
     }
+
     if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
       await secretsManager.send(
         new UpdateSecretCommand({
@@ -580,7 +586,88 @@ const syncSecretsAWSSecretManager = async ({
         })
       );
     }
+
+    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+
+    if (secretAWSTag && secretAWSTag.length) {
+      const describedSecret = await secretsManager.send(
+        // requires secretsmanager:DescribeSecret policy
+        new DescribeSecretCommand({
+          SecretId: integration.app as string
+        })
+      );
+
+      if (!describedSecret.Tags) return;
+
+      const integrationTagObj = secretAWSTag.reduce(
+        (acc, item) => {
+          acc[item.key] = item.value;
+          return acc;
+        },
+        {} as Record<string, string>
+      );
+
+      const awsTagObj = (describedSecret.Tags || []).reduce(
+        (acc, item) => {
+          if (item.Key && item.Value) {
+            acc[item.Key] = item.Value;
+          }
+          return acc;
+        },
+        {} as Record<string, string>
+      );
+
+      const tagsToUpdate: { Key: string; Value: string }[] = [];
+      const tagsToDelete: { Key: string; Value: string }[] = [];
+
+      describedSecret.Tags?.forEach((tag) => {
+        if (tag.Key && tag.Value) {
+          if (!(tag.Key in integrationTagObj)) {
+            // delete tag from AWS secret manager
+            tagsToDelete.push({
+              Key: tag.Key,
+              Value: tag.Value
+            });
+          } else if (tag.Value !== integrationTagObj[tag.Key]) {
+            // update tag in AWS secret manager
+            tagsToUpdate.push({
+              Key: tag.Key,
+              Value: integrationTagObj[tag.Key]
+            });
+          }
+        }
+      });
+
+      secretAWSTag?.forEach((tag) => {
+        if (!(tag.key in awsTagObj)) {
+          // create tag in AWS secret manager
+          tagsToUpdate.push({
+            Key: tag.key,
+            Value: tag.value
+          });
+        }
+      });
+
+      if (tagsToUpdate.length) {
+        await secretsManager.send(
+          new TagResourceCommand({
+            SecretId: integration.app as string,
+            Tags: tagsToUpdate
+          })
+        );
+      }
+
+      if (tagsToDelete.length) {
+        await secretsManager.send(
+          new UntagResourceCommand({
+            SecretId: integration.app as string,
+            TagKeys: tagsToDelete.map((tag) => tag.Key)
+          })
+        );
+      }
+    }
   } catch (err) {
+    // case when AWS manager can't find the specified secret
     if (err instanceof ResourceNotFoundException && secretsManager) {
       await secretsManager.send(
         new CreateSecretCommand({

backend/src/services/integration/integration-service.ts

@@ -103,7 +103,8 @@ export const integrationServiceFactory = ({
     owner,
     isActive,
     environment,
-    secretPath
+    secretPath,
+    metadata
   }: TUpdateIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
@@ -127,7 +128,17 @@ export const integrationServiceFactory = ({
       appId,
       targetEnvironment,
       owner,
-      secretPath
+      secretPath,
+      metadata: {
+        ...(integration.metadata as object),
+        ...metadata
+      }
+    });
+
+    await secretQueueService.syncIntegrations({
+      environment: folder.environment.slug,
+      secretPath,
+      projectId: folder.projectId
     });
 
     return updatedIntegration;

backend/src/services/integration/integration-types.ts

@@ -27,18 +27,33 @@ export type TCreateIntegrationDTO = {
       value: string;
     }[];
     kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateIntegrationDTO = {
   id: string;
-  app: string;
-  appId: string;
+  app?: string;
+  appId?: string;
   isActive?: boolean;
   secretPath: string;
   targetEnvironment: string;
   owner: string;
   environment: string;
+  metadata?: {
+    secretPrefix?: string;
+    secretSuffix?: string;
+    secretGCPLabel?: {
+      labelName: string;
+      labelValue: string;
+    };
+    secretAWSTag?: {
+      key: string;
+      value: string;
+    }[];
+    kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
+  };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteIntegrationDTO = {

backend/src/services/org/org-service.ts

@@ -546,6 +546,10 @@ export const orgServiceFactory = ({
       code
     });
 
+    await userDAL.updateById(user.id, {
+      isEmailVerified: true
+    });
+
     if (user.isAccepted) {
       // this means user has already completed signup process
       // isAccepted is set true when keys are exchanged

backend/src/services/secret-folder/secret-folder-service.ts

@@ -8,9 +8,16 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError } from "@app/lib/errors";
 
+import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
-import { TCreateFolderDTO, TDeleteFolderDTO, TGetFolderDTO, TUpdateFolderDTO } from "./secret-folder-types";
+import {
+  TCreateFolderDTO,
+  TDeleteFolderDTO,
+  TGetFolderDTO,
+  TUpdateFolderDTO,
+  TUpdateManyFoldersDTO
+} from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
 
 type TSecretFolderServiceFactoryDep = {
@@ -19,6 +26,7 @@ type TSecretFolderServiceFactoryDep = {
   folderDAL: TSecretFolderDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderVersionDAL: TSecretFolderVersionDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
 
 export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
@@ -28,7 +36,8 @@ export const secretFolderServiceFactory = ({
   snapshotService,
   permissionService,
   projectEnvDAL,
-  folderVersionDAL
+  folderVersionDAL,
+  projectDAL
 }: TSecretFolderServiceFactoryDep) => {
   const createFolder = async ({
     projectId,
@@ -116,6 +125,105 @@ export const secretFolderServiceFactory = ({
     return folder;
   };
 
+  const updateManyFolders = async ({
+    actor,
+    actorId,
+    projectSlug,
+    actorAuthMethod,
+    actorOrgId,
+    folders
+  }: TUpdateManyFoldersDTO) => {
+    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+    if (!project) {
+      throw new BadRequestError({ message: "Project not found" });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      project.id,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Edit,
+        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+      );
+    });
+
+    const result = await folderDAL.transaction(async (tx) =>
+      Promise.all(
+        folders.map(async (newFolder) => {
+          const { environment, path: secretPath, id, name } = newFolder;
+
+          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
+          if (!parentFolder) {
+            throw new BadRequestError({ message: "Secret path not found", name: "Batch update folder" });
+          }
+
+          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
+          if (!env) {
+            throw new BadRequestError({ message: "Environment not found", name: "Batch update folder" });
+          }
+          const folder = await folderDAL
+            .findOne({ envId: env.id, id, parentId: parentFolder.id })
+            // now folder api accepts id based change
+            // this is for cli backward compatiability and when cli removes this, we will remove this logic
+            .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
+
+          if (!folder) {
+            throw new BadRequestError({ message: "Folder not found" });
+          }
+          if (name !== folder.name) {
+            // ensure that new folder name is unique
+            const folderToCheck = await folderDAL.findOne({
+              name,
+              envId: env.id,
+              parentId: parentFolder.id
+            });
+
+            if (folderToCheck) {
+              throw new BadRequestError({
+                message: "Folder with specified name already exists",
+                name: "Batch update folder"
+              });
+            }
+          }
+
+          const [doc] = await folderDAL.update(
+            { envId: env.id, id: folder.id, parentId: parentFolder.id },
+            { name },
+            tx
+          );
+          await folderVersionDAL.create(
+            {
+              name: doc.name,
+              envId: doc.envId,
+              version: doc.version,
+              folderId: doc.id
+            },
+            tx
+          );
+          if (!doc) {
+            throw new BadRequestError({ message: "Folder not found", name: "Batch update folder" });
+          }
+
+          return { oldFolder: folder, newFolder: doc };
+        })
+      )
+    );
+
+    await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
+
+    return {
+      projectId: project.id,
+      newFolders: result.map((res) => res.newFolder),
+      oldFolders: result.map((res) => res.oldFolder)
+    };
+  };
+
   const updateFolder = async ({
     projectId,
     actor,
@@ -151,6 +259,21 @@ export const secretFolderServiceFactory = ({
       .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
 
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (name !== folder.name) {
+      // ensure that new folder name is unique
+      const folderToCheck = await folderDAL.findOne({
+        name,
+        envId: env.id,
+        parentId: parentFolder.id
+      });
+
+      if (folderToCheck) {
+        throw new BadRequestError({
+          message: "Folder with specified name already exists",
+          name: "Update folder"
+        });
+      }
+    }
 
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update({ envId: env.id, id: folder.id, parentId: parentFolder.id }, { name }, tx);
@@ -239,6 +362,7 @@ export const secretFolderServiceFactory = ({
   return {
     createFolder,
     updateFolder,
+    updateManyFolders,
     deleteFolder,
     getFolders
   };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -13,6 +13,16 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
+export type TUpdateManyFoldersDTO = {
+  projectSlug: string;
+  folders: {
+    environment: string;
+    path: string;
+    id: string;
+    name: string;
+  }[];
+} & Omit<TProjectPermission, "projectId">;
+
 export type TDeleteFolderDTO = {
   environment: string;
   path: string;

backend/src/services/secret/secret-service.ts

@@ -972,7 +972,8 @@ export const secretServiceFactory = ({
     path,
     actor,
     environment,
-    projectId,
+    projectId: workspaceId,
+    projectSlug,
     actorId,
     actorOrgId,
     actorAuthMethod,
@@ -980,6 +981,8 @@ export const secretServiceFactory = ({
     includeImports,
     version
   }: TGetASecretRawDTO) => {
+    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
+
     const botKey = await projectBotService.getBotKey(projectId);
     if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
 

backend/src/services/secret/secret-types.ts

@@ -152,7 +152,9 @@ export type TGetASecretRawDTO = {
   type: "shared" | "personal";
   includeImports?: boolean;
   version?: number;
-} & TProjectPermission;
+  projectSlug?: string;
+  projectId?: string;
+} & Omit<TProjectPermission, "projectId">;
 
 export type TCreateSecretRawDTO = TProjectPermission & {
   secretPath: string;

docs/documentation/getting-started/introduction.mdx

@@ -51,7 +51,7 @@ As a result, the 3 main concepts that are important to understand are:
 
 - **[Identities](/documentation/platform/identities/overview)**: users or machines with a set permissions assigned to them.
 - **[Clients](/integrations/platforms/kubernetes)**: Infisical-developed tools for managing secrets in various infrastructure components (e.g., [Kubernetes Operator](/integrations/platforms/kubernetes), [Infisical Agent](/integrations/platforms/infisical-agent), [CLI](/cli/usage), [SDKs](/sdks/overview), [API](/api-reference/overview/introduction), [Web Dashboard](/documentation/platform/organization)).
-- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, AWS IAM Auth etc.).
+- **[Authentication Methods](/documentation/platform/identities/universal-auth)**: ways for Identities to authenticate inside different clients (e.g., SAML SSO for Web Dashboard, Universal Auth for Infisical Agent, AWS Auth etc.).
 
 ## How to get started with Infisical?
 

docs/documentation/platform/identities/aws-auth.mdx

@@ -1,34 +1,60 @@
 ---
-title: AWS IAM Auth
+title: AWS Auth
 description: "Learn how to authenticate with Infisical for EC2 instances, Lambda functions, and other IAM principals."
 ---
 
-**AWS IAM Auth** is an AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to access Infisical.
+**AWS Auth** is an AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to access Infisical.
+
+## Diagram
+
+The following sequence digram illustrates the AWS Auth workflow for authenticating AWS IAM principals with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+  participant AWS as AWS STS
+
+  Note over Client,Client: Step 1: Sign GetCallerIdentityQuery
+
+  Note over Client,Infis: Step 2: Login Operation
+  Client->>Infis: Send signed query details /api/v1/auth/aws-auth/login
+
+  Note over Infis,AWS: Step 3: Query verification
+  Infis->>AWS: Forward signed GetCallerIdentity query
+  AWS-->>Infis: Return IAM user/role details
+
+  Note over Infis: Step 4: Identity Property Validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 4: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
 
 ## Concept
 
-At a high-level, Infisical authenticates an IAM principal by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed IAM principal ARN) at the `/api/v1/auth/aws-iam-auth/login` endpoint. If successful,
+At a high-level, Infisical authenticates an IAM principal by verifying its identity and checking that it meets specific requirements (e.g. it is an allowed IAM principal ARN) at the `/api/v1/auth/aws-auth/login` endpoint. If successful,
 then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
 
-In AWS IAM Auth, an IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
+In AWS Auth, an IAM principal signs a `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html); this is done using the credentials from the AWS environment where the IAM principal is running.
 The query data including the request method, request body, and request headers are sent to Infisical afterwhich Infisical forwards the signed query to AWS STS API via the [sts:GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) method to verify and obtain the identity of the IAM principal.
 Once obtained, the identity information is verified against specified requirements such as if the associated IAM principal ARN is allowed to authenticate with Infisical. If all is well, Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
 
 <Note>
 We recommend using one of Infisical's clients like SDKs or the Infisical Agent
-to authenticate with Infisical using AWS IAM Auth as they handle the
+to authenticate with Infisical using AWS Auth as they handle the
 authentication process including the signed `GetCallerIdentity` query
 construction for you.
 
 Also, note that Infisical needs network-level access to send requests to the AWS STS API
-as part of the AWS IAM Auth workflow.
+as part of the AWS Auth workflow.
 
 </Note>
 
 ## Workflow
 
 In the following steps, we explore how to create and use identities for your workloads and applications on AWS to
-access the Infisical API using the AWS IAM authentication method.
+access the Infisical API using the AWS Auth authentication method.
 
 <Steps>
     <Step title="Creating an identity">
@@ -45,9 +71,9 @@ access the Infisical API using the AWS IAM authentication method.
     - Name (required): A friendly name for the identity.
     - Role (required): A role from the **Organization Roles** tab for the identity to assume. The organization role assigned will determine what organization level resources this identity can have access to.
 
-    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **AWS IAM Auth**.
+    Once you've created an identity, you'll be prompted to configure the authentication method for it. Here, select **AWS Auth**.
 
-    ![identities create iam auth method](/images/platform/identities/identities-org-create-aws-iam-auth-method.png)
+    ![identities create aws auth method](/images/platform/identities/identities-org-create-aws-auth-method.png)
 
     Here's some more guidance on each field:
 
@@ -71,7 +97,7 @@ access the Infisical API using the AWS IAM authentication method.
     ![identities project create](/images/platform/identities/identities-project-create.png)
     </Step>
     <Step title="Accessing the Infisical API with the identity">
-        To access the Infisical API as the identity, you need to construct a signed `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) and make a request to the `/api/v1/auth/aws-iam-auth/login` endpoint containing the query data
+        To access the Infisical API as the identity, you need to construct a signed `GetCallerIdentity` query using the [AWS Signature v4 algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) and make a request to the `/api/v1/auth/aws-auth/login` endpoint containing the query data
         in exchange for an access token.
 
         We provide a few code examples below of how you can authenticate with Infisical from inside a Lambda function, EC2 instance, etc. and obtain an access token to access the [Infisical API](/api-reference/overview/introduction).
@@ -119,7 +145,7 @@ access the Infisical API using the AWS IAM authentication method.
                         const identityId = "<your-identity-id>";
 
                         const { data } = await axios.post(
-                            `${infisicalUrl}/api/v1/auth/aws-iam-auth/login`,
+                            `${infisicalUrl}/api/v1/auth/aws-auth/login`,
                             {
                                 identityId,
                                 iamHttpRequestMethod: "POST",
@@ -191,7 +217,7 @@ access the Infisical API using the AWS IAM authentication method.
                         const infisicalUrl = "https://app.infisical.com"; // or your self-hosted Infisical URL
                         const identityId = "<your-identity-id>";
 
-                        const { data } = await axios.post(`${infisicalUrl}/api/v1/auth/aws-iam-auth/login`, {
+                        const { data } = await axios.post(`${infisicalUrl}/api/v1/auth/aws-auth/login`, {
                             identityId,
                             iamHttpRequestMethod: "POST",
                             iamRequestUrl: Buffer.from(iamRequestURL).toString("base64"),
@@ -239,7 +265,7 @@ access the Infisical API using the AWS IAM authentication method.
                 #### Sample request
 
                 ```bash Request
-                curl --location --request POST 'https://app.infisical.com/api/v1/auth/aws-iam-auth/login' \
+                curl --location --request POST 'https://app.infisical.com/api/v1/auth/aws-auth/login' \
                     --header 'Content-Type: application/x-www-form-urlencoded' \
                     --data-urlencode 'identityId=...' \
                     --data-urlencode 'iamHttpRequestMethod=...' \
@@ -263,7 +289,7 @@ access the Infisical API using the AWS IAM authentication method.
         </AccordionGroup>
 
         <Tip>
-            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using AWS IAM Auth as they handle the authentication process including the signed `GetCallerIdentity` query construction for you.
+            We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using AWS Auth as they handle the authentication process including the signed `GetCallerIdentity` query construction for you.
         </Tip>
 
         <Note>

docs/documentation/platform/identities/machine-identities.mdx

@@ -7,7 +7,7 @@ description: "Learn how to use Machine Identities to programmatically interact w
 
 An Infisical machine identity is an entity that represents a workload or application that require access to various resources in Infisical. This is conceptually similar to an IAM user in AWS or service account in Google Cloud Platform (GCP).
 
