fix lint by adding void

This aims to fix the issue where it says

```
TypeError
Cannot read properties of undefined (reading 'component')
```

by telling the browser to not cache any chunks

.env.example

@@ -107,6 +107,14 @@ INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=
 
+#github radar app connection
+INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_ID=
+INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
+
 #gcp app connection
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 

.github/workflows/check-non-re2-regex.yml

@@ -0,0 +1,53 @@
+name: Detect Non-RE2 Regex
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  check-non-re2-regex:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get diff of backend/*
+        run: |
+          git diff --unified=0 "origin/${{ github.base_ref }}"...HEAD -- backend/ > diff.txt
+
+      - name: Scan backend diff for non-RE2 regex
+        run: |
+          # Extract only added lines (excluding file headers)
+          grep '^+' diff.txt | grep -v '^+++' | sed 's/^\+//' > added_lines.txt
+
+          if [ ! -s added_lines.txt ]; then
+            echo "✅ No added lines in backend/ to check for regex usage."
+            exit 0
+          fi
+
+          regex_usage_pattern='(^|[^A-Za-z0-9_"'"'"'`\.\/\\])(\/(?:\\.|[^\/\n\\])+\/[gimsuyv]*(?=\s*[\.\(;,)\]}:]|$)|new RegExp\()'
+
+          # Find all added lines that contain regex patterns
+          if grep -E "$regex_usage_pattern" added_lines.txt > potential_violations.txt 2>/dev/null; then
+            # Filter out lines that contain 'new RE2' (allowing for whitespace variations)
+            if grep -v -E 'new\s+RE2\s*\(' potential_violations.txt > actual_violations.txt 2>/dev/null && [ -s actual_violations.txt ]; then
+              echo "🚨 ERROR: Found forbidden regex pattern in added/modified backend code."
+              echo ""
+              echo "The following lines use raw regex literals (/.../) or new RegExp(...):"
+              echo "Please replace with 'new RE2(...)' for RE2 compatibility."
+              echo ""
+              echo "Offending lines:"
+              cat actual_violations.txt
+              exit 1
+            else
+              echo "✅ All identified regex usages are correctly using 'new RE2(...)'."
+            fi
+          else
+            echo "✅ No regex patterns found in added/modified backend lines."
+          fi
+
+      - name: Cleanup temporary files
+        if: always()
+        run: |
+          rm -f diff.txt added_lines.txt potential_violations.txt actual_violations.txt

.infisicalignore

@@ -28,3 +28,16 @@ frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow
 docs/cli/commands/user.mdx:generic-api-key:51
 frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx:generic-api-key:76
 docs/integrations/app-connections/hashicorp-vault.mdx:generic-api-key:188
+cli/detect/config/gitleaks.toml:gcp-api-key:567
+cli/detect/config/gitleaks.toml:gcp-api-key:569
+cli/detect/config/gitleaks.toml:gcp-api-key:570
+cli/detect/config/gitleaks.toml:gcp-api-key:572
+cli/detect/config/gitleaks.toml:gcp-api-key:574
+cli/detect/config/gitleaks.toml:gcp-api-key:575
+cli/detect/config/gitleaks.toml:gcp-api-key:576
+cli/detect/config/gitleaks.toml:gcp-api-key:577
+cli/detect/config/gitleaks.toml:gcp-api-key:578
+cli/detect/config/gitleaks.toml:gcp-api-key:579
+cli/detect/config/gitleaks.toml:gcp-api-key:581
+cli/detect/config/gitleaks.toml:gcp-api-key:582
+backend/src/services/smtp/smtp-service.ts:generic-api-key:79

backend/e2e-test/vitest-environment-knex.ts

@@ -15,8 +15,8 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
-import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+import { buildRedisFromConfig } from "@app/lib/config/redis";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -30,7 +30,7 @@ export default {
       dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = new Redis(envConfig.REDIS_URL);
+    const redis = buildRedisFromConfig(envConfig);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,8 +55,8 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig);
 
       const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();

backend/package.json

@@ -38,8 +38,8 @@
     "build:frontend": "npm run build --prefix ../frontend",
     "start": "node --enable-source-maps dist/main.mjs",
     "type:check": "tsc --noEmit",
-    "lint:fix": "eslint --fix --ext js,ts ./src",
-    "lint": "eslint 'src/**/*.ts'",
+    "lint:fix": "node --max-old-space-size=8192 ./node_modules/.bin/eslint --fix --ext js,ts ./src",
+    "lint": "node --max-old-space-size=8192 ./node_modules/.bin/eslint 'src/**/*.ts'",
     "test:unit": "vitest run -c vitest.unit.config.ts",
     "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
@@ -131,6 +131,7 @@
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
+    "@aws-sdk/client-route-53": "^3.810.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -174,6 +175,7 @@
     "@slack/oauth": "^3.0.2",
     "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
+    "acme-client": "^5.4.0",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",
@@ -209,6 +211,7 @@
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.8",
     "nodemailer": "^6.9.9",
+    "oci-sdk": "^2.108.0",
     "odbc": "^2.4.9",
     "openid-client": "^5.6.5",
     "ora": "^7.0.1",

backend/scripts/generate-schema-types.ts

@@ -84,6 +84,11 @@ const getZodDefaultValue = (type: unknown, value: string | number | boolean | Ob
   }
 };
 
+const bigIntegerColumns: Record<string, string[]> = {
+  "folder_commits": ["commitId"]
+};
+
+
 const main = async () => {
   const tables = (
     await db("information_schema.tables")
@@ -108,6 +113,9 @@ const main = async () => {
       const columnName = columnNames[colNum];
       const colInfo = columns[columnName];
       let ztype = getZodPrimitiveType(colInfo.type);
+      if (bigIntegerColumns[tableName]?.includes(columnName)) {
+        ztype = "z.coerce.bigint()";
+      }
       if (["zodBuffer"].includes(ztype)) {
         zodImportSet.add(ztype);
       }

