Addressed PR suggestions

feat(telemetry): improve Posthog org identity logic

backend/src/db/migrations/20250627010508_env-overrides.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
+  if (!hasColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.binary("encryptedEnvOverrides").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("encryptedEnvOverrides");
+    });
+  }
+}

backend/src/db/schemas/super-admin.ts

@@ -34,7 +34,8 @@ export const SuperAdminSchema = z.object({
   encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
-  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional()
+  encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
+  encryptedEnvOverrides: zodBuffer.nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/ee/routes/v1/ldap-router.ts

@@ -17,6 +17,7 @@ import { z } from "zod";
 import { LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
+import { ApiDocsTags, LdapSso } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -132,10 +133,18 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapSso],
+      description: "Get LDAP config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       querystring: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(LdapSso.GET_CONFIG.organizationId)
       }),
       response: {
         200: z.object({
@@ -172,23 +181,32 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapSso],
+      description: "Create LDAP config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       body: z.object({
-        organizationId: z.string().trim(),
-        isActive: z.boolean(),
-        url: z.string().trim(),
-        bindDN: z.string().trim(),
-        bindPass: z.string().trim(),
-        uniqueUserAttribute: z.string().trim().default("uidNumber"),
-        searchBase: z.string().trim(),
-        searchFilter: z.string().trim().default("(uid={{username}})"),
-        groupSearchBase: z.string().trim(),
+        organizationId: z.string().trim().describe(LdapSso.CREATE_CONFIG.organizationId),
+        isActive: z.boolean().describe(LdapSso.CREATE_CONFIG.isActive),
+        url: z.string().trim().describe(LdapSso.CREATE_CONFIG.url),
+        bindDN: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindDN),
+        bindPass: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindPass),
+        uniqueUserAttribute: z.string().trim().default("uidNumber").describe(LdapSso.CREATE_CONFIG.uniqueUserAttribute),
+        searchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.searchBase),
+        searchFilter: z.string().trim().default("(uid={{username}})").describe(LdapSso.CREATE_CONFIG.searchFilter),
+        groupSearchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.groupSearchBase),
         groupSearchFilter: z
           .string()
           .trim()
-          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"),
-        caCert: z.string().trim().default("")
+          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))")
+          .describe(LdapSso.CREATE_CONFIG.groupSearchFilter),
+        caCert: z.string().trim().default("").describe(LdapSso.CREATE_CONFIG.caCert)
       }),
       response: {
         200: SanitizedLdapConfigSchema
@@ -214,23 +232,31 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.LdapSso],
+      description: "Update LDAP config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       body: z
         .object({
-          isActive: z.boolean(),
-          url: z.string().trim(),
-          bindDN: z.string().trim(),
-          bindPass: z.string().trim(),
-          uniqueUserAttribute: z.string().trim(),
-          searchBase: z.string().trim(),
-          searchFilter: z.string().trim(),
-          groupSearchBase: z.string().trim(),
-          groupSearchFilter: z.string().trim(),
-          caCert: z.string().trim()
+          isActive: z.boolean().describe(LdapSso.UPDATE_CONFIG.isActive),
+          url: z.string().trim().describe(LdapSso.UPDATE_CONFIG.url),
+          bindDN: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindDN),
+          bindPass: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindPass),
+          uniqueUserAttribute: z.string().trim().describe(LdapSso.UPDATE_CONFIG.uniqueUserAttribute),
+          searchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchBase),
+          searchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchFilter),
+          groupSearchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchBase),
+          groupSearchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchFilter),
+          caCert: z.string().trim().describe(LdapSso.UPDATE_CONFIG.caCert)
         })
         .partial()
-        .merge(z.object({ organizationId: z.string() })),
+        .merge(z.object({ organizationId: z.string().trim().describe(LdapSso.UPDATE_CONFIG.organizationId) })),
       response: {
         200: SanitizedLdapConfigSchema
       }

backend/src/ee/routes/v1/oidc-router.ts

@@ -13,6 +13,7 @@ import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas";
 import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
+import { ApiDocsTags, OidcSSo } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -153,10 +154,18 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcSso],
+      description: "Get OIDC config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       querystring: z.object({
-        orgSlug: z.string().trim()
+        organizationId: z.string().trim().describe(OidcSSo.GET_CONFIG.organizationId)
       }),
       response: {
         200: SanitizedOidcConfigSchema.pick({
@@ -180,9 +189,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { orgSlug } = req.query;
       const oidc = await server.services.oidc.getOidc({
-        orgSlug,
+        organizationId: req.query.organizationId,
         type: "external",
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -200,8 +208,16 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcSso],
+      description: "Update OIDC config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       body: z
         .object({
           allowedEmailDomains: z
@@ -216,22 +232,26 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                 .split(",")
                 .map((id) => id.trim())
                 .join(", ");
-            }),
-          discoveryURL: z.string().trim(),
-          configurationType: z.nativeEnum(OIDCConfigurationType),
-          issuer: z.string().trim(),
-          authorizationEndpoint: z.string().trim(),
-          jwksUri: z.string().trim(),
-          tokenEndpoint: z.string().trim(),
-          userinfoEndpoint: z.string().trim(),
-          clientId: z.string().trim(),
-          clientSecret: z.string().trim(),
-          isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional(),
-          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
+            })
+            .describe(OidcSSo.UPDATE_CONFIG.allowedEmailDomains),
+          discoveryURL: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.discoveryURL),
+          configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.UPDATE_CONFIG.configurationType),
+          issuer: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.issuer),
+          authorizationEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.authorizationEndpoint),
+          jwksUri: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.jwksUri),
+          tokenEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.tokenEndpoint),
+          userinfoEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.userinfoEndpoint),
+          clientId: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientId),
+          clientSecret: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientSecret),
+          isActive: z.boolean().describe(OidcSSo.UPDATE_CONFIG.isActive),
+          manageGroupMemberships: z.boolean().optional().describe(OidcSSo.UPDATE_CONFIG.manageGroupMemberships),
+          jwtSignatureAlgorithm: z
+            .nativeEnum(OIDCJWTSignatureAlgorithm)
+            .optional()
+            .describe(OidcSSo.UPDATE_CONFIG.jwtSignatureAlgorithm)
         })
         .partial()
-        .merge(z.object({ orgSlug: z.string() })),
+        .merge(z.object({ organizationId: z.string().describe(OidcSSo.UPDATE_CONFIG.organizationId) })),
       response: {
         200: SanitizedOidcConfigSchema.pick({
           id: true,
@@ -267,8 +287,16 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.OidcSso],
+      description: "Create OIDC config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       body: z
         .object({
           allowedEmailDomains: z
@@ -283,23 +311,34 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                 .split(",")
                 .map((id) => id.trim())
                 .join(", ");
-            }),
-          configurationType: z.nativeEnum(OIDCConfigurationType),
-          issuer: z.string().trim().optional().default(""),
-          discoveryURL: z.string().trim().optional().default(""),
-          authorizationEndpoint: z.string().trim().optional().default(""),
-          jwksUri: z.string().trim().optional().default(""),
-          tokenEndpoint: z.string().trim().optional().default(""),
-          userinfoEndpoint: z.string().trim().optional().default(""),
-          clientId: z.string().trim(),
-          clientSecret: z.string().trim(),
-          isActive: z.boolean(),
-          orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false),
+            })
+            .describe(OidcSSo.CREATE_CONFIG.allowedEmailDomains),
+          configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.CREATE_CONFIG.configurationType),
+          issuer: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.issuer),
+          discoveryURL: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.discoveryURL),
+          authorizationEndpoint: z
+            .string()
+            .trim()
+            .optional()
+            .default("")
+            .describe(OidcSSo.CREATE_CONFIG.authorizationEndpoint),
+          jwksUri: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.jwksUri),
+          tokenEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.tokenEndpoint),
+          userinfoEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.userinfoEndpoint),
+          clientId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientId),
+          clientSecret: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientSecret),
+          isActive: z.boolean().describe(OidcSSo.CREATE_CONFIG.isActive),
+          organizationId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.organizationId),
+          manageGroupMemberships: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe(OidcSSo.CREATE_CONFIG.manageGroupMemberships),
           jwtSignatureAlgorithm: z
             .nativeEnum(OIDCJWTSignatureAlgorithm)
             .optional()
             .default(OIDCJWTSignatureAlgorithm.RS256)
+            .describe(OidcSSo.CREATE_CONFIG.jwtSignatureAlgorithm)
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {

backend/src/ee/routes/v1/pit-router.ts

@@ -3,11 +3,14 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { isValidFolderName } from "@app/lib/validator";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
+import { SecretNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const commitHistoryItemSchema = z.object({
   id: z.string(),
@@ -413,4 +416,140 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
       return result;
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/batch/commit",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      hide: true,
+      description: "Commit changes",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        message: z
+          .string()
+          .trim()
+          .min(1)
+          .max(255)
+          .refine((message) => message.trim() !== "", {
+            message: "Commit message cannot be empty"
+          }),
+        changes: z.object({
+          secrets: z.object({
+            create: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema,
+                  secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+                  secretComment: z.string().trim().optional().default(""),
+                  skipMultilineEncoding: z.boolean().optional(),
+                  metadata: z.record(z.string()).optional(),
+                  secretMetadata: ResourceMetadataSchema.optional(),
+                  tagIds: z.string().array().optional()
+                })
+              )
+              .optional(),
+            update: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema,
+                  newSecretName: SecretNameSchema.optional(),
+                  secretValue: z
+                    .string()
+                    .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+                    .optional(),
+                  secretComment: z.string().trim().optional().default(""),
+                  skipMultilineEncoding: z.boolean().optional(),
+                  metadata: z.record(z.string()).optional(),
+                  secretMetadata: ResourceMetadataSchema.optional(),
+                  tagIds: z.string().array().optional()
+                })
+              )
+              .optional(),
+            delete: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema
+                })
+              )
+              .optional()
+          }),
+          folders: z.object({
+            create: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  description: z.string().optional()
+                })
+              )
+              .optional(),
+            update: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  description: z.string().nullable().optional(),
+                  id: z.string()
+                })
+              )
+              .optional(),
+            delete: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  id: z.string()
+                })
+              )
+              .optional()
+          })
+        })
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      await server.services.pit.processNewCommitRaw({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        projectId: req.body.projectId,
+        environment: req.body.environment,
+        secretPath: req.body.secretPath,
+        message: req.body.message,
+        changes: {
+          secrets: req.body.changes.secrets,
+          folders: req.body.changes.folders
+        }
+      });
+      return { message: "success" };
+    }
+  });
 };

backend/src/ee/routes/v1/saml-router.ts

@@ -13,6 +13,7 @@ import { FastifyRequest } from "fastify";
 import { z } from "zod";
 
 import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types";
+import { ApiDocsTags, SamlSso } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -149,8 +150,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
             firstName,
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,
-            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
+            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider,
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId,
             metadata: userMetadata
           });
           cb(null, { isUserCompleted, providerAuthToken });
@@ -262,25 +263,31 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SamlSso],
+      description: "Get SAML config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       querystring: z.object({
-        organizationId: z.string().trim()
+        organizationId: z.string().trim().describe(SamlSso.GET_CONFIG.organizationId)
       }),
       response: {
-        200: z
-          .object({
-            id: z.string(),
-            organization: z.string(),
-            orgId: z.string(),
-            authProvider: z.string(),
-            isActive: z.boolean(),
-            entryPoint: z.string(),
-            issuer: z.string(),
-            cert: z.string(),
-            lastUsed: z.date().nullable().optional()
-          })
-          .optional()
+        200: z.object({
+          id: z.string(),
+          organization: z.string(),
+          orgId: z.string(),
+          authProvider: z.string(),
+          isActive: z.boolean(),
+          entryPoint: z.string(),
+          issuer: z.string(),
+          cert: z.string(),
+          lastUsed: z.date().nullable().optional()
+        })
       }
     },
     handler: async (req) => {
@@ -302,15 +309,23 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SamlSso],
+      description: "Create SAML config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       body: z.object({
-        organizationId: z.string(),
-        authProvider: z.nativeEnum(SamlProviders),
-        isActive: z.boolean(),
-        entryPoint: z.string(),
-        issuer: z.string(),
-        cert: z.string()
+        organizationId: z.string().trim().describe(SamlSso.CREATE_CONFIG.organizationId),
+        authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.CREATE_CONFIG.authProvider),
+        isActive: z.boolean().describe(SamlSso.CREATE_CONFIG.isActive),
+        entryPoint: z.string().trim().describe(SamlSso.CREATE_CONFIG.entryPoint),
+        issuer: z.string().trim().describe(SamlSso.CREATE_CONFIG.issuer),
+        cert: z.string().trim().describe(SamlSso.CREATE_CONFIG.cert)
       }),
       response: {
         200: SanitizedSamlConfigSchema
@@ -341,18 +356,26 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: writeLimit
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
+      hide: false,
+      tags: [ApiDocsTags.SamlSso],
+      description: "Update SAML config",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
       body: z
         .object({
-          authProvider: z.nativeEnum(SamlProviders),
-          isActive: z.boolean(),
-          entryPoint: z.string(),
-          issuer: z.string(),
-          cert: z.string()
+          authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.UPDATE_CONFIG.authProvider),
+          isActive: z.boolean().describe(SamlSso.UPDATE_CONFIG.isActive),
+          entryPoint: z.string().trim().describe(SamlSso.UPDATE_CONFIG.entryPoint),
+          issuer: z.string().trim().describe(SamlSso.UPDATE_CONFIG.issuer),
+          cert: z.string().trim().describe(SamlSso.UPDATE_CONFIG.cert)
         })
         .partial()
-        .merge(z.object({ organizationId: z.string() })),
+        .merge(z.object({ organizationId: z.string().trim().describe(SamlSso.UPDATE_CONFIG.organizationId) })),
       response: {
         200: SanitizedSamlConfigSchema
       }

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -107,34 +107,26 @@ export const oidcConfigServiceFactory = ({
   kmsService
 }: TOidcConfigServiceFactoryDep) => {
   const getOidc = async (dto: TGetOidcCfgDTO) => {
-    const org = await orgDAL.findOne({ slug: dto.orgSlug });
-    if (!org) {
+    const oidcCfg = await oidcConfigDAL.findOne({
+      orgId: dto.organizationId
+    });
+    if (!oidcCfg) {
       throw new NotFoundError({
-        message: `Organization with slug '${dto.orgSlug}' not found`,
-        name: "OrgNotFound"
+        message: `OIDC configuration for organization with ID '${dto.organizationId}' not found`
       });
     }
+
     if (dto.type === "external") {
       const { permission } = await permissionService.getOrgPermission(
         dto.actor,
         dto.actorId,
-        org.id,
+        dto.organizationId,
         dto.actorAuthMethod,
         dto.actorOrgId
       );
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
     }
 
-    const oidcCfg = await oidcConfigDAL.findOne({
-      orgId: org.id
-    });
-
-    if (!oidcCfg) {
-      throw new NotFoundError({
-        message: `OIDC configuration for organization with slug '${dto.orgSlug}' not found`
-      });
-    }
-
     const { decryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
       orgId: oidcCfg.orgId
@@ -465,7 +457,7 @@ export const oidcConfigServiceFactory = ({
   };
 
   const updateOidcCfg = async ({
-    orgSlug,
+    organizationId,
     allowedEmailDomains,
     configurationType,
     discoveryURL,
@@ -484,13 +476,11 @@ export const oidcConfigServiceFactory = ({
     manageGroupMemberships,
     jwtSignatureAlgorithm
   }: TUpdateOidcCfgDTO) => {
-    const org = await orgDAL.findOne({
-      slug: orgSlug
-    });
+    const org = await orgDAL.findOne({ id: organizationId });
 
     if (!org) {
       throw new NotFoundError({
-        message: `Organization with slug '${orgSlug}' not found`
+        message: `Organization with ID '${organizationId}' not found`
       });
     }
 
@@ -555,7 +545,7 @@ export const oidcConfigServiceFactory = ({
   };
 
   const createOidcCfg = async ({
-    orgSlug,
+    organizationId,
     allowedEmailDomains,
     configurationType,
     discoveryURL,
@@ -574,12 +564,10 @@ export const oidcConfigServiceFactory = ({
     manageGroupMemberships,
     jwtSignatureAlgorithm
   }: TCreateOidcCfgDTO) => {
-    const org = await orgDAL.findOne({
-      slug: orgSlug
-    });
+    const org = await orgDAL.findOne({ id: organizationId });
     if (!org) {
       throw new NotFoundError({
-        message: `Organization with slug '${orgSlug}' not found`
+        message: `Organization with ID '${organizationId}' not found`
       });
     }
 