-Each identity must authenticate using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS IAM Auth](/documentation/platform/identities/aws-iam-auth) to get back a short-lived access token to be used in subsequent requests.
+Each identity must authenticate using a supported authentication method like [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS Auth](/documentation/platform/identities/aws-auth) to get back a short-lived access token to be used in subsequent requests.
 
 ![organization identities](/images/platform/organization/organization-machine-identities.png)
 
@@ -21,7 +21,7 @@ Key Features:
 A typical workflow for using identities consists of four steps:
 
 1. Creating the identity with a name and [role](/documentation/platform/role-based-access-controls) in Organization Access Control > Machine Identities.
-   This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS IAM Auth](/documentation/platform/identities/aws-iam-auth).
+   This step also involves configuring an authentication method for it such as [Universal Auth](/documentation/platform/identities/universal-auth) or [AWS Auth](/documentation/platform/identities/aws-auth).
 2. Adding the identity to the project(s) you want it to have access to.
 3. Authenticating the identity with the Infisical API based on the configured authentication method on it and receiving a short-lived access token back.
 4. Authenticating subsequent requests with the Infisical API using the short-lived access token.
@@ -38,7 +38,7 @@ Machine Identity support for the rest of the clients is planned to be released i
 To interact with various resources in Infisical, Machine Identities are able to authenticate using:
 
 - [Universal Auth](/documentation/platform/identities/universal-auth): A platform-agnostic authentication method that can be configured on an identity suitable to authenticate from any platform/environment.
-- [AWS IAM Auth](/documentation/platform/identities/aws-iam-auth): An AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to authenticate with Infisical.
+- [AWS Auth](/documentation/platform/identities/aws-auth): An AWS-native authentication method for IAM principals like EC2 instances or Lambda functions to authenticate with Infisical.
 
 ## FAQ
 

docs/documentation/platform/identities/universal-auth.mdx

@@ -5,6 +5,25 @@ description: "Learn how to authenticate to Infisical from any platform or enviro
 
 **Universal Auth** is a platform-agnostic authentication method that can be configured for a [machine identity](/documentation/platform/identities/machine-identities) suitable to authenticate from any platform/environment.
 
+## Diagram
+
+The following sequence digram illustrates the Universal Auth workflow for authenticating clients with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+
+  Note over Client,Infis: Step 1: Login Operation
+  Client->>Infis: Send Client ID and Client Secret
+
+  Note over Infis: Step 2: Client ID and Client Secret validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 3: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
 ## Concept
 
 In this method, Infisical authenticates an identity by verifying the credentials issued for it at the `/api/v1/auth/universal-auth/login` endpoint. If successful,
@@ -12,7 +31,7 @@ then Infisical returns a short-lived access token that can be used to make authe
 
 In Universal Auth, an identity is given a **Client ID** and one or more **Client Secret(s)**. Together, a **Client ID** and **Client Secret** can be exchanged for a short-lived access token to authenticate with the Infisical API.
 
-## Workflow
+## Guide
 
 In the following steps, we explore how to create and use identities for your workloads and applications to access the Infisical API
 using the Universal Auth authentication method.

docs/integrations/cicd/githubactions.mdx

@@ -3,9 +3,15 @@ title: "GitHub Actions"
 description: "How to sync secrets from Infisical to GitHub Actions"
 ---
 
+<Note>
+  Alternatively, you can use Infisical's official Github Action
+  [here](https://github.com/Infisical/secrets-action).
+</Note>
+
 Infisical lets you sync secrets to GitHub at the organization-level, repository-level, and repository environment-level.
 
 Prerequisites:
+
 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
 - Ensure that you have admin privileges to the repository you want to sync secrets to.
 

docs/integrations/cloud/aws-secret-manager.mdx

@@ -29,7 +29,9 @@ Prerequisites:
             "secretsmanager:GetSecretValue",
             "secretsmanager:CreateSecret",
             "secretsmanager:UpdateSecret",
+            "secretsmanager:DescribeSecret", // if you need to add tags to secrets
             "secretsmanager:TagResource", // if you need to add tags to secrets
+            "secretsmanager:UntagResource", // if you need to add tags to secrets
             "kms:ListKeys", // if you need to specify the KMS key
             "kms:ListAliases", // if you need to specify the KMS key
             "kms:Encrypt", // if you need to specify the KMS key

docs/mint.json

@@ -153,7 +153,7 @@
         "documentation/platform/auth-methods/email-password",
         "documentation/platform/token",
         "documentation/platform/identities/universal-auth",
-        "documentation/platform/identities/aws-iam-auth",
+        "documentation/platform/identities/aws-auth",
         "documentation/platform/mfa",
         {
           "group": "SSO",

frontend/src/components/navigation/NavHeader.tsx

@@ -120,7 +120,7 @@ export default function NavHeader({
             passHref
             legacyBehavior
             href={{
-              pathname: "/project/[id]/secrets/v2/[env]",
+              pathname: "/project/[id]/secrets/[env]",
               query: { id: router.query.id, env: router.query.env }
             }}
           >

frontend/src/components/v2/FontAwesomeSymbol/FontAwesomeSymbol.tsx

@@ -0,0 +1,19 @@
+import { forwardRef, HTMLAttributes } from "react";
+
+type Props = {
+  symbolName: string;
+} & HTMLAttributes<HTMLDivElement>;
+
+export const FontAwesomeSymbol = forwardRef<HTMLDivElement, Props>(
+  ({ symbolName, ...props }, ref) => {
+    return (
+      <div ref={ref} {...props}>
+        <svg className="w-inherit h-inherit">
+          <use href={`#${symbolName}`} />
+        </svg>
+      </div>
+    );
+  }
+);
+
+FontAwesomeSymbol.displayName = "FontAwesomeSymbol";

frontend/src/components/v2/FontAwesomeSymbol/index.tsx

@@ -0,0 +1 @@
+export { FontAwesomeSymbol } from "./FontAwesomeSymbol";

frontend/src/components/v2/InfisicalSecretInput/InfisicalSecretInput.tsx

@@ -1,17 +1,42 @@
-import { TextareaHTMLAttributes, useEffect, useRef, useState } from "react";
+import { forwardRef, TextareaHTMLAttributes, useCallback, useMemo, useRef, useState } from "react";
 import { faCircle, faFolder, faKey } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import * as Popover from "@radix-ui/react-popover";
-import { twMerge } from "tailwind-merge";
 
 import { useWorkspace } from "@app/context";
-import { useDebounce } from "@app/hooks";
-import { useGetFoldersByEnv, useGetProjectSecrets, useGetUserWsKey } from "@app/hooks/api";
+import { useDebounce, useToggle } from "@app/hooks";
+import { useGetProjectFolders, useGetProjectSecrets, useGetUserWsKey } from "@app/hooks/api";
 
 import { SecretInput } from "../SecretInput";
 
-const REGEX_UNCLOSED_SECRET_REFERENCE = /\${(?![^{}]*\})/g;
-const REGEX_OPEN_SECRET_REFERENCE = /\${/g;
+const getIndexOfUnclosedRefToTheLeft = (value: string, pos: number) => {
+  // take substring up to pos in order to consider edits for closed references
+  for (let i = pos; i >= 1; i -= 1) {
+    if (value[i] === "}") return -1;
+    if (value[i - 1] === "$" && value[i] === "{") {
+      return i;
+    }
+  }
+  return -1;
+};
+
+const getIndexOfUnclosedRefToTheRight = (value: string, pos: number) => {
+  // use it with above to identify an open ${
+  for (let i = pos; i < value.length; i += 1) {
+    if (value[i] === "}") return i - 1;
+  }
+  return -1;
+};
+
+const getClosingSymbol = (isSelectedSecret: boolean, isClosed: boolean) => {
+  if (!isClosed) {
+    return isSelectedSecret ? "}" : ".";
+  }
+  if (!isSelectedSecret) return ".";
+  return "";
+};
+
+const mod = (n: number, m: number) => ((n % m) + m) % m;
 
 export enum ReferenceType {
   ENVIRONMENT = "environment",
@@ -19,8 +44,9 @@ export enum ReferenceType {
   SECRET = "secret"
 }
 
-type Props = TextareaHTMLAttributes<HTMLTextAreaElement> & {
-  value?: string | null;
+type Props = Omit<TextareaHTMLAttributes<HTMLTextAreaElement>, "onChange" | "value"> & {
+  value?: string;
+  onChange: (val: string) => void;
   isImport?: boolean;
   isVisible?: boolean;
   isReadOnly?: boolean;
@@ -31,339 +57,298 @@ type Props = TextareaHTMLAttributes<HTMLTextAreaElement> & {
 };
 
 type ReferenceItem = {
-  name: string;
+  label: string;
   type: ReferenceType;
-  slug?: string;
+  slug: string;
 };
 
-export const InfisicalSecretInput = ({
-  value: propValue,
-  containerClassName,
-  secretPath: propSecretPath,
-  environment: propEnvironment,
-  onChange,
-  ...props
-}: Props) => {
-  const [inputValue, setInputValue] = useState(propValue ?? "");
-  const [isSuggestionsOpen, setIsSuggestionsOpen] = useState(false);
-  const [currentCursorPosition, setCurrentCursorPosition] = useState(0);
-  const [currentReference, setCurrentReference] = useState<string>("");
-  const [secretPath, setSecretPath] = useState<string>(propSecretPath || "/");
-  const [environment, setEnvironment] = useState<string | undefined>(propEnvironment);
-  const { currentWorkspace } = useWorkspace();
-  const workspaceId = currentWorkspace?.id || "";
-  const { data: decryptFileKey } = useGetUserWsKey(workspaceId);
-  const { data: secrets } = useGetProjectSecrets({
-    decryptFileKey: decryptFileKey!,
-    environment: environment || currentWorkspace?.environments?.[0].slug!,
-    secretPath,
-    workspaceId
-  });
-  const { folderNames: folders } = useGetFoldersByEnv({
-    path: secretPath,
-    environments: [environment || currentWorkspace?.environments?.[0].slug!],
-    projectId: workspaceId
-  });
+export const InfisicalSecretInput = forwardRef<HTMLTextAreaElement, Props>(
+  (
+    {
+      value = "",
+      onChange,
+      containerClassName,
+      secretPath: propSecretPath,
+      environment: propEnvironment,
+      ...props
+    },
+    ref
+  ) => {
+    const { currentWorkspace } = useWorkspace();
+    const workspaceId = currentWorkspace?.id || "";
+    const { data: decryptFileKey } = useGetUserWsKey(workspaceId);
 
-  const debouncedCurrentReference = useDebounce(currentReference, 100);
+    const debouncedValue = useDebounce(value, 500);
 
-  const [listReference, setListReference] = useState<ReferenceItem[]>([]);
-  const [highlightedIndex, setHighlightedIndex] = useState(-1);
-  const inputRef = useRef<HTMLTextAreaElement>(null);
-  const isPopupOpen = isSuggestionsOpen && listReference.length > 0 && currentReference.length > 0;
+    const [highlightedIndex, setHighlightedIndex] = useState(-1);
 
-  useEffect(() => {
-    setInputValue(propValue ?? "");
-  }, [propValue]);
+    const inputRef = useRef<HTMLTextAreaElement>(null);
+    const popoverContentRef = useRef<HTMLDivElement>(null);
+    const [isFocused, setIsFocused] = useToggle(false);
+    const currentCursorPosition = inputRef.current?.selectionStart || 0;
 
-  useEffect(() => {
-    let currentEnvironment = propEnvironment;
-    let currentSecretPath = propSecretPath || "/";
+    const suggestionSource = useMemo(() => {
+      const left = getIndexOfUnclosedRefToTheLeft(debouncedValue, currentCursorPosition - 1);
+      if (left === -1) return { left, value: "", predicate: "", isDeep: false };
 
-    if (!currentReference) {
-      setSecretPath(currentSecretPath);
-      setEnvironment(currentEnvironment);
-      return;
-    }
+      const suggestionSourceValue = debouncedValue.slice(left + 1, currentCursorPosition);
+      let suggestionSourceEnv: string | undefined = propEnvironment;
+      let suggestionSourceSecretPath: string | undefined = propSecretPath || "/";
 
-    const isNested = currentReference.includes(".");
+      // means its like <environment>.<folder1>.<...more folder>.secret
+      const isDeep = suggestionSourceValue.includes(".");
+      let predicate = suggestionSourceValue;
+      if (isDeep) {
+        const [envSlug, ...folderPaths] = suggestionSourceValue.split(".");
+        const isValidEnvSlug = currentWorkspace?.environments.find((e) => e.slug === envSlug);
+        suggestionSourceEnv = isValidEnvSlug ? envSlug : undefined;
+        suggestionSourceSecretPath = `/${folderPaths.slice(0, -1)?.join("/")}`;
+        predicate = folderPaths[folderPaths.length - 1];
+      }
 
-    if (isNested) {
-      const [envSlug, ...folderPaths] = currentReference.split(".");
-      const isValidEnvSlug = currentWorkspace?.environments.find((e) => e.slug === envSlug);
-      currentEnvironment = isValidEnvSlug ? envSlug : undefined;
+      return {
+        left: left + 1,
+        // the full value inside a ${<value>}
+        value: suggestionSourceValue,
+        // the final part after staging.dev.<folder1>.<predicate>
+        predicate,
+        isOpen: left !== -1,
+        isDeep,
+        environment: suggestionSourceEnv,
+        secretPath: suggestionSourceSecretPath
+      };
+    }, [debouncedValue]);
 
-      // should be based on the last valid section (with .)
-      folderPaths.pop();
-      currentSecretPath = `/${folderPaths?.join("/")}`;
-    }
-
-    setSecretPath(currentSecretPath);
-    setEnvironment(currentEnvironment);
-  }, [debouncedCurrentReference]);
-
-  useEffect(() => {
-    const currentListReference: ReferenceItem[] = [];
-    const isNested = currentReference?.includes(".");
-
-    if (!currentReference) {
-      setListReference(currentListReference);
-      return;
-    }
-
-    if (!environment) {
-      currentWorkspace?.environments.forEach((env) => {
-        currentListReference.unshift({
-          name: env.slug,
-          type: ReferenceType.ENVIRONMENT
-        });
-      });
-    } else if (isNested) {
-      folders?.forEach((folder) => {
-        currentListReference.unshift({ name: folder, type: ReferenceType.FOLDER });
-      });
-    } else if (environment) {
-      currentWorkspace?.environments.forEach((env) => {
-        currentListReference.unshift({
-          name: env.slug,
-          type: ReferenceType.ENVIRONMENT
-        });
-      });
-    }
-
-    secrets?.forEach((secret) => {
-      currentListReference.unshift({ name: secret.key, type: ReferenceType.SECRET });
+    const isPopupOpen = Boolean(suggestionSource.isOpen) && isFocused;
+    const { data: secrets } = useGetProjectSecrets({
+      decryptFileKey: decryptFileKey!,
+      environment: suggestionSource.environment || "",
+      secretPath: suggestionSource.secretPath || "",
+      workspaceId,
+      options: {
+        enabled: isPopupOpen
+      }
     });
-
-    // Get fragment inside currentReference
-    const searchFragment = isNested ? currentReference.split(".").pop() || "" : currentReference;
-    const filteredListRef = currentListReference
-      .filter((suggestionEntry) =>
-        suggestionEntry.name.toUpperCase().startsWith(searchFragment.toUpperCase())
-      )
-      .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
-
-    setListReference(filteredListRef);
-  }, [secrets, environment, debouncedCurrentReference]);
-
-  const getIndexOfUnclosedRefToTheLeft = (pos: number) => {
-    // take substring up to pos in order to consider edits for closed references
-    const unclosedReferenceIndexMatches = [
-      ...inputValue.substring(0, pos).matchAll(REGEX_UNCLOSED_SECRET_REFERENCE)
-    ].map((match) => match.index);
-
-    // find unclosed reference index less than the current cursor position
-    let indexIter = -1;
-    unclosedReferenceIndexMatches.forEach((index) => {
-      if (index !== undefined && index > indexIter && index < pos) {
-        indexIter = index;
+    const { data: folders } = useGetProjectFolders({
+      environment: suggestionSource.environment || "",
+      path: suggestionSource.secretPath || "",
+      projectId: workspaceId,
+      options: {
+        enabled: isPopupOpen
       }
     });
 
-    return indexIter;
-  };
+    const suggestions = useMemo(() => {
+      if (!isPopupOpen) return [];
+      // reset highlight whenever recomputation happens
+      setHighlightedIndex(-1);
+      const suggestionsArr: ReferenceItem[] = [];
+      const predicate = suggestionSource.predicate.toLowerCase();
 