backend/src/@types/fastify.d.ts

@@ -26,6 +26,7 @@ import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-con
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { TPitServiceFactory } from "@app/ee/services/pit/pit-service";
 import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
@@ -37,6 +38,7 @@ import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-ap
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
+import { TSecretScanningV2ServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
 import { TSshCertificateTemplateServiceFactory } from "@app/ee/services/ssh-certificate-template/ssh-certificate-template-service";
@@ -53,10 +55,12 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
+import { TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
@@ -68,6 +72,7 @@ import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
+import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
@@ -80,6 +85,8 @@ import { TOrgServiceFactory } from "@app/services/org/org-service";
 import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
+import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
+import { TPkiTemplatesServiceFactory } from "@app/services/pki-templates/pki-templates-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -108,11 +115,16 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
+    orgId?: string;
     identityAuthInfo?: {
       identityId: string;
       oidc?: {
         claims: Record<string, string>;
       };
+      kubernetes?: {
+        namespace: string;
+        name: string;
+      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -208,6 +220,7 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOciAuth: TIdentityOciAuthServiceFactory;
       identityOidcAuth: TIdentityOidcAuthServiceFactory;
       identityJwtAuth: TIdentityJwtAuthServiceFactory;
       identityLdapAuth: TIdentityLdapAuthServiceFactory;
@@ -232,6 +245,7 @@ declare module "fastify" {
       certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
       certificateEst: TCertificateEstServiceFactory;
       pkiCollection: TPkiCollectionServiceFactory;
+      pkiSubscriber: TPkiSubscriberServiceFactory;
       secretScanning: TSecretScanningServiceFactory;
       license: TLicenseServiceFactory;
       trustedIp: TTrustedIpServiceFactory;
@@ -264,6 +278,11 @@ declare module "fastify" {
       microsoftTeams: TMicrosoftTeamsServiceFactory;
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
+      folderCommit: TFolderCommitServiceFactory;
+      pit: TPitServiceFactory;
+      secretScanningV2: TSecretScanningV2ServiceFactory;
+      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
+      pkiTemplate: TPkiTemplatesServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -6,6 +6,9 @@ import {
   TAccessApprovalPoliciesApprovers,
   TAccessApprovalPoliciesApproversInsert,
   TAccessApprovalPoliciesApproversUpdate,
+  TAccessApprovalPoliciesBypassers,
+  TAccessApprovalPoliciesBypassersInsert,
+  TAccessApprovalPoliciesBypassersUpdate,
   TAccessApprovalPoliciesInsert,
   TAccessApprovalPoliciesUpdate,
   TAccessApprovalRequests,
@@ -68,12 +71,33 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalCertificateAuthorities,
+  TExternalCertificateAuthoritiesInsert,
+  TExternalCertificateAuthoritiesUpdate,
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate,
   TExternalKms,
   TExternalKmsInsert,
   TExternalKmsUpdate,
+  TFolderCheckpointResources,
+  TFolderCheckpointResourcesInsert,
+  TFolderCheckpointResourcesUpdate,
+  TFolderCheckpoints,
+  TFolderCheckpointsInsert,
+  TFolderCheckpointsUpdate,
+  TFolderCommitChanges,
+  TFolderCommitChangesInsert,
+  TFolderCommitChangesUpdate,
+  TFolderCommits,
+  TFolderCommitsInsert,
+  TFolderCommitsUpdate,
+  TFolderTreeCheckpointResources,
+  TFolderTreeCheckpointResourcesInsert,
+  TFolderTreeCheckpointResourcesUpdate,
+  TFolderTreeCheckpoints,
+  TFolderTreeCheckpointsInsert,
+  TFolderTreeCheckpointsUpdate,
   TGateways,
   TGatewaysInsert,
   TGatewaysUpdate,
@@ -119,6 +143,9 @@ import {
   TIdentityMetadata,
   TIdentityMetadataInsert,
   TIdentityMetadataUpdate,
+  TIdentityOciAuths,
+  TIdentityOciAuthsInsert,
+  TIdentityOciAuthsUpdate,
   TIdentityOidcAuths,
   TIdentityOidcAuthsInsert,
   TIdentityOidcAuthsUpdate,
@@ -152,6 +179,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
+  TInternalCertificateAuthorities,
+  TInternalCertificateAuthoritiesInsert,
+  TInternalCertificateAuthoritiesUpdate,
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
@@ -209,6 +239,9 @@ import {
   TPkiCollections,
   TPkiCollectionsInsert,
   TPkiCollectionsUpdate,
+  TPkiSubscribers,
+  TPkiSubscribersInsert,
+  TPkiSubscribersUpdate,
   TProjectBots,
   TProjectBotsInsert,
   TProjectBotsUpdate,
@@ -264,6 +297,9 @@ import {
   TSecretApprovalPoliciesApprovers,
   TSecretApprovalPoliciesApproversInsert,
   TSecretApprovalPoliciesApproversUpdate,
+  TSecretApprovalPoliciesBypassers,
+  TSecretApprovalPoliciesBypassersInsert,
+  TSecretApprovalPoliciesBypassersUpdate,
   TSecretApprovalPoliciesInsert,
   TSecretApprovalPoliciesUpdate,
   TSecretApprovalRequests,
@@ -318,9 +354,24 @@ import {
   TSecretRotationV2SecretMappingsInsert,
   TSecretRotationV2SecretMappingsUpdate,
   TSecrets,
+  TSecretScanningConfigs,
+  TSecretScanningConfigsInsert,
+  TSecretScanningConfigsUpdate,
+  TSecretScanningDataSources,
+  TSecretScanningDataSourcesInsert,
+  TSecretScanningDataSourcesUpdate,
+  TSecretScanningFindings,
+  TSecretScanningFindingsInsert,
+  TSecretScanningFindingsUpdate,
   TSecretScanningGitRisks,
   TSecretScanningGitRisksInsert,
   TSecretScanningGitRisksUpdate,
+  TSecretScanningResources,
+  TSecretScanningResourcesInsert,
+  TSecretScanningResourcesUpdate,
+  TSecretScanningScans,
+  TSecretScanningScansInsert,
+  TSecretScanningScansUpdate,
   TSecretSharing,
   TSecretSharingInsert,
   TSecretSharingUpdate,
@@ -532,6 +583,16 @@ declare module "knex/types/tables" {
       TCertificateAuthorityCrlInsert,
       TCertificateAuthorityCrlUpdate
     >;
+    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TInternalCertificateAuthorities,
+      TInternalCertificateAuthoritiesInsert,
+      TInternalCertificateAuthoritiesUpdate
+    >;
+    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
+      TExternalCertificateAuthorities,
+      TExternalCertificateAuthoritiesInsert,
+      TExternalCertificateAuthoritiesUpdate
+    >;
     [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
     [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
       TCertificateTemplates,
@@ -564,6 +625,11 @@ declare module "knex/types/tables" {
       TPkiCollectionItemsInsert,
       TPkiCollectionItemsUpdate
     >;
+    [TableName.PkiSubscriber]: KnexOriginal.CompositeTableType<
+      TPkiSubscribers,
+      TPkiSubscribersInsert,
+      TPkiSubscribersUpdate
+    >;
     [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
       TUserGroupMembership,
       TUserGroupMembershipInsert,
@@ -730,6 +796,11 @@ declare module "knex/types/tables" {
       TIdentityAzureAuthsInsert,
       TIdentityAzureAuthsUpdate
     >;
+    [TableName.IdentityOciAuth]: KnexOriginal.CompositeTableType<
+      TIdentityOciAuths,
+      TIdentityOciAuthsInsert,
+      TIdentityOciAuthsUpdate
+    >;
     [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
       TIdentityOidcAuths,
       TIdentityOidcAuthsInsert,
@@ -788,6 +859,12 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesApproversUpdate
     >;
 