@@ -639,7 +627,7 @@ export const oidcConfigServiceFactory = ({
 
     const oidcCfg = await getOidc({
       type: "internal",
-      orgSlug
+      organizationId: org.id
     });
 
     if (!oidcCfg || !oidcCfg.isActive) {

backend/src/ee/services/oidc/oidc-config-types.ts

@@ -26,11 +26,11 @@ export type TOidcLoginDTO = {
 export type TGetOidcCfgDTO =
   | ({
       type: "external";
-      orgSlug: string;
+      organizationId: string;
     } & TGenericPermission)
   | {
       type: "internal";
-      orgSlug: string;
+      organizationId: string;
     };
 
 export type TCreateOidcCfgDTO = {
@@ -45,7 +45,7 @@ export type TCreateOidcCfgDTO = {
   clientId: string;
   clientSecret: string;
   isActive: boolean;
-  orgSlug: string;
+  organizationId: string;
   manageGroupMemberships: boolean;
   jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 } & TGenericPermission;
@@ -62,7 +62,7 @@ export type TUpdateOidcCfgDTO = Partial<{
   clientId: string;
   clientSecret: string;
   isActive: boolean;
-  orgSlug: string;
+  organizationId: string;
   manageGroupMemberships: boolean;
   jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 }> &

backend/src/ee/services/pit/pit-service.ts

@@ -2,28 +2,50 @@
 import { ForbiddenError } from "@casl/ability";
 
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-import { ResourceType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { TFolderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import {
+  ResourceType,
+  TCommitResourceChangeDTO,
+  TFolderCommitServiceFactory
+} from "@app/services/folder-commit/folder-commit-service";
 import {
   isFolderCommitChange,
   isSecretCommitChange
 } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
+import { SecretProtectionType, TProcessNewCommitRawDTO } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
+import { TSecretV2BridgeServiceFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-service";
+import { SecretOperations, SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
+import { TSecretApprovalPolicyServiceFactory } from "../secret-approval-policy/secret-approval-policy-service";
+import { TSecretApprovalRequestServiceFactory } from "../secret-approval-request/secret-approval-request-service";
 
 type TPitServiceFactoryDep = {
   folderCommitService: TFolderCommitServiceFactory;
   secretService: Pick<TSecretServiceFactory, "getSecretVersionsV2ByIds" | "getChangeVersions">;
-  folderService: Pick<TSecretFolderServiceFactory, "getFolderById" | "getFolderVersions">;
+  folderService: Pick<
+    TSecretFolderServiceFactory,
+    "getFolderById" | "getFolderVersions" | "createManyFolders" | "updateManyFolders" | "deleteManyFolders"
+  >;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds" | "findBySecretPath">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  secretApprovalRequestService: Pick<
+    TSecretApprovalRequestServiceFactory,
+    "generateSecretApprovalRequest" | "generateSecretApprovalRequestV2Bridge"
+  >;
+  secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug" | "findById">;
+  secretV2BridgeService: TSecretV2BridgeServiceFactory;
+  folderCommitDAL: Pick<TFolderCommitDALFactory, "transaction">;
 };
 
 export type TPitServiceFactory = ReturnType<typeof pitServiceFactory>;
@@ -34,7 +56,12 @@ export const pitServiceFactory = ({
   folderService,
   permissionService,
   folderDAL,
-  projectEnvDAL
+  projectEnvDAL,
+  secretApprovalRequestService,
+  secretApprovalPolicyService,
+  projectDAL,
+  secretV2BridgeService,
+  folderCommitDAL
 }: TPitServiceFactoryDep) => {
   const getCommitsCount = async ({
     actor,
@@ -471,6 +498,238 @@ export const pitServiceFactory = ({
     });
   };
 
+  const processNewCommitRaw = async ({
+    actorId,
+    projectId,
+    environment,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    secretPath,
+    message,
+    changes = {
+      secrets: {
+        create: [],
+        update: [],
+        delete: []
+      },
+      folders: {
+        create: [],
+        update: [],
+        delete: []
+      }
+    }
+  }: {
+    actorId: string;
+    projectId: string;
+    environment: string;
+    actor: ActorType;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    secretPath: string;
+    message: string;
+    changes: TProcessNewCommitRawDTO;
+  }) => {
+    const policy =
+      actor === ActorType.USER
+        ? await secretApprovalPolicyService.getSecretApprovalPolicy(projectId, environment, secretPath)
+        : undefined;
+
+    const project = await projectDAL.findById(projectId);
+    if (project.enforceCapitalization) {
+      const caseViolatingSecretKeys = [
+        // Check create operations
+        ...(changes.secrets?.create
+          ?.filter((sec) => sec.secretKey !== sec.secretKey.toUpperCase())
+          .map((sec) => sec.secretKey) ?? []),
+
+        // Check update operations
+        ...(changes.secrets?.update
+          ?.filter(
+            (sec) =>
+              sec.secretKey !== sec.secretKey.toUpperCase() ||
+              (sec.newSecretKey && sec.newSecretKey !== sec.newSecretKey.toUpperCase())
+          )
+          .map((sec) => sec.secretKey) ?? [])
+      ];
+
+      if (caseViolatingSecretKeys.length) {
+        throw new BadRequestError({
+          message: `Secret names must be in UPPERCASE per project requirements: ${caseViolatingSecretKeys.join(
+            ", "
+          )}. You can disable this requirement in project settings`
+        });
+      }
+    }
+
+    await folderCommitDAL.transaction(async (trx) => {
+      const targetFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
+      if (!targetFolder)
+        throw new NotFoundError({
+          message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`,
+          name: "CreateManySecret"
+        });
+      const commitChanges: TCommitResourceChangeDTO[] = [];
+
+      if ((changes.folders?.create?.length ?? 0) > 0) {
+        await folderService.createManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.create?.map((folder) => ({
+              name: folder.folderName,
+              environment,
+              path: secretPath,
+              description: folder.description
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+      }
+
+      if ((changes.folders?.update?.length ?? 0) > 0) {
+        await folderService.updateManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.update?.map((folder) => ({
+              environment,
+              path: secretPath,
+              id: folder.id,
+              name: folder.folderName,
+              description: folder.description
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+      }
+
+      if ((changes.folders?.delete?.length ?? 0) > 0) {
+        await folderService.deleteManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.delete?.map((folder) => ({
+              environment,
+              path: secretPath,
+              idOrName: folder.id
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+      }
+
+      if (policy) {
+        const approval = await secretApprovalRequestService.generateSecretApprovalRequestV2Bridge({
+          policy,
+          secretPath,
+          environment,
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          data: {
+            [SecretOperations.Create]:
+              changes.secrets?.create?.map((el) => ({
+                tagIds: el.tagIds,
+                secretValue: el.secretValue,
+                secretComment: el.secretComment,
+                metadata: el.metadata,
+                skipMultilineEncoding: el.skipMultilineEncoding,
+                secretKey: el.secretKey,
+                secretMetadata: el.secretMetadata
+              })) ?? [],
+            [SecretOperations.Update]:
+              changes.secrets?.update?.map((el) => ({
+                tagIds: el.tagIds,
+                secretValue: el.secretValue,
+                secretComment: el.secretComment,
+                metadata: el.metadata,
+                skipMultilineEncoding: el.skipMultilineEncoding,
+                secretKey: el.secretKey,
+                secretMetadata: el.secretMetadata
+              })) ?? [],
+            [SecretOperations.Delete]:
+              changes.secrets?.delete?.map((el) => ({
+                secretKey: el.secretKey
+              })) ?? []
+          }
+        });
+        return { type: SecretProtectionType.Approval as const, approval };
+      }
+
+      if ((changes.secrets?.create?.length ?? 0) > 0) {
+        await secretV2BridgeService.createManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.create ?? [],
+          tx: trx,
+          commitChanges
+        });
+      }
+      if ((changes.secrets?.update?.length ?? 0) > 0) {
+        await secretV2BridgeService.updateManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.update ?? [],
+          mode: SecretUpdateMode.FailOnNotFound,
+          tx: trx,
+          commitChanges
+        });
+      }
+      if ((changes.secrets?.delete?.length ?? 0) > 0) {
+        await secretV2BridgeService.deleteManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.delete ?? [],
+          tx: trx,
+          commitChanges
+        });
+      }
+      if (commitChanges?.length > 0) {
+        await folderCommitService.createCommit(
+          {
+            actor: {
+              type: actor || ActorType.PLATFORM,
+              metadata: {
+                id: actorId
+              }
+            },
+            message,
+            folderId: targetFolder.id,
+            changes: commitChanges
+          },
+          trx
+        );
+      }
+    });
+  };
+
   return {
     getCommitsCount,
     getCommitsForFolder,
@@ -478,6 +737,7 @@ export const pitServiceFactory = ({
     compareCommitChanges,
     rollbackToCommit,
     revertCommit,
-    getFolderStateAtCommit
+    getFolderStateAtCommit,
+    processNewCommitRaw
   };
 };

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -148,10 +148,18 @@ export const samlConfigServiceFactory = ({
     let samlConfig: TSamlConfigs | undefined;
     if (dto.type === "org") {
       samlConfig = await samlConfigDAL.findOne({ orgId: dto.orgId });
-      if (!samlConfig) return;
+      if (!samlConfig) {
+        throw new NotFoundError({
+          message: `SAML configuration for organization with ID '${dto.orgId}' not found`
+        });
+      }
     } else if (dto.type === "orgSlug") {
       const org = await orgDAL.findOne({ slug: dto.orgSlug });
-      if (!org) return;
+      if (!org) {
+        throw new NotFoundError({
+          message: `Organization with slug '${dto.orgSlug}' not found`
+        });
+      }
       samlConfig = await samlConfigDAL.findOne({ orgId: org.id });
     } else if (dto.type === "ssoId") {
       // TODO:

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -61,20 +61,17 @@ export type TSamlLoginDTO = {
 export type TSamlConfigServiceFactory = {
   createSamlCfg: (arg: TCreateSamlCfgDTO) => Promise<TSamlConfigs>;
   updateSamlCfg: (arg: TUpdateSamlCfgDTO) => Promise<TSamlConfigs>;
-  getSaml: (arg: TGetSamlCfgDTO) => Promise<
-    | {
-        id: string;
-        organization: string;
-        orgId: string;
-        authProvider: string;
-        isActive: boolean;
-        entryPoint: string;
-        issuer: string;
-        cert: string;
-        lastUsed: Date | null | undefined;
-      }
-    | undefined
-  >;
+  getSaml: (arg: TGetSamlCfgDTO) => Promise<{
+    id: string;
+    organization: string;
+    orgId: string;
+    authProvider: string;
+    isActive: boolean;
+    entryPoint: string;
+    issuer: string;
+    cert: string;
+    lastUsed: Date | null | undefined;
+  }>;
   samlLogin: (arg: TSamlLoginDTO) => Promise<{
     isUserCompleted: boolean;
     providerAuthToken: string;

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1,5 +1,6 @@
 /* eslint-disable no-nested-ternary */
 import { ForbiddenError, subject } from "@casl/ability";
+import { Knex } from "knex";
 
 import {
   ProjectMembershipRole,
@@ -1260,8 +1261,9 @@ export const secretApprovalRequestServiceFactory = ({
     policy,
     projectId,
     secretPath,
-    environment
-  }: TGenerateSecretApprovalRequestV2BridgeDTO) => {
+    environment,
+    trx: providedTx
+  }: TGenerateSecretApprovalRequestV2BridgeDTO & { trx?: Knex }) => {
     if (actor === ActorType.SERVICE || actor === ActorType.Machine)
       throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
 
@@ -1487,7 +1489,7 @@ export const secretApprovalRequestServiceFactory = ({
       );
     });
 
-    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
+    const executeApprovalRequestCreation = async (tx: Knex) => {
       const doc = await secretApprovalRequestDAL.create(
         {
           folderId,
@@ -1549,7 +1551,11 @@ export const secretApprovalRequestServiceFactory = ({
       }
 
       return { ...doc, commits: approvalCommits };
-    });
+    };
+
+    const secretApprovalRequest = providedTx
+      ? await executeApprovalRequestCreation(providedTx)
+      : await secretApprovalRequestDAL.transaction(executeApprovalRequestCreation);
 
     const user = await userDAL.findById(secretApprovalRequest.committerUserId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -318,7 +318,7 @@ export const secretScanningV2QueueServiceFactory = async ({
     },
     {
       batchSize: 1,
-      workerCount: 20,
+      workerCount: 2,
       pollingIntervalSeconds: 1
     }
   );
@@ -539,7 +539,7 @@ export const secretScanningV2QueueServiceFactory = async ({
     },
     {
       batchSize: 1,
-      workerCount: 20,
+      workerCount: 2,
       pollingIntervalSeconds: 1
     }
   );
@@ -613,7 +613,7 @@ export const secretScanningV2QueueServiceFactory = async ({
     },
     {
       batchSize: 1,
-      workerCount: 5,
+      workerCount: 2,
       pollingIntervalSeconds: 1
     }
   );

backend/src/lib/api-docs/constants.ts

@@ -66,7 +66,10 @@ export enum ApiDocsTags {
   KmsKeys = "KMS Keys",
   KmsEncryption = "KMS Encryption",
   KmsSigning = "KMS Signing",
-  SecretScanning = "Secret Scanning"
+  SecretScanning = "Secret Scanning",
+  OidcSso = "OIDC SSO",
+  SamlSso = "SAML SSO",
+  LdapSso = "LDAP SSO"
 }
 
 export const GROUPS = {
@@ -2268,6 +2271,10 @@ export const AppConnections = {
       accessToken: "The Access Token used to access GitLab.",
       code: "The OAuth code to use to connect with GitLab.",
       accessTokenType: "The type of token used to connect with GitLab."
+    },
+    ZABBIX: {
+      apiToken: "The API Token used to access Zabbix.",
+      instanceUrl: "The Zabbix instance URL to connect with."
     }
   }
 };
@@ -2457,6 +2464,12 @@ export const SecretSyncs = {
     CLOUDFLARE_PAGES: {
       projectName: "The name of the Cloudflare Pages project to sync secrets to.",
       environment: "The environment of the Cloudflare Pages project to sync secrets to."
+    },
+    ZABBIX: {
+      scope: "The Zabbix scope that secrets should be synced to.",
+      hostId: "The ID of the Zabbix host to sync secrets to.",
+      hostName: "The name of the Zabbix host to sync secrets to.",
+      macroType: "The type of macro to sync secrets to. (0: Text, 1: Secret)"
     }
   }
 };
@@ -2652,3 +2665,113 @@ export const SecretScanningConfigs = {
     content: "The contents of the Secret Scanning Configuration file."
   }
 };
+
+export const OidcSSo = {
+  GET_CONFIG: {
+    organizationId: "The ID of the organization to get the OIDC config for."
+  },
+  UPDATE_CONFIG: {
+    organizationId: "The ID of the organization to update the OIDC config for.",
+    allowedEmailDomains:
+      "A list of allowed email domains that users can use to authenticate with. This field is comma separated. Example: 'example.com,acme.com'",
+    discoveryURL: "The URL of the OIDC discovery endpoint.",
+    configurationType: "The configuration type to use for the OIDC configuration.",
+    issuer:
+      "The issuer for the OIDC configuration. This is only supported when the OIDC configuration type is set to 'custom'.",
+    authorizationEndpoint:
+      "The endpoint to use for OIDC authorization. This is only supported when the OIDC configuration type is set to 'custom'.",
+    jwksUri: "The URL of the OIDC JWKS endpoint.",
+    tokenEndpoint: "The token endpoint to use for OIDC token exchange.",
+    userinfoEndpoint: "The userinfo endpoint to get user information from the OIDC provider.",
+    clientId: "The client ID to use for OIDC authentication.",
+    clientSecret: "The client secret to use for OIDC authentication.",
+    isActive: "Whether to enable or disable this OIDC configuration.",
+    manageGroupMemberships:
+      "Whether to manage group memberships for the OIDC configuration. If enabled, users will automatically be assigned groups when they sign in, based on which groups they are a member of in the OIDC provider.",
+    jwtSignatureAlgorithm: "The algorithm to use for JWT signature verification."
+  },
+  CREATE_CONFIG: {
+    organizationId: "The ID of the organization to create the OIDC config for.",
+    allowedEmailDomains:
+      "A list of allowed email domains that users can use to authenticate with. This field is comma separated.",
+    discoveryURL: "The URL of the OIDC discovery endpoint.",
+    configurationType: "The configuration type to use for the OIDC configuration.",
+    issuer:
+      "The issuer for the OIDC configuration. This is only supported when the OIDC configuration type is set to 'custom'.",
+    authorizationEndpoint:
+      "The authorization endpoint to use for OIDC authorization. This is only supported when the OIDC configuration type is set to 'custom'.",
+    jwksUri: "The URL of the OIDC JWKS endpoint.",
+    tokenEndpoint: "The token endpoint to use for OIDC token exchange.",
+    userinfoEndpoint: "The userinfo endpoint to get user information from the OIDC provider.",
+    clientId: "The client ID to use for OIDC authentication.",
+    clientSecret: "The client secret to use for OIDC authentication.",
+    isActive: "Whether to enable or disable this OIDC configuration.",
+    manageGroupMemberships:
+      "Whether to manage group memberships for the OIDC configuration. If enabled, users will automatically be assigned groups when they sign in, based on which groups they are a member of in the OIDC provider.",
+    jwtSignatureAlgorithm: "The algorithm to use for JWT signature verification."
+  }
+};
+
+export const SamlSso = {
+  GET_CONFIG: {
+    organizationId: "The ID of the organization to get the SAML config for."
+  },
+  UPDATE_CONFIG: {
+    organizationId: "The ID of the organization to update the SAML config for.",
+    authProvider: "Authentication provider to use for SAML authentication.",
+    isActive: "Whether to enable or disable this SAML configuration.",
+    entryPoint:
+      "The entry point for the SAML authentication. This is the URL that the user will be redirected to after they have authenticated with the SAML provider.",
+    issuer: "The SAML provider issuer URL or entity ID.",
+    cert: "The certificate to use for SAML authentication."
+  },
+  CREATE_CONFIG: {
+    organizationId: "The ID of the organization to create the SAML config for.",
+    authProvider: "Authentication provider to use for SAML authentication.",
+    isActive: "Whether to enable or disable this SAML configuration.",
+    entryPoint:
+      "The entry point for the SAML authentication. This is the URL that the user will be redirected to after they have authenticated with the SAML provider.",
+    issuer: "The SAML provider issuer URL or entity ID.",
+    cert: "The certificate to use for SAML authentication."
+  }
+};
+
+export const LdapSso = {
+  GET_CONFIG: {
+    organizationId: "The ID of the organization to get the LDAP config for."
+  },
+  CREATE_CONFIG: {
+    organizationId: "The ID of the organization to create the LDAP config for.",
+    isActive: "Whether to enable or disable this LDAP configuration.",
+    url: "The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.",
+    bindDN:
+      "The distinguished name of the object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`",
+    bindPass: "The password to use along with Bind DN when performing the user search.",
+    searchBase: "The base DN to use for the user search such as `ou=Users,dc=acme,dc=com`",
+    uniqueUserAttribute:
+      "The attribute to use as the unique identifier of LDAP users such as `sAMAccountName`, `cn`, `uid`, `objectGUID`. If left blank, defaults to uidNumber",
+    searchFilter:
+      "The template used to construct the LDAP user search filter such as `(uid={{username}})` uses literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.",
+    groupSearchBase: "LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`",
+    groupSearchFilter:
+      "The template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: `[UserDN, UserName]`. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.",
+    caCert: "The CA certificate to use when verifying the LDAP server certificate."
+  },
+  UPDATE_CONFIG: {
+    organizationId: "The ID of the organization to update the LDAP config for.",
+    isActive: "Whether to enable or disable this LDAP configuration.",
+    url: "The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.",
+    bindDN:
+      "The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`",
+    bindPass: "The password to use along with Bind DN when performing the user search.",
+    uniqueUserAttribute:
+      "The attribute to use as the unique identifier of LDAP users such as `sAMAccountName`, `cn`, `uid`, `objectGUID`. If left blank, defaults to uidNumber",
+    searchFilter:
+      "The template used to construct the LDAP user search filter such as `(uid={{username}})` uses literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.",
+    searchBase: "The base DN to use for the user search such as `ou=Users,dc=acme,dc=com`",
+    groupSearchBase: "LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`",
+    groupSearchFilter:
+      "The template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: `[UserDN, UserName]`. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.",
+    caCert: "The CA certificate to use when verifying the LDAP server certificate."
+  }
+};