-  const getIndexOfUnclosedRefToTheRight = (pos: number) => {
-    const unclosedReferenceIndexMatches = [...inputValue.matchAll(REGEX_OPEN_SECRET_REFERENCE)].map(
-      (match) => match.index
-    );
-
-    // find the next unclosed reference index to the right of the current cursor position
-    // this is so that we know the limitation for slicing references
-    let indexIter = Infinity;
-    unclosedReferenceIndexMatches.forEach((index) => {
-      if (index !== undefined && index > pos && index < indexIter) {
-        indexIter = index;
+      if (!suggestionSource.isDeep) {
+        // At first level only environments and secrets
+        (currentWorkspace?.environments || []).forEach(({ name, slug }) => {
+          if (name.toLowerCase().startsWith(predicate))
+            suggestionsArr.push({
+              label: name,
+              slug,
+              type: ReferenceType.ENVIRONMENT
+            });
+        });
+      } else {
+        // one deeper levels its based on an environment folders and secrets
+        (folders || []).forEach(({ name }) => {
+          if (name.toLowerCase().startsWith(predicate))
+            suggestionsArr.push({
+              label: name,
+              slug: name,
+              type: ReferenceType.FOLDER
+            });
+        });
       }
-    });
+      (secrets || []).forEach(({ key }) => {
+        if (key.toLowerCase().startsWith(predicate))
+          suggestionsArr.push({
+            label: key,
+            slug: key,
+            type: ReferenceType.SECRET
+          });
+      });
+      return suggestionsArr;
+    }, [secrets, folders, currentWorkspace?.environments, isPopupOpen, suggestionSource.value]);
 
-    return indexIter;
-  };
+    const handleSuggestionSelect = (selectIndex?: number) => {
+      const selectedSuggestion =
+        suggestions[typeof selectIndex !== "undefined" ? selectIndex : highlightedIndex];
+      if (!selectedSuggestion) {
+        return;
+      }
 
-  const handleKeyUp = (e: React.KeyboardEvent<HTMLTextAreaElement>) => {
-    // open suggestions if current position is to the right of an unclosed secret reference
-    const indexIter = getIndexOfUnclosedRefToTheLeft(currentCursorPosition);
-    if (indexIter === -1) {
-      return;
-    }
-
-    setIsSuggestionsOpen(true);
-
-    if (e.key !== "Enter") {
-      // current reference is then going to be based on the text from the closest ${ to the right
-      // until the current cursor position
-      const openReferenceValue = inputValue.slice(indexIter + 2, currentCursorPosition);
-      setCurrentReference(openReferenceValue);
-    }
-  };
-
-  const handleSuggestionSelect = (selectedIndex?: number) => {
-    const selectedSuggestion = listReference[selectedIndex ?? highlightedIndex];
-
-    if (!selectedSuggestion) {
-      return;
-    }
-
-    const leftIndexIter = getIndexOfUnclosedRefToTheLeft(currentCursorPosition);
-    const rightIndexLimit = getIndexOfUnclosedRefToTheRight(currentCursorPosition);
-
-    if (leftIndexIter === -1) {
-      return;
-    }
-
-    let newValue = "";
-    const currentOpenRef = inputValue.slice(leftIndexIter + 2, currentCursorPosition);
-    if (currentOpenRef.includes(".")) {
-      // append suggestion after last DOT (.)
-      const lastDotIndex = currentReference.lastIndexOf(".");
-      const existingPath = currentReference.slice(0, lastDotIndex);
-      const refEndAfterAppending = Math.min(
-        leftIndexIter +
-          3 +
-          existingPath.length +
-          selectedSuggestion.name.length +
-          Number(selectedSuggestion.type !== ReferenceType.SECRET),
-        rightIndexLimit - 1
+      const rightBracketIndex = getIndexOfUnclosedRefToTheRight(value, suggestionSource.left);
+      const isEnclosed = rightBracketIndex !== -1;
+      // <lhsValue>${}<rhsvalue>
+      const lhsValue = value.slice(0, suggestionSource.left);
+      const rhsValue = value.slice(
+        rightBracketIndex !== -1 ? rightBracketIndex + 1 : currentCursorPosition
+      );
+      // mid will be computed value inside the interpolation
+      const mid = suggestionSource.isDeep
+        ? `${suggestionSource.value.slice(0, -suggestionSource.predicate.length || undefined)}${selectedSuggestion.slug
+        }`
+        : selectedSuggestion.slug;
+      // whether we should append . or closing bracket on selecting suggestion
+      const closingSymbol = getClosingSymbol(
+        selectedSuggestion.type === ReferenceType.SECRET,
+        isEnclosed
       );
 
-      newValue = `${inputValue.slice(0, leftIndexIter + 2)}${existingPath}.${
-        selectedSuggestion.name
-      }${selectedSuggestion.type !== ReferenceType.SECRET ? "." : "}"}${inputValue.slice(
-        refEndAfterAppending
-      )}`;
-      const openReferenceValue = newValue.slice(leftIndexIter + 2, refEndAfterAppending);
-      setCurrentReference(openReferenceValue);
+      const newValue = `${lhsValue}${mid}${closingSymbol}${rhsValue}`;
+      onChange?.(newValue);
+      // this delay is for cursor adjustment
+      // cannot do this without a delay because what happens in onChange gets propogated after the cursor change
+      // Thus the cursor goes last to avoid that we put a slight delay on cursor change to make it happen later
+      const delay = setTimeout(() => {
+        clearTimeout(delay);
+        if (inputRef.current)
+          inputRef.current.selectionEnd =
+            lhsValue.length +
+            mid.length +
+            closingSymbol.length +
+            (isEnclosed && selectedSuggestion.type === ReferenceType.SECRET ? 1 : 0); // if secret is selected the cursor should move after the closing bracket -> }
+      }, 10);
+      setHighlightedIndex(-1); // reset highlight
+    };
 
-      // add 1 in order to prevent referenceOpen from being triggered by handleKeyUp
-      setCurrentCursorPosition(refEndAfterAppending + 1);
-    } else {
-      // append selectedSuggestion at position after unclosed ${
-      const refEndAfterAppending = Math.min(
-        selectedSuggestion.name.length +
-          leftIndexIter +
-          2 +
-          Number(selectedSuggestion.type !== ReferenceType.SECRET),
-        rightIndexLimit - 1
-      );
+    const handleKeyDown = (e: React.KeyboardEvent<HTMLTextAreaElement>) => {
+      // key operation should trigger only when popup is open
+      if (isPopupOpen) {
+        if (e.key === "ArrowDown" || (e.key === "Tab" && !e.shiftKey)) {
+          setHighlightedIndex((prevIndex) => {
+            const pos = mod(prevIndex + 1, suggestions.length);
+            popoverContentRef.current?.children?.[pos]?.scrollIntoView({
+              block: "nearest",
+              behavior: "smooth"
+            });
+            return pos;
+          });
+        } else if (e.key === "ArrowUp" || (e.key === "Tab" && e.shiftKey)) {
+          setHighlightedIndex((prevIndex) => {
+            const pos = mod(prevIndex - 1, suggestions.length);
+            popoverContentRef.current?.children?.[pos]?.scrollIntoView({
+              block: "nearest",
+              behavior: "smooth"
+            });
+            return pos;
+          });
+        } else if (e.key === "Enter" && highlightedIndex >= 0) {
+          e.preventDefault();
+          handleSuggestionSelect();
+        }
+        if (["ArrowDown", "ArrowUp", "Tab"].includes(e.key)) {
+          e.preventDefault();
+        }
+      }
+    };
 
-      newValue = `${inputValue.slice(0, leftIndexIter + 2)}${selectedSuggestion.name}${
-        selectedSuggestion.type !== ReferenceType.SECRET ? "." : "}"
-      }${inputValue.slice(refEndAfterAppending)}`;
+    const handlePopUpOpen = () => {
+      setHighlightedIndex(-1);
+    };
 
-      const openReferenceValue = newValue.slice(leftIndexIter + 2, refEndAfterAppending);
-      setCurrentReference(openReferenceValue);
-      setCurrentCursorPosition(refEndAfterAppending);
-    }
+    // to handle multiple ref for single component
+    const handleRef = useCallback((el: HTMLTextAreaElement) => {
+      // @ts-expect-error this is for multiple ref single component
+      inputRef.current = el;
+      if (ref) {
+        if (typeof ref === "function") {
+          ref(el);
+        } else {
+          // eslint-disable-next-line
+          ref.current = el;
+        }
+      }
+    }, []);
 
-    onChange?.({ target: { value: newValue } } as any);
-    setInputValue(newValue);
-    setHighlightedIndex(-1);
-    setIsSuggestionsOpen(false);
-  };
+    return (
+      <Popover.Root open={isPopupOpen} onOpenChange={handlePopUpOpen}>
+        <Popover.Trigger asChild>
+          <SecretInput
+            {...props}
+            ref={handleRef}
+            onKeyDown={handleKeyDown}
+            value={value}
+            onFocus={() => setIsFocused.on()}
+            onBlur={(evt) => {
+              // should not on blur when its mouse down selecting a item from suggestion
+              if (!(evt.relatedTarget?.getAttribute("aria-label") === "suggestion-item"))
+                setIsFocused.off();
+            }}
+            onChange={(e) => onChange?.(e.target.value)}
+            containerClassName={containerClassName}
+          />
+        </Popover.Trigger>
+        <Popover.Content
+          align="start"
+          onOpenAutoFocus={(e) => e.preventDefault()}
+          className="relative top-2 z-[100] max-h-64 overflow-auto rounded-md border border-mineshaft-600 bg-mineshaft-900 font-inter text-bunker-100 shadow-md"
+          style={{
+            width: "var(--radix-popover-trigger-width)"
+          }}
+        >
+          <div
+            className="max-w-60 h-full w-full flex-col items-center justify-center rounded-md text-white"
+            ref={popoverContentRef}
+          >
+            {suggestions.map((item, i) => {
+              let entryIcon;
+              if (item.type === ReferenceType.SECRET) {
+                entryIcon = faKey;
+              } else if (item.type === ReferenceType.ENVIRONMENT) {
+                entryIcon = faCircle;
+              } else {
+                entryIcon = faFolder;
+              }
 
-  const handleKeyDown = (e: React.KeyboardEvent<HTMLTextAreaElement>) => {
-    const mod = (n: number, m: number) => ((n % m) + m) % m;
-    if (e.key === "ArrowDown") {
-      setHighlightedIndex((prevIndex) => mod(prevIndex + 1, listReference.length));
-    } else if (e.key === "ArrowUp") {
-      setHighlightedIndex((prevIndex) => mod(prevIndex - 1, listReference.length));
-    } else if (e.key === "Enter" && highlightedIndex >= 0) {
-      handleSuggestionSelect();
-    }
-
-    if (["ArrowDown", "ArrowUp", "Enter"].includes(e.key) && isPopupOpen) {
-      e.preventDefault();
-    }
-  };
-
-  const setIsOpen = (isOpen: boolean) => {
-    setHighlightedIndex(-1);
-
-    if (isSuggestionsOpen) {
-      setIsSuggestionsOpen(isOpen);
-    }
-  };
-
-  const handleSecretChange = (e: any) => {
-    // propagate event to react-hook-form onChange
-    if (onChange) {
-      onChange(e);
-    }
-
-    setCurrentCursorPosition(inputRef.current?.selectionStart || 0);
-    setInputValue(e.target.value);
-  };
-
-  return (
-    <Popover.Root open={isPopupOpen} onOpenChange={setIsOpen}>
-      <Popover.Trigger asChild>
-        <SecretInput
-          {...props}
-          ref={inputRef}
-          onKeyDown={handleKeyDown}
-          onKeyUp={handleKeyUp}
-          value={inputValue}
-          onChange={handleSecretChange}
-          containerClassName={containerClassName}
-        />
-      </Popover.Trigger>
-      <Popover.Content
-        align="start"
-        onOpenAutoFocus={(e) => e.preventDefault()}
-        className={twMerge(
-          "relative top-2 z-[100] overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 font-inter text-bunker-100 shadow-md"
-        )}
-        style={{
-          width: "var(--radix-popover-trigger-width)",
-          maxHeight: "var(--radix-select-content-available-height)"
-        }}
-      >
-        <div className="max-w-60 h-full w-full flex-col items-center justify-center rounded-md text-white">
-          {listReference.map((item, i) => {
-            let entryIcon;
-            if (item.type === ReferenceType.SECRET) {
-              entryIcon = faKey;
-            } else if (item.type === ReferenceType.ENVIRONMENT) {
-              entryIcon = faCircle;
-            } else {
-              entryIcon = faFolder;
-            }
-
-            return (
-              <div
-                tabIndex={0}
-                role="button"
-                onMouseDown={(e) => {
-                  e.preventDefault();
-                  setHighlightedIndex(i);
-                  handleSuggestionSelect(i);
-                }}
-                style={{ pointerEvents: "auto" }}
-                className="flex items-center justify-between border-mineshaft-600 text-left"
-                key={`secret-reference-secret-${i + 1}`}
-              >
+              return (
                 <div
-                  className={`${
-                    highlightedIndex === i ? "bg-gray-600" : ""
-                  } text-md relative mb-0.5 flex w-full cursor-pointer select-none items-center justify-between rounded-md px-2 py-2 outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-500`}
+                  tabIndex={0}
+                  role="button"
+                  onKeyDown={(e) => {
+                    if (e.key === "Enter") handleSuggestionSelect(i);
+                  }}
+                  aria-label="suggestion-item"
+                  onClick={(e) => {
+                    inputRef.current?.focus();
+                    e.preventDefault();
+                    e.stopPropagation();
+                    handleSuggestionSelect(i);
+                  }}
+                  onMouseEnter={() => setHighlightedIndex(i)}
+                  style={{ pointerEvents: "auto" }}
+                  className="flex items-center justify-between border-mineshaft-600 text-left"
+                  key={`secret-reference-secret-${i + 1}`}
                 >
-                  <div className="flex w-full gap-2">
-                    <div className="flex items-center text-yellow-700">
-                      <FontAwesomeIcon
-                        icon={entryIcon}
-                        size={item.type === ReferenceType.ENVIRONMENT ? "xs" : "1x"}
-                      />
+                  <div
+                    className={`${highlightedIndex === i ? "bg-gray-600" : ""
+                      } text-md relative mb-0.5 flex w-full cursor-pointer select-none items-center justify-between rounded-md px-2 py-2 outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-500`}
+                  >
+                    <div className="flex w-full gap-2">
+                      <div className="flex items-center text-yellow-700">
+                        <FontAwesomeIcon
+                          icon={entryIcon}
+                          size={item.type === ReferenceType.ENVIRONMENT ? "xs" : "1x"}
+                        />
+                      </div>
+                      <div className="text-md w-10/12 truncate text-left">{item.label}</div>
                     </div>
-                    <div className="text-md w-10/12 truncate text-left">{item.name}</div>
                   </div>
                 </div>
-              </div>
-            );
-          })}
-        </div>
-      </Popover.Content>
-    </Popover.Root>
-  );
-};
+              );
+            })}
+          </div>
+        </Popover.Content>
+      </Popover.Root>
+    );
+  }
+);
 
 InfisicalSecretInput.displayName = "InfisicalSecretInput";

frontend/src/components/v2/NoticeBanner/NoticeBanner.tsx

@@ -0,0 +1,26 @@
+import { ReactNode } from "react";
+import { faWarning, IconDefinition } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
+
+type Props = {
+	icon?: IconDefinition;
+	title: string;
+	children: ReactNode;
+	className?: string;
+};
+
+export const NoticeBanner = ({ icon = faWarning, title, children, className }: Props) => (
+	<div
+		className={twMerge(
+			"flex w-full flex-row items-center rounded-md border border-primary-600/70 bg-primary/[.07] p-4 text-base text-white",
+			className
+		)}
+	>
+		<FontAwesomeIcon icon={icon} className="pr-6 text-4xl text-white/80" />
+		<div className="flex w-full flex-col text-sm">
+			<div className="mb-2 text-lg font-semibold">{title}</div>
+			<div>{children}</div>
+		</div>
+	</div>
+);

frontend/src/components/v2/NoticeBanner/index.tsx

@@ -0,0 +1 @@
+export { NoticeBanner } from "./NoticeBanner";

frontend/src/components/v2/SecretInput/SecretInput.tsx

@@ -41,7 +41,7 @@ const syntaxHighlight = (content?: string | null, isVisible?: boolean, isImport?
 