+    [TableName.AccessApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
+      TAccessApprovalPoliciesBypassers,
+      TAccessApprovalPoliciesBypassersInsert,
+      TAccessApprovalPoliciesBypassersUpdate
+    >;
+
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -811,6 +888,11 @@ declare module "knex/types/tables" {
       TSecretApprovalPoliciesApproversInsert,
       TSecretApprovalPoliciesApproversUpdate
     >;
+    [TableName.SecretApprovalPolicyBypasser]: KnexOriginal.CompositeTableType<
+      TSecretApprovalPoliciesBypassers,
+      TSecretApprovalPoliciesBypassersInsert,
+      TSecretApprovalPoliciesBypassersUpdate
+    >;
     [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
       TSecretApprovalRequests,
       TSecretApprovalRequestsInsert,
@@ -1058,5 +1140,60 @@ declare module "knex/types/tables" {
       TGithubOrgSyncConfigsInsert,
       TGithubOrgSyncConfigsUpdate
     >;
+    [TableName.FolderCommit]: KnexOriginal.CompositeTableType<
+      TFolderCommits,
+      TFolderCommitsInsert,
+      TFolderCommitsUpdate
+    >;
+    [TableName.FolderCommitChanges]: KnexOriginal.CompositeTableType<
+      TFolderCommitChanges,
+      TFolderCommitChangesInsert,
+      TFolderCommitChangesUpdate
+    >;
+    [TableName.FolderCheckpoint]: KnexOriginal.CompositeTableType<
+      TFolderCheckpoints,
+      TFolderCheckpointsInsert,
+      TFolderCheckpointsUpdate
+    >;
+    [TableName.FolderCheckpointResources]: KnexOriginal.CompositeTableType<
+      TFolderCheckpointResources,
+      TFolderCheckpointResourcesInsert,
+      TFolderCheckpointResourcesUpdate
+    >;
+    [TableName.FolderTreeCheckpoint]: KnexOriginal.CompositeTableType<
+      TFolderTreeCheckpoints,
+      TFolderTreeCheckpointsInsert,
+      TFolderTreeCheckpointsUpdate
+    >;
+    [TableName.FolderTreeCheckpointResources]: KnexOriginal.CompositeTableType<
+      TFolderTreeCheckpointResources,
+      TFolderTreeCheckpointResourcesInsert,
+      TFolderTreeCheckpointResourcesUpdate
+    >;
+    [TableName.SecretScanningDataSource]: KnexOriginal.CompositeTableType<
+      TSecretScanningDataSources,
+      TSecretScanningDataSourcesInsert,
+      TSecretScanningDataSourcesUpdate
+    >;
+    [TableName.SecretScanningResource]: KnexOriginal.CompositeTableType<
+      TSecretScanningResources,
+      TSecretScanningResourcesInsert,
+      TSecretScanningResourcesUpdate
+    >;
+    [TableName.SecretScanningScan]: KnexOriginal.CompositeTableType<
+      TSecretScanningScans,
+      TSecretScanningScansInsert,
+      TSecretScanningScansUpdate
+    >;
+    [TableName.SecretScanningFinding]: KnexOriginal.CompositeTableType<
+      TSecretScanningFindings,
+      TSecretScanningFindingsInsert,
+      TSecretScanningFindingsUpdate
+    >;
+    [TableName.SecretScanningConfig]: KnexOriginal.CompositeTableType<
+      TSecretScanningConfigs,
+      TSecretScanningConfigsInsert,
+      TSecretScanningConfigsUpdate
+    >;
   }
 }

backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts

@@ -0,0 +1,44 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
+    if (!hasProjectIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId", 36).nullable();
+        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      });
+
+      await knex.raw(`
+          UPDATE "${TableName.Certificate}" cert
+          SET "projectId" = ca."projectId"
+          FROM "${TableName.CertificateAuthority}" ca
+          WHERE cert."caId" = ca.id
+        `);
+
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("projectId").notNullable().alter();
+      });
+    }
+
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caId").nullable().alter();
+      t.uuid("caCertId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropForeign("projectId");
+        t.dropColumn("projectId");
+      });
+    }
+  }
+
+  // Altering back to notNullable for caId and caCertId will fail
+}

backend/src/db/migrations/20250430174352_email-case-change.ts

@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEmail = await knex.schema.hasColumn(TableName.Users, "email");
+  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
+  if (hasEmail) {
+    await knex(TableName.Users)
+      .where({ isGhost: false })
+      .update({
+        // @ts-expect-error email assume string this is expected
+        email: knex.raw("lower(email)")
+      });
+  }
+  if (hasUsername) {
+    await knex.schema.raw(`
+      CREATE INDEX IF NOT EXISTS ${TableName.Users}_lower_username_idx 
+      ON ${TableName.Users} (LOWER(username))
+    `);
+
+    const duplicatesSubquery = knex(TableName.Users)
+      .select(knex.raw("lower(username) as lowercase_username"))
+      .groupBy("lowercase_username")
+      .having(knex.raw("count(*)"), ">", 1);
+
+    // Update usernames to lowercase where they won't create duplicates
+    await knex(TableName.Users)
+      .where({ isGhost: false })
+      .whereRaw("username <> lower(username)") // Only update if not already lowercase
+      // @ts-expect-error username assume string this is expected
+      .whereNotIn(knex.raw("lower(username)"), duplicatesSubquery)
+      .update({
+        // @ts-expect-error username assume string this is expected
+        username: knex.raw("lower(username)")
+      });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
+  if (hasUsername) {
+    await knex.schema.raw(`
+  DROP INDEX IF EXISTS ${TableName.Users}_lower_username_idx
+`);
+  }
+}