backend/src/lib/config/env.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { QueueWorkerProfile } from "@app/lib/types";
 
+import { BadRequestError } from "../errors";
 import { removeTrailingSlash } from "../fn";
 import { CustomLogger } from "../logger/logger";
 import { zpStr } from "../zod";
@@ -341,8 +342,11 @@ const envSchema = z
 
 export type TEnvConfig = Readonly<z.infer<typeof envSchema>>;
 let envCfg: TEnvConfig;
+let originalEnvConfig: TEnvConfig;
 
 export const getConfig = () => envCfg;
+export const getOriginalConfig = () => originalEnvConfig;
+
 // cannot import singleton logger directly as it needs config to load various transport
 export const initEnvConfig = (logger?: CustomLogger) => {
   const parsedEnv = envSchema.safeParse(process.env);
@@ -352,10 +356,115 @@ export const initEnvConfig = (logger?: CustomLogger) => {
     process.exit(-1);
   }
 
-  envCfg = Object.freeze(parsedEnv.data);
+  const config = Object.freeze(parsedEnv.data);
+  envCfg = config;
+
+  if (!originalEnvConfig) {
+    originalEnvConfig = config;
+  }
+
   return envCfg;
 };
 
+// A list of environment variables that can be overwritten
+export const overwriteSchema: {
+  [key: string]: {
+    name: string;
+    fields: { key: keyof TEnvConfig; description?: string }[];
+  };
+} = {
+  azure: {
+    name: "Azure",
+    fields: [
+      {
+        key: "INF_APP_CONNECTION_AZURE_CLIENT_ID",
+        description: "The Application (Client) ID of your Azure application."
+      },
+      {
+        key: "INF_APP_CONNECTION_AZURE_CLIENT_SECRET",
+        description: "The Client Secret of your Azure application."
+      }
+    ]
+  },
+  google_sso: {
+    name: "Google SSO",
+    fields: [
+      {
+        key: "CLIENT_ID_GOOGLE_LOGIN",
+        description: "The Client ID of your GCP OAuth2 application."
+      },
+      {
+        key: "CLIENT_SECRET_GOOGLE_LOGIN",
+        description: "The Client Secret of your GCP OAuth2 application."
+      }
+    ]
+  },
+  github_sso: {
+    name: "GitHub SSO",
+    fields: [
+      {
+        key: "CLIENT_ID_GITHUB_LOGIN",
+        description: "The Client ID of your GitHub OAuth application."
+      },
+      {
+        key: "CLIENT_SECRET_GITHUB_LOGIN",
+        description: "The Client Secret of your GitHub OAuth application."
+      }
+    ]
+  },
+  gitlab_sso: {
+    name: "GitLab SSO",
+    fields: [
+      {
+        key: "CLIENT_ID_GITLAB_LOGIN",
+        description: "The Client ID of your GitLab application."
+      },
+      {
+        key: "CLIENT_SECRET_GITLAB_LOGIN",
+        description: "The Secret of your GitLab application."
+      },
+      {
+        key: "CLIENT_GITLAB_LOGIN_URL",
+        description:
+          "The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to https://gitlab.com."
+      }
+    ]
+  }
+};
+
+export const overridableKeys = new Set(
+  Object.values(overwriteSchema).flatMap(({ fields }) => fields.map(({ key }) => key))
+);
+
+export const validateOverrides = (config: Record<string, string>) => {
+  const allowedOverrides = Object.fromEntries(
+    Object.entries(config).filter(([key]) => overridableKeys.has(key as keyof z.input<typeof envSchema>))
+  );
+
+  const tempEnv: Record<string, unknown> = { ...process.env, ...allowedOverrides };
+  const parsedResult = envSchema.safeParse(tempEnv);
+
+  if (!parsedResult.success) {
+    const errorDetails = parsedResult.error.issues
+      .map((issue) => `Key: "${issue.path.join(".")}", Error: ${issue.message}`)
+      .join("\n");
+    throw new BadRequestError({ message: errorDetails });
+  }
+};
+
+export const overrideEnvConfig = (config: Record<string, string>) => {
+  const allowedOverrides = Object.fromEntries(
+    Object.entries(config).filter(([key]) => overridableKeys.has(key as keyof z.input<typeof envSchema>))
+  );
+
+  const tempEnv: Record<string, unknown> = { ...process.env, ...allowedOverrides };
+  const parsedResult = envSchema.safeParse(tempEnv);
+
+  if (parsedResult.success) {
+    envCfg = Object.freeze(parsedResult.data);
+  }
+};
+
 export const formatSmtpConfig = () => {
   const tlsOptions: {
     rejectUnauthorized: boolean;

backend/src/server/routes/index.ts

@@ -300,6 +300,7 @@ import { injectIdentity } from "../plugins/auth/inject-identity";
 import { injectPermission } from "../plugins/auth/inject-permission";
 import { injectRateLimits } from "../plugins/inject-rate-limits";
 import { registerV1Routes } from "./v1";
+import { initializeOauthConfigSync } from "./v1/sso-router";
 import { registerV2Routes } from "./v2";
 import { registerV3Routes } from "./v3";
 
@@ -1535,7 +1536,12 @@ export const registerRoutes = async (
     folderService,
     permissionService,
     folderDAL,
-    projectEnvDAL
+    projectEnvDAL,
+    secretApprovalRequestService,
+    secretApprovalPolicyService,
+    projectDAL,
+    secretV2BridgeService,
+    folderCommitDAL
   });
 
   const identityOidcAuthService = identityOidcAuthServiceFactory({
@@ -1910,6 +1916,7 @@ export const registerRoutes = async (
   await hsmService.startService();
 
   await telemetryQueue.startTelemetryCheck();
+  await telemetryQueue.startAggregatedEventsJob();
   await dailyResourceCleanUp.startCleanUp();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
   await pkiSubscriberQueue.startDailyAutoRenewalJob();
@@ -2046,6 +2053,16 @@ export const registerRoutes = async (
     }
   }
 
+  const configSyncJob = await superAdminService.initializeEnvConfigSync();
+  if (configSyncJob) {
+    cronJobs.push(configSyncJob);
+  }
+
+  const oauthConfigSyncJob = await initializeOauthConfigSync();
+  if (oauthConfigSyncJob) {
+    cronJobs.push(oauthConfigSyncJob);
+  }
+
   server.decorate<FastifyZodProvider["store"]>("store", {
     user: userDAL,
     kmipClient: kmipClientDAL

backend/src/server/routes/v1/admin-router.ts

@@ -8,7 +8,7 @@ import {
   SuperAdminSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
+import { getConfig, overridableKeys } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -42,7 +42,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
             encryptedGitHubAppConnectionClientSecret: true,
             encryptedGitHubAppConnectionSlug: true,
             encryptedGitHubAppConnectionId: true,
-            encryptedGitHubAppConnectionPrivateKey: true
+            encryptedGitHubAppConnectionPrivateKey: true,
+            encryptedEnvOverrides: true
           }).extend({
             isMigrationModeOn: z.boolean(),
             defaultAuthOrgSlug: z.string().nullable(),
@@ -110,11 +111,14 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
           .refine((content) => DOMPurify.sanitize(content) === content, {
             message: "Page frame content contains unsafe HTML."
           })
-          .optional()
+          .optional(),
+        envOverrides: z.record(z.enum(Array.from(overridableKeys) as [string, ...string[]]), z.string()).optional()
       }),
       response: {
         200: z.object({
-          config: SuperAdminSchema.extend({
+          config: SuperAdminSchema.omit({
+            encryptedEnvOverrides: true
+          }).extend({
             defaultAuthOrgSlug: z.string().nullable()
           })
         })
@@ -381,6 +385,41 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/env-overrides",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.record(
+          z.string(),
+          z.object({
+            name: z.string(),
+            fields: z
+              .object({
+                key: z.string(),
+                value: z.string(),
+                hasEnvEntry: z.boolean(),
+                description: z.string().optional()
+              })
+              .array()
+          })
+        )
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async () => {
+      const envOverrides = await server.services.superAdmin.getEnvOverridesOrganized();
+      return envOverrides;
+    }
+  });
+
   server.route({
     method: "DELETE",
     url: "/user-management/users/:userId",

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -84,6 +84,7 @@ import {
   SanitizedWindmillConnectionSchema,
   WindmillConnectionListItemSchema
 } from "@app/services/app-connection/windmill";
+import { SanitizedZabbixConnectionSchema, ZabbixConnectionListItemSchema } from "@app/services/app-connection/zabbix";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
@@ -116,7 +117,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedRenderConnectionSchema.options,
   ...SanitizedFlyioConnectionSchema.options,
   ...SanitizedGitLabConnectionSchema.options,
-  ...SanitizedCloudflareConnectionSchema.options
+  ...SanitizedCloudflareConnectionSchema.options,
+  ...SanitizedZabbixConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -148,7 +150,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   RenderConnectionListItemSchema,
   FlyioConnectionListItemSchema,
   GitLabConnectionListItemSchema,
-  CloudflareConnectionListItemSchema
+  CloudflareConnectionListItemSchema,
+  ZabbixConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -29,6 +29,7 @@ import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
 import { registerWindmillConnectionRouter } from "./windmill-connection-router";
+import { registerZabbixConnectionRouter } from "./zabbix-connection-router";
 
 export * from "./app-connection-router";
 
@@ -62,5 +63,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Render]: registerRenderConnectionRouter,
     [AppConnection.Flyio]: registerFlyioConnectionRouter,
     [AppConnection.GitLab]: registerGitLabConnectionRouter,
-    [AppConnection.Cloudflare]: registerCloudflareConnectionRouter
+    [AppConnection.Cloudflare]: registerCloudflareConnectionRouter,
+    [AppConnection.Zabbix]: registerZabbixConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/zabbix-connection-router.ts

@@ -0,0 +1,51 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateZabbixConnectionSchema,
+  SanitizedZabbixConnectionSchema,
+  UpdateZabbixConnectionSchema
+} from "@app/services/app-connection/zabbix";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerZabbixConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Zabbix,
+    server,
+    sanitizedResponseSchema: SanitizedZabbixConnectionSchema,
+    createSchema: CreateZabbixConnectionSchema,
+    updateSchema: UpdateZabbixConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/hosts`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            hostId: z.string(),
+            host: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const hosts = await server.services.appConnection.zabbix.listHosts(connectionId, req.permission);
+      return hosts;
+    }
+  });
+};

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -22,6 +22,7 @@ import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
 import { registerWindmillSyncRouter } from "./windmill-sync-router";
+import { registerZabbixSyncRouter } from "./zabbix-sync-router";
 
 export * from "./secret-sync-router";
 
@@ -47,5 +48,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Render]: registerRenderSyncRouter,
   [SecretSync.Flyio]: registerFlyioSyncRouter,
   [SecretSync.GitLab]: registerGitLabSyncRouter,
-  [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter
+  [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter,
+  [SecretSync.Zabbix]: registerZabbixSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts

@@ -382,7 +382,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
         {
           syncId,
           destination,
-          importBehavior
+          importBehavior,
+          auditLogInfo: req.auditLogInfo
         },
         req.permission
       )) as T;
@@ -415,7 +416,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
       const secretSync = (await server.services.secretSync.triggerSecretSyncRemoveSecretsById(
         {
           syncId,
-          destination
+          destination,
+          auditLogInfo: req.auditLogInfo
         },
         req.permission
       )) as T;

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -39,6 +39,7 @@ import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/se
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
 import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
+import { ZabbixSyncListItemSchema, ZabbixSyncSchema } from "@app/services/secret-sync/zabbix";
 
 const SecretSyncSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncSchema,
@@ -62,7 +63,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   RenderSyncSchema,
   FlyioSyncSchema,
   GitLabSyncSchema,
-  CloudflarePagesSyncSchema
+  CloudflarePagesSyncSchema,
+  ZabbixSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -87,7 +89,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   RenderSyncListItemSchema,
   FlyioSyncListItemSchema,
   GitLabSyncListItemSchema,
-  CloudflarePagesSyncListItemSchema
+  CloudflarePagesSyncListItemSchema,
+  ZabbixSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/secret-sync-routers/zabbix-sync-router.ts

@@ -0,0 +1,13 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { CreateZabbixSyncSchema, UpdateZabbixSyncSchema, ZabbixSyncSchema } from "@app/services/secret-sync/zabbix";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerZabbixSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Zabbix,
+    server,
+    responseSchema: ZabbixSyncSchema,
+    createSchema: CreateZabbixSyncSchema,
+    updateSchema: UpdateZabbixSyncSchema
+  });

backend/src/server/routes/v1/sso-router.ts

@@ -9,6 +9,7 @@
 import { Authenticator } from "@fastify/passport";
 import fastifySession from "@fastify/session";
 import RedisStore from "connect-redis";
+import { CronJob } from "cron";
 import { Strategy as GitLabStrategy } from "passport-gitlab2";
 import { Strategy as GoogleStrategy } from "passport-google-oauth20";
 import { Strategy as OAuth2Strategy } from "passport-oauth2";
@@ -25,27 +26,14 @@ import { AuthMethod } from "@app/services/auth/auth-type";
 import { OrgAuthMethod } from "@app/services/org/org-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
-export const registerSsoRouter = async (server: FastifyZodProvider) => {
+const passport = new Authenticator({ key: "sso", userProperty: "passportUser" });
+
+let serverInstance: FastifyZodProvider | null = null;
+
+export const registerOauthMiddlewares = (server: FastifyZodProvider) => {
+  serverInstance = server;
   const appCfg = getConfig();
 