   // akhilmhdh: Dont remove this br. I am still clueless how this works but weirdly enough
   // when break is added a line break works properly
-  return formattedContent.concat(<br />);
+  return formattedContent.concat(<br key={`secret-value-${formattedContent.length + 1}`} />);
 };
 
 type Props = TextareaHTMLAttributes<HTMLTextAreaElement> & {
@@ -90,7 +90,10 @@ export const SecretInput = forwardRef<HTMLTextAreaElement, Props>(
             aria-label="secret value"
             ref={ref}
             className={`absolute inset-0 block h-full resize-none overflow-hidden bg-transparent text-transparent no-scrollbar focus:border-0 ${commonClassName}`}
-            onFocus={() => setIsSecretFocused.on()}
+            onFocus={(evt) => {
+              onFocus?.(evt);
+              setIsSecretFocused.on();
+            }}
             disabled={isDisabled}
             spellCheck={false}
             onBlur={(evt) => {

frontend/src/components/v2/index.tsx

@@ -10,12 +10,14 @@ export * from "./Drawer";
 export * from "./Dropdown";
 export * from "./EmailServiceSetupModal";
 export * from "./EmptyState";
+export * from "./FontAwesomeSymbol";
 export * from "./FormControl";
 export * from "./HoverCardv2";
 export * from "./IconButton";
 export * from "./Input";
 export * from "./Menu";
 export * from "./Modal";
+export * from "./NoticeBanner";
 export * from "./Pagination";
 export * from "./Popoverv2";
 export * from "./SecretInput";

frontend/src/hooks/api/admin/types.ts

@@ -5,6 +5,7 @@ export type TServerConfig = {
   isMigrationModeOn?: boolean;
   trustSamlEmails: boolean;
   trustLdapEmails: boolean;
+  isSecretScanningDisabled: boolean;
 };
 
 export type TCreateAdminUserDTO = {

frontend/src/hooks/api/identities/constants.tsx

@@ -2,5 +2,5 @@ import { IdentityAuthMethod } from "./enums";
 
 export const identityAuthToNameMap: { [I in IdentityAuthMethod]: string } = {
   [IdentityAuthMethod.UNIVERSAL_AUTH]: "Universal Auth",
-  [IdentityAuthMethod.AWS_IAM_AUTH]: "AWS IAM Auth"
+  [IdentityAuthMethod.AWS_AUTH]: "AWS Auth"
 };

frontend/src/hooks/api/identities/enums.tsx

@@ -1,4 +1,4 @@
 export enum IdentityAuthMethod {
   UNIVERSAL_AUTH = "universal-auth",
-  AWS_IAM_AUTH = "aws-iam-auth"
+  AWS_AUTH = "aws-auth"
 }

frontend/src/hooks/api/identities/index.tsx

@@ -1,16 +1,18 @@
 export { identityAuthToNameMap } from "./constants";
 export { IdentityAuthMethod } from "./enums";
 export {
-  useAddIdentityAwsIamAuth,
+  useAddIdentityAwsAuth,
   useAddIdentityUniversalAuth,
   useCreateIdentity,
   useCreateIdentityUniversalAuthClientSecret,
   useDeleteIdentity,
   useRevokeIdentityUniversalAuthClientSecret,
   useUpdateIdentity,
-  useUpdateIdentityAwsIamAuth,
-  useUpdateIdentityUniversalAuth} from "./mutations";
+  useUpdateIdentityAwsAuth,
+  useUpdateIdentityUniversalAuth
+} from "./mutations";
 export {
-  useGetIdentityAwsIamAuth,
+  useGetIdentityAwsAuth,
   useGetIdentityUniversalAuth,
-  useGetIdentityUniversalAuthClientSecrets} from "./queries";
+  useGetIdentityUniversalAuthClientSecrets
+} from "./queries";

frontend/src/hooks/api/identities/mutations.tsx

@@ -5,7 +5,7 @@ import { apiRequest } from "@app/config/request";
 import { organizationKeys } from "../organization/queries";
 import { identitiesKeys } from "./queries";
 import {
-  AddIdentityAwsIamAuthDTO,
+  AddIdentityAwsAuthDTO,
   AddIdentityUniversalAuthDTO,
   ClientSecretData,
   CreateIdentityDTO,
@@ -14,11 +14,12 @@ import {
   DeleteIdentityDTO,
   DeleteIdentityUniversalAuthClientSecretDTO,
   Identity,
-  IdentityAwsIamAuth,
+  IdentityAwsAuth,
   IdentityUniversalAuth,
-  UpdateIdentityAwsIamAuthDTO,
+  UpdateIdentityAwsAuthDTO,
   UpdateIdentityDTO,
-  UpdateIdentityUniversalAuthDTO} from "./types";
+  UpdateIdentityUniversalAuthDTO
+} from "./types";
 
 export const useCreateIdentity = () => {
   const queryClient = useQueryClient();
@@ -172,9 +173,9 @@ export const useRevokeIdentityUniversalAuthClientSecret = () => {
   });
 };
 
-export const useAddIdentityAwsIamAuth = () => {
+export const useAddIdentityAwsAuth = () => {
   const queryClient = useQueryClient();
-  return useMutation<IdentityAwsIamAuth, {}, AddIdentityAwsIamAuthDTO>({
+  return useMutation<IdentityAwsAuth, {}, AddIdentityAwsAuthDTO>({
     mutationFn: async ({
       identityId,
       stsEndpoint,
@@ -186,9 +187,9 @@ export const useAddIdentityAwsIamAuth = () => {
       accessTokenTrustedIps
     }) => {
       const {
-        data: { identityAwsIamAuth }
-      } = await apiRequest.post<{ identityAwsIamAuth: IdentityAwsIamAuth }>(
-        `/api/v1/auth/aws-iam-auth/identities/${identityId}`,
+        data: { identityAwsAuth }
+      } = await apiRequest.post<{ identityAwsAuth: IdentityAwsAuth }>(
+        `/api/v1/auth/aws-auth/identities/${identityId}`,
         {
           stsEndpoint,
           allowedPrincipalArns,
@@ -200,7 +201,7 @@ export const useAddIdentityAwsIamAuth = () => {
         }
       );
 
-      return identityAwsIamAuth;
+      return identityAwsAuth;
     },
     onSuccess: (_, { organizationId }) => {
       queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));
@@ -208,9 +209,9 @@ export const useAddIdentityAwsIamAuth = () => {
   });
 };
 
-export const useUpdateIdentityAwsIamAuth = () => {
+export const useUpdateIdentityAwsAuth = () => {
   const queryClient = useQueryClient();
-  return useMutation<IdentityAwsIamAuth, {}, UpdateIdentityAwsIamAuthDTO>({
+  return useMutation<IdentityAwsAuth, {}, UpdateIdentityAwsAuthDTO>({
     mutationFn: async ({
       identityId,
       stsEndpoint,
@@ -222,9 +223,9 @@ export const useUpdateIdentityAwsIamAuth = () => {
       accessTokenTrustedIps
     }) => {
       const {
-        data: { identityAwsIamAuth }
-      } = await apiRequest.patch<{ identityAwsIamAuth: IdentityAwsIamAuth }>(
-        `/api/v1/auth/aws-iam-auth/identities/${identityId}`,
+        data: { identityAwsAuth }
+      } = await apiRequest.patch<{ identityAwsAuth: IdentityAwsAuth }>(
+        `/api/v1/auth/aws-auth/identities/${identityId}`,
         {
           stsEndpoint,
           allowedPrincipalArns,
@@ -235,7 +236,7 @@ export const useUpdateIdentityAwsIamAuth = () => {
           accessTokenTrustedIps
         }
       );
-      return identityAwsIamAuth;
+      return identityAwsAuth;
     },
     onSuccess: (_, { organizationId }) => {
       queryClient.invalidateQueries(organizationKeys.getOrgIdentityMemberships(organizationId));

frontend/src/hooks/api/identities/queries.tsx

@@ -2,14 +2,14 @@ import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
-import { ClientSecretData, IdentityAwsIamAuth,IdentityUniversalAuth } from "./types";
+import { ClientSecretData, IdentityAwsAuth, IdentityUniversalAuth } from "./types";
 
 export const identitiesKeys = {
   getIdentityUniversalAuth: (identityId: string) =>
     [{ identityId }, "identity-universal-auth"] as const,
   getIdentityUniversalAuthClientSecrets: (identityId: string) =>
     [{ identityId }, "identity-universal-auth-client-secrets"] as const,
-  getIdentityAwsIamAuth: (identityId: string) => [{ identityId }, "identity-aws-iam-auth"] as const
+  getIdentityAwsAuth: (identityId: string) => [{ identityId }, "identity-aws-auth"] as const
 };
 
 export const useGetIdentityUniversalAuth = (identityId: string) => {
@@ -42,17 +42,17 @@ export const useGetIdentityUniversalAuthClientSecrets = (identityId: string) =>
   });
 };
 
-export const useGetIdentityAwsIamAuth = (identityId: string) => {
+export const useGetIdentityAwsAuth = (identityId: string) => {
   return useQuery({
     enabled: Boolean(identityId),
-    queryKey: identitiesKeys.getIdentityAwsIamAuth(identityId),
+    queryKey: identitiesKeys.getIdentityAwsAuth(identityId),
     queryFn: async () => {
       const {
-        data: { identityAwsIamAuth }
-      } = await apiRequest.get<{ identityAwsIamAuth: IdentityAwsIamAuth }>(
-        `/api/v1/auth/aws-iam-auth/identities/${identityId}`
+        data: { identityAwsAuth }
+      } = await apiRequest.get<{ identityAwsAuth: IdentityAwsAuth }>(
+        `/api/v1/auth/aws-auth/identities/${identityId}`
       );
-      return identityAwsIamAuth;
+      return identityAwsAuth;
     }
   });
 };

frontend/src/hooks/api/identities/types.ts

@@ -113,8 +113,9 @@ export type UpdateIdentityUniversalAuthDTO = {
   }[];
 };
 
-export type IdentityAwsIamAuth = {
+export type IdentityAwsAuth = {
   identityId: string;
+  type: "iam";
   stsEndpoint: string;
   allowedPrincipalArns: string;
   allowedAccountIds: string;
@@ -124,7 +125,7 @@ export type IdentityAwsIamAuth = {
   accessTokenTrustedIps: IdentityTrustedIp[];
 };
 
-export type AddIdentityAwsIamAuthDTO = {
+export type AddIdentityAwsAuthDTO = {
   organizationId: string;
   identityId: string;
   stsEndpoint: string;
@@ -138,7 +139,7 @@ export type AddIdentityAwsIamAuthDTO = {
   }[];
 };
 
-export type UpdateIdentityAwsIamAuthDTO = {
+export type UpdateIdentityAwsAuthDTO = {
   organizationId: string;
   identityId: string;
   stsEndpoint?: string;

frontend/src/hooks/api/integrations/queries.tsx

@@ -68,6 +68,7 @@ export const useCreateIntegration = () => {
           value: string;
         }[];
         kmsKeyId?: string;
+        shouldDisableDelete?: boolean;
       };
     }) => {
       const {

frontend/src/hooks/api/secretFolders/queries.tsx

@@ -16,6 +16,7 @@ import {
   TGetFoldersByEnvDTO,
   TGetProjectFoldersDTO,
   TSecretFolder,
+  TUpdateFolderBatchDTO,
   TUpdateFolderDTO
 } from "./types";
 
@@ -190,3 +191,43 @@ export const useDeleteFolder = () => {
     }
   });
 };
+
+export const useUpdateFolderBatch = () => {
+  const queryClient = useQueryClient();
+
+  return useMutation<{}, {}, TUpdateFolderBatchDTO>({
+    mutationFn: async ({ projectSlug, folders }) => {
+      const { data } = await apiRequest.patch("/api/v1/folders/batch", {
+        projectSlug,
+        folders
+      });
+
+      return data;
+    },
+    onSuccess: (_, { projectId, folders }) => {
+      folders.forEach((folder) => {
+        queryClient.invalidateQueries(
+          folderQueryKeys.getSecretFolders({
+            projectId,
+            environment: folder.environment,
+            path: folder.path
+          })
+        );
+        queryClient.invalidateQueries(
+          secretSnapshotKeys.list({
+            workspaceId: projectId,
+            environment: folder.environment,
+            directory: folder.path
+          })
+        );
+        queryClient.invalidateQueries(
+          secretSnapshotKeys.count({
+            workspaceId: projectId,
+            environment: folder.environment,
+            directory: folder.path
+          })
+        );
+      });
+    }
+  });
+};

frontend/src/hooks/api/secretFolders/types.ts

@@ -36,3 +36,14 @@ export type TDeleteFolderDTO = {
   folderId: string;
   path?: string;
 };
+
+export type TUpdateFolderBatchDTO = {
+  projectId: string;
+  projectSlug: string;
+  folders: {
+    name: string;
+    environment: string;
+    id: string;
+    path?: string;
+  }[];
+};

frontend/src/pages/integrations/aws-parameter-store/create.tsx

@@ -89,6 +89,7 @@ export default function AWSParameterStoreCreateIntegrationPage() {
 
   const [isLoading, setIsLoading] = useState(false);
   const [shouldTag, setShouldTag] = useState(false);
+  const [shouldDisableDelete, setShouldDisableDelete] = useState(false);
   const [tagKey, setTagKey] = useState("");
   const [tagValue, setTagValue] = useState("");
   const [kmsKeyId, setKmsKeyId] = useState("");
@@ -144,7 +145,8 @@ export default function AWSParameterStoreCreateIntegrationPage() {
                 ]
               }
             : {}),
-          ...(kmsKeyId && { kmsKeyId })
+          ...(kmsKeyId && { kmsKeyId }),
+          ...(shouldDisableDelete && { shouldDisableDelete })
         }
       });
 
@@ -273,6 +275,15 @@ export default function AWSParameterStoreCreateIntegrationPage() {
               exit={{ opacity: 0, translateX: 30 }}
             >
               <div className="mt-2 ml-1">
+                <Switch
+                  id="delete-aws"
+                  onCheckedChange={() => setShouldDisableDelete(!shouldDisableDelete)}
+                  isChecked={shouldDisableDelete}
+                >
+                  Disable deleting secrets in AWS Parameter Store
+                </Switch>
+              </div>
+              <div className="mt-4 ml-1">
                 <Switch
                   id="tag-aws"
                   onCheckedChange={() => setShouldTag(!shouldTag)}

frontend/src/pages/org/[id]/overview/index.tsx

@@ -21,9 +21,7 @@ import {
   faNetworkWired,
   faPlug,
   faPlus,
-  faUserPlus,
-  faWarning,
-  faXmark
+  faUserPlus
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { yupResolver } from "@hookform/resolvers/yup";
@@ -56,7 +54,6 @@ import {
   fetchOrgUsers,
   useAddUserToWsNonE2EE,
   useCreateWorkspace,
-  useGetUserAction,
   useRegisterUserAction
 } from "@app/hooks/api";
 // import { fetchUserWsKey } from "@app/hooks/api/keys/queries";
@@ -312,9 +309,8 @@ const LearningItem = ({
         href={link}
       >
         <div
-          className={`${
-            complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
-          } mb-3 rounded-md`}
+          className={`${complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
+            } mb-3 rounded-md`}
         >
           <div
             onKeyDown={() => null}
@@ -325,11 +321,10 @@ const LearningItem = ({
                 await registerUserAction.mutateAsync(userAction);
               }
             }}
-            className={`group relative flex h-[5.5rem] w-full items-center justify-between overflow-hidden rounded-md border ${
-              complete
+            className={`group relative flex h-[5.5rem] w-full items-center justify-between overflow-hidden rounded-md border ${complete
                 ? "cursor-default border-mineshaft-900 bg-gradient-to-r from-[#0e1f01] to-mineshaft-700"
                 : "cursor-pointer border-mineshaft-600 bg-mineshaft-800 shadow-xl hover:bg-mineshaft-700"
-            } text-mineshaft-100 duration-200`}
+              } text-mineshaft-100 duration-200`}
           >
             <div className="mr-4 flex flex-row items-center">
               <FontAwesomeIcon icon={icon} className="mx-2 w-16 text-4xl" />
@@ -407,9 +402,8 @@ const LearningItemSquare = ({
       href={link}
     >
       <div
-        className={`${
-          complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
-        } w-full rounded-md`}
+        className={`${complete ? "bg-gradient-to-r from-primary-500/70 p-[0.07rem]" : ""
+          } w-full rounded-md`}
       >
         <div
           onKeyDown={() => null}
@@ -420,11 +414,10 @@ const LearningItemSquare = ({
               await registerUserAction.mutateAsync(userAction);
             }
           }}
-          className={`group relative flex w-full items-center justify-between overflow-hidden rounded-md border ${
-            complete
+          className={`group relative flex w-full items-center justify-between overflow-hidden rounded-md border ${complete
               ? "cursor-default border-mineshaft-900 bg-gradient-to-r from-[#0e1f01] to-mineshaft-700"
               : "cursor-pointer border-mineshaft-600 bg-mineshaft-800 shadow-xl hover:bg-mineshaft-700"
-          } text-mineshaft-100 duration-200`}
+            } text-mineshaft-100 duration-200`}
         >
           <div className="flex w-full flex-col items-center px-6 py-4">
             <div className="flex w-full flex-row items-start justify-between">
@@ -438,9 +431,8 @@ const LearningItemSquare = ({
                 </div>
               )}
               <div
-                className={`text-right text-sm font-normal text-mineshaft-300 ${
-                  complete ? "font-semibold text-primary" : ""
-                }`}
+                className={`text-right text-sm font-normal text-mineshaft-300 ${complete ? "font-semibold text-primary" : ""
+                  }`}
               >
                 {complete ? "Complete!" : `About ${time}`}
               </div>
@@ -480,14 +472,8 @@ const OrganizationPage = withPermission(
     const { currentOrg } = useOrganization();
     const routerOrgId = String(router.query.id);
     const orgWorkspaces = workspaces?.filter((workspace) => workspace.orgId === routerOrgId) || [];
-    
-    const addUsersToProject = useAddUserToWsNonE2EE();
 