backend/src/db/migrations/20250505194916_add-pit-revamp-tables.ts

@@ -0,0 +1,166 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (!hasFolderCommitTable) {
+    await knex.schema.createTable(TableName.FolderCommit, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.bigIncrements("commitId");
+      t.jsonb("actorMetadata").notNullable();
+      t.string("actorType").notNullable();
+      t.string("message");
+      t.uuid("folderId").notNullable();
+      t.uuid("envId").notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderId");
+      t.index("envId");
+    });
+  }
+
+  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
+  if (!hasFolderCommitChangesTable) {
+    await knex.schema.createTable(TableName.FolderCommitChanges, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.string("changeType").notNullable();
+      t.boolean("isUpdate").notNullable().defaultTo(false);
+      t.uuid("secretVersionId");
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("folderVersionId");
+      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+      t.index("secretVersionId");
+      t.index("folderVersionId");
+    });
+  }
+
+  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
+  if (!hasFolderCheckpointTable) {
+    await knex.schema.createTable(TableName.FolderCheckpoint, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+    });
+  }
+
+  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
+  if (!hasFolderCheckpointResourcesTable) {
+    await knex.schema.createTable(TableName.FolderCheckpointResources, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCheckpointId").notNullable();
+      t.foreign("folderCheckpointId").references("id").inTable(TableName.FolderCheckpoint).onDelete("CASCADE");
+      t.uuid("secretVersionId");
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("folderVersionId");
+      t.foreign("folderVersionId").references("id").inTable(TableName.SecretFolderVersion).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCheckpointId");
+      t.index("secretVersionId");
+      t.index("folderVersionId");
+    });
+  }
+
+  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
+  if (!hasFolderTreeCheckpointTable) {
+    await knex.schema.createTable(TableName.FolderTreeCheckpoint, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderCommitId");
+    });
+  }
+
+  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
+  if (!hasFolderTreeCheckpointResourcesTable) {
+    await knex.schema.createTable(TableName.FolderTreeCheckpointResources, (t) => {
+      t.uuid("id").primary().defaultTo(knex.fn.uuid());
+      t.uuid("folderTreeCheckpointId").notNullable();
+      t.foreign("folderTreeCheckpointId").references("id").inTable(TableName.FolderTreeCheckpoint).onDelete("CASCADE");
+      t.uuid("folderId").notNullable();
+      t.uuid("folderCommitId").notNullable();
+      t.foreign("folderCommitId").references("id").inTable(TableName.FolderCommit).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.index("folderTreeCheckpointId");
+      t.index("folderId");
+      t.index("folderCommitId");
+    });
+  }
+
+  if (!hasFolderCommitTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCommit);
+  }
+
+  if (!hasFolderCommitChangesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCommitChanges);
+  }
+
+  if (!hasFolderCheckpointTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCheckpoint);
+  }
+
+  if (!hasFolderCheckpointResourcesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
+  }
+
+  if (!hasFolderTreeCheckpointTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
+  }
+
+  if (!hasFolderTreeCheckpointResourcesTable) {
+    await createOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFolderCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderCheckpointResources);
+  const hasFolderTreeCheckpointResourcesTable = await knex.schema.hasTable(TableName.FolderTreeCheckpointResources);
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  const hasFolderCommitChangesTable = await knex.schema.hasTable(TableName.FolderCommitChanges);
+  const hasFolderTreeCheckpointTable = await knex.schema.hasTable(TableName.FolderTreeCheckpoint);
+  const hasFolderCheckpointTable = await knex.schema.hasTable(TableName.FolderCheckpoint);
+
+  if (hasFolderTreeCheckpointResourcesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpointResources);
+    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpointResources);
+  }
+
+  if (hasFolderCheckpointResourcesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCheckpointResources);
+    await knex.schema.dropTableIfExists(TableName.FolderCheckpointResources);
+  }
+
+  if (hasFolderTreeCheckpointTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderTreeCheckpoint);
+    await knex.schema.dropTableIfExists(TableName.FolderTreeCheckpoint);
+  }
+
+  if (hasFolderCheckpointTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCheckpoint);
+    await knex.schema.dropTableIfExists(TableName.FolderCheckpoint);
+  }
+
+  if (hasFolderCommitChangesTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCommitChanges);
+    await knex.schema.dropTableIfExists(TableName.FolderCommitChanges);
+  }
+
+  if (hasFolderCommitTable) {
+    await dropOnUpdateTrigger(knex, TableName.FolderCommit);
+    await knex.schema.dropTableIfExists(TableName.FolderCommit);
+  }
+}

backend/src/db/migrations/20250508160957_pki-subscriber.ts

@@ -0,0 +1,46 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.PkiSubscriber))) {
+    await knex.schema.createTable(TableName.PkiSubscriber, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("caId").nullable();
+      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("SET NULL");
+      t.string("name").notNullable();
+      t.string("commonName").notNullable();
+      t.specificType("subjectAlternativeNames", "text[]").notNullable();
+      t.string("ttl").notNullable();
+      t.specificType("keyUsages", "text[]").notNullable();
+      t.specificType("extendedKeyUsages", "text[]").notNullable();
+      t.string("status").notNullable(); // active / disabled
+      t.unique(["projectId", "name"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.PkiSubscriber);
+  }
+
+  const hasSubscriberCol = await knex.schema.hasColumn(TableName.Certificate, "pkiSubscriberId");
+  if (!hasSubscriberCol) {
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("pkiSubscriberId").nullable();
+      t.foreign("pkiSubscriberId").references("id").inTable(TableName.PkiSubscriber).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSubscriberCol = await knex.schema.hasColumn(TableName.Certificate, "pkiSubscriberId");
+  if (hasSubscriberCol) {
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.dropColumn("pkiSubscriberId");
+    });
+  }
+
+  await knex.schema.dropTableIfExists(TableName.PkiSubscriber);
+  await dropOnUpdateTrigger(knex, TableName.PkiSubscriber);
+}