-  const passport = new Authenticator({ key: "sso", userProperty: "passportUser" });
-  const redisStore = new RedisStore({
-    client: server.redis,
-    prefix: "oauth-session:",
-    ttl: 600 // 10 minutes
-  });
-
-  await server.register(fastifySession, {
-    secret: appCfg.COOKIE_SECRET_SIGN_KEY,
-    store: redisStore,
-    cookie: {
-      secure: appCfg.HTTPS_ENABLED,
-      sameSite: "lax" // we want cookies to be sent to Infisical in redirects originating from IDP server
-    }
-  });
-  await server.register(passport.initialize());
-  await server.register(passport.secureSession());
-
   // passport oauth strategy for Google
   const isGoogleOauthActive = Boolean(appCfg.CLIENT_ID_GOOGLE_LOGIN && appCfg.CLIENT_SECRET_GOOGLE_LOGIN);
   if (isGoogleOauthActive) {
@@ -176,6 +164,49 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
       )
     );
   }
+};
+
+export const refreshOauthConfig = () => {
+  if (!serverInstance) {
+    logger.warn("Cannot refresh OAuth config: server instance not available");
+    return;
+  }
+
+  logger.info("Refreshing OAuth configuration...");
+  registerOauthMiddlewares(serverInstance);
+};
+
+export const initializeOauthConfigSync = async () => {
+  logger.info("Setting up background sync process for oauth configuration");
+
+  // sync every 5 minutes
+  const job = new CronJob("*/5 * * * *", refreshOauthConfig);
+  job.start();
+
+  return job;
+};
+
+export const registerSsoRouter = async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+
+  const redisStore = new RedisStore({
+    client: server.redis,
+    prefix: "oauth-session:",
+    ttl: 600 // 10 minutes
+  });
+
+  await server.register(fastifySession, {
+    secret: appCfg.COOKIE_SECRET_SIGN_KEY,
+    store: redisStore,
+    cookie: {
+      secure: appCfg.HTTPS_ENABLED,
+      sameSite: "lax" // we want cookies to be sent to Infisical in redirects originating from IDP server
+    }
+  });
+  await server.register(passport.initialize());
+  await server.register(passport.secureSession());
+
+  registerOauthMiddlewares(server);
 
   server.route({
     url: "/redirect/google",

backend/src/services/app-connection/app-connection-enums.ts

@@ -27,7 +27,8 @@ export enum AppConnection {
   Render = "render",
   Flyio = "flyio",
   GitLab = "gitlab",
-  Cloudflare = "cloudflare"
+  Cloudflare = "cloudflare",
+  Zabbix = "zabbix"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -105,6 +105,7 @@ import {
   validateWindmillConnectionCredentials,
   WindmillConnectionMethod
 } from "./windmill";
+import { getZabbixConnectionListItem, validateZabbixConnectionCredentials, ZabbixConnectionMethod } from "./zabbix";
 
 export const listAppConnectionOptions = () => {
   return [
@@ -136,7 +137,8 @@ export const listAppConnectionOptions = () => {
     getRenderConnectionListItem(),
     getFlyioConnectionListItem(),
     getGitLabConnectionListItem(),
-    getCloudflareConnectionListItem()
+    getCloudflareConnectionListItem(),
+    getZabbixConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -216,7 +218,8 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -253,6 +256,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case VercelConnectionMethod.ApiToken:
     case OnePassConnectionMethod.ApiToken:
     case CloudflareConnectionMethod.APIToken:
+    case ZabbixConnectionMethod.ApiToken:
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
@@ -332,7 +336,8 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.Render]: platformManagedCredentialsNotSupported,
   [AppConnection.Flyio]: platformManagedCredentialsNotSupported,
   [AppConnection.GitLab]: platformManagedCredentialsNotSupported,
-  [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported
+  [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported,
+  [AppConnection.Zabbix]: platformManagedCredentialsNotSupported
 };
 
 export const enterpriseAppCheck = async (

backend/src/services/app-connection/app-connection-maps.ts

@@ -29,7 +29,8 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Render]: "Render",
   [AppConnection.Flyio]: "Fly.io",
   [AppConnection.GitLab]: "GitLab",
-  [AppConnection.Cloudflare]: "Cloudflare"
+  [AppConnection.Cloudflare]: "Cloudflare",
+  [AppConnection.Zabbix]: "Zabbix"
 };
 
 export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@@ -61,5 +62,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
   [AppConnection.Render]: AppConnectionPlanType.Regular,
   [AppConnection.Flyio]: AppConnectionPlanType.Regular,
   [AppConnection.GitLab]: AppConnectionPlanType.Regular,
-  [AppConnection.Cloudflare]: AppConnectionPlanType.Regular
+  [AppConnection.Cloudflare]: AppConnectionPlanType.Regular,
+  [AppConnection.Zabbix]: AppConnectionPlanType.Regular
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -80,6 +80,8 @@ import { ValidateVercelConnectionCredentialsSchema } from "./vercel";
 import { vercelConnectionService } from "./vercel/vercel-connection-service";
 import { ValidateWindmillConnectionCredentialsSchema } from "./windmill";
 import { windmillConnectionService } from "./windmill/windmill-connection-service";
+import { ValidateZabbixConnectionCredentialsSchema } from "./zabbix";
+import { zabbixConnectionService } from "./zabbix/zabbix-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -119,7 +121,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
   [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
   [AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema,
-  [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema
+  [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema,
+  [AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -529,6 +532,7 @@ export const appConnectionServiceFactory = ({
     render: renderConnectionService(connectAppConnectionById),
     flyio: flyioConnectionService(connectAppConnectionById),
     gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    cloudflare: cloudflareConnectionService(connectAppConnectionById)
+    cloudflare: cloudflareConnectionService(connectAppConnectionById),
+    zabbix: zabbixConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -165,6 +165,12 @@ import {
   TWindmillConnectionConfig,
   TWindmillConnectionInput
 } from "./windmill";
+import {
+  TValidateZabbixConnectionCredentialsSchema,
+  TZabbixConnection,
+  TZabbixConnectionConfig,
+  TZabbixConnectionInput
+} from "./zabbix";
 
 export type TAppConnection = { id: string } & (
   | TAwsConnection
@@ -196,6 +202,7 @@ export type TAppConnection = { id: string } & (
   | TFlyioConnection
   | TGitLabConnection
   | TCloudflareConnection
+  | TZabbixConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -232,6 +239,7 @@ export type TAppConnectionInput = { id: string } & (
   | TFlyioConnectionInput
   | TGitLabConnectionInput
   | TCloudflareConnectionInput
+  | TZabbixConnectionInput
 );
 
 export type TSqlConnectionInput =
@@ -275,7 +283,8 @@ export type TAppConnectionConfig =
   | TRenderConnectionConfig
   | TFlyioConnectionConfig
   | TGitLabConnectionConfig
-  | TCloudflareConnectionConfig;
+  | TCloudflareConnectionConfig
+  | TZabbixConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -306,7 +315,8 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateRenderConnectionCredentialsSchema
   | TValidateFlyioConnectionCredentialsSchema
   | TValidateGitLabConnectionCredentialsSchema
-  | TValidateCloudflareConnectionCredentialsSchema;
+  | TValidateCloudflareConnectionCredentialsSchema
+  | TValidateZabbixConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/zabbix/index.ts

@@ -0,0 +1,4 @@
+export * from "./zabbix-connection-enums";
+export * from "./zabbix-connection-fns";
+export * from "./zabbix-connection-schemas";
+export * from "./zabbix-connection-types";

backend/src/services/app-connection/zabbix/zabbix-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum ZabbixConnectionMethod {
+  ApiToken = "api-token"
+}

backend/src/services/app-connection/zabbix/zabbix-connection-fns.ts

@@ -0,0 +1,108 @@
+import { AxiosError } from "axios";
+import RE2 from "re2";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { ZabbixConnectionMethod } from "./zabbix-connection-enums";
+import {
+  TZabbixConnection,
+  TZabbixConnectionConfig,
+  TZabbixHost,
+  TZabbixHostListResponse
+} from "./zabbix-connection-types";
+
+const TRAILING_SLASH_REGEX = new RE2("/+$");
+
+export const getZabbixConnectionListItem = () => {
+  return {
+    name: "Zabbix" as const,
+    app: AppConnection.Zabbix as const,
+    methods: Object.values(ZabbixConnectionMethod) as [ZabbixConnectionMethod.ApiToken]
+  };
+};
+
+export const validateZabbixConnectionCredentials = async (config: TZabbixConnectionConfig) => {
+  const { apiToken, instanceUrl } = config.credentials;
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  try {
+    const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
+
+    const payload = {
+      jsonrpc: "2.0",
+      method: "authentication.get",
+      params: {
+        output: "extend"
+      },
+      id: 1
+    };
+
+    const response: { data: { error?: { message: string }; result?: string } } = await request.post(apiUrl, payload, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiToken}`
+      }
+    });
+
+    if (response.data.error) {
+      throw new BadRequestError({
+        message: response.data.error.message
+      });
+    }
+
+    return config.credentials;
+  } catch (error) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to connect to Zabbix instance: ${error.message}`
+      });
+    }
+    throw error;
+  }
+};
+
+export const listZabbixHosts = async (appConnection: TZabbixConnection): Promise<TZabbixHost[]> => {
+  const { apiToken, instanceUrl } = appConnection.credentials;
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  try {
+    const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
+
+    const payload = {
+      jsonrpc: "2.0",
+      method: "host.get",
+      params: {
+        output: ["hostid", "host"],
+        sortfield: "host",
+        sortorder: "ASC"
+      },
+      id: 1
+    };
+
+    const response: { data: TZabbixHostListResponse } = await request.post(apiUrl, payload, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiToken}`
+      }
+    });
+
+    return response.data.result
+      ? response.data.result.map((host) => ({
+          hostId: host.hostid,
+          host: host.host
+        }))
+      : [];
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+};

backend/src/services/app-connection/zabbix/zabbix-connection-schemas.ts

@@ -0,0 +1,62 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { ZabbixConnectionMethod } from "./zabbix-connection-enums";
+
+export const ZabbixConnectionApiTokenCredentialsSchema = z.object({
+  apiToken: z
+    .string()
+    .trim()
+    .min(1, "API Token required")
+    .max(1000)
+    .describe(AppConnections.CREDENTIALS.ZABBIX.apiToken),
+  instanceUrl: z.string().trim().url("Invalid Instance URL").describe(AppConnections.CREDENTIALS.ZABBIX.instanceUrl)
+});
+
+const BaseZabbixConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Zabbix) });
+
+export const ZabbixConnectionSchema = BaseZabbixConnectionSchema.extend({
+  method: z.literal(ZabbixConnectionMethod.ApiToken),
+  credentials: ZabbixConnectionApiTokenCredentialsSchema
+});
+
+export const SanitizedZabbixConnectionSchema = z.discriminatedUnion("method", [
+  BaseZabbixConnectionSchema.extend({
+    method: z.literal(ZabbixConnectionMethod.ApiToken),
+    credentials: ZabbixConnectionApiTokenCredentialsSchema.pick({ instanceUrl: true })
+  })
+]);
+
+export const ValidateZabbixConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(ZabbixConnectionMethod.ApiToken).describe(AppConnections.CREATE(AppConnection.Zabbix).method),
+    credentials: ZabbixConnectionApiTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Zabbix).credentials
+    )
+  })
+]);
+
+export const CreateZabbixConnectionSchema = ValidateZabbixConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Zabbix)
+);
+
+export const UpdateZabbixConnectionSchema = z
+  .object({
+    credentials: ZabbixConnectionApiTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Zabbix).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Zabbix));
+
+export const ZabbixConnectionListItemSchema = z.object({
+  name: z.literal("Zabbix"),
+  app: z.literal(AppConnection.Zabbix),
+  methods: z.nativeEnum(ZabbixConnectionMethod).array()
+});

backend/src/services/app-connection/zabbix/zabbix-connection-service.ts

@@ -0,0 +1,30 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listZabbixHosts } from "./zabbix-connection-fns";
+import { TZabbixConnection } from "./zabbix-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TZabbixConnection>;
+
+export const zabbixConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listHosts = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Zabbix, connectionId, actor);
+
+    try {
+      const hosts = await listZabbixHosts(appConnection);
+      return hosts;
+    } catch (error) {
+      logger.error(error, "Failed to establish connection with zabbix");
+      return [];
+    }
+  };
+
+  return {
+    listHosts
+  };
+};

backend/src/services/app-connection/zabbix/zabbix-connection-types.ts

@@ -0,0 +1,33 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateZabbixConnectionSchema,
+  ValidateZabbixConnectionCredentialsSchema,
+  ZabbixConnectionSchema
+} from "./zabbix-connection-schemas";
+
+export type TZabbixConnection = z.infer<typeof ZabbixConnectionSchema>;
+
+export type TZabbixConnectionInput = z.infer<typeof CreateZabbixConnectionSchema> & {
+  app: AppConnection.Zabbix;
+};
+
+export type TValidateZabbixConnectionCredentialsSchema = typeof ValidateZabbixConnectionCredentialsSchema;
+
+export type TZabbixConnectionConfig = DiscriminativePick<TZabbixConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TZabbixHost = {
+  hostId: string;
+  host: string;
+};
+
+export type TZabbixHostListResponse = {
+  jsonrpc: string;
+  result: { hostid: string; host: string }[];
+  error?: { message: string };
+};

backend/src/services/folder-commit/folder-commit-service.ts

@@ -47,6 +47,14 @@ export enum ResourceType {
   FOLDER = "folder"
 }
 
+export type TCommitResourceChangeDTO = {
+  type: string;
+  secretVersionId?: string;
+  folderVersionId?: string;
+  isUpdate?: boolean;
+  folderId?: string;
+};
+
 type TCreateCommitDTO = {
   actor: {
     type: string;
@@ -57,13 +65,7 @@ type TCreateCommitDTO = {
   };
   message?: string;
   folderId: string;
-  changes: {
-    type: string;
-    secretVersionId?: string;
-    folderVersionId?: string;
-    isUpdate?: boolean;
-    folderId?: string;
-  }[];
+  changes: TCommitResourceChangeDTO[];
   omitIgnoreFilter?: boolean;
 };
 

backend/src/services/identity-project/identity-project-service.ts

@@ -93,23 +93,25 @@ export const identityProjectServiceFactory = ({
         projectId
       );
 
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        ProjectPermissionIdentityActions.GrantPrivileges,
-        ProjectPermissionSub.Identity,
-        permission,
-        rolePermission
-      );
-      if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to assign to role",
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionIdentityActions.GrantPrivileges,
-            ProjectPermissionSub.Identity
-          ),
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
+      if (requestedRoleChange !== ProjectMembershipRole.NoAccess) {
+        const permissionBoundary = validatePrivilegeChangeOperation(
+          membership.shouldUseNewPrivilegeSystem,
+          ProjectPermissionIdentityActions.GrantPrivileges,
+          ProjectPermissionSub.Identity,
+          permission,
+          rolePermission
+        );
+        if (!permissionBoundary.isValid)
+          throw new PermissionBoundaryError({
+            message: constructPermissionErrorMessage(
+              "Failed to assign to role",
+              membership.shouldUseNewPrivilegeSystem,
+              ProjectPermissionIdentityActions.GrantPrivileges,
+              ProjectPermissionSub.Identity
+            ),
+            details: { missingPermissions: permissionBoundary.missingPermissions }
+          });
+      }
     }
 
     // validate custom roles input

backend/src/services/identity/identity-service.ts

@@ -69,23 +69,25 @@ export const identityServiceFactory = ({
       orgId
     );
     const isCustomRole = Boolean(customRole);
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.GrantPrivileges,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
-    if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to create identity",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.GrantPrivileges,
-          OrgPermissionSubjects.Identity
-        ),
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+    if (role !== OrgMembershipRole.NoAccess) {
+      const permissionBoundary = validatePrivilegeChangeOperation(
+        membership.shouldUseNewPrivilegeSystem,
+        OrgPermissionIdentityActions.GrantPrivileges,
+        OrgPermissionSubjects.Identity,
+        permission,
+        rolePermission
+      );
+      if (!permissionBoundary.isValid)
+        throw new PermissionBoundaryError({
+          message: constructPermissionErrorMessage(
+            "Failed to create identity",
+            membership.shouldUseNewPrivilegeSystem,
+            OrgPermissionIdentityActions.GrantPrivileges,
+            OrgPermissionSubjects.Identity
+          ),
+          details: { missingPermissions: permissionBoundary.missingPermissions }
+        });
+    }
 
     const plan = await licenseService.getPlan(orgId);
 
@@ -187,6 +189,7 @@ export const identityServiceFactory = ({
           ),
           details: { missingPermissions: appliedRolePermissionBoundary.missingPermissions }
         });
+
       if (isCustomRole) customRole = customOrgRole;
     }
 

backend/src/services/secret-folder/secret-folder-service.ts

@@ -1,8 +1,10 @@
+/* eslint-disable no-await-in-loop */
 import { ForbiddenError, subject } from "@casl/ability";
+import { Knex } from "knex";
 import path from "path";
 import { v4 as uuidv4, validate as uuidValidate } from "uuid";
 