-    const { data: updateClosed } = useGetUserAction("april_13_2024_db_update_closed");
-    const registerUserAction = useRegisterUserAction();
-    const closeUpdate = async () => {
-      await registerUserAction.mutateAsync("april_13_2024_db_update_closed");
-    };
+    const addUsersToProject = useAddUserToWsNonE2EE();
 
     const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
       "addNewWs",
@@ -594,31 +580,6 @@ const OrganizationPage = withPermission(
           </div>
         )}
         <div className="mb-4 flex flex-col items-start justify-start px-6 py-6 pb-0 text-3xl">
-        {(window.location.origin.includes("https://app.infisical.com") || window.location.origin.includes("http://localhost:8080")) && (
-        <div
-            className={`${
-              !updateClosed ? "block" : "hidden"
-            } mb-4 flex w-full flex-row items-center rounded-md border border-primary-600 bg-primary/10 p-2 text-base text-white`}
-          >
-            <FontAwesomeIcon icon={faWarning} className="p-6 text-4xl text-primary" />
-            <div className="text-sm">
-              <span className="text-lg font-semibold">Scheduled maintenance on May 11th 2024 </span>{" "}
-              <br />
-              Infisical will undergo scheduled maintenance for approximately 2 hour on Saturday, May 11th, 11am EST. During these hours, read
-              operations to Infisical will continue to function normally but no resources will be editable. 
-              No action is required on your end — your applications will continue to fetch secrets.
-              <br />
-            </div>
-            <button
-              type="button"
-              onClick={() => closeUpdate()}
-              aria-label="close"
-              className="flex h-full items-start text-mineshaft-100 duration-200 hover:text-red-400"
-            >
-              <FontAwesomeIcon icon={faXmark} />
-            </button>
-          </div>)}
-          
           <p className="mr-4 font-semibold text-white">Projects</p>
           <div className="mt-6 flex w-full flex-row">
             <Input
@@ -748,95 +709,94 @@ const OrganizationPage = withPermission(
           new Date().getTime() - new Date(user?.createdAt).getTime() <
           30 * 24 * 60 * 60 * 1000
         ) && (
-          <div className="mb-4 flex flex-col items-start justify-start px-6 pb-0 text-3xl">
-            <p className="mr-4 mb-4 font-semibold text-white">Onboarding Guide</p>
-            <div className="mb-3 grid w-full grid-cols-1 gap-3 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
-              <LearningItemSquare
-                text="Watch Infisical demo"
-                subText="Set up Infisical in 3 min."
-                complete={hasUserClickedIntro}
-                icon={faHandPeace}
-                time="3 min"
-                userAction="intro_cta_clicked"
-                link="https://www.youtube.com/watch?v=PK23097-25I"
-              />
-              {orgWorkspaces.length !== 0 && (
-                <>
-                  <LearningItemSquare
-                    text="Add your secrets"
-                    subText="Drop a .env file or type your secrets."
-                    complete={hasUserPushedSecrets}
-                    icon={faPlus}
-                    time="1 min"
-                    userAction="first_time_secrets_pushed"
-                    link={`/project/${orgWorkspaces[0]?.id}/secrets/overview`}
-                  />
-                  <LearningItemSquare
-                    text="Invite your teammates"
-                    subText="Infisical is better used as a team."
-                    complete={usersInOrg}
-                    icon={faUserPlus}
-                    time="2 min"
-                    link={`/org/${router.query.id}/members?action=invite`}
-                  />
-                </>
-              )}
-              <div className="block xl:hidden 2xl:block">
+            <div className="mb-4 flex flex-col items-start justify-start px-6 pb-0 text-3xl">
+              <p className="mr-4 mb-4 font-semibold text-white">Onboarding Guide</p>
+              <div className="mb-3 grid w-full grid-cols-1 gap-3 lg:grid-cols-2 xl:grid-cols-3 2xl:grid-cols-4">
                 <LearningItemSquare
-                  text="Join Infisical Slack"
-                  subText="Have any questions? Ask us!"
-                  complete={hasUserClickedSlack}
-                  icon={faSlack}
-                  time="1 min"
-                  userAction="slack_cta_clicked"
-                  link="https://infisical.com/slack"
+                  text="Watch Infisical demo"
+                  subText="Set up Infisical in 3 min."
+                  complete={hasUserClickedIntro}
+                  icon={faHandPeace}
+                  time="3 min"
+                  userAction="intro_cta_clicked"
+                  link="https://www.youtube.com/watch?v=PK23097-25I"
                 />
+                {orgWorkspaces.length !== 0 && (
+                  <>
+                    <LearningItemSquare
+                      text="Add your secrets"
+                      subText="Drop a .env file or type your secrets."
+                      complete={hasUserPushedSecrets}
+                      icon={faPlus}
+                      time="1 min"
+                      userAction="first_time_secrets_pushed"
+                      link={`/project/${orgWorkspaces[0]?.id}/secrets/overview`}
+                    />
+                    <LearningItemSquare
+                      text="Invite your teammates"
+                      subText="Infisical is better used as a team."
+                      complete={usersInOrg}
+                      icon={faUserPlus}
+                      time="2 min"
+                      link={`/org/${router.query.id}/members?action=invite`}
+                    />
+                  </>
+                )}
+                <div className="block xl:hidden 2xl:block">
+                  <LearningItemSquare
+                    text="Join Infisical Slack"
+                    subText="Have any questions? Ask us!"
+                    complete={hasUserClickedSlack}
+                    icon={faSlack}
+                    time="1 min"
+                    userAction="slack_cta_clicked"
+                    link="https://infisical.com/slack"
+                  />
+                </div>
               </div>
-            </div>
-            {orgWorkspaces.length !== 0 && (
-              <div className="group relative mb-3 flex h-full w-full cursor-default flex-col items-center justify-between overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-800 pl-2 pr-2 pt-4 pb-2 text-mineshaft-100 shadow-xl duration-200">
-                <div className="mb-4 flex w-full flex-row items-center pr-4">
-                  <div className="mr-4 flex w-full flex-row items-center">
-                    <FontAwesomeIcon icon={faNetworkWired} className="mx-2 w-16 text-4xl" />
-                    {false && (
-                      <div className="absolute left-12 top-10 flex h-7 w-7 items-center justify-center rounded-full bg-bunker-500 p-2 group-hover:bg-mineshaft-700">
-                        <FontAwesomeIcon
-                          icon={faCheckCircle}
-                          className="h-5 w-5 text-4xl text-green"
-                        />
-                      </div>
-                    )}
-                    <div className="flex flex-col items-start pl-0.5">
-                      <div className="mt-0.5 text-xl font-semibold">Inject secrets locally</div>
-                      <div className="text-sm font-normal">
-                        Replace .env files with a more secure and efficient alternative.
+              {orgWorkspaces.length !== 0 && (
+                <div className="group relative mb-3 flex h-full w-full cursor-default flex-col items-center justify-between overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-800 pl-2 pr-2 pt-4 pb-2 text-mineshaft-100 shadow-xl duration-200">
+                  <div className="mb-4 flex w-full flex-row items-center pr-4">
+                    <div className="mr-4 flex w-full flex-row items-center">
+                      <FontAwesomeIcon icon={faNetworkWired} className="mx-2 w-16 text-4xl" />
+                      {false && (
+                        <div className="absolute left-12 top-10 flex h-7 w-7 items-center justify-center rounded-full bg-bunker-500 p-2 group-hover:bg-mineshaft-700">
+                          <FontAwesomeIcon
+                            icon={faCheckCircle}
+                            className="h-5 w-5 text-4xl text-green"
+                          />
+                        </div>
+                      )}
+                      <div className="flex flex-col items-start pl-0.5">
+                        <div className="mt-0.5 text-xl font-semibold">Inject secrets locally</div>
+                        <div className="text-sm font-normal">
+                          Replace .env files with a more secure and efficient alternative.
+                        </div>
                       </div>
                     </div>
+                    <div
+                      className={`w-28 pr-4 text-right text-sm font-semibold ${false && "text-green"
+                        }`}
+                    >
+                      About 2 min
+                    </div>
                   </div>
-                  <div
-                    className={`w-28 pr-4 text-right text-sm font-semibold ${
-                      false && "text-green"
-                    }`}
-                  >
-                    About 2 min
-                  </div>
+                  <TabsObject />
+                  {false && <div className="absolute bottom-0 left-0 h-1 w-full bg-green" />}
                 </div>
-                <TabsObject />
-                {false && <div className="absolute bottom-0 left-0 h-1 w-full bg-green" />}
-              </div>
-            )}
-            {orgWorkspaces.length !== 0 && (
-              <LearningItem
-                text="Integrate Infisical with your infrastructure"
-                subText="Connect Infisical to various 3rd party services and platforms."
-                complete={false}
-                icon={faPlug}
-                time="15 min"
-                link="https://infisical.com/docs/integrations/overview"
-              />
-            )}
-          </div>
-        )}
+              )}
+              {orgWorkspaces.length !== 0 && (
+                <LearningItem
+                  text="Integrate Infisical with your infrastructure"
+                  subText="Connect Infisical to various 3rd party services and platforms."
+                  complete={false}
+                  icon={faPlug}
+                  time="15 min"
+                  link="https://infisical.com/docs/integrations/overview"
+                />
+              )}
+            </div>
+          )}
         <Modal
           isOpen={popUp.addNewWs.isOpen}
           onOpenChange={(isModalOpen) => {

frontend/src/pages/org/[id]/secret-scanning/index.tsx

@@ -3,8 +3,8 @@ import Head from "next/head";
 import { useRouter } from "next/router";
 
 import { OrgPermissionCan } from "@app/components/permissions";
-import { Button } from "@app/components/v2";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context";
+import { Button, NoticeBanner } from "@app/components/v2";
+import { OrgPermissionActions, OrgPermissionSubjects, useServerConfig } from "@app/context";
 import { withPermission } from "@app/hoc";
 import { SecretScanningLogsTable } from "@app/views/SecretScanning/components";
 
@@ -17,6 +17,7 @@ const SecretScanning = withPermission(
     const router = useRouter();
     const queryParams = router.query;
     const [integrationEnabled, setIntegrationStatus] = useState(false);
+    const { config } = useServerConfig();
 
     useEffect(() => {
       const linkInstallation = async () => {
@@ -69,6 +70,11 @@ const SecretScanning = withPermission(
             <div className="mb-6 text-lg text-mineshaft-300">
               Automatically monitor your GitHub activity and prevent secret leaks
             </div>
+            {config.isSecretScanningDisabled && (
+              <NoticeBanner title="Secret scanning is in maintenance" className="mb-4">
+                We are working on improving the performance of secret scanning due to increased usage.
+              </NoticeBanner>
+            )}
             <div className="relative mb-6 flex justify-between rounded-md border border-mineshaft-600 bg-mineshaft-800 p-6">
               <div className="flex flex-col items-start">
                 <div className="mb-1 flex flex-row">
@@ -110,7 +116,7 @@ const SecretScanning = withPermission(
                         colorSchema="primary"
                         onClick={generateNewIntegrationSession}
                         className="h-min py-2"
-                        isDisabled={!isAllowed}
+                        isDisabled={!isAllowed || config.isSecretScanningDisabled}
                       >
                         Integrate with GitHub
                       </Button>

frontend/src/styles/globals.css

@@ -45,6 +45,14 @@ html {
     width: 1%;
     white-space: nowrap;
   }
+
+  .w-inherit {
+    width: inherit;
+  }
+
+  .h-inherit {
+    height: inherit;
+  }
 }
 
 @layer components {

frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAuthMethodModal.tsx

@@ -14,7 +14,7 @@ import {
 import { IdentityAuthMethod } from "@app/hooks/api/identities";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
-import { IdentityAwsIamAuthForm } from "./IdentityAwsIamAuthForm";
+import { IdentityAwsAuthForm } from "./IdentityAwsAuthForm";
 import { IdentityUniversalAuthForm } from "./IdentityUniversalAuthForm";
 
 type Props = {
@@ -28,7 +28,7 @@ type Props = {
 
 const identityAuthMethods = [
   { label: "Universal Auth", value: IdentityAuthMethod.UNIVERSAL_AUTH },
-  { label: "AWS IAM Auth", value: IdentityAuthMethod.AWS_IAM_AUTH }
+  { label: "AWS Auth", value: IdentityAuthMethod.AWS_AUTH }
 ];
 
 const schema = yup
@@ -66,9 +66,9 @@ export const IdentityAuthMethodModal = ({ popUp, handlePopUpOpen, handlePopUpTog
 
   const renderIdentityAuthForm = () => {
     switch (identityAuthMethodData?.authMethod ?? authMethod) {
-      case IdentityAuthMethod.AWS_IAM_AUTH: {
+      case IdentityAuthMethod.AWS_AUTH: {
         return (
-          <IdentityAwsIamAuthForm
+          <IdentityAwsAuthForm
             handlePopUpOpen={handlePopUpOpen}
             handlePopUpToggle={handlePopUpToggle}
             identityAuthMethodData={identityAuthMethodData}

frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentityAwsAuthForm.tsx

@@ -9,9 +9,9 @@ import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, IconButton, Input } from "@app/components/v2";
 import { useOrganization, useSubscription } from "@app/context";
 import {
-  useAddIdentityAwsIamAuth,
-  useGetIdentityAwsIamAuth,
-  useUpdateIdentityAwsIamAuth
+  useAddIdentityAwsAuth,
+  useGetIdentityAwsAuth,
+  useUpdateIdentityAwsAuth
 } from "@app/hooks/api";
 import { IdentityAuthMethod } from "@app/hooks/api/identities";
 import { IdentityTrustedIp } from "@app/hooks/api/identities/types";
@@ -52,7 +52,7 @@ type Props = {
   };
 };
 
-export const IdentityAwsIamAuthForm = ({
+export const IdentityAwsAuthForm = ({
   handlePopUpOpen,
   handlePopUpToggle,
   identityAuthMethodData
@@ -61,10 +61,10 @@ export const IdentityAwsIamAuthForm = ({
   const orgId = currentOrg?.id || "";
   const { subscription } = useSubscription();
 
-  const { mutateAsync: addMutateAsync } = useAddIdentityAwsIamAuth();
-  const { mutateAsync: updateMutateAsync } = useUpdateIdentityAwsIamAuth();
+  const { mutateAsync: addMutateAsync } = useAddIdentityAwsAuth();
+  const { mutateAsync: updateMutateAsync } = useUpdateIdentityAwsAuth();
 