backend/src/db/migrations/20250508210717_identity-oci-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityOciAuth))) {
+    await knex.schema.createTable(TableName.IdentityOciAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+
+      t.string("tenancyOcid").notNullable();
+      t.string("allowedUsernames").nullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityOciAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}

backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (!hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -0,0 +1,110 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+// Note(daniel): We aren't dropping tables or columns in this migrations so we can easily rollback if needed.
+// In the future we need to drop the projectGatewayId on the dynamic secrets table, and drop the project_gateways table entirely.
+
+const BATCH_SIZE = 500;
+
+export async function up(knex: Knex): Promise<void> {
+  // eslint-disable-next-line no-param-reassign
+  knex.replicaNode = () => {
+    return knex;
+  };
+
+  if (!(await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+
+      table.index("gatewayId");
+    });
+
+    const existingDynamicSecretsWithProjectGatewayId = await knex(TableName.DynamicSecret)
+      .select(selectAllTableCols(TableName.DynamicSecret))
+      .whereNotNull(`${TableName.DynamicSecret}.projectGatewayId`)
+      .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.id`, `${TableName.DynamicSecret}.projectGatewayId`)
+      .whereNotNull(`${TableName.ProjectGateway}.gatewayId`)
+      .select(
+        knex.ref("projectId").withSchema(TableName.ProjectGateway).as("projectId"),
+        knex.ref("gatewayId").withSchema(TableName.ProjectGateway).as("projectGatewayGatewayId")
+      );
+
+    initLogger();
+    const envConfig = getMigrationEnvConfig();
+    const keyStore = inMemoryKeyStore();
+    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+    const updatedDynamicSecrets = await Promise.all(
+      existingDynamicSecretsWithProjectGatewayId.map(async (existingDynamicSecret) => {
+        if (!existingDynamicSecret.projectGatewayGatewayId) {
+          const result = {
+            ...existingDynamicSecret,
+            gatewayId: null
+          };
+
+          const { projectId, projectGatewayGatewayId, ...rest } = result;
+          return rest;
+        }
+
+        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+        const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+
+        let decryptedStoredInput = JSON.parse(
+          secretManagerDecryptor({ cipherTextBlob: Buffer.from(existingDynamicSecret.encryptedInput) }).toString()
+        ) as object;
+
+        // We're not removing the existing projectGatewayId from the input so we can easily rollback without having to re-encrypt the input
+        decryptedStoredInput = {
+          ...decryptedStoredInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const encryptedInput = secretManagerEncryptor({
+          plainText: Buffer.from(JSON.stringify(decryptedStoredInput))
+        }).cipherTextBlob;
+
+        const result = {
+          ...existingDynamicSecret,
+          encryptedInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const { projectId, projectGatewayGatewayId, ...rest } = result;
+        return rest;
+      })
+    );
+
+    for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.DynamicSecret)
+        .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
+        .onConflict("id")
+        .merge();
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // no re-encryption needed as we keep the old projectGatewayId in the input
+  if (await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId")) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250515164622_select-org-products.ts

@@ -0,0 +1,53 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!columns.secretsProductEnabled) {
+      t.boolean("secretsProductEnabled").defaultTo(true);
+    }
+    if (!columns.pkiProductEnabled) {
+      t.boolean("pkiProductEnabled").defaultTo(true);
+    }
+    if (!columns.kmsProductEnabled) {
+      t.boolean("kmsProductEnabled").defaultTo(true);
+    }
+    if (!columns.sshProductEnabled) {
+      t.boolean("sshProductEnabled").defaultTo(true);
+    }
+    if (!columns.scannerProductEnabled) {
+      t.boolean("scannerProductEnabled").defaultTo(true);
+    }
+    if (!columns.shareSecretsProductEnabled) {
+      t.boolean("shareSecretsProductEnabled").defaultTo(true);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (columns.secretsProductEnabled) {
+      t.dropColumn("secretsProductEnabled");
+    }
+    if (columns.pkiProductEnabled) {
+      t.dropColumn("pkiProductEnabled");
+    }
+    if (columns.kmsProductEnabled) {
+      t.dropColumn("kmsProductEnabled");
+    }
+    if (columns.sshProductEnabled) {
+      t.dropColumn("sshProductEnabled");
+    }
+    if (columns.scannerProductEnabled) {
+      t.dropColumn("scannerProductEnabled");
+    }
+    if (columns.shareSecretsProductEnabled) {
+      t.dropColumn("shareSecretsProductEnabled");
+    }
+  });
+}

backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (!hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.boolean("secretSharing").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
+  if (hasSecretSharingColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.dropColumn("secretSharing");
+    });
+  }
+}

backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (!hasLifetimeColumn || !hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (!hasLifetimeColumn) {
+        t.integer("maxSharedSecretLifetime").nullable().defaultTo(2592000); // 30 days in seconds
+      }
+      if (!hasViewLimitColumn) {
+        t.integer("maxSharedSecretViewLimit").nullable();
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
+  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
+
+  if (hasLifetimeColumn || hasViewLimitColumn) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      if (hasLifetimeColumn) {
+        t.dropColumn("maxSharedSecretLifetime");
+      }
+      if (hasViewLimitColumn) {
+        t.dropColumn("maxSharedSecretViewLimit");
+      }
+    });
+  }
+}

backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts

@@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (!hasEncryptedSalt || !hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        // These two columns are only needed when secrets are shared with a specific list of emails
+
+        if (!hasEncryptedSalt) {
+          t.binary("encryptedSalt").nullable();
+        }
+
+        if (!hasAuthorizedEmails) {
+          t.json("authorizedEmails").nullable();
+        }
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
+
+    if (hasEncryptedSalt || hasAuthorizedEmails) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        if (hasEncryptedSalt) {
+          t.dropColumn("encryptedSalt");
+        }
+
+        if (hasAuthorizedEmails) {
+          t.dropColumn("authorizedEmails");
+        }
+      });
+    }
+  }
+}