-import { TSecretFolders, TSecretFoldersInsert } from "@app/db/schemas";
+import { TProjectEnvironments, TSecretFolders, TSecretFoldersInsert } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -12,14 +14,21 @@ import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { buildFolderPath } from "@app/services/secret-folder/secret-folder-fns";
 
-import { ChangeType, CommitType, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
+import {
+  ChangeType,
+  CommitType,
+  TCommitResourceChangeDTO,
+  TFolderCommitServiceFactory
+} from "../folder-commit/folder-commit-service";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
 import {
   TCreateFolderDTO,
+  TCreateManyFoldersDTO,
   TDeleteFolderDTO,
+  TDeleteManyFoldersDTO,
   TGetFolderByIdDTO,
   TGetFolderDTO,
   TGetFoldersDeepByEnvsDTO,
@@ -236,19 +245,29 @@ export const secretFolderServiceFactory = ({
     actor,
     actorId,
     projectSlug,
+    projectId: providedProjectId,
     actorAuthMethod,
     actorOrgId,
-    folders
-  }: TUpdateManyFoldersDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) {
-      throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+    folders,
+    tx: providedTx,
+    commitChanges
+  }: TUpdateManyFoldersDTO & { tx?: Knex; commitChanges?: TCommitResourceChangeDTO[]; projectId?: string }) => {
+    let projectId = providedProjectId;
+    if (!projectId && projectSlug) {
+      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
+      if (!project) {
+        throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
+      }
+      projectId = project.id;
+    }
+    if (!projectId) {
+      throw new BadRequestError({ message: "Must provide either project slug or projectId" });
     }
 
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
-      projectId: project.id,
+      projectId,
       actorAuthMethod,
       actorOrgId
     });
@@ -260,12 +279,12 @@ export const secretFolderServiceFactory = ({
       );
     });
 
-    const result = await folderDAL.transaction(async (tx) =>
-      Promise.all(
+    const executeBulkUpdate = async (tx: Knex) => {
+      return Promise.all(
         folders.map(async (newFolder) => {
           const { environment, path: secretPath, id, name, description } = newFolder;
 
-          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
+          const parentFolder = await folderDAL.findBySecretPath(projectId as string, environment, secretPath, tx);
           if (!parentFolder) {
             throw new NotFoundError({
               message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`,
@@ -273,10 +292,10 @@ export const secretFolderServiceFactory = ({
             });
           }
 
-          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
+          const env = await projectEnvDAL.findOne({ projectId, slug: environment });
           if (!env) {
             throw new NotFoundError({
-              message: `Environment with slug '${environment}' in project with ID '${project.id}' not found`,
+              message: `Environment with slug '${environment}' in project with ID '${projectId}' not found`,
               name: "UpdateManyFolders"
             });
           }
@@ -323,26 +342,34 @@ export const secretFolderServiceFactory = ({
             },
             tx
           );
-          await folderCommitService.createCommit(
-            {
-              actor: {
-                type: actor,
-                metadata: {
-                  id: actorId
-                }
+          if (commitChanges) {
+            commitChanges.push({
+              type: CommitType.ADD,
+              isUpdate: true,
+              folderVersionId: folderVersion.id
+            });
+          } else {
+            await folderCommitService.createCommit(
+              {
+                actor: {
+                  type: actor,
+                  metadata: {
+                    id: actorId
+                  }
+                },
+                message: "Folder updated",
+                folderId: parentFolder.id,
+                changes: [
+                  {
+                    type: CommitType.ADD,
+                    isUpdate: true,
+                    folderVersionId: folderVersion.id
+                  }
+                ]
               },
-              message: "Folder updated",
-              folderId: parentFolder.id,
-              changes: [
-                {
-                  type: CommitType.ADD,
-                  isUpdate: true,
-                  folderVersionId: folderVersion.id
-                }
-              ]
-            },
-            tx
-          );
+              tx
+            );
+          }
           if (!doc) {
             throw new NotFoundError({
               message: `Failed to update folder with id '${id}', not found`,
@@ -352,13 +379,16 @@ export const secretFolderServiceFactory = ({
 
           return { oldFolder: folder, newFolder: doc };
         })
-      )
-    );
+      );
+    };
+
+    // Execute with provided transaction or create new one
+    const result = providedTx ? await executeBulkUpdate(providedTx) : await folderDAL.transaction(executeBulkUpdate);
 
     await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
 
     return {
-      projectId: project.id,
+      projectId,
       newFolders: result.map((res) => res.newFolder),
       oldFolders: result.map((res) => res.oldFolder)
     };
@@ -469,15 +499,41 @@ export const secretFolderServiceFactory = ({
 
   const $checkFolderPolicy = async ({
     projectId,
-    environment,
-    parentId
+    env,
+    parentId,
+    idOrName
   }: {
     projectId: string;
-    environment: string;
+    env: TProjectEnvironments;
     parentId: string;
+    idOrName: string;
   }) => {
+    let targetFolder = await folderDAL
+      .findOne({
+        envId: env.id,
+        name: idOrName,
+        parentId,
+        isReserved: false
+      })
+      .catch(() => null);
+
+    if (!targetFolder && uuidValidate(idOrName)) {
+      targetFolder = await folderDAL
+        .findOne({
+          envId: env.id,
+          id: idOrName,
+          parentId,
+          isReserved: false
+        })
+        .catch(() => null);
+    }
+
+    if (!targetFolder) {
+      throw new NotFoundError({ message: `Target folder not found` });
+    }
+
     // get environment root folder (as it's needed to get all folders under it)
-    const rootFolder = await folderDAL.findBySecretPath(projectId, environment, "/");
+    const rootFolder = await folderDAL.findBySecretPath(projectId, env.slug, "/");
     if (!rootFolder) throw new NotFoundError({ message: `Root folder not found` });
     // get all folders under environment root folder
     const folderPaths = await folderDAL.findByEnvsDeep({ parentIds: [rootFolder.id] });
@@ -492,7 +548,13 @@ export const secretFolderServiceFactory = ({
       folderMap.get(normalizeKey(folder.parentId))?.push(folder);
     }
 
-    // Recursively collect all folders under the given parentId
+    // Find the target folder in the folderPaths to get its full details
+    const targetFolderWithPath = folderPaths.find((f) => f.id === targetFolder!.id);
+    if (!targetFolderWithPath) {
+      throw new NotFoundError({ message: `Target folder path not found` });
+    }
+
+    // Recursively collect all folders under the target folder (descendants only)
     const collectDescendants = (
       id: string
     ): (TSecretFolders & { path: string; depth: number; environment: string })[] => {
@@ -500,23 +562,31 @@ export const secretFolderServiceFactory = ({
       return [...children, ...children.flatMap((child) => collectDescendants(child.id))];
     };
 
-    const foldersUnderParent = collectDescendants(parentId);
+    const targetFolderDescendants = collectDescendants(targetFolder.id);
 
-    const folderPolicyPaths = foldersUnderParent.map((folder) => ({
+    // Include the target folder itself plus all its descendants
+    const foldersToCheck = [targetFolderWithPath, ...targetFolderDescendants];
+
+    const folderPolicyPaths = foldersToCheck.map((folder) => ({
       path: folder.path,
       id: folder.id
     }));
 
     // get secrets under the given folders
-    const secrets = await secretV2BridgeDAL.findByFolderIds({ folderIds: folderPolicyPaths.map((p) => p.id) });
+    const secrets = await secretV2BridgeDAL.findByFolderIds({
+      folderIds: folderPolicyPaths.map((p) => p.id)
+    });
+
     for await (const folderPolicyPath of folderPolicyPaths) {
       // eslint-disable-next-line no-continue
       if (!secrets.some((s) => s.folderId === folderPolicyPath.id)) continue;
+
       const policy = await secretApprovalPolicyService.getSecretApprovalPolicy(
         projectId,
-        environment,
+        env.slug,
         folderPolicyPath.path
       );
+
       // if there is a policy and there are secrets under the given folder, throw error
       if (policy) {
         throw new BadRequestError({
@@ -560,20 +630,42 @@ export const secretFolderServiceFactory = ({
           message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`
         });
 
-      await $checkFolderPolicy({ projectId, environment, parentId: parentFolder.id });
+      await $checkFolderPolicy({ projectId, env, parentId: parentFolder.id, idOrName });
+
+      let folderToDelete = await folderDAL
+        .findOne({
+          envId: env.id,
+          name: idOrName,
+          parentId: parentFolder.id,
+          isReserved: false
+        })
+        .catch(() => null);
+
+      if (!folderToDelete && uuidValidate(idOrName)) {
+        folderToDelete = await folderDAL
+          .findOne({
+            envId: env.id,
+            id: idOrName,
+            parentId: parentFolder.id,
+            isReserved: false
+          })
+          .catch(() => null);
+      }
+
+      if (!folderToDelete) {
+        throw new NotFoundError({ message: `Folder with ID '${idOrName}' not found` });
+      }
 
       const [doc] = await folderDAL.delete(
         {
           envId: env.id,
-          [uuidValidate(idOrName) ? "id" : "name"]: idOrName,
+          id: folderToDelete.id,
           parentId: parentFolder.id,
           isReserved: false
         },
         tx
       );
 
-      if (!doc) throw new NotFoundError({ message: `Failed to delete folder with ID '${idOrName}', not found` });
-
       const folderVersions = await folderVersionDAL.findLatestFolderVersions([doc.id], tx);
 
       await folderCommitService.createCommit(
@@ -912,6 +1004,361 @@ export const secretFolderServiceFactory = ({
     }));
   };
 
+  const createManyFolders = async ({
+    projectId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId,
+    folders,
+    tx: providedTx,
+    commitChanges
+  }: TCreateManyFoldersDTO & { tx?: Knex; commitChanges?: TCommitResourceChangeDTO[] }) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    });
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Create,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    });
+
+    const foldersByEnv = folders.reduce(
+      (acc, folder) => {
+        if (!acc[folder.environment]) {
+          acc[folder.environment] = [];
+        }
+        acc[folder.environment].push(folder);
+        return acc;
+      },
+      {} as Record<string, typeof folders>
+    );
+
+    const executeBulkCreate = async (tx: Knex) => {
+      const createdFolders = [];
+
+      for (const [environment, envFolders] of Object.entries(foldersByEnv)) {
+        const env = await projectEnvDAL.findOne({ projectId, slug: environment });
+        if (!env) {
+          throw new NotFoundError({
+            message: `Environment with slug '${environment}' in project with ID '${projectId}' not found`
+          });
+        }
+
+        await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateFolder(env.id, env.projectId)]);
+
+        for (const folderSpec of envFolders) {
+          const { name, path: secretPath, description } = folderSpec;
+
+          const pathWithFolder = path.join(secretPath, name);
+          const parentFolder = await folderDAL.findClosestFolder(projectId, environment, pathWithFolder, tx);
+
+          if (!parentFolder) {
+            throw new NotFoundError({
+              message: `Parent folder for path '${pathWithFolder}' not found`
+            });
+          }
+
+          // Check if the exact folder already exists
+          const existingFolder = await folderDAL.findOne(
+            {
+              envId: env.id,
+              parentId: parentFolder.id,
+              name,
+              isReserved: false
+            },
+            tx
+          );
+
+          if (existingFolder) {
+            createdFolders.push(existingFolder);
+            // eslint-disable-next-line no-continue
+            continue;
+          }
+
+          // Handle exact folder case
+          if (parentFolder.path === pathWithFolder) {
+            createdFolders.push(parentFolder);
+            // eslint-disable-next-line no-continue
+            continue;
+          }
+
+          let currentParentId = parentFolder.id;
+
+          // Build the full path we need by processing each segment
+          if (parentFolder.path !== secretPath) {
+            const missingSegments = secretPath.substring(parentFolder.path.length).split("/").filter(Boolean);
+            const newFolders: TSecretFoldersInsert[] = [];
+
+            for (const segment of missingSegments) {
+              const existingSegment = await folderDAL.findOne(
+                {
+                  name: segment,
+                  parentId: currentParentId,
+                  envId: env.id,
+                  isReserved: false
+                },
+                tx
+              );
+
+              if (existingSegment) {
+                currentParentId = existingSegment.id;
+              } else {
+                const newFolder = {
+                  name: segment,
+                  parentId: currentParentId,
+                  id: uuidv4(),
+                  envId: env.id,
+                  version: 1
+                };
+
+                currentParentId = newFolder.id;
+                newFolders.push(newFolder);
+              }
+            }
+
+            if (newFolders.length) {
+              const docs = await folderDAL.insertMany(newFolders, tx);
+              const folderVersions = await folderVersionDAL.insertMany(
+                docs.map((doc) => ({
+                  name: doc.name,
+                  envId: doc.envId,
+                  version: doc.version,
+                  folderId: doc.id,
+                  description: doc.description
+                })),
+                tx
+              );
+              await folderCommitService.createCommit(
+                {
+                  actor: {
+                    type: actor,
+                    metadata: {
+                      id: actorId
+                    }
+                  },
+                  message: "Folders created (batch)",
+                  folderId: currentParentId,
+                  changes: folderVersions.map((fv) => ({
+                    type: CommitType.ADD,
+                    folderVersionId: fv.id
+                  }))
+                },
+                tx
+              );
+            }
+          }
+
+          // Create the target folder
+          const doc = await folderDAL.create(
+            { name, envId: env.id, version: 1, parentId: currentParentId, description },
+            tx
+          );
+
+          const folderVersion = await folderVersionDAL.create(
+            {
+              name: doc.name,
+              envId: doc.envId,
+              version: doc.version,
+              folderId: doc.id,
+              description: doc.description
+            },
+            tx
+          );
+
+          if (commitChanges) {
+            commitChanges.push({
+              type: CommitType.ADD,
+              folderVersionId: folderVersion.id
+            });
+          } else {
+            await folderCommitService.createCommit(
+              {
+                actor: {
+                  type: actor,
+                  metadata: {
+                    id: actorId
+                  }
+                },
+                message: "Folder created (batch)",
+                folderId: doc.id,
+                changes: [
+                  {
+                    type: CommitType.ADD,
+                    folderVersionId: folderVersion.id
+                  }
+                ]
+              },
+              tx
+            );
+          }
+
+          createdFolders.push(doc);
+        }
+      }
+
+      return createdFolders;
+    };
+    const result = providedTx ? await executeBulkCreate(providedTx) : await folderDAL.transaction(executeBulkCreate);
+    const uniqueParentIds = [...new Set(result.map((folder) => folder.parentId).filter(Boolean))];
+    await Promise.all(uniqueParentIds.map((parentId) => snapshotService.performSnapshot(parentId as string)));
+
+    return {
+      folders: result,
+      count: result.length
+    };
+  };
+
+  const deleteManyFolders = async ({
+    projectId,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    folders,
+    tx: providedTx,
+    commitChanges
+  }: TDeleteManyFoldersDTO & { tx?: Knex; commitChanges?: TCommitResourceChangeDTO[] }) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    });
+
+    folders.forEach(({ environment, path: secretPath }) => {
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Delete,
+        subject(ProjectPermissionSub.SecretFolders, { environment, secretPath })
+      );
+    });
+
+    const foldersByEnv = folders.reduce(
+      (acc, folder) => {
+        if (!acc[folder.environment]) {
+          acc[folder.environment] = [];
+        }
+        acc[folder.environment].push(folder);
+        return acc;
+      },
+      {} as Record<string, typeof folders>
+    );
+
+    const executeBulkDelete = async (tx: Knex) => {
+      const deletedFolders = [];
+
+      for (const [environment, envFolders] of Object.entries(foldersByEnv)) {
+        const env = await projectEnvDAL.findOne({ projectId, slug: environment });
+        if (!env) {
+          throw new NotFoundError({
+            message: `Environment with slug '${environment}' not found`
+          });
+        }
+
+        for (const folderSpec of envFolders) {
+          const { path: secretPath, idOrName } = folderSpec;
+
+          const parentFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath, tx);
+          if (!parentFolder) {
+            throw new NotFoundError({
+              message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`
+            });
+          }
+
+          await $checkFolderPolicy({ projectId, env, parentId: parentFolder.id, idOrName });
+
+          let folderToDelete = await folderDAL
+            .findOne({
+              envId: env.id,
+              name: idOrName,
+              parentId: parentFolder.id,
+              isReserved: false
+            })
+            .catch(() => null);
+
+          if (!folderToDelete && uuidValidate(idOrName)) {
+            folderToDelete = await folderDAL
+              .findOne({
+                envId: env.id,
+                id: idOrName,
+                parentId: parentFolder.id,
+                isReserved: false
+              })
+              .catch(() => null);
+          }
+
+          if (!folderToDelete) {
+            throw new NotFoundError({
+              message: `Folder with ID/name '${idOrName}' not found`
+            });
+          }
+
+          const [doc] = await folderDAL.delete(
+            {
+              envId: env.id,
+              id: folderToDelete.id,
+              parentId: parentFolder.id,
+              isReserved: false
+            },
+            tx
+          );
+
+          const folderVersions = await folderVersionDAL.findLatestFolderVersions([doc.id], tx);
+
+          if (commitChanges) {
+            commitChanges.push({
+              type: CommitType.DELETE,
+              folderVersionId: folderVersions[doc.id].id,
+              folderId: doc.id
+            });
+          } else {
+            await folderCommitService.createCommit(
+              {
+                actor: {
+                  type: actor,
+                  metadata: {
+                    id: actorId
+                  }
+                },
+                message: "Folder deleted (batch)",
+                folderId: parentFolder.id,
+                changes: [
+                  {
+                    type: CommitType.DELETE,
+                    folderVersionId: folderVersions[doc.id].id,
+                    folderId: doc.id
+                  }
+                ]
+              },
+              tx
+            );
+          }
+
+          deletedFolders.push(doc);
+        }
+      }
+
+      return deletedFolders;
+    };
+
+    const result = providedTx ? await executeBulkDelete(providedTx) : await folderDAL.transaction(executeBulkDelete);
+
+    const uniqueParentIds = [...new Set(result.map((folder) => folder.parentId).filter(Boolean))];
+    await Promise.all(uniqueParentIds.map((parentId) => snapshotService.performSnapshot(parentId as string)));
+
+    return {
+      folders: result,
+      count: result.length
+    };
+  };
+
   return {
     createFolder,
     updateFolder,
@@ -924,6 +1371,8 @@ export const secretFolderServiceFactory = ({
     getFoldersDeepByEnvs,
     getProjectEnvironmentsFolders,
     getFolderVersionsByIds,
-    getFolderVersions
+    getFolderVersions,
+    createManyFolders,
+    deleteManyFolders
   };
 };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -1,6 +1,8 @@
 import { OrderByDirection, TProjectPermission } from "@app/lib/types";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
+import { ActorAuthMethod, ActorType } from "../auth/auth-type";
+
 export enum ReservedFolders {
   SecretReplication = "__reserve_replication_"
 }
@@ -21,7 +23,7 @@ export type TUpdateFolderDTO = {
 } & TProjectPermission;
 