-  const { data } = useGetIdentityAwsIamAuth(identityAuthMethodData?.identityId ?? "");
+  const { data } = useGetIdentityAwsAuth(identityAuthMethodData?.identityId ?? "");
 
   const {
     control,

frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx

@@ -8,6 +8,7 @@ import {
   DropdownMenuItem,
   DropdownMenuLabel,
   DropdownMenuTrigger,
+  FontAwesomeSymbol,
   FormControl,
   IconButton,
   Input,
@@ -19,6 +20,7 @@ import {
   TextArea,
   Tooltip
 } from "@app/components/v2";
+import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import {
   ProjectPermissionActions,
   ProjectPermissionSub,
@@ -29,20 +31,6 @@ import { useToggle } from "@app/hooks";
 import { DecryptedSecret } from "@app/hooks/api/secrets/types";
 import { WsTag } from "@app/hooks/api/types";
 import { subject } from "@casl/ability";
-import { faCheckCircle } from "@fortawesome/free-regular-svg-icons";
-import {
-  faCheck,
-  faClock,
-  faClose,
-  faCodeBranch,
-  faComment,
-  faCopy,
-  faEllipsis,
-  faKey,
-  faTag,
-  faTags
-} from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { AnimatePresence, motion } from "framer-motion";
 import { memo, useEffect } from "react";
@@ -50,7 +38,12 @@ import { Controller, useFieldArray, useForm } from "react-hook-form";
 import { twMerge } from "tailwind-merge";
 
 import { CreateReminderForm } from "./CreateReminderForm";
-import { formSchema, SecretActionType, TFormSchema } from "./SecretListView.utils";
+import {
+  FontAwesomeSpriteName,
+  formSchema,
+  SecretActionType,
+  TFormSchema
+} from "./SecretListView.utils";
 
 type Props = {
   secret: DecryptedSecret;
@@ -206,7 +199,6 @@ export const SecretItem = memo(
             }
           }}
         />
-
         <form onSubmit={handleSubmit(handleFormSubmit)}>
           <div
             className={twMerge(
@@ -227,9 +219,12 @@ export const SecretItem = memo(
                   onCheckedChange={() => onToggleSecretSelect(secret.id)}
                   className={twMerge("ml-3 hidden group-hover:flex", isSelected && "flex")}
                 />
-                <FontAwesomeIcon
-                  icon={faKey}
-                  className={twMerge("ml-3 block group-hover:hidden", isSelected && "hidden")}
+                <FontAwesomeSymbol
+                  className={twMerge(
+                    "ml-3 block h-3.5 w-3.5 group-hover:hidden",
+                    isSelected && "hidden"
+                  )}
+                  symbolName={FontAwesomeSpriteName.SecretKey}
                 />
               </div>
               <div className="flex h-11 w-80 flex-shrink-0 items-center px-4 py-2">
@@ -278,10 +273,12 @@ export const SecretItem = memo(
                     key="secret-value"
                     control={control}
                     render={({ field }) => (
-                      <SecretInput
+                      <InfisicalSecretInput
                         isReadOnly={isReadOnly}
                         key="secret-value"
                         isVisible={isVisible}
+                        environment={environment}
+                        secretPath={secretPath}
                         {...field}
                         containerClassName="py-1.5 rounded-md transition-all group-hover:mr-2"
                       />
@@ -297,7 +294,14 @@ export const SecretItem = memo(
                       className="w-0 overflow-hidden p-0 group-hover:mr-2 group-hover:w-5"
                       onClick={copyTokenToClipboard}
                     >
-                      <FontAwesomeIcon icon={isSecValueCopied ? faCheck : faCopy} />
+                      <FontAwesomeSymbol
+                        className="h-3.5 w-3"
+                        symbolName={
+                          isSecValueCopied
+                            ? FontAwesomeSpriteName.Check
+                            : FontAwesomeSpriteName.ClipboardCopy
+                        }
+                      />
                     </IconButton>
                   </Tooltip>
                   <DropdownMenu>
@@ -318,7 +322,10 @@ export const SecretItem = memo(
                             isDisabled={!isAllowed}
                           >
                             <Tooltip content="Tags">
-                              <FontAwesomeIcon icon={faTags} />
+                              <FontAwesomeSymbol
+                                className="h-3.5 w-3.5"
+                                symbolName={FontAwesomeSpriteName.Tags}
+                              />
                             </Tooltip>
                           </IconButton>
                         </DropdownMenuTrigger>
@@ -334,7 +341,14 @@ export const SecretItem = memo(
                           <DropdownMenuItem
                             onClick={() => handleTagSelect(tag)}
                             key={`${secret.id}-${tagId}`}
-                            icon={isTagSelected && <FontAwesomeIcon icon={faCheckCircle} />}
+                            icon={
+                              isTagSelected && (
+                                <FontAwesomeSymbol
+                                  symbolName={FontAwesomeSpriteName.CheckedCircle}
+                                  className="h-3 w-3"
+                                />
+                              )
+                            }
                             iconPos="right"
                           >
                             <div className="flex items-center">
@@ -353,7 +367,12 @@ export const SecretItem = memo(
                           className="w-full"
                           colorSchema="primary"
                           variant="outline_bg"
-                          leftIcon={<FontAwesomeIcon icon={faTag} />}
+                          leftIcon={
+                            <FontAwesomeSymbol
+                              symbolName={FontAwesomeSpriteName.Tags}
+                              className="h-3 w-3"
+                            />
+                          }
                           onClick={onCreateTag}
                         >
                           Create a tag
@@ -379,7 +398,10 @@ export const SecretItem = memo(
                           isOverriden && "w-5 text-primary"
                         )}
                       >
-                        <FontAwesomeIcon icon={faCodeBranch} />
+                        <FontAwesomeSymbol
+                          symbolName={FontAwesomeSpriteName.Override}
+                          className="h-3.5 w-3.5"
+                        />
                       </IconButton>
                     )}
                   </ProjectPermissionCan>
@@ -393,6 +415,7 @@ export const SecretItem = memo(
                       variant="plain"
                       size="md"
                       ariaLabel="add-reminder"
+                      onClick={() => setCreateReminderFormOpen.on()}
                     >
                       <Tooltip
                         content={
@@ -404,9 +427,9 @@ export const SecretItem = memo(
                             : "Reminder"
                         }
                       >
-                        <FontAwesomeIcon
-                          onClick={() => setCreateReminderFormOpen.on()}
-                          icon={faClock}
+                        <FontAwesomeSymbol
+                          className="h-3.5 w-3.5"
+                          symbolName={FontAwesomeSpriteName.Clock}
                         />
                       </Tooltip>
                     </IconButton>
@@ -430,7 +453,10 @@ export const SecretItem = memo(
                             isDisabled={!isAllowed}
                           >
                             <Tooltip content="Comment">
-                              <FontAwesomeIcon icon={faComment} />
+                              <FontAwesomeSymbol
+                                className="h-3.5 w-3.5"
+                                symbolName={FontAwesomeSpriteName.Comment}
+                              />
                             </Tooltip>
                           </IconButton>
                         </PopoverTrigger>
@@ -466,10 +492,13 @@ export const SecretItem = memo(
                         ariaLabel="more"
                         variant="plain"
                         size="md"
-                        className="p-0 opacity-0 group-hover:opacity-100"
+                        className="p-0 opacity-0 group-hover:opacity-100 h-5 w-4"
                         onClick={() => onDetailViewSecret(secret)}
                       >
-                        <FontAwesomeIcon icon={faEllipsis} size="lg" />
+                        <FontAwesomeSymbol
+                          symbolName={FontAwesomeSpriteName.More}
+                          className="h-5 w-4"
+                        />
                       </IconButton>
                     </Tooltip>
                     <ProjectPermissionCan
@@ -488,7 +517,10 @@ export const SecretItem = memo(
                           onClick={() => onDeleteSecret(secret)}
                           isDisabled={!isAllowed}
                         >
-                          <FontAwesomeIcon icon={faClose} size="lg" />
+                          <FontAwesomeSymbol
+                            symbolName={FontAwesomeSpriteName.Close}
+                            className="h-5 w-4"
+                          />
                         </IconButton>
                       )}
                     </ProjectPermissionCan>
@@ -516,10 +548,12 @@ export const SecretItem = memo(
                         {isSubmitting ? (
                           <Spinner className="m-0 h-4 w-4 p-0" />
                         ) : (
-                          <FontAwesomeIcon
-                            icon={faCheck}
-                            size="lg"
-                            className={twMerge("text-primary", errors.key && "text-mineshaft-300")}
+                          <FontAwesomeSymbol
+                            symbolName={FontAwesomeSpriteName.Check}
+                            className={twMerge(
+                              "h-4 w-4 text-primary",
+                              errors.key && "text-mineshaft-300"
+                            )}
                           />
                         )}
                       </IconButton>
@@ -536,7 +570,10 @@ export const SecretItem = memo(
                         onClick={() => reset()}
                         isDisabled={isSubmitting}
                       >
-                        <FontAwesomeIcon icon={faClose} size="lg" />
+                        <FontAwesomeSymbol
+                          symbolName={FontAwesomeSpriteName.Close}
+                          className="h-4 w-4 text-primary"
+                        />
                       </IconButton>
                     </Tooltip>
                   </motion.div>

frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.tsx

@@ -1,4 +1,5 @@
 import { useCallback } from "react";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { useQueryClient } from "@tanstack/react-query";
 import { twMerge } from "tailwind-merge";
 
@@ -17,6 +18,7 @@ import { useSelectedSecretActions, useSelectedSecrets } from "../../SecretMainPa
 import { Filter, GroupBy, SortDir } from "../../SecretMainPage.types";
 import { SecretDetailSidebar } from "./SecretDetaiSidebar";
 import { SecretItem } from "./SecretItem";
+import { FontAwesomeSpriteSymbols } from "./SecretListView.utils";
 
 type Props = {
   secrets?: DecryptedSecret[];
@@ -89,7 +91,6 @@ export const SecretListView = ({
   isVisible,
   isProtectedBranch = false
 }: Props) => {
-  
   const queryClient = useQueryClient();
   const { popUp, handlePopUpToggle, handlePopUpOpen, handlePopUpClose } = usePopUp([
     "deleteSecret",
@@ -341,6 +342,13 @@ export const SecretListView = ({
               >
                 {namespace}
               </div>
+              {FontAwesomeSpriteSymbols.map(({ icon, symbol }) => (
+                <FontAwesomeIcon
+                  icon={icon}
+                  symbol={symbol}
+                  key={`font-awesome-svg-spritie-${symbol}`}
+                />
+              ))}
               {filteredSecrets.map((secret) => (
                 <SecretItem
                   environment={environment}

frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.utils.ts

@@ -1,4 +1,16 @@
 /* eslint-disable no-nested-ternary */
+import { faCheckCircle } from "@fortawesome/free-regular-svg-icons";
+import {
+  faCheck,
+  faClock,
+  faClose,
+  faCodeBranch,
+  faComment,
+  faCopy,
+  faEllipsis,
+  faKey,
+  faTags
+} from "@fortawesome/free-solid-svg-icons";
 import { z } from "zod";
 
 export enum SecretActionType {
@@ -41,3 +53,31 @@ export const formSchema = z.object({
 });
 
 export type TFormSchema = z.infer<typeof formSchema>;
+
+export enum FontAwesomeSpriteName {
+  SecretKey = "secret-key",
+  Check = "check",
+  ClipboardCopy = "clipboard-copy",
+  Tags = "secret-tags",
+  Clock = "reminder-clock",
+  Comment = "comment",
+  More = "more",
+  Override = "secret-override",
+  Close = "close",
+  CheckedCircle = "check-circle"
+}
+
+// this is an optimization technique
+// https://docs.fontawesome.com/web/add-icons/svg-symbols
+export const FontAwesomeSpriteSymbols = [
+  { icon: faKey, symbol: FontAwesomeSpriteName.SecretKey },
+  { icon: faCheck, symbol: FontAwesomeSpriteName.Check },
+  { icon: faCopy, symbol: FontAwesomeSpriteName.ClipboardCopy },
+  { icon: faTags, symbol: FontAwesomeSpriteName.Tags },
+  { icon: faClock, symbol: FontAwesomeSpriteName.Clock },
+  { icon: faComment, symbol: FontAwesomeSpriteName.Comment },
+  { icon: faEllipsis, symbol: FontAwesomeSpriteName.More },
+  { icon: faCodeBranch, symbol: FontAwesomeSpriteName.Override },
+  { icon: faClose, symbol: FontAwesomeSpriteName.Close },
+  { icon: faCheckCircle, symbol: FontAwesomeSpriteName.CheckedCircle }
+];

frontend/src/views/SecretOverviewPage/SecretOverviewPage.tsx

@@ -47,6 +47,7 @@ import {
   ProjectPermissionActions,
   ProjectPermissionSub,
   useOrganization,
+  useProjectPermission,
   useWorkspace
 } from "@app/context";
 import { usePopUp } from "@app/hooks";
@@ -61,6 +62,9 @@ import {
   useGetUserWsKey,
   useUpdateSecretV3
 } from "@app/hooks/api";
+import { useUpdateFolderBatch } from "@app/hooks/api/secretFolders/queries";
+import { TUpdateFolderBatchDTO } from "@app/hooks/api/secretFolders/types";
+import { TSecretFolder } from "@app/hooks/api/types";
 import { ProjectVersion } from "@app/hooks/api/workspace/types";
 
 import { FolderForm } from "../SecretMainPage/components/ActionBar/FolderForm";
@@ -87,6 +91,7 @@ export const SecretOverviewPage = () => {
   const parentTableRef = useRef<HTMLTableElement>(null);
   const [expandableTableWidth, setExpandableTableWidth] = useState(0);
   const [sortDir, setSortDir] = useState<"asc" | "desc">("asc");
+  const { permission } = useProjectPermission();
 
   useEffect(() => {
     if (parentTableRef.current) {
@@ -201,11 +206,13 @@ export const SecretOverviewPage = () => {
   const { mutateAsync: updateSecretV3 } = useUpdateSecretV3();
   const { mutateAsync: deleteSecretV3 } = useDeleteSecretV3();
   const { mutateAsync: createFolder } = useCreateFolder();
+  const { mutateAsync: updateFolderBatch } = useUpdateFolderBatch();
 
   const { handlePopUpOpen, handlePopUpToggle, handlePopUpClose, popUp } = usePopUp([
     "addSecretsInAllEnvs",
     "addFolder",
-    "misc"
+    "misc",
+    "updateFolder"
   ] as const);
 
   const handleFolderCreate = async (folderName: string) => {
@@ -236,6 +243,59 @@ export const SecretOverviewPage = () => {
     }
   };
 
+  const handleFolderUpdate = async (newFolderName: string) => {
+    const { name: oldFolderName } = popUp.updateFolder.data as TSecretFolder;
+
+    const updatedFolders: TUpdateFolderBatchDTO["folders"] = [];
+    userAvailableEnvs.forEach((env) => {
+      if (
+        permission.can(
+          ProjectPermissionActions.Edit,
+          subject(ProjectPermissionSub.Secrets, { environment: env.slug, secretPath })
+        )
+      ) {
+        const folder = getFolderByNameAndEnv(oldFolderName, env.slug);
+        if (folder) {
+          updatedFolders.push({
+            environment: env.slug,
+            name: newFolderName,
+            id: folder.id,
+            path: secretPath
+          });
+        }
+      }
+    });
+
+    if (updatedFolders.length === 0) {
+      createNotification({
+        type: "info",
+        text: "You don't have access to rename selected folder"
+      });
+
+      handlePopUpClose("updateFolder");
+      return;
+    }
+
+    try {
+      await updateFolderBatch({
+        projectSlug,
+        folders: updatedFolders,
+        projectId: workspaceId
+      });
+      createNotification({
+        type: "success",
+        text: "Successfully renamed folder across environments"
+      });
+    } catch (err) {
+      createNotification({
+        type: "error",
+        text: "Failed to rename folder across environments"
+      });
+    } finally {
+      handlePopUpClose("updateFolder");
+    }
+  };
+
   const handleSecretCreate = async (env: string, key: string, value: string) => {
     try {
       // create folder if not existing
@@ -726,6 +786,9 @@ export const SecretOverviewPage = () => {
                       environments={visibleEnvs}
                       key={`overview-${folderName}-${index + 1}`}
                       onClick={handleFolderClick}
+                      onToggleFolderEdit={(name: string) =>
+                        handlePopUpOpen("updateFolder", { name })
+                      }
                     />
                   ))}
                 {!isTableLoading &&
@@ -800,6 +863,18 @@ export const SecretOverviewPage = () => {
           <FolderForm onCreateFolder={handleFolderCreate} />
         </ModalContent>
       </Modal>
+      <Modal
+        isOpen={popUp.updateFolder.isOpen}
+        onOpenChange={(isOpen) => handlePopUpToggle("updateFolder", isOpen)}
+      >
+        <ModalContent title="Edit Folder Name">
+          <FolderForm
+            isEdit
+            defaultFolderName={(popUp.updateFolder?.data as Pick<TSecretFolder, "name">)?.name}
+            onUpdateFolder={handleFolderUpdate}
+          />
+        </ModalContent>
+      </Modal>
     </>
   );
 };

frontend/src/views/SecretOverviewPage/components/SecretOverviewFolderRow/SecretOverviewFolderRow.tsx

@@ -1,8 +1,8 @@
-import { faCheck, faFolder, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { faCheck, faFolder, faPencil, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { twMerge } from "tailwind-merge";
 