backend/src/db/migrations/20250517002225_secret-scanning-v2.ts

@@ -0,0 +1,107 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+import {
+  SecretScanningFindingStatus,
+  SecretScanningScanStatus
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretScanningDataSource))) {
+    await knex.schema.createTable(TableName.SecretScanningDataSource, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("externalId").index(); // if we need a unique way of identifying this data source from an external resource
+      t.string("name", 48).notNullable();
+      t.string("description");
+      t.string("type").notNullable();
+      t.jsonb("config").notNullable();
+      t.binary("encryptedCredentials"); // webhook credentials, etc.
+      t.uuid("connectionId");
+      t.boolean("isAutoScanEnabled").defaultTo(true);
+      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.boolean("isDisconnected").notNullable().defaultTo(false);
+      t.unique(["projectId", "name"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SecretScanningDataSource);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretScanningResource))) {
+    await knex.schema.createTable(TableName.SecretScanningResource, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("externalId").notNullable();
+      t.string("name").notNullable();
+      t.string("type").notNullable();
+      t.uuid("dataSourceId").notNullable();
+      t.foreign("dataSourceId").references("id").inTable(TableName.SecretScanningDataSource).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.unique(["dataSourceId", "externalId"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SecretScanningResource);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretScanningScan))) {
+    await knex.schema.createTable(TableName.SecretScanningScan, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("status").notNullable().defaultTo(SecretScanningScanStatus.Queued);
+      t.string("statusMessage", 1024);
+      t.string("type").notNullable();
+      t.uuid("resourceId").notNullable();
+      t.foreign("resourceId").references("id").inTable(TableName.SecretScanningResource).onDelete("CASCADE");
+      t.timestamp("createdAt").defaultTo(knex.fn.now());
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretScanningFinding))) {
+    await knex.schema.createTable(TableName.SecretScanningFinding, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("dataSourceName").notNullable();
+      t.string("dataSourceType").notNullable();
+      t.string("resourceName").notNullable();
+      t.string("resourceType").notNullable();
+      t.string("rule").notNullable();
+      t.string("severity").notNullable();
+      t.string("status").notNullable().defaultTo(SecretScanningFindingStatus.Unresolved);
+      t.string("remarks");
+      t.string("fingerprint").notNullable();
+      t.jsonb("details").notNullable();
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("scanId");
+      t.foreign("scanId").references("id").inTable(TableName.SecretScanningScan).onDelete("SET NULL");
+      t.timestamps(true, true, true);
+      t.unique(["projectId", "fingerprint"]);
+    });
+    await createOnUpdateTrigger(knex, TableName.SecretScanningFinding);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretScanningConfig))) {
+    await knex.schema.createTable(TableName.SecretScanningConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("projectId").notNullable().unique();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("content", 5000);
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.SecretScanningConfig);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretScanningFinding);
+
+  await dropOnUpdateTrigger(knex, TableName.SecretScanningFinding);
+  await knex.schema.dropTableIfExists(TableName.SecretScanningScan);
+
+  await knex.schema.dropTableIfExists(TableName.SecretScanningResource);
+  await dropOnUpdateTrigger(knex, TableName.SecretScanningResource);
+
+  await knex.schema.dropTableIfExists(TableName.SecretScanningDataSource);
+  await dropOnUpdateTrigger(knex, TableName.SecretScanningDataSource);
+
+  await knex.schema.dropTableIfExists(TableName.SecretScanningConfig);
+  await dropOnUpdateTrigger(knex, TableName.SecretScanningConfig);
+}

backend/src/db/migrations/20250521061831_increase-name-sizes.ts

@@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+  await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
+    t.string("name", 64).notNullable().alter();
+  });
+}
+
+export async function down(): Promise<void> {
+  // No down migration or it will error
+}