 export type TUpdateManyFoldersDTO = {
-  projectSlug: string;
+  projectSlug?: string;
   folders: {
     environment: string;
     path: string;
@@ -62,3 +64,30 @@ export type TGetFoldersDeepByEnvsDTO = {
 export type TFindFoldersDeepByParentIdsDTO = {
   parentIds: string[];
 };
+
+export type TCreateManyFoldersDTO = {
+  projectId: string;
+  actor: ActorType;
+  actorId: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId?: string;
+  folders: Array<{
+    name: string;
+    environment: string;
+    path: string;
+    description?: string | null;
+  }>;
+};
+
+export type TDeleteManyFoldersDTO = {
+  projectId: string;
+  actor: ActorType;
+  actorId: string;
+  actorAuthMethod: ActorAuthMethod;
+  actorOrgId?: string;
+  folders: Array<{
+    environment: string;
+    path: string;
+    idOrName: string;
+  }>;
+};

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -20,7 +20,8 @@ export enum SecretSync {
   Render = "render",
   Flyio = "flyio",
   GitLab = "gitlab",
-  CloudflarePages = "cloudflare-pages"
+  CloudflarePages = "cloudflare-pages",
+  Zabbix = "zabbix"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -45,6 +45,7 @@ import { TEAMCITY_SYNC_LIST_OPTION, TeamCitySyncFns } from "./teamcity";
 import { TERRAFORM_CLOUD_SYNC_LIST_OPTION, TerraformCloudSyncFns } from "./terraform-cloud";
 import { VERCEL_SYNC_LIST_OPTION, VercelSyncFns } from "./vercel";
 import { WINDMILL_SYNC_LIST_OPTION, WindmillSyncFns } from "./windmill";
+import { ZABBIX_SYNC_LIST_OPTION, ZabbixSyncFns } from "./zabbix";
 
 const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
@@ -68,7 +69,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
   [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
   [SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
-  [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION
+  [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION,
+  [SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -236,6 +238,8 @@ export const SecretSyncFns = {
         return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Zabbix:
+        return ZabbixSyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -328,6 +332,9 @@ export const SecretSyncFns = {
       case SecretSync.CloudflarePages:
         secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.Zabbix:
+        secretMap = await ZabbixSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -405,6 +412,8 @@ export const SecretSyncFns = {
         return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
       case SecretSync.CloudflarePages:
         return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Zabbix:
+        return ZabbixSyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -23,7 +23,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.Render]: "Render",
   [SecretSync.Flyio]: "Fly.io",
   [SecretSync.GitLab]: "GitLab",
-  [SecretSync.CloudflarePages]: "Cloudflare Pages"
+  [SecretSync.CloudflarePages]: "Cloudflare Pages",
+  [SecretSync.Zabbix]: "Zabbix"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -48,7 +49,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Render]: AppConnection.Render,
   [SecretSync.Flyio]: AppConnection.Flyio,
   [SecretSync.GitLab]: AppConnection.GitLab,
-  [SecretSync.CloudflarePages]: AppConnection.Cloudflare
+  [SecretSync.CloudflarePages]: AppConnection.Cloudflare,
+  [SecretSync.Zabbix]: AppConnection.Zabbix
 };
 
 export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@@ -73,5 +75,6 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
   [SecretSync.Render]: SecretSyncPlanType.Regular,
   [SecretSync.Flyio]: SecretSyncPlanType.Regular,
   [SecretSync.GitLab]: SecretSyncPlanType.Regular,
-  [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular
+  [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular,
+  [SecretSync.Zabbix]: SecretSyncPlanType.Regular
 };

backend/src/services/secret-sync/secret-sync-types.ts

@@ -113,6 +113,7 @@ import {
   TTerraformCloudSyncWithCredentials
 } from "./terraform-cloud";
 import { TVercelSync, TVercelSyncInput, TVercelSyncListItem, TVercelSyncWithCredentials } from "./vercel";
+import { TZabbixSync, TZabbixSyncInput, TZabbixSyncListItem, TZabbixSyncWithCredentials } from "./zabbix";
 
 export type TSecretSync =
   | TAwsParameterStoreSync
@@ -136,7 +137,8 @@ export type TSecretSync =
   | TRenderSync
   | TFlyioSync
   | TGitLabSync
-  | TCloudflarePagesSync;
+  | TCloudflarePagesSync
+  | TZabbixSync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -160,7 +162,8 @@ export type TSecretSyncWithCredentials =
   | TRenderSyncWithCredentials
   | TFlyioSyncWithCredentials
   | TGitLabSyncWithCredentials
-  | TCloudflarePagesSyncWithCredentials;
+  | TCloudflarePagesSyncWithCredentials
+  | TZabbixSyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -184,7 +187,8 @@ export type TSecretSyncInput =
   | TRenderSyncInput
   | TFlyioSyncInput
   | TGitLabSyncInput
-  | TCloudflarePagesSyncInput;
+  | TCloudflarePagesSyncInput
+  | TZabbixSyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -208,7 +212,8 @@ export type TSecretSyncListItem =
   | TRenderSyncListItem
   | TFlyioSyncListItem
   | TGitLabSyncListItem
-  | TCloudflarePagesSyncListItem;
+  | TCloudflarePagesSyncListItem
+  | TZabbixSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

backend/src/services/secret-sync/zabbix/index.ts

@@ -0,0 +1,5 @@
+export * from "./zabbix-sync-constants";
+export * from "./zabbix-sync-enums";
+export * from "./zabbix-sync-fns";
+export * from "./zabbix-sync-schemas";
+export * from "./zabbix-sync-types";

backend/src/services/secret-sync/zabbix/zabbix-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const ZABBIX_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Zabbix",
+  destination: SecretSync.Zabbix,
+  connection: AppConnection.Zabbix,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/zabbix/zabbix-sync-enums.ts

@@ -0,0 +1,4 @@
+export enum ZabbixSyncScope {
+  Global = "global",
+  Host = "host"
+}

backend/src/services/secret-sync/zabbix/zabbix-sync-fns.ts

@@ -0,0 +1,285 @@
+import RE2 from "re2";
+
+import { request } from "@app/lib/config/request";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+import {
+  TZabbixSecret,
+  TZabbixSyncWithCredentials,
+  ZabbixApiResponse,
+  ZabbixMacroCreateResponse,
+  ZabbixMacroDeleteResponse
+} from "@app/services/secret-sync/zabbix/zabbix-sync-types";
+
+import { ZabbixSyncScope } from "./zabbix-sync-enums";
+
+const TRAILING_SLASH_REGEX = new RE2("/+$");
+const MACRO_START_REGEX = new RE2("^\\{\\$");
+const MACRO_END_REGEX = new RE2("\\}$");
+
+const extractMacroKey = (macro: string): string => {
+  return macro.replace(MACRO_START_REGEX, "").replace(MACRO_END_REGEX, "");
+};
+
+// Helper function to handle Zabbix API responses and errors
+const handleZabbixResponse = <T>(response: ZabbixApiResponse<T>): T => {
+  if (response.data.error) {
+    const errorMessage = response.data.error.data
+      ? `${response.data.error.message}: ${response.data.error.data}`
+      : response.data.error.message;
+    throw new SecretSyncError({
+      error: new Error(`Zabbix API Error (${response.data.error.code}): ${errorMessage}`)
+    });
+  }
+
+  if (response.data.result === undefined) {
+    throw new SecretSyncError({
+      error: new Error("Zabbix API returned no result")
+    });
+  }
+
+  return response.data.result;
+};
+
+const listZabbixSecrets = async (apiToken: string, instanceUrl: string, hostId?: string): Promise<TZabbixSecret[]> => {
+  const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
+
+  // - jsonrpc: Specifies the JSON-RPC protocol version.
+  // - method: The API method to call, in this case "usermacro.get" for retrieving user macros.
+  // - id: A unique identifier for the request. Required by JSON-RPC but not used by the API for logic. Typically set to any integer.
+  const payload = {
+    jsonrpc: "2.0" as const,
+    method: "usermacro.get",
+    params: hostId ? { output: "extend", hostids: hostId } : { output: "extend", globalmacro: true },
+    id: 1
+  };
+
+  try {
+    const response: ZabbixApiResponse<TZabbixSecret[]> = await request.post(apiUrl, payload, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiToken}`
+      }
+    });
+
+    return handleZabbixResponse(response) || [];
+  } catch (error) {
+    throw new SecretSyncError({
+      error: error instanceof Error ? error : new Error("Failed to list Zabbix secrets")
+    });
+  }
+};
+
+const putZabbixSecrets = async (
+  apiToken: string,
+  instanceUrl: string,
+  secretMap: TSecretMap,
+  destinationConfig: TZabbixSyncWithCredentials["destinationConfig"],
+  existingSecrets: TZabbixSecret[]
+): Promise<void> => {
+  const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
+  const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
+
+  const existingMacroMap = new Map(existingSecrets.map((secret) => [secret.macro, secret]));
+
+  for (const [key, secret] of Object.entries(secretMap)) {
+    const macroKey = `{$${key.toUpperCase()}}`;
+    const existingMacro = existingMacroMap.get(macroKey);
+
+    try {
+      if (existingMacro) {
+        // Update existing macro
+        const updatePayload = {
+          jsonrpc: "2.0" as const,
+          method: hostId ? "usermacro.update" : "usermacro.updateglobal",
+          params: {
+            [hostId ? "hostmacroid" : "globalmacroid"]: existingMacro[hostId ? "hostmacroid" : "globalmacroid"],
+            value: secret.value,
+            type: destinationConfig.macroType,
+            description: secret.comment
+          },
+          id: 1
+        };
+
+        // eslint-disable-next-line no-await-in-loop
+        const response: ZabbixApiResponse<ZabbixMacroCreateResponse> = await request.post(apiUrl, updatePayload, {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${apiToken}`
+          }
+        });
+
+        handleZabbixResponse(response);
+      } else {
+        // Create new macro
+        const createPayload = {
+          jsonrpc: "2.0" as const,
+          method: hostId ? "usermacro.create" : "usermacro.createglobal",
+          params: hostId
+            ? {
+                hostid: hostId,
+                macro: macroKey,
+                value: secret.value,
+                type: destinationConfig.macroType,
+                description: secret.comment
+              }
+            : {
+                macro: macroKey,
+                value: secret.value,
+                type: destinationConfig.macroType,
+                description: secret.comment
+              },
+          id: 1
+        };
+
+        // eslint-disable-next-line no-await-in-loop
+        const response: ZabbixApiResponse<ZabbixMacroCreateResponse> = await request.post(apiUrl, createPayload, {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${apiToken}`
+          }
+        });
+
+        handleZabbixResponse(response);
+      }
+    } catch (error) {
+      throw new SecretSyncError({
+        error: error instanceof Error ? error : new Error(`Failed to sync secret ${key}`)
+      });
+    }
+  }
+};
+
+const deleteZabbixSecrets = async (
+  apiToken: string,
+  instanceUrl: string,
+  keys: string[],
+  hostId?: string
+): Promise<void> => {
+  if (keys.length === 0) return;
+
+  const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
+
+  try {
+    // Get existing macros to find their IDs
+    const existingSecrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
+    const macroIds = existingSecrets
+      .filter((secret) => keys.includes(secret.macro))
+      .map((secret) => secret[hostId ? "hostmacroid" : "globalmacroid"])
+      .filter(Boolean);
+
+    if (macroIds.length === 0) return;
+
+    const payload = {
+      jsonrpc: "2.0" as const,
+      method: hostId ? "usermacro.delete" : "usermacro.deleteglobal",
+      params: macroIds,
+      id: 1
+    };
+
+    const response: ZabbixApiResponse<ZabbixMacroDeleteResponse> = await request.post(apiUrl, payload, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiToken}`
+      }
+    });
+
+    handleZabbixResponse(response);
+  } catch (error) {
+    throw new SecretSyncError({
+      error: error instanceof Error ? error : new Error("Failed to delete Zabbix secrets")
+    });
+  }
+};
+
+export const ZabbixSyncFns = {
+  syncSecrets: async (secretSync: TZabbixSyncWithCredentials, secretMap: TSecretMap) => {
+    const { connection, environment, destinationConfig } = secretSync;
+    const { apiToken, instanceUrl } = connection.credentials;
+    await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+    const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
+    let secrets: TZabbixSecret[] = [];
+    try {
+      secrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
+    } catch (error) {
+      throw new SecretSyncError({
+        error: error instanceof Error ? error : new Error("Failed to list Zabbix secrets")
+      });
+    }
+
+    try {
+      await putZabbixSecrets(apiToken, instanceUrl, secretMap, destinationConfig, secrets);
+    } catch (error) {
+      throw new SecretSyncError({
+        error: error instanceof Error ? error : new Error("Failed to sync secrets")
+      });
+    }
+
+    if (secretSync.syncOptions.disableSecretDeletion) return;
+
+    try {
+      const shapedSecretMapKeys = Object.keys(secretMap).map((key) => key.toUpperCase());
+
+      const keys = secrets
+        .filter(
+          (secret) =>
+            matchesSchema(secret.macro, environment?.slug || "", secretSync.syncOptions.keySchema) &&
+            !shapedSecretMapKeys.includes(extractMacroKey(secret.macro))
+        )
+        .map((secret) => secret.macro);
+
+      await deleteZabbixSecrets(apiToken, instanceUrl, keys, hostId);
+    } catch (error) {
+      throw new SecretSyncError({
+        error: error instanceof Error ? error : new Error("Failed to delete orphaned secrets")
+      });
+    }
+  },
+
+  removeSecrets: async (secretSync: TZabbixSyncWithCredentials, secretMap: TSecretMap) => {
+    const { connection, destinationConfig } = secretSync;
+    const { apiToken, instanceUrl } = connection.credentials;
+    await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+    const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
+
+    try {
+      const secrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
+
+      const shapedSecretMapKeys = Object.keys(secretMap).map((key) => key.toUpperCase());
+      const keys = secrets
+        .filter((secret) => shapedSecretMapKeys.includes(extractMacroKey(secret.macro)))
+        .map((secret) => secret.macro);
+
+      await deleteZabbixSecrets(apiToken, instanceUrl, keys, hostId);
+    } catch (error) {
+      throw new SecretSyncError({
+        error: error instanceof Error ? error : new Error("Failed to remove secrets")
+      });
+    }
+  },
+
+  getSecrets: async (secretSync: TZabbixSyncWithCredentials) => {
+    const { connection, destinationConfig } = secretSync;
+    const { apiToken, instanceUrl } = connection.credentials;
+    await blockLocalAndPrivateIpAddresses(instanceUrl);
+    const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
+
+    try {
+      const secrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
+      return Object.fromEntries(
+        secrets.map((secret) => [
+          extractMacroKey(secret.macro),
+          { value: secret.value ?? "", comment: secret.description }
+        ])
+      );
+    } catch (error) {
+      throw new SecretSyncError({
+        error: error instanceof Error ? error : new Error("Failed to get secrets")
+      });
+    }
+  }
+};

backend/src/services/secret-sync/zabbix/zabbix-sync-schemas.ts

@@ -0,0 +1,67 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+import { ZabbixSyncScope } from "./zabbix-sync-enums";
+
+const ZabbixSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
+  z.object({
+    scope: z.literal(ZabbixSyncScope.Host).describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.scope),
+    hostId: z.string().trim().min(1, "Host required").max(255).describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.hostId),
+    hostName: z
+      .string()
+      .trim()
+      .min(1, "Host name required")
+      .max(255)
+      .describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.hostName),
+    macroType: z
+      .number()
+      .min(0, "Macro type required")
+      .max(1, "Macro type required")
+      .describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.macroType)
+  }),
+  z.object({
+    scope: z.literal(ZabbixSyncScope.Global).describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.scope),
+    macroType: z
+      .number()
+      .min(0, "Macro type required")
+      .max(1, "Macro type required")
+      .describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.macroType)
+  })
+]);
+
+const ZabbixSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const ZabbixSyncSchema = BaseSecretSyncSchema(SecretSync.Zabbix, ZabbixSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Zabbix),
+  destinationConfig: ZabbixSyncDestinationConfigSchema
+});
+
+export const CreateZabbixSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Zabbix,
+  ZabbixSyncOptionsConfig
+).extend({
+  destinationConfig: ZabbixSyncDestinationConfigSchema
+});
+
+export const UpdateZabbixSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Zabbix,
+  ZabbixSyncOptionsConfig
+).extend({
+  destinationConfig: ZabbixSyncDestinationConfigSchema.optional()
+});
+
+export const ZabbixSyncListItemSchema = z.object({
+  name: z.literal("Zabbix"),
+  connection: z.literal(AppConnection.Zabbix),
+  destination: z.literal(SecretSync.Zabbix),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/zabbix/zabbix-sync-types.ts