-import { Checkbox, Td, Tr } from "@app/components/v2";
+import { Checkbox, IconButton, Td, Tr } from "@app/components/v2";
 
 type Props = {
   folderName: string;
@@ -11,6 +11,7 @@ type Props = {
   onClick: (path: string) => void;
   isSelected: boolean;
   onToggleFolderSelect: (folderName: string) => void;
+  onToggleFolderEdit: (name: string) => void;
 };
 
 export const SecretOverviewFolderRow = ({
@@ -19,6 +20,7 @@ export const SecretOverviewFolderRow = ({
   isFolderPresentInEnv,
   isSelected,
   onToggleFolderSelect,
+  onToggleFolderEdit,
   onClick
 }: Props) => {
   return (
@@ -43,6 +45,18 @@ export const SecretOverviewFolderRow = ({
             />
           </div>
           <div>{folderName}</div>
+          <IconButton
+            ariaLabel="edit-folder"
+            variant="plain"
+            size="sm"
+            className="p-0 opacity-0 group-hover:opacity-100"
+            onClick={(e) => {
+              onToggleFolderEdit(folderName);
+              e.stopPropagation();
+            }}
+          >
+            <FontAwesomeIcon icon={faPencil} size="sm" />
+          </IconButton>
         </div>
       </Td>
       {environments.map(({ slug }, i) => {

pg-migrator/.gitignore

@@ -1 +0,0 @@
-db

pg-migrator/package.json

@@ -1,33 +0,0 @@
-{
-  "name": "pg-migrator",
-  "version": "1.0.0",
-  "description": "",
-  "main": "index.js",
-  "scripts": {
-    "migration": "tsx src/index.ts",
-    "rollback": "tsx src/rollback.ts",
-    "migrate:audit-log": "tsx src/audit-log-migrator.ts"
-  },
-  "author": "",
-  "license": "ISC",
-  "devDependencies": {
-    "@types/node": "^20.11.0",
-    "@types/prompt-sync": "^4.2.3",
-    "@types/uuid": "^9.0.7",
-    "tsx": "^4.7.0",
-    "typescript": "^5.3.3"
-  },
-  "dependencies": {
-    "@casl/ability": "^6.5.0",
-    "@sindresorhus/slugify": "^2.2.1",
-    "dotenv": "^16.3.1",
-    "knex": "^3.1.0",
-    "level": "^8.0.0",
-    "mongoose": "^8.0.4",
-    "nanoid": "^5.0.4",
-    "pg": "^8.11.3",
-    "prompt-sync": "^4.2.0",
-    "uuid": "^9.0.1",
-    "zod": "^3.22.4"
-  }
-}

pg-migrator/src/@types/knex.d.ts

@@ -1,451 +0,0 @@
-import { Knex } from "knex";
-
-import {
-  TableName,
-  TApiKeys,
-  TApiKeysInsert,
-  TApiKeysUpdate,
-  TAuditLogs,
-  TAuditLogsInsert,
-  TAuditLogsUpdate,
-  TAuthTokens,
-  TAuthTokenSessions,
-  TAuthTokenSessionsInsert,
-  TAuthTokenSessionsUpdate,
-  TAuthTokensInsert,
-  TAuthTokensUpdate,
-  TBackupPrivateKey,
-  TBackupPrivateKeyInsert,
-  TBackupPrivateKeyUpdate,
-  TGitAppInstallSessions,
-  TGitAppInstallSessionsInsert,
-  TGitAppInstallSessionsUpdate,
-  TGitAppOrg,
-  TGitAppOrgInsert,
-  TGitAppOrgUpdate,
-  TIdentities,
-  TIdentitiesInsert,
-  TIdentitiesUpdate,
-  TIdentityAccessTokens,
-  TIdentityAccessTokensInsert,
-  TIdentityAccessTokensUpdate,
-  TIdentityOrgMemberships,
-  TIdentityOrgMembershipsInsert,
-  TIdentityOrgMembershipsUpdate,
-  TIdentityProjectMemberships,
-  TIdentityProjectMembershipsInsert,
-  TIdentityProjectMembershipsUpdate,
-  TIdentityUaClientSecrets,
-  TIdentityUaClientSecretsInsert,
-  TIdentityUaClientSecretsUpdate,
-  TIdentityUniversalAuths,
-  TIdentityUniversalAuthsInsert,
-  TIdentityUniversalAuthsUpdate,
-  TIncidentContacts,
-  TIncidentContactsInsert,
-  TIncidentContactsUpdate,
-  TIntegrationAuths,
-  TIntegrationAuthsInsert,
-  TIntegrationAuthsUpdate,
-  TIntegrations,
-  TIntegrationsInsert,
-  TIntegrationsUpdate,
-  TOrganizations,
-  TOrganizationsInsert,
-  TOrganizationsUpdate,
-  TOrgBots,
-  TOrgBotsInsert,
-  TOrgBotsUpdate,
-  TOrgMemberships,
-  TOrgMembershipsInsert,
-  TOrgMembershipsUpdate,
-  TOrgRoles,
-  TOrgRolesInsert,
-  TOrgRolesUpdate,
-  TProjectBots,
-  TProjectBotsInsert,
-  TProjectBotsUpdate,
-  TProjectEnvironments,
-  TProjectEnvironmentsInsert,
-  TProjectEnvironmentsUpdate,
-  TProjectKeys,
-  TProjectKeysInsert,
-  TProjectKeysUpdate,
-  TProjectMemberships,
-  TProjectMembershipsInsert,
-  TProjectMembershipsUpdate,
-  TProjectRoles,
-  TProjectRolesInsert,
-  TProjectRolesUpdate,
-  TProjects,
-  TProjectsInsert,
-  TProjectsUpdate,
-  TSamlConfigs,
-  TSamlConfigsInsert,
-  TSamlConfigsUpdate,
-  TSecretApprovalPolicies,
-  TSecretApprovalPoliciesApprovers,
-  TSecretApprovalPoliciesApproversInsert,
-  TSecretApprovalPoliciesApproversUpdate,
-  TSecretApprovalPoliciesInsert,
-  TSecretApprovalPoliciesUpdate,
-  TSecretApprovalRequests,
-  TSecretApprovalRequestSecretTags,
-  TSecretApprovalRequestSecretTagsInsert,
-  TSecretApprovalRequestSecretTagsUpdate,
-  TSecretApprovalRequestsInsert,
-  TSecretApprovalRequestsReviewers,
-  TSecretApprovalRequestsReviewersInsert,
-  TSecretApprovalRequestsReviewersUpdate,
-  TSecretApprovalRequestsSecrets,
-  TSecretApprovalRequestsSecretsInsert,
-  TSecretApprovalRequestsSecretsUpdate,
-  TSecretApprovalRequestsUpdate,
-  TSecretBlindIndexes,
-  TSecretBlindIndexesInsert,
-  TSecretBlindIndexesUpdate,
-  TSecretFolders,
-  TSecretFoldersInsert,
-  TSecretFoldersUpdate,
-  TSecretFolderVersions,
-  TSecretFolderVersionsInsert,
-  TSecretFolderVersionsUpdate,
-  TSecretImports,
-  TSecretImportsInsert,
-  TSecretImportsUpdate,
-  TSecretRotationOutputs,
-  TSecretRotationOutputsInsert,
-  TSecretRotationOutputsUpdate,
-  TSecretRotations,
-  TSecretRotationsInsert,
-  TSecretRotationsUpdate,
-  TSecrets,
-  TSecretScanningGitRisks,
-  TSecretScanningGitRisksInsert,
-  TSecretScanningGitRisksUpdate,
-  TSecretsInsert,
-  TSecretSnapshotFolders,
-  TSecretSnapshotFoldersInsert,
-  TSecretSnapshotFoldersUpdate,
-  TSecretSnapshots,
-  TSecretSnapshotSecrets,
-  TSecretSnapshotSecretsInsert,
-  TSecretSnapshotSecretsUpdate,
-  TSecretSnapshotsInsert,
-  TSecretSnapshotsUpdate,
-  TSecretsUpdate,
-  TSecretTagJunction,
-  TSecretTagJunctionInsert,
-  TSecretTagJunctionUpdate,
-  TSecretTags,
-  TSecretTagsInsert,
-  TSecretTagsUpdate,
-  TSecretVersions,
-  TSecretVersionsInsert,
-  TSecretVersionsUpdate,
-  TSecretVersionTagJunction,
-  TSecretVersionTagJunctionInsert,
-  TSecretVersionTagJunctionUpdate,
-  TServiceTokens,
-  TServiceTokensInsert,
-  TServiceTokensUpdate,
-  TSuperAdmin,
-  TSuperAdminInsert,
-  TSuperAdminUpdate,
-  TTrustedIps,
-  TTrustedIpsInsert,
-  TTrustedIpsUpdate,
-  TUserActions,
-  TUserActionsInsert,
-  TUserActionsUpdate,
-  TUserEncryptionKeys,
-  TUserEncryptionKeysInsert,
-  TUserEncryptionKeysUpdate,
-  TUsers,
-  TUsersInsert,
-  TUsersUpdate,
-  TWebhooks,
-  TWebhooksInsert,
-  TWebhooksUpdate,
-} from "../schemas";
-
-declare module "knex/types/tables" {
-  interface Tables {
-    [TableName.Users]: Knex.CompositeTableType<
-      TUsers,
-      TUsersInsert,
-      TUsersUpdate
-    >;
-    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
-      TUserEncryptionKeys,
-      TUserEncryptionKeysInsert,
-      TUserEncryptionKeysUpdate
-    >;
-    [TableName.AuthTokens]: Knex.CompositeTableType<
-      TAuthTokens,
-      TAuthTokensInsert,
-      TAuthTokensUpdate
-    >;
-    [TableName.AuthTokenSession]: Knex.CompositeTableType<
-      TAuthTokenSessions,
-      TAuthTokenSessionsInsert,
-      TAuthTokenSessionsUpdate
-    >;
-    [TableName.BackupPrivateKey]: Knex.CompositeTableType<
-      TBackupPrivateKey,
-      TBackupPrivateKeyInsert,
-      TBackupPrivateKeyUpdate
-    >;
-    [TableName.Organization]: Knex.CompositeTableType<
-      TOrganizations,
-      TOrganizationsInsert,
-      TOrganizationsUpdate
-    >;
-    [TableName.OrgMembership]: Knex.CompositeTableType<
-      TOrgMemberships,
-      TOrgMembershipsInsert,
-      TOrgMembershipsUpdate
-    >;
-    [TableName.OrgRoles]: Knex.CompositeTableType<
-      TOrgRoles,
-      TOrgRolesInsert,
-      TOrgRolesUpdate
-    >;
-    [TableName.IncidentContact]: Knex.CompositeTableType<
-      TIncidentContacts,
-      TIncidentContactsInsert,
-      TIncidentContactsUpdate
-    >;
-    [TableName.UserAction]: Knex.CompositeTableType<
-      TUserActions,
-      TUserActionsInsert,
-      TUserActionsUpdate
-    >;
-    [TableName.SuperAdmin]: Knex.CompositeTableType<
-      TSuperAdmin,
-      TSuperAdminInsert,
-      TSuperAdminUpdate
-    >;
-    [TableName.ApiKey]: Knex.CompositeTableType<
-      TApiKeys,
-      TApiKeysInsert,
-      TApiKeysUpdate
-    >;
-    [TableName.Project]: Knex.CompositeTableType<
-      TProjects,
-      TProjectsInsert,
-      TProjectsUpdate
-    >;
-    [TableName.ProjectMembership]: Knex.CompositeTableType<
-      TProjectMemberships,
-      TProjectMembershipsInsert,
-      TProjectMembershipsUpdate
-    >;
-    [TableName.Environment]: Knex.CompositeTableType<
-      TProjectEnvironments,
-      TProjectEnvironmentsInsert,
-      TProjectEnvironmentsUpdate
-    >;
-    [TableName.ProjectBot]: Knex.CompositeTableType<
-      TProjectBots,
-      TProjectBotsInsert,
-      TProjectBotsUpdate
-    >;
-    [TableName.ProjectRoles]: Knex.CompositeTableType<
-      TProjectRoles,
-      TProjectRolesInsert,
-      TProjectRolesUpdate
-    >;
-    [TableName.ProjectKeys]: Knex.CompositeTableType<
-      TProjectKeys,
-      TProjectKeysInsert,
-      TProjectKeysUpdate
-    >;
-    [TableName.Secret]: Knex.CompositeTableType<
-      TSecrets,
-      TSecretsInsert,
-      TSecretsUpdate
-    >;
-    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
-      TSecretBlindIndexes,
-      TSecretBlindIndexesInsert,
-      TSecretBlindIndexesUpdate
-    >;
-    [TableName.SecretVersion]: Knex.CompositeTableType<
-      TSecretVersions,
-      TSecretVersionsInsert,
-      TSecretVersionsUpdate
-    >;
-    [TableName.SecretFolder]: Knex.CompositeTableType<
-      TSecretFolders,
-      TSecretFoldersInsert,
-      TSecretFoldersUpdate
-    >;
-    [TableName.SecretFolderVersion]: Knex.CompositeTableType<
-      TSecretFolderVersions,
-      TSecretFolderVersionsInsert,
-      TSecretFolderVersionsUpdate
-    >;
-    [TableName.SecretTag]: Knex.CompositeTableType<
-      TSecretTags,
-      TSecretTagsInsert,
-      TSecretTagsUpdate
-    >;
-    [TableName.SecretImport]: Knex.CompositeTableType<
-      TSecretImports,
-      TSecretImportsInsert,
-      TSecretImportsUpdate
-    >;
-    [TableName.Integration]: Knex.CompositeTableType<
-      TIntegrations,
-      TIntegrationsInsert,
-      TIntegrationsUpdate
-    >;
-    [TableName.Webhook]: Knex.CompositeTableType<
-      TWebhooks,
-      TWebhooksInsert,
-      TWebhooksUpdate
-    >;
-    [TableName.ServiceToken]: Knex.CompositeTableType<
-      TServiceTokens,
-      TServiceTokensInsert,
-      TServiceTokensUpdate
-    >;
-    [TableName.IntegrationAuth]: Knex.CompositeTableType<
-      TIntegrationAuths,
-      TIntegrationAuthsInsert,
-      TIntegrationAuthsUpdate
-    >;
-    [TableName.Identity]: Knex.CompositeTableType<
-      TIdentities,
-      TIdentitiesInsert,
-      TIdentitiesUpdate
-    >;
-    [TableName.IdentityUniversalAuth]: Knex.CompositeTableType<
-      TIdentityUniversalAuths,
-      TIdentityUniversalAuthsInsert,
-      TIdentityUniversalAuthsUpdate
-    >;
-    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
-      TIdentityUaClientSecrets,
-      TIdentityUaClientSecretsInsert,
-      TIdentityUaClientSecretsUpdate
-    >;
-    [TableName.IdentityAccessToken]: Knex.CompositeTableType<
-      TIdentityAccessTokens,
-      TIdentityAccessTokensInsert,
-      TIdentityAccessTokensUpdate
-    >;
-    [TableName.IdentityOrgMembership]: Knex.CompositeTableType<
-      TIdentityOrgMemberships,
-      TIdentityOrgMembershipsInsert,
-      TIdentityOrgMembershipsUpdate
-    >;
-    [TableName.IdentityProjectMembership]: Knex.CompositeTableType<
-      TIdentityProjectMemberships,
-      TIdentityProjectMembershipsInsert,
-      TIdentityProjectMembershipsUpdate
-    >;
-    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
-      TSecretApprovalPolicies,
-      TSecretApprovalPoliciesInsert,
-      TSecretApprovalPoliciesUpdate
-    >;
-    [TableName.SecretApprovalPolicyApprover]: Knex.CompositeTableType<
-      TSecretApprovalPoliciesApprovers,
-      TSecretApprovalPoliciesApproversInsert,
-      TSecretApprovalPoliciesApproversUpdate
-    >;
-    [TableName.SecretApprovalRequest]: Knex.CompositeTableType<
-      TSecretApprovalRequests,
-      TSecretApprovalRequestsInsert,
-      TSecretApprovalRequestsUpdate
-    >;
-    [TableName.SecretApprovalRequestReviewer]: Knex.CompositeTableType<
-      TSecretApprovalRequestsReviewers,
-      TSecretApprovalRequestsReviewersInsert,
-      TSecretApprovalRequestsReviewersUpdate
-    >;
-    [TableName.SecretApprovalRequestSecret]: Knex.CompositeTableType<
-      TSecretApprovalRequestsSecrets,
-      TSecretApprovalRequestsSecretsInsert,
-      TSecretApprovalRequestsSecretsUpdate
-    >;
-    [TableName.SecretApprovalRequestSecretTag]: Knex.CompositeTableType<
-      TSecretApprovalRequestSecretTags,
-      TSecretApprovalRequestSecretTagsInsert,
-      TSecretApprovalRequestSecretTagsUpdate
-    >;
-    [TableName.SecretRotation]: Knex.CompositeTableType<
-      TSecretRotations,
-      TSecretRotationsInsert,
-      TSecretRotationsUpdate
-    >;
-    [TableName.SecretRotationOutput]: Knex.CompositeTableType<
-      TSecretRotationOutputs,
-      TSecretRotationOutputsInsert,
-      TSecretRotationOutputsUpdate
-    >;
-    [TableName.Snapshot]: Knex.CompositeTableType<
-      TSecretSnapshots,
-      TSecretSnapshotsInsert,
-      TSecretSnapshotsUpdate
-    >;
-    [TableName.SnapshotSecret]: Knex.CompositeTableType<
-      TSecretSnapshotSecrets,
-      TSecretSnapshotSecretsInsert,
-      TSecretSnapshotSecretsUpdate
-    >;
-    [TableName.SnapshotFolder]: Knex.CompositeTableType<
-      TSecretSnapshotFolders,
-      TSecretSnapshotFoldersInsert,
-      TSecretSnapshotFoldersUpdate
-    >;
-    [TableName.SamlConfig]: Knex.CompositeTableType<
-      TSamlConfigs,
-      TSamlConfigsInsert,
-      TSamlConfigsUpdate
-    >;
-    [TableName.OrgBot]: Knex.CompositeTableType<
-      TOrgBots,
-      TOrgBotsInsert,
-      TOrgBotsUpdate
-    >;
-    [TableName.AuditLog]: Knex.CompositeTableType<
-      TAuditLogs,
-      TAuditLogsInsert,
-      TAuditLogsUpdate
-    >;
-    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
-      TGitAppInstallSessions,
-      TGitAppInstallSessionsInsert,
-      TGitAppInstallSessionsUpdate
-    >;
-    [TableName.GitAppOrg]: Knex.CompositeTableType<
-      TGitAppOrg,
-      TGitAppOrgInsert,
-      TGitAppOrgUpdate
-    >;
-    [TableName.SecretScanningGitRisk]: Knex.CompositeTableType<
-      TSecretScanningGitRisks,
-      TSecretScanningGitRisksInsert,
-      TSecretScanningGitRisksUpdate
-    >;
-    [TableName.TrustedIps]: Knex.CompositeTableType<
-      TTrustedIps,
-      TTrustedIpsInsert,
-      TTrustedIpsUpdate
-    >;
-    // Junction tables
-    [TableName.JnSecretTag]: Knex.CompositeTableType<
-      TSecretTagJunction,
-      TSecretTagJunctionInsert,
-      TSecretTagJunctionUpdate
-    >;
-    [TableName.SecretVersionTag]: Knex.CompositeTableType<
-      TSecretVersionTagJunction,
-      TSecretVersionTagJunctionInsert,
-      TSecretVersionTagJunctionUpdate
-    >;
-  }
-}