backend/src/db/migrations/20250521110635_add-external-ca-pki.ts

@@ -0,0 +1,205 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && !hasInternalCATable) {
+    await knex.schema.createTableLike(TableName.InternalCertificateAuthority, TableName.CertificateAuthority, (t) => {
+      t.uuid("caId").nullable();
+    });
+
+    // @ts-expect-error intentional: migration
+    await knex(TableName.InternalCertificateAuthority).insert(knex(TableName.CertificateAuthority).select("*"));
+    await knex(TableName.InternalCertificateAuthority).update("caId", knex.ref("id"));
+
+    await knex.schema.alterTable(TableName.InternalCertificateAuthority, (t) => {
+      t.dropColumn("projectId");
+      t.dropColumn("requireTemplateForIssuance");
+      t.dropColumn("createdAt");
+      t.dropColumn("updatedAt");
+      t.dropColumn("status");
+      t.uuid("parentCaId")
+        .nullable()
+        .references("id")
+        .inTable(TableName.CertificateAuthority)
+        .onDelete("CASCADE")
+        .alter();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert).alter();
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE").alter();
+    });
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.renameColumn("requireTemplateForIssuance", "enableDirectIssuance");
+      t.string("name").nullable();
+    });
+
+    // prefill name for existing internal CAs and flip enableDirectIssuance
+    const cas = await knex(TableName.CertificateAuthority).select("id", "friendlyName", "enableDirectIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        const slugifiedName = ca.friendlyName
+          ? slugify(`${ca.friendlyName.slice(0, 16)}-${alphaNumericNanoId(8)}`)
+          : slugify(alphaNumericNanoId(12));
+
+        return knex(TableName.CertificateAuthority)
+          .where({ id: ca.id })
+          .update({ name: slugifiedName, enableDirectIssuance: !ca.enableDirectIssuance });
+      })
+    );
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.dropColumn("parentCaId");
+      t.dropColumn("type");
+      t.dropColumn("friendlyName");
+      t.dropColumn("organization");
+      t.dropColumn("ou");
+      t.dropColumn("country");
+      t.dropColumn("province");
+      t.dropColumn("locality");
+      t.dropColumn("commonName");
+      t.dropColumn("dn");
+      t.dropColumn("serialNumber");
+      t.dropColumn("maxPathLength");
+      t.dropColumn("keyAlgorithm");
+      t.dropColumn("notBefore");
+      t.dropColumn("notAfter");
+      t.dropColumn("activeCaCertId");
+      t.boolean("enableDirectIssuance").notNullable().defaultTo(true).alter();
+      t.string("name").notNullable().alter();
+      t.unique(["name", "projectId"]);
+    });
+  }
+
+  if (!hasExternalCATable) {
+    await knex.schema.createTable(TableName.ExternalCertificateAuthority, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("type").notNullable();
+      t.uuid("appConnectionId").nullable();
+      t.foreign("appConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("dnsAppConnectionId").nullable();
+      t.foreign("dnsAppConnectionId").references("id").inTable(TableName.AppConnection);
+      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("credentials");
+      t.json("configuration");
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.string("ttl").nullable().alter();
+
+      t.boolean("enableAutoRenewal").notNullable().defaultTo(false);
+      t.integer("autoRenewalPeriodInDays");
+      t.datetime("lastAutoRenewAt");
+
+      t.string("lastOperationStatus");
+      t.text("lastOperationMessage");
+      t.dateTime("lastOperationAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
+  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
+  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
+
+  if (hasCATable && hasInternalCATable) {
+    // First add all columns as nullable
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.uuid("parentCaId").nullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.string("type").nullable();
+      t.string("friendlyName").nullable();
+      t.string("organization").nullable();
+      t.string("ou").nullable();
+      t.string("country").nullable();
+      t.string("province").nullable();
+      t.string("locality").nullable();
+      t.string("commonName").nullable();
+      t.string("dn").nullable();
+      t.string("serialNumber").nullable().unique();
+      t.integer("maxPathLength").nullable();
+      t.string("keyAlgorithm").nullable();
+      t.timestamp("notBefore").nullable();
+      t.timestamp("notAfter").nullable();
+      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert);
+      t.renameColumn("enableDirectIssuance", "requireTemplateForIssuance");
+      t.dropColumn("name");
+    });
+
+    // flip requireTemplateForIssuance for existing internal CAs
+    const cas = await knex(TableName.CertificateAuthority).select("id", "requireTemplateForIssuance");
+    await Promise.all(
+      cas.map((ca) => {
+        return (
+          knex(TableName.CertificateAuthority)
+            .where({ id: ca.id })
+            // @ts-expect-error intentional: migration
+            .update({ requireTemplateForIssuance: !ca.requireTemplateForIssuance })
+        );
+      })
+    );
+
+    await knex.raw(`
+      UPDATE ${TableName.CertificateAuthority} ca
+      SET
+        type = ica.type,
+        "friendlyName" = ica."friendlyName",
+        organization = ica.organization,
+        ou = ica.ou,
+        country = ica.country,
+        province = ica.province,
+        locality = ica.locality,
+        "commonName" = ica."commonName",
+        dn = ica.dn,
+        "parentCaId" = ica."parentCaId",
+        "serialNumber" = ica."serialNumber",
+        "maxPathLength" = ica."maxPathLength",
+        "keyAlgorithm" = ica."keyAlgorithm",
+        "notBefore" = ica."notBefore",
+        "notAfter" = ica."notAfter",
+        "activeCaCertId" = ica."activeCaCertId"
+      FROM ${TableName.InternalCertificateAuthority} ica
+      WHERE ca.id = ica."caId"
+    `);
+
+    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+      t.string("type").notNullable().alter();
+      t.string("friendlyName").notNullable().alter();
+      t.string("organization").notNullable().alter();
+      t.string("ou").notNullable().alter();
+      t.string("country").notNullable().alter();
+      t.string("province").notNullable().alter();
+      t.string("locality").notNullable().alter();
+      t.string("commonName").notNullable().alter();
+      t.string("dn").notNullable().alter();
+      t.string("keyAlgorithm").notNullable().alter();
+      t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false).alter();
+    });
+
+    await knex.schema.dropTable(TableName.InternalCertificateAuthority);
+  }
+
+  if (hasExternalCATable) {
+    await knex.schema.dropTable(TableName.ExternalCertificateAuthority);
+  }
+
+  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.dropColumn("enableAutoRenewal");
+      t.dropColumn("autoRenewalPeriodInDays");
+      t.dropColumn("lastAutoRenewAt");
+
+      t.dropColumn("lastOperationStatus");
+      t.dropColumn("lastOperationMessage");
+      t.dropColumn("lastOperationAt");
+    });
+  }
+}

backend/src/db/migrations/20250527030702_policy-bypassers.ts

@@ -0,0 +1,48 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyBypasser))) {
+    await knex.schema.createTable(TableName.AccessApprovalPolicyBypasser, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("bypasserGroupId").nullable();
+      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+
+      t.uuid("bypasserUserId").nullable();
+      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyBypasser))) {
+    await knex.schema.createTable(TableName.SecretApprovalPolicyBypasser, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("bypasserGroupId").nullable();
+      t.foreign("bypasserGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+
+      t.uuid("bypasserUserId").nullable();
+      t.foreign("bypasserUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      t.uuid("policyId").notNullable();
+      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyBypasser);
+  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyBypasser);
+
+  await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyBypasser);
+  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyBypasser);
+}

backend/src/db/migrations/20250527140639_dynamic-secret-username-template.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "usernameTemplate");
+  if (!hasColumn) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      t.string("usernameTemplate").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "usernameTemplate");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      t.dropColumn("usernameTemplate");
+    });
+  }
+}

backend/src/db/migrations/20250527164523_add-mi-access-token-period.ts

@@ -0,0 +1,139 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod"))) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+
+  if (await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod")) {
+    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
+      t.dropColumn("accessTokenPeriod");
+    });
+  }
+}

backend/src/db/migrations/20250528110936_add-folder-description-to-versioning.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretFolderVersion, "description"))) {
+    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
+      t.string("description").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretFolderVersion, "description")) {
+    await knex.schema.alterTable(TableName.SecretFolderVersion, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/migrations/20250528145356_add-template-slug.ts

@@ -0,0 +1,24 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasNameCol = await knex.schema.hasColumn(TableName.CertificateTemplate, "name");
+  if (hasNameCol) {
+    const templates = await knex(TableName.CertificateTemplate).select("id", "name");
+    await Promise.all(
+      templates.map((el) => {
+        const slugifiedName = el.name
+          ? slugify(`${el.name.slice(0, 16)}-${alphaNumericNanoId(8)}`)
+          : slugify(alphaNumericNanoId(12));
+
+        return knex(TableName.CertificateTemplate).where({ id: el.id }).update({ name: slugifiedName });
+      })
+    );
+  }
+}
+
+export async function down(): Promise<void> {}

backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("encryptedSalt");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (!hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.binary("encryptedSalt").nullable();
+      });
+    }
+  }
+}

backend/src/db/migrations/20250530152721_add-access-approval-request-deleted-at.ts