@@ -0,0 +1,75 @@
+import { z } from "zod";
+
+import { TZabbixConnection } from "@app/services/app-connection/zabbix";
+
+import { CreateZabbixSyncSchema, ZabbixSyncListItemSchema, ZabbixSyncSchema } from "./zabbix-sync-schemas";
+
+export type TZabbixSync = z.infer<typeof ZabbixSyncSchema>;
+export type TZabbixSyncInput = z.infer<typeof CreateZabbixSyncSchema>;
+export type TZabbixSyncListItem = z.infer<typeof ZabbixSyncListItemSchema>;
+
+export type TZabbixSyncWithCredentials = TZabbixSync & {
+  connection: TZabbixConnection;
+};
+
+export type TZabbixSecret = {
+  macro: string;
+  value: string;
+  description?: string;
+  globalmacroid?: string;
+  hostmacroid?: string;
+  hostid?: string;
+  type: number;
+  automatic?: string;
+};
+
+export interface ZabbixApiResponse<T = unknown> {
+  data: {
+    jsonrpc: "2.0";
+    result?: T;
+    error?: {
+      code: number;
+      message: string;
+      data?: string;
+    };
+    id: number;
+  };
+}
+
+export interface ZabbixMacroCreateResponse {
+  hostmacroids?: string[];
+  globalmacroids?: string[];
+}
+
+export interface ZabbixMacroUpdateResponse {
+  hostmacroids?: string[];
+  globalmacroids?: string[];
+}
+
+export interface ZabbixMacroDeleteResponse {
+  hostmacroids?: string[];
+  globalmacroids?: string[];
+}
+
+export enum ZabbixMacroType {
+  TEXT = 0,
+  SECRET = 1
+}
+
+export interface ZabbixMacroInput {
+  hostid?: string;
+  macro: string;
+  value: string;
+  description?: string;
+  type?: ZabbixMacroType;
+  automatic?: "0" | "1";
+}
+
+export interface ZabbixMacroUpdate {
+  hostmacroid?: string;
+  globalmacroid?: string;
+  value?: string;
+  description?: string;
+  type?: ZabbixMacroType;
+  automatic?: "0" | "1";
+}

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -67,6 +67,7 @@ export const getAllSecretReferences = (maybeSecretReference: string) => {
 export const fnSecretBulkInsert = async ({
   // TODO: Pick types here
   folderId,
+  commitChanges,
   orgId,
   inputSecrets,
   secretDAL,
@@ -134,28 +135,32 @@ export const fnSecretBulkInsert = async ({
     tx
   );
 
-  const commitChanges = secretVersions
+  const changes = secretVersions
     .filter(({ type }) => type === SecretType.Shared)
     .map((sv) => ({
       type: CommitType.ADD,
       secretVersionId: sv.id
     }));
 
-  if (commitChanges.length > 0) {
-    await folderCommitService.createCommit(
-      {
-        actor: {
-          type: actorType || ActorType.PLATFORM,
-          metadata: {
-            id: actor?.actorId
-          }
+  if (changes.length > 0) {
+    if (commitChanges) {
+      commitChanges.push(...changes);
+    } else {
+      await folderCommitService.createCommit(
+        {
+          actor: {
+            type: actorType || ActorType.PLATFORM,
+            metadata: {
+              id: actor?.actorId
+            }
+          },
+          message: "Secret Created",
+          folderId,
+          changes
         },
-        message: "Secret Created",
-        folderId,
-        changes: commitChanges
-      },
-      tx
-    );
+        tx
+      );
+    }
   }
 
   await secretDAL.upsertSecretReferences(
@@ -209,6 +214,7 @@ export const fnSecretBulkUpdate = async ({
   tx,
   inputSecrets,
   folderId,
+  commitChanges,
   orgId,
   secretDAL,
   secretVersionDAL,
@@ -359,28 +365,32 @@ export const fnSecretBulkUpdate = async ({
     { tx }
   );
 
-  const commitChanges = secretVersions
+  const changes = secretVersions
     .filter(({ type }) => type === SecretType.Shared)
     .map((sv) => ({
       type: CommitType.ADD,
       isUpdate: true,
       secretVersionId: sv.id
     }));
-  if (commitChanges.length > 0) {
-    await folderCommitService.createCommit(
-      {
-        actor: {
-          type: actorType || ActorType.PLATFORM,
-          metadata: {
-            id: actor?.actorId
-          }
+  if (changes.length > 0) {
+    if (commitChanges) {
+      commitChanges.push(...changes);
+    } else {
+      await folderCommitService.createCommit(
+        {
+          actor: {
+            type: actorType || ActorType.PLATFORM,
+            metadata: {
+              id: actor?.actorId
+            }
+          },
+          message: "Secret Updated",
+          folderId,
+          changes
         },
-        message: "Secret Updated",
-        folderId,
-        changes: commitChanges
-      },
-      tx
-    );
+        tx
+      );
+    }
   }
 
   return secretsWithTags.map((secret) => ({ ...secret, _id: secret.id }));
@@ -395,7 +405,8 @@ export const fnSecretBulkDelete = async ({
   secretDAL,
   secretQueueService,
   folderCommitService,
-  secretVersionDAL
+  secretVersionDAL,
+  commitChanges
 }: TFnSecretBulkDelete) => {
   const deletedSecrets = await secretDAL.deleteMany(
     inputSecrets.map(({ type, secretKey }) => ({
@@ -421,27 +432,31 @@ export const fnSecretBulkDelete = async ({
     tx
   );
 
-  const commitChanges = deletedSecrets
+  const changes = deletedSecrets
     .filter(({ type }) => type === SecretType.Shared)
     .map(({ id }) => ({
       type: CommitType.DELETE,
       secretVersionId: secretVersions[id].id
     }));
-  if (commitChanges.length > 0) {
-    await folderCommitService.createCommit(
-      {
-        actor: {
-          type: actorType || ActorType.PLATFORM,
-          metadata: {
-            id: actorId
-          }
+  if (changes.length > 0) {
+    if (commitChanges) {
+      commitChanges.push(...changes);
+    } else {
+      await folderCommitService.createCommit(
+        {
+          actor: {
+            type: actorType || ActorType.PLATFORM,
+            metadata: {
+              id: actorId
+            }
+          },
+          message: "Secret Deleted",
+          folderId,
+          changes
         },
-        message: "Secret Deleted",
-        folderId,
-        changes: commitChanges
-      },
-      tx
-    );
+        tx
+      );
+    }
   }
 
   return deletedSecrets;

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -28,7 +28,7 @@ import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { ActorType } from "../auth/auth-type";
-import { TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
+import { TCommitResourceChangeDTO, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
@@ -1474,8 +1474,10 @@ export const secretV2BridgeServiceFactory = ({
     actorOrgId,
     environment,
     projectId,
-    secrets: inputSecrets
-  }: TCreateManySecretDTO) => {
+    secrets: inputSecrets,
+    tx: providedTx,
+    commitChanges
+  }: TCreateManySecretDTO & { tx?: Knex; commitChanges?: TCommitResourceChangeDTO[] }) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -1558,8 +1560,8 @@ export const secretV2BridgeServiceFactory = ({
     const { encryptor: secretManagerEncryptor, decryptor: secretManagerDecryptor } =
       await kmsService.createCipherPairWithDataKey({ type: KmsDataKey.SecretManager, projectId });
 
-    const newSecrets = await secretDAL.transaction(async (tx) =>
-      fnSecretBulkInsert({
+    const executeBulkInsert = async (tx: Knex) => {
+      return fnSecretBulkInsert({
         inputSecrets: inputSecrets.map((el) => {
           const references = secretReferencesGroupByInputSecretKey[el.secretKey]?.nestedReferences;
 
@@ -1581,6 +1583,7 @@ export const secretV2BridgeServiceFactory = ({
           };
         }),
         folderId,
+        commitChanges,
         orgId: actorOrgId,
         secretDAL,
         resourceMetadataDAL,
@@ -1593,8 +1596,13 @@ export const secretV2BridgeServiceFactory = ({
           actorId
         },
         tx
-      })
-    );
+      });
+    };
+
+    const newSecrets = providedTx
+      ? await executeBulkInsert(providedTx)
+      : await secretDAL.transaction(executeBulkInsert);
+
     await secretDAL.invalidateSecretCacheByProjectId(projectId);
     await snapshotService.performSnapshot(folderId);
     await secretQueueService.syncSecrets({
@@ -1641,8 +1649,10 @@ export const secretV2BridgeServiceFactory = ({
     projectId,
     secretPath: defaultSecretPath = "/",
     secrets: inputSecrets,
-    mode: updateMode
-  }: TUpdateManySecretDTO) => {
+    mode: updateMode,
+    tx: providedTx,
+    commitChanges
+  }: TUpdateManySecretDTO & { tx?: Knex; commitChanges?: TCommitResourceChangeDTO[] }) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -1671,18 +1681,20 @@ export const secretV2BridgeServiceFactory = ({
     const { encryptor: secretManagerEncryptor, decryptor: secretManagerDecryptor } =
       await kmsService.createCipherPairWithDataKey({ type: KmsDataKey.SecretManager, projectId });
 
-    const updatedSecrets: Array<
-      TSecretsV2 & {
-        secretPath: string;
-        tags: {
-          id: string;
-          slug: string;
-          color?: string | null;
-          name: string;
-        }[];
-      }
-    > = [];
-    await secretDAL.transaction(async (tx) => {
+    // Function to execute the bulk update operation
+    const executeBulkUpdate = async (tx: Knex) => {
+      const updatedSecrets: Array<
+        TSecretsV2 & {
+          secretPath: string;
+          tags: {
+            id: string;
+            slug: string;
+            color?: string | null;
+            name: string;
+          }[];
+        }
+      > = [];
+
       for await (const folder of folders) {
         if (!folder) throw new NotFoundError({ message: "Folder not found" });
 
@@ -1801,7 +1813,7 @@ export const secretV2BridgeServiceFactory = ({
                         {
                           operator: "eq",
                           field: `${TableName.SecretV2}.key` as "key",
-                          value: el.secretKey
+                          value: el.newSecretName as string
                         },
                         {
                           operator: "eq",
@@ -1855,6 +1867,7 @@ export const secretV2BridgeServiceFactory = ({
           orgId: actorOrgId,
           folderCommitService,
           tx,
+          commitChanges,
           inputSecrets: secretsToUpdate.map((el) => {
             const originalSecret = secretsToUpdateInDBGroupedByKey[el.secretKey][0];
             const encryptedValue =
@@ -1934,7 +1947,13 @@ export const secretV2BridgeServiceFactory = ({
           updatedSecrets.push(...bulkInsertedSecrets.map((el) => ({ ...el, secretPath: folder.path })));
         }
       }
-    });
+
+      return updatedSecrets;
+    };
+
+    const updatedSecrets = providedTx
+      ? await executeBulkUpdate(providedTx)
+      : await secretDAL.transaction(executeBulkUpdate);
 
     await secretDAL.invalidateSecretCacheByProjectId(projectId);
     await Promise.allSettled(folders.map((el) => (el?.id ? snapshotService.performSnapshot(el.id) : undefined)));
@@ -1991,8 +2010,10 @@ export const secretV2BridgeServiceFactory = ({
     actor,
     actorId,
     actorAuthMethod,
-    actorOrgId
-  }: TDeleteManySecretDTO) => {
+    actorOrgId,
+    tx: providedTx,
+    commitChanges
+  }: TDeleteManySecretDTO & { tx?: Knex; commitChanges?: TCommitResourceChangeDTO[] }) => {
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -2051,24 +2072,29 @@ export const secretV2BridgeServiceFactory = ({
       );
     });
 
+    const executeBulkDelete = async (tx: Knex) => {
+      return fnSecretBulkDelete({
+        secretDAL,
+        secretQueueService,
+        folderCommitService,
+        secretVersionDAL,
+        inputSecrets: inputSecrets.map(({ type, secretKey }) => ({
+          secretKey,
+          type: type || SecretType.Shared
+        })),
+        projectId,
+        folderId,
+        actorId,
+        actorType: actor,
+        commitChanges,
+        tx
+      });
+    };
+
     try {
-      const secretsDeleted = await secretDAL.transaction(async (tx) =>
-        fnSecretBulkDelete({
-          secretDAL,
-          secretQueueService,
-          folderCommitService,
-          secretVersionDAL,
-          inputSecrets: inputSecrets.map(({ type, secretKey }) => ({
-            secretKey,
-            type: type || SecretType.Shared
-          })),
-          projectId,
-          folderId,
-          actorId,
-          actorType: actor,
-          tx
-        })
-      );
+      const secretsDeleted = providedTx
+        ? await executeBulkDelete(providedTx)
+        : await secretDAL.transaction(executeBulkDelete);
 
       await secretDAL.invalidateSecretCacheByProjectId(projectId);
       await snapshotService.performSnapshot(folderId);

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -8,7 +8,7 @@ import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
 
-import { TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
+import { TCommitResourceChangeDTO, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
 import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
@@ -167,6 +167,7 @@ export type TFnSecretBulkInsert = {
   folderId: string;
   orgId: string;
   tx?: Knex;
+  commitChanges?: TCommitResourceChangeDTO[];
   inputSecrets: Array<
     Omit<TSecretsV2Insert, "folderId"> & {
       tagIds?: string[];
@@ -214,6 +215,7 @@ export type TFnSecretBulkUpdate = {
     actorId?: string;
   };
   tx?: Knex;
+  commitChanges?: TCommitResourceChangeDTO[];
 };
 
 export type TFnSecretBulkDelete = {
@@ -223,6 +225,7 @@ export type TFnSecretBulkDelete = {
   actorId: string;
   actorType?: string;
   tx?: Knex;
+  commitChanges?: TCommitResourceChangeDTO[];
   secretDAL: Pick<TSecretV2BridgeDALFactory, "deleteMany">;
   secretQueueService: {
     removeSecretReminder: (data: TRemoveSecretReminderDTO, tx?: Knex) => Promise<void>;

backend/src/services/secret/secret-types.ts

@@ -544,3 +544,33 @@ export enum SecretProtectionType {
 }
 
 export type TStartSecretsV2MigrationDTO = TProjectPermission;
+
+export type TProcessNewCommitRawDTO = {
+  secrets: {
+    create?: {
+      secretKey: string;
+      secretValue: string;
+      secretComment?: string;
+      skipMultilineEncoding?: boolean;
+      tagIds?: string[];
+      secretMetadata?: ResourceMetadataDTO;
+      metadata?: { source?: string };
+    }[];
+    update?: {
+      secretKey: string;
+      newSecretKey?: string;
+      secretValue?: string;
+      secretComment?: string;
+      skipMultilineEncoding?: boolean;
+      tagIds?: string[];
+      secretMetadata?: ResourceMetadataDTO;
+      metadata?: { source?: string };
+    }[];
+    delete?: { secretKey: string }[];
+  };
+  folders: {
+    create?: { folderName: string; description?: string }[];
+    update?: { folderName: string; description?: string | null; id: string }[];
+    delete?: { folderName: string; id: string }[];
+  };
+};

backend/src/services/super-admin/super-admin-service.ts

@@ -5,7 +5,13 @@ import jwt from "jsonwebtoken";
 import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
-import { getConfig } from "@app/lib/config/env";
+import {
+  getConfig,
+  getOriginalConfig,
+  overrideEnvConfig,
+  overwriteSchema,
+  validateOverrides
+} from "@app/lib/config/env";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -33,6 +39,7 @@ import { TInvalidateCacheQueueFactory } from "./invalidate-cache-queue";
 import { TSuperAdminDALFactory } from "./super-admin-dal";
 import {
   CacheType,
+  EnvOverrides,
   LoginMethod,
   TAdminBootstrapInstanceDTO,
   TAdminGetIdentitiesDTO,
@@ -234,6 +241,45 @@ export const superAdminServiceFactory = ({
     adminIntegrationsConfig = config;
   };
 