pg-migrator/src/folder.ts

@@ -1,36 +0,0 @@
-import { TFolderSchema } from "./models";
-
-export const folderBfsTraversal = async (
-  root: TFolderSchema,
-  callback: (
-    data: TFolderSchema & { parentId: string | null },
-  ) => void | Promise<void>,
-) => {
-  const queue = [root];
-  while (queue.length) {
-    const folder = queue.pop() as TFolderSchema & { parentId: null };
-    callback(folder);
-    queue.push(
-      ...folder.children.map((el) => ({
-        ...el,
-        parentId: folder.id,
-      })),
-    );
-  }
-};
-
-export const flattenFolders = (folders: TFolderSchema) => {
-  const flattened: {
-    id: string;
-    parentId: string | null;
-    name: string;
-    version: number;
-  }[] = [];
-  
-  if(!folders) return []
-
-  folderBfsTraversal(folders, ({ name, version, parentId, id }) => {
-    flattened.push({ name, version, parentId, id });
-  });
-  return flattened;
-};

pg-migrator/src/migrations/20231128072457_user.ts

@@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import {
-  createOnUpdateTrigger,
-  createUpdateAtTriggerFunction,
-  dropOnUpdateTrigger,
-  dropUpdatedAtTriggerFunction
-} from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.Users);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.Users, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("email").notNullable();
-      t.specificType("authMethods", "text[]");
-      t.boolean("superAdmin").defaultTo(false);
-      t.string("firstName");
-      t.string("lastName");
-      t.boolean("isAccepted").defaultTo(false);
-      t.boolean("isMfaEnabled").defaultTo(false);
-      t.specificType("mfaMethods", "text[]");
-      t.jsonb("devices");
-      t.timestamps(true, true, true);
-    });
-  }
-  // this is a one time function
-  await createUpdateAtTriggerFunction(knex);
-  await createOnUpdateTrigger(knex, TableName.Users);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Users);
-  await dropOnUpdateTrigger(knex, TableName.Users);
-  await dropUpdatedAtTriggerFunction(knex);
-}

pg-migrator/src/migrations/20231128092347_user-encryption-key.ts

@@ -1,31 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.UserEncryptionKey);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.UserEncryptionKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("clientPublicKey");
-      t.text("serverPrivateKey");
-      t.integer("encryptionVersion").defaultTo(2);
-      t.text("protectedKey");
-      t.text("protectedKeyIV");
-      t.text("protectedKeyTag");
-      t.text("publicKey").notNullable();
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.text("salt").notNullable();
-      t.text("verifier").notNullable();
-      // one to one relationship
-      t.uuid("userId").notNullable().unique();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.UserEncryptionKey);
-}

pg-migrator/src/migrations/20231129072939_auth-token.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.AuthTokens);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.AuthTokens, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("type").notNullable();
-      t.string("phoneNumber");
-      t.string("tokenHash").notNullable();
-      t.integer("triesLeft");
-      t.datetime("expiresAt").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuthTokens);
-}

pg-migrator/src/migrations/20231130072734_auth-token-session.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.AuthTokenSession);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.AuthTokenSession, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("ip").notNullable();
-      t.string("userAgent");
-      t.integer("refreshVersion").notNullable().defaultTo(1);
-      t.integer("accessVersion").notNullable().defaultTo(1);
-      t.datetime("lastUsed").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.AuthTokenSession);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AuthTokenSession);
-  await dropOnUpdateTrigger(knex, TableName.AuthTokenSession);
-}

pg-migrator/src/migrations/20231201151432_backup-key.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesTableExist = await knex.schema.hasTable(TableName.BackupPrivateKey);
-  if (!doesTableExist) {
-    await knex.schema.createTable(TableName.BackupPrivateKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedPrivateKey").notNullable();
-      t.text("iv").notNullable();
-      t.text("tag").notNullable();
-      t.string("algorithm").notNullable();
-      t.string("keyEncoding").notNullable();
-      t.text("salt").notNullable();
-      t.text("verifier").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable().unique();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.BackupPrivateKey);
-}

pg-migrator/src/migrations/20231204092737_organization.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.Organization);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.Organization, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("customerId");
-      t.string("slug").notNullable();
-      // does not need update trigger we will do it manually
-      t.unique("slug");
-      t.timestamps(true, true, true);
-    });
-    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
-      t.uuid("orgId");
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.Organization);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AuthTokens, "orgId")) {
-    await knex.schema.alterTable(TableName.AuthTokens, (t) => {
-      t.dropColumn("orgId");
-    });
-  }
-  await knex.schema.dropTableIfExists(TableName.Organization);
-  await dropOnUpdateTrigger(knex, TableName.Organization);
-}

pg-migrator/src/migrations/20231204092747_org-membership.ts

@@ -1,48 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { OrgMembershipStatus } from "../schemas/models";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isOrgRolePresent = await knex.schema.hasTable(TableName.OrgRoles);
-  if (!isOrgRolePresent) {
-    await knex.schema.createTable(TableName.OrgRoles, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("description");
-      t.string("slug").notNullable();
-      t.jsonb("permissions").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-
-  const isOrgTablePresent = await knex.schema.hasTable(TableName.OrgMembership);
-  if (!isOrgTablePresent) {
-    await knex.schema.createTable(TableName.OrgMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      t.string("status").notNullable().defaultTo(OrgMembershipStatus.Invited);
-      t.string("inviteEmail");
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.OrgMembership);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.OrgMembership);
-  await knex.schema.dropTableIfExists(TableName.OrgRoles);
-  await dropOnUpdateTrigger(knex, TableName.OrgMembership);
-}

pg-migrator/src/migrations/20231205151331_incident-contact.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.IncidentContact);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.IncidentContact, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("email").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.IncidentContact);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IncidentContact);
-  await dropOnUpdateTrigger(knex, TableName.IncidentContact);
-}

pg-migrator/src/migrations/20231207055643_user-action.ts

@@ -1,20 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.UserAction);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.UserAction, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("action").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.UserAction);
-}

pg-migrator/src/migrations/20231207055701_super-admin.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.SuperAdmin, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.boolean("initialized").defaultTo(false);
-      t.boolean("allowSignUp").defaultTo(true);
-      t.timestamps(true, true, true);
-    });
-  }
-  // this is a one time function
-  await createOnUpdateTrigger(knex, TableName.SuperAdmin);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SuperAdmin);
-  await dropOnUpdateTrigger(knex, TableName.SuperAdmin);
-}

pg-migrator/src/migrations/20231207105059_api-key.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  const isTablePresent = await knex.schema.hasTable(TableName.ApiKey);
-  if (!isTablePresent) {
-    await knex.schema.createTable(TableName.ApiKey, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.datetime("lastUsed");
-      t.datetime("expiresAt");
-      t.string("secretHash").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ApiKey);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ApiKey);
-  await dropOnUpdateTrigger(knex, TableName.ApiKey);
-}

pg-migrator/src/migrations/20231212110939_project.ts

@@ -1,62 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Project))) {
-    await knex.schema.createTable(TableName.Project, (t) => {
-      t.string("id", 36).primary().defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.boolean("autoCapitalization").defaultTo(true);
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.unique(["orgId", "slug"]);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Project);
-  // environments
-  if (!(await knex.schema.hasTable(TableName.Environment))) {
-    await knex.schema.createTable(TableName.Environment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.integer("position").notNullable();
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      // this will ensure ever env has its position
-      t.unique(["projectId", "position"], {
-        indexName: "env_pos_composite_uniqe",
-        deferrable: "deferred"
-      });
-      t.timestamps(true, true, true);
-    });
-  }
-  // project key
-  if (!(await knex.schema.hasTable(TableName.ProjectKeys))) {
-    await knex.schema.createTable(TableName.ProjectKeys, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedKey").notNullable();
-      t.text("nonce").notNullable();
-      t.uuid("receiverId").notNullable();
-      t.foreign("receiverId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.uuid("senderId");
-      // if sender is deleted just don't do anything to this record
-      t.foreign("senderId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ProjectKeys);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.Environment);
-  await knex.schema.dropTableIfExists(TableName.ProjectKeys);
-  await knex.schema.dropTableIfExists(TableName.Project);
-  await dropOnUpdateTrigger(knex, TableName.ProjectKeys);
-  await dropOnUpdateTrigger(knex, TableName.Project);
-}

pg-migrator/src/migrations/20231212110946_project-membership.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ProjectRoles))) {
-    await knex.schema.createTable(TableName.ProjectRoles, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("description");
-      t.string("slug").notNullable();
-      t.jsonb("permissions").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ProjectMembership))) {
-    await knex.schema.createTable(TableName.ProjectMembership, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("role").notNullable();
-      // does not need update trigger we will do it manually
-      t.timestamps(true, true, true);
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      // until role is changed/removed the role should not deleted
-      t.uuid("roleId");
-      t.foreign("roleId").references("id").inTable(TableName.ProjectRoles);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.ProjectMembership);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ProjectMembership);
-  await knex.schema.dropTableIfExists(TableName.ProjectRoles);
-  await dropOnUpdateTrigger(knex, TableName.ProjectMembership);
-}

pg-migrator/src/migrations/20231218092441_secret-folder.ts

@@ -1,42 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretFolder))) {
-    await knex.schema.createTable(TableName.SecretFolder, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").defaultTo(1);
-      t.timestamps(true, true, true);
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("parentId");
-      t.foreign("parentId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretFolder);
-
-  if (!(await knex.schema.hasTable(TableName.SecretFolderVersion))) {
-    await knex.schema.createTable(TableName.SecretFolderVersion, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("version").defaultTo(1);
-      t.timestamps(true, true, true);
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("folderId").notNullable();
-      // t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.SecretFolderVersion);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretFolderVersion);
-  await knex.schema.dropTableIfExists(TableName.SecretFolder);
-  await dropOnUpdateTrigger(knex, TableName.SecretFolder);
-  await dropOnUpdateTrigger(knex, TableName.SecretFolderVersion);
-}

pg-migrator/src/migrations/20231218092508_secret-import.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretImport))) {
-    await knex.schema.createTable(TableName.SecretImport, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1);
-      t.string("importPath").notNullable();
-      t.uuid("importEnv").notNullable();
-      t.foreign("importEnv").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.integer("position").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
-      t.unique(["folderId", "position"], {
-        indexName: "import_pos_composite_uniqe",
-        deferrable: "deferred"
-      });
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretImport);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretImport);
-  await dropOnUpdateTrigger(knex, TableName.SecretImport);
-}

pg-migrator/src/migrations/20231218092517_secret-tag.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretTag))) {
-    await knex.schema.createTable(TableName.SecretTag, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.string("slug").notNullable();
-      t.string("color");
-      t.timestamps(true, true, true);
-      t.uuid("createdBy");
-      t.foreign("createdBy").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretTag);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretTag);
-  await dropOnUpdateTrigger(knex, TableName.SecretTag);
-}

pg-migrator/src/migrations/20231218103423_secret.ts

@@ -1,93 +0,0 @@
-import { Knex } from "knex";
-
-import {
-  SecretEncryptionAlgo,
-  SecretKeyEncoding,
-  SecretType,
-  TableName,
-} from "../schemas";
-import {
-  createJunctionTable,
-  createOnUpdateTrigger,
-  dropOnUpdateTrigger,
-} from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretBlindIndex))) {
-    await knex.schema.createTable(TableName.SecretBlindIndex, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.text("encryptedSaltCipherText").notNullable();
-      t.text("saltIV").notNullable();
-      t.text("saltTag").notNullable();
-      t.string("algorithm")
-        .notNullable()
-        .defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.string("projectId").notNullable().unique();
-      t.foreign("projectId")
-        .references("id")
-        .inTable(TableName.Project)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretBlindIndex);
-
-  if (!(await knex.schema.hasTable(TableName.Secret))) {
-    await knex.schema.createTable(TableName.Secret, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("type").notNullable().defaultTo(SecretType.Shared);
-      // t.text("secretKeyHash").notNullable();
-      // t.text("secretValueHash");
-      // t.text("secretCommentHash");
-      // this is required but for backward compatiability we are making it nullable
-      t.text("secretBlindIndex");
-      t.text("secretKeyCiphertext").notNullable();
-      t.text("secretKeyIV").notNullable();
-      t.text("secretKeyTag").notNullable();
-      t.text("secretValueCiphertext").notNullable();
-      t.text("secretValueIV").notNullable(); // symmetric encryption
-      t.text("secretValueTag").notNullable();
-      t.text("secretCommentCiphertext");
-      t.text("secretCommentIV");
-      t.text("secretCommentTag");
-      t.string("secretReminderNote");
-      t.integer("secretReminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.string("algorithm")
-        .notNullable()
-        .defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.jsonb("metadata");
-      t.uuid("userId");
-      t.foreign("userId")
-        .references("id")
-        .inTable(TableName.Users)
-        .onDelete("CASCADE");
-      t.uuid("folderId").notNullable();
-      t.foreign("folderId")
-        .references("id")
-        .inTable(TableName.SecretFolder)
-        .onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.Secret);
-  // many to many relation between tags
-  await createJunctionTable(
-    knex,
-    TableName.JnSecretTag,
-    TableName.Secret,
-    TableName.SecretTag,
-  );
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretBlindIndex);
-  await dropOnUpdateTrigger(knex, TableName.SecretBlindIndex);
-
-  await knex.schema.dropTableIfExists(TableName.JnSecretTag);
-  await knex.schema.dropTableIfExists(TableName.Secret);
-  await dropOnUpdateTrigger(knex, TableName.Secret);
-}

pg-migrator/src/migrations/20231220052508_secret-version.ts

@@ -1,53 +0,0 @@
-import { Knex } from "knex";
-
-import { SecretEncryptionAlgo, SecretKeyEncoding, SecretType, TableName } from "../schemas";
-import { createJunctionTable, createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretVersion))) {
-    await knex.schema.createTable(TableName.SecretVersion, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.integer("version").defaultTo(1).notNullable();
-      t.string("type").notNullable().defaultTo(SecretType.Shared);
-      t.text("secretBlindIndex");
-      t.text("secretKeyCiphertext").notNullable();
-      t.text("secretKeyIV").notNullable();
-      t.text("secretKeyTag").notNullable();
-      t.text("secretValueCiphertext").notNullable();
-      t.text("secretValueIV").notNullable(); // symmetric encryption
-      t.text("secretValueTag").notNullable();
-      t.text("secretCommentCiphertext");
-      t.text("secretCommentIV");
-      t.text("secretCommentTag");
-      t.string("secretReminderNote");
-      t.integer("secretReminderRepeatDays");
-      t.boolean("skipMultilineEncoding").defaultTo(false);
-      t.string("algorithm").notNullable().defaultTo(SecretEncryptionAlgo.AES_256_GCM);
-      t.string("keyEncoding").notNullable().defaultTo(SecretKeyEncoding.UTF8);
-      t.jsonb("metadata");
-      // to avoid orphan rows
-      t.uuid("envId");
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.uuid("secretId").notNullable();
-      t.uuid("folderId").notNullable();
-      // t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("SET NULL");
-      t.uuid("userId");
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.SecretVersion);
-  // many to many relation between tags
-  await createJunctionTable(
-    knex,
-    TableName.SecretVersionTag,
-    TableName.SecretVersion,
-    TableName.SecretTag
-  );
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretVersionTag);
-  await knex.schema.dropTableIfExists(TableName.SecretVersion);
-  await dropOnUpdateTrigger(knex, TableName.SecretVersion);
-}