+  const getEnvOverrides = async () => {
+    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
+
+    if (!serverCfg || !serverCfg.encryptedEnvOverrides) {
+      return {};
+    }
+
+    const decrypt = kmsService.decryptWithRootKey();
+
+    const overrides = JSON.parse(decrypt(serverCfg.encryptedEnvOverrides).toString()) as Record<string, string>;
+
+    return overrides;
+  };
+
+  const getEnvOverridesOrganized = async (): Promise<EnvOverrides> => {
+    const overrides = await getEnvOverrides();
+    const ogConfig = getOriginalConfig();
+
+    return Object.fromEntries(
+      Object.entries(overwriteSchema).map(([groupKey, groupDef]) => [
+        groupKey,
+        {
+          name: groupDef.name,
+          fields: groupDef.fields.map(({ key, description }) => ({
+            key,
+            description,
+            value: overrides[key] || "",
+            hasEnvEntry: !!(ogConfig as unknown as Record<string, string | undefined>)[key]
+          }))
+        }
+      ])
+    );
+  };
+
+  const $syncEnvConfig = async () => {
+    const config = await getEnvOverrides();
+    overrideEnvConfig(config);
+  };
+
   const updateServerCfg = async (
     data: TSuperAdminUpdate & {
       slackClientId?: string;
@@ -246,6 +292,7 @@ export const superAdminServiceFactory = ({
       gitHubAppConnectionSlug?: string;
       gitHubAppConnectionId?: string;
       gitHubAppConnectionPrivateKey?: string;
+      envOverrides?: Record<string, string>;
     },
     userId: string
   ) => {
@@ -374,6 +421,17 @@ export const superAdminServiceFactory = ({
       gitHubAppConnectionSettingsUpdated = true;
     }
 
+    let envOverridesUpdated = false;
+    if (data.envOverrides !== undefined) {
+      // Verify input format
+      validateOverrides(data.envOverrides);
+
+      const encryptedEnvOverrides = encryptWithRoot(Buffer.from(JSON.stringify(data.envOverrides)));
+      updatedData.encryptedEnvOverrides = encryptedEnvOverrides;
+      updatedData.envOverrides = undefined;
+      envOverridesUpdated = true;
+    }
+
     const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, updatedData);
 
     await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg));
@@ -382,6 +440,10 @@ export const superAdminServiceFactory = ({
       await $syncAdminIntegrationConfig();
     }
 
+    if (envOverridesUpdated) {
+      await $syncEnvConfig();
+    }
+
     if (
       updatedServerCfg.encryptedMicrosoftTeamsAppId &&
       updatedServerCfg.encryptedMicrosoftTeamsClientSecret &&
@@ -814,6 +876,18 @@ export const superAdminServiceFactory = ({
     return job;
   };
 
+  const initializeEnvConfigSync = async () => {
+    logger.info("Setting up background sync process for environment overrides");
+
+    await $syncEnvConfig();
+
+    // sync every 5 minutes
+    const job = new CronJob("*/5 * * * *", $syncEnvConfig);
+    job.start();
+
+    return job;
+  };
+
   return {
     initServerCfg,
     updateServerCfg,
@@ -833,6 +907,9 @@ export const superAdminServiceFactory = ({
     getOrganizations,
     deleteOrganization,
     deleteOrganizationMembership,
-    initializeAdminIntegrationConfigSync
+    initializeAdminIntegrationConfigSync,
+    initializeEnvConfigSync,
+    getEnvOverrides,
+    getEnvOverridesOrganized
   };
 };

backend/src/services/super-admin/super-admin-types.ts

@@ -1,3 +1,5 @@
+import { TEnvConfig } from "@app/lib/config/env";
+
 export type TAdminSignUpDTO = {
   email: string;
   password: string;
@@ -74,3 +76,10 @@ export type TAdminIntegrationConfig = {
     privateKey: string;
   };
 };
+
+export interface EnvOverrides {
+  [key: string]: {
+    name: string;
+    fields: { key: keyof TEnvConfig; value: string; hasEnvEntry: boolean; description?: string }[];
+  };
+}

backend/src/services/telemetry/telemetry-queue.ts

@@ -71,6 +71,15 @@ export const telemetryQueueServiceFactory = ({
       QueueName.TelemetryInstanceStats // just a job id
     );
 
+    if (postHog) {
+      await queueService.queue(QueueName.TelemetryInstanceStats, QueueJobs.TelemetryInstanceStats, undefined, {
+        jobId: QueueName.TelemetryInstanceStats,
+        repeat: { pattern: "0 0 * * *", utc: true }
+      });
+    }
+  };
+
+  const startAggregatedEventsJob = async () => {
     // clear previous aggregated events job
     await queueService.stopRepeatableJob(
       QueueName.TelemetryAggregatedEvents,
@@ -80,11 +89,6 @@ export const telemetryQueueServiceFactory = ({
     );
 
     if (postHog) {
-      await queueService.queue(QueueName.TelemetryInstanceStats, QueueJobs.TelemetryInstanceStats, undefined, {
-        jobId: QueueName.TelemetryInstanceStats,
-        repeat: { pattern: "0 0 * * *", utc: true }
-      });
-
       // Start aggregated events job (runs every five minutes)
       await queueService.queue(QueueName.TelemetryAggregatedEvents, QueueJobs.TelemetryAggregatedEvents, undefined, {
         jobId: QueueName.TelemetryAggregatedEvents,
@@ -102,6 +106,7 @@ export const telemetryQueueServiceFactory = ({
   });
 
   return {
-    startTelemetryCheck
+    startTelemetryCheck,
+    startAggregatedEventsJob
   };
 };

backend/src/services/telemetry/telemetry-service.ts

@@ -14,7 +14,7 @@ export const TELEMETRY_SECRET_PROCESSED_KEY = "telemetry-secret-processed";
 export const TELEMETRY_SECRET_OPERATIONS_KEY = "telemetry-secret-operations";
 
 export const POSTHOG_AGGREGATED_EVENTS = [PostHogEventTypes.SecretPulled];
-const TELEMETRY_AGGREGATED_KEY_EXP = 900; // 15mins
+const TELEMETRY_AGGREGATED_KEY_EXP = 600; // 10mins
 
 // Bucket configuration
 const TELEMETRY_BUCKET_COUNT = 30;
@@ -102,13 +102,6 @@ To opt into telemetry, you can set "TELEMETRY_ENABLED=true" within the environme
       const instanceType = licenseService.getInstanceType();
       // capture posthog only when its cloud or signup event happens in self-hosted
       if (instanceType === InstanceType.Cloud || event.event === PostHogEventTypes.UserSignedUp) {
-        if (event.organizationId) {
-          try {
-            postHog.groupIdentify({ groupType: "organization", groupKey: event.organizationId });
-          } catch (error) {
-            logger.error(error, "Failed to identify PostHog organization");
-          }
-        }
         if (POSTHOG_AGGREGATED_EVENTS.includes(event.event)) {
           const eventKey = createTelemetryEventKey(event.event, event.distinctId);
           await keyStore.setItemWithExpiry(
@@ -122,6 +115,13 @@ To opt into telemetry, you can set "TELEMETRY_ENABLED=true" within the environme
             })
           );
         } else {
+          if (event.organizationId) {
+            try {
+              postHog.groupIdentify({ groupType: "organization", groupKey: event.organizationId });
+            } catch (error) {
+              logger.error(error, "Failed to identify PostHog organization");
+            }
+          }
           postHog.capture({
             event: event.event,
             distinctId: event.distinctId,

cli/detect/cmd/scm/scm.go

@@ -35,6 +35,7 @@ const (
 	GitHubPlatform
 	GitLabPlatform
 	AzureDevOpsPlatform
+	BitBucketPlatform
 	// TODO: Add others.
 )
 
@@ -45,6 +46,7 @@ func (p Platform) String() string {
 		"github",
 		"gitlab",
 		"azuredevops",
+		"bitbucket",
 	}[p]
 }
 
@@ -60,6 +62,8 @@ func PlatformFromString(s string) (Platform, error) {
 		return GitLabPlatform, nil
 	case "azuredevops":
 		return AzureDevOpsPlatform, nil
+	case "bitbucket":
+		return BitBucketPlatform, nil
 	default:
 		return UnknownPlatform, fmt.Errorf("invalid scm platform value: %s", s)
 	}

cli/detect/git.go

@@ -208,6 +208,8 @@ func platformFromHost(u *url.URL) scm.Platform {
 		return scm.GitLabPlatform
 	case "dev.azure.com", "visualstudio.com":
 		return scm.AzureDevOpsPlatform
+	case "bitbucket.org":
+		return scm.BitBucketPlatform
 	default:
 		return scm.UnknownPlatform
 	}

cli/detect/utils.go

@@ -112,6 +112,15 @@ func createScmLink(scmPlatform scm.Platform, remoteUrl string, finding report.Fi
 		// This is a bit dirty, but Azure DevOps does not highlight the line when the lineStartColumn and lineEndColumn are not provided
 		link += "&lineStartColumn=1&lineEndColumn=10000000&type=2&lineStyle=plain&_a=files"
 		return link
+	case scm.BitBucketPlatform:
+		link := fmt.Sprintf("%s/src/%s/%s", remoteUrl, finding.Commit, filePath)
+		if finding.StartLine != 0 {
+			link += fmt.Sprintf("#lines-%d", finding.StartLine)
+		}
+		if finding.EndLine != finding.StartLine {
+			link += fmt.Sprintf(":%d", finding.EndLine)
+		}
+		return link
 	default:
 		// This should never happen.
 		return ""

cli/packages/cmd/scan.go

@@ -337,9 +337,7 @@ var scanCmd = &cobra.Command{
 			if gitCmd, err = sources.NewGitLogCmd(source, logOpts); err != nil {
 				logging.Fatal().Err(err).Msg("could not create Git cmd")
 			}
-			if scmPlatform, err = scm.PlatformFromString("github"); err != nil {
-				logging.Fatal().Err(err).Send()
-			}
+			scmPlatform = scm.UnknownPlatform
 			remote = detect.NewRemoteInfo(scmPlatform, source)
 
 			if findings, err = detector.DetectGit(gitCmd, remote); err != nil {

docs/api-reference/endpoints/app-connections/zabbix/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/zabbix/available"
+---

docs/api-reference/endpoints/app-connections/zabbix/create.mdx

@@ -0,0 +1,8 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/zabbix"
+---
+
+<Note>
+    Check out the configuration docs for [Zabbix Connections](/integrations/app-connections/zabbix) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/zabbix/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/zabbix/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/zabbix/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/zabbix/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/zabbix/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/zabbix/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/zabbix/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/zabbix"
+---

docs/api-reference/endpoints/app-connections/zabbix/update.mdx

@@ -0,0 +1,8 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/zabbix/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Zabbix Connections](/integrations/app-connections/zabbix) to learn how to obtain the required credentials.
+</Note>

docs/api-reference/endpoints/organizations/ldap-sso/create-ldap-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create LDAP SSO Config"
+openapi: "POST /api/v1/ldap/config"
+---

docs/api-reference/endpoints/organizations/ldap-sso/get-ldap-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get LDAP SSO Config"
+openapi: "GET /api/v1/ldap/config"
+---

docs/api-reference/endpoints/organizations/ldap-sso/update-ldap-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update LDAP SSO Config"
+openapi: "PATCH /api/v1/ldap/config"
+---

docs/api-reference/endpoints/organizations/oidc-sso/create-oidc-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create OIDC Config"
+openapi: "POST /api/v1/sso/oidc/config"
+---

docs/api-reference/endpoints/organizations/oidc-sso/get-oidc-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get OIDC Config"
+openapi: "GET /api/v1/sso/oidc/config"
+---

docs/api-reference/endpoints/organizations/oidc-sso/update-oidc-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update OIDC Config"
+openapi: "PATCH /api/v1/sso/oidc/config"
+---

docs/api-reference/endpoints/organizations/saml-sso/create-saml-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create SAML SSO Config"
+openapi: "POST /api/v1/sso/config"
+---

docs/api-reference/endpoints/organizations/saml-sso/get-saml-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get SAML SSO Config"
+openapi: "GET /api/v1/sso/config"
+---

docs/api-reference/endpoints/organizations/saml-sso/update-saml-config.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update SAML SSO Config"
+openapi: "PATCH /api/v1/sso/config"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/zabbix"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/zabbix/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/zabbix/{syncId}"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/zabbix/sync-name/{syncName}"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/import-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Import Secrets"
+openapi: "POST /api/v1/secret-syncs/zabbix/{syncId}/import-secrets"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/zabbix"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/remove-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/zabbix/{syncId}/remove-secrets"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/sync-secrets.mdx

@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/zabbix/{syncId}/sync-secrets"
+---

docs/api-reference/endpoints/secret-syncs/zabbix/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/zabbix/{syncId}"
+---

docs/docs.json

@@ -490,7 +490,8 @@
                   "integrations/app-connections/teamcity",
                   "integrations/app-connections/terraform-cloud",
                   "integrations/app-connections/vercel",
-                  "integrations/app-connections/windmill"
+                  "integrations/app-connections/windmill",
+                  "integrations/app-connections/zabbix"
                 ]
               }
             ]
@@ -523,7 +524,8 @@
                   "integrations/secret-syncs/teamcity",
                   "integrations/secret-syncs/terraform-cloud",
                   "integrations/secret-syncs/vercel",
-                  "integrations/secret-syncs/windmill"
+                  "integrations/secret-syncs/windmill",
+                  "integrations/secret-syncs/zabbix"
                 ]
               }
             ]
@@ -849,6 +851,30 @@
               {
                 "group": "Organizations",
                 "pages": [
+                {
+                  "group": "OIDC SSO",
+                  "pages": [
+                    "api-reference/endpoints/organizations/oidc-sso/get-oidc-config",
+                    "api-reference/endpoints/organizations/oidc-sso/update-oidc-config",
+                    "api-reference/endpoints/organizations/oidc-sso/create-oidc-config"
+                  ]
+                },
+                {
+                  "group": "LDAP SSO",
+                  "pages": [
+                    "api-reference/endpoints/organizations/ldap-sso/get-ldap-config",
+                    "api-reference/endpoints/organizations/ldap-sso/update-ldap-config",
+                    "api-reference/endpoints/organizations/ldap-sso/create-ldap-config"
+                  ]
+                },
+                {
+                  "group": "SAML SSO",
+                  "pages": [
+                    "api-reference/endpoints/organizations/saml-sso/get-saml-config",
+                    "api-reference/endpoints/organizations/saml-sso/update-saml-config",
+                    "api-reference/endpoints/organizations/saml-sso/create-saml-config"
+                  ]
+                },
                   "api-reference/endpoints/organizations/memberships",
                   "api-reference/endpoints/organizations/update-membership",
                   "api-reference/endpoints/organizations/delete-membership",
@@ -1521,6 +1547,18 @@
                       "api-reference/endpoints/app-connections/windmill/update",
                       "api-reference/endpoints/app-connections/windmill/delete"
                     ]
+                  },
+                  {
+                    "group": "Zabbix",
+                    "pages": [
+                      "api-reference/endpoints/app-connections/zabbix/list",
+                      "api-reference/endpoints/app-connections/zabbix/available",
+                      "api-reference/endpoints/app-connections/zabbix/get-by-id",
+                      "api-reference/endpoints/app-connections/zabbix/get-by-name",
+                      "api-reference/endpoints/app-connections/zabbix/create",
+                      "api-reference/endpoints/app-connections/zabbix/update",
+                      "api-reference/endpoints/app-connections/zabbix/delete"
+                    ]
                   }
                 ]
               },
@@ -1827,6 +1865,20 @@
                       "api-reference/endpoints/secret-syncs/windmill/import-secrets",
                       "api-reference/endpoints/secret-syncs/windmill/remove-secrets"
                     ]
+                  },
+                  {
+                    "group": "Zabbix",
+                    "pages": [
+                      "api-reference/endpoints/secret-syncs/zabbix/list",
+                      "api-reference/endpoints/secret-syncs/zabbix/get-by-id",
+                      "api-reference/endpoints/secret-syncs/zabbix/get-by-name",
+                      "api-reference/endpoints/secret-syncs/zabbix/create",
+                      "api-reference/endpoints/secret-syncs/zabbix/update",
+                      "api-reference/endpoints/secret-syncs/zabbix/delete",
+                      "api-reference/endpoints/secret-syncs/zabbix/sync-secrets",
+                      "api-reference/endpoints/secret-syncs/zabbix/import-secrets",
+                      "api-reference/endpoints/secret-syncs/zabbix/remove-secrets"
+                    ]
                   }
                 ]
               },