@@ -0,0 +1,63 @@
+import { Knex } from "knex";
+
+import { ApprovalStatus } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalRequest,
+    "privilegeDeletedAt"
+  );
+  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
+
+  if (!hasPrivilegeDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.timestamp("privilegeDeletedAt").nullable();
+    });
+  }
+
+  if (!hasStatusColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.string("status").defaultTo(ApprovalStatus.PENDING).notNullable();
+    });
+
+    // Update existing rows based on business logic
+    // If privilegeId is not null, set status to "approved"
+    await knex(TableName.AccessApprovalRequest).whereNotNull("privilegeId").update({ status: ApprovalStatus.APPROVED });
+
+    // If privilegeId is null and there's a rejected reviewer, set to "rejected"
+    const rejectedRequestIds = await knex(TableName.AccessApprovalRequestReviewer)
+      .select("requestId")
+      .where("status", "rejected")
+      .distinct()
+      .pluck("requestId");
+
+    if (rejectedRequestIds.length > 0) {
+      await knex(TableName.AccessApprovalRequest)
+        .whereNull("privilegeId")
+        .whereIn("id", rejectedRequestIds)
+        .update({ status: ApprovalStatus.REJECTED });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasPrivilegeDeletedAtColumn = await knex.schema.hasColumn(
+    TableName.AccessApprovalRequest,
+    "privilegeDeletedAt"
+  );
+  const hasStatusColumn = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "status");
+
+  if (hasPrivilegeDeletedAtColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.dropColumn("privilegeDeletedAt");
+    });
+  }
+
+  if (hasStatusColumn) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
+      t.dropColumn("status");
+    });
+  }
+}

backend/src/db/migrations/20250602155451_fix-secret-versions.ts

@@ -0,0 +1,139 @@
+/* eslint-disable no-await-in-loop */
+import { Knex } from "knex";
+
+import { chunkArray } from "@app/lib/fn";
+import { selectAllTableCols } from "@app/lib/knex";
+import { logger } from "@app/lib/logger";
+
+import { SecretType, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  logger.info("Starting secret version fix migration");
+
+  // Get all shared secret IDs first to optimize versions query
+  const secretIds = await knex(TableName.SecretV2)
+    .where("type", SecretType.Shared)
+    .select("id")
+    .then((rows) => rows.map((row) => row.id));
+
+  logger.info(`Found ${secretIds.length} shared secrets to process`);
+
+  if (secretIds.length === 0) {
+    logger.info("No shared secrets found");
+    return;
+  }
+
+  const secretIdChunks = chunkArray(secretIds, 5000);
+
+  for (let chunkIndex = 0; chunkIndex < secretIdChunks.length; chunkIndex += 1) {
+    const currentSecretIds = secretIdChunks[chunkIndex];
+    logger.info(`Processing chunk ${chunkIndex + 1} of ${secretIdChunks.length}`);
+
+    // Get secrets and versions for current chunk
+    const [sharedSecrets, allVersions] = await Promise.all([
+      knex(TableName.SecretV2).whereIn("id", currentSecretIds).select(selectAllTableCols(TableName.SecretV2)),
+      knex(TableName.SecretVersionV2).whereIn("secretId", currentSecretIds).select("secretId", "version")
+    ]);
+
+    const versionsBySecretId = new Map<string, number[]>();
+
+    allVersions.forEach((v) => {
+      const versions = versionsBySecretId.get(v.secretId);
+      if (versions) {
+        versions.push(v.version);
+      } else {
+        versionsBySecretId.set(v.secretId, [v.version]);
+      }
+    });
+
+    const versionsToAdd = [];
+    const secretsToUpdate = [];
+
+    // Process each shared secret
+    for (const secret of sharedSecrets) {
+      const existingVersions = versionsBySecretId.get(secret.id) || [];
+
+      if (existingVersions.length === 0) {
+        // No versions exist - add current version
+        versionsToAdd.push({
+          secretId: secret.id,
+          version: secret.version,
+          key: secret.key,
+          encryptedValue: secret.encryptedValue,
+          encryptedComment: secret.encryptedComment,
+          reminderNote: secret.reminderNote,
+          reminderRepeatDays: secret.reminderRepeatDays,
+          skipMultilineEncoding: secret.skipMultilineEncoding,
+          metadata: secret.metadata,
+          folderId: secret.folderId,
+          actorType: "platform"
+        });
+      } else {
+        const latestVersion = Math.max(...existingVersions);
+
+        if (latestVersion !== secret.version) {
+          // Latest version doesn't match - create new version and update secret
+          const nextVersion = latestVersion + 1;
+
+          versionsToAdd.push({
+            secretId: secret.id,
+            version: nextVersion,
+            key: secret.key,
+            encryptedValue: secret.encryptedValue,
+            encryptedComment: secret.encryptedComment,
+            reminderNote: secret.reminderNote,
+            reminderRepeatDays: secret.reminderRepeatDays,
+            skipMultilineEncoding: secret.skipMultilineEncoding,
+            metadata: secret.metadata,
+            folderId: secret.folderId,
+            actorType: "platform"
+          });
+
+          secretsToUpdate.push({
+            id: secret.id,
+            newVersion: nextVersion
+          });
+        }
+      }
+    }
+
+    logger.info(
+      `Chunk ${chunkIndex + 1}: Adding ${versionsToAdd.length} versions, updating ${secretsToUpdate.length} secrets`
+    );
+
+    // Batch insert new versions
+    if (versionsToAdd.length > 0) {
+      const insertBatches = chunkArray(versionsToAdd, 9000);
+      for (let i = 0; i < insertBatches.length; i += 1) {
+        await knex.batchInsert(TableName.SecretVersionV2, insertBatches[i]);
+      }
+    }
+
+    if (secretsToUpdate.length > 0) {
+      const updateBatches = chunkArray(secretsToUpdate, 1000);
+
+      for (const updateBatch of updateBatches) {
+        const ids = updateBatch.map((u) => u.id);
+        const versionCases = updateBatch.map((u) => `WHEN '${u.id}' THEN ${u.newVersion}`).join(" ");
+
+        await knex.raw(
+          `
+            UPDATE ${TableName.SecretV2} 
+            SET version = CASE id ${versionCases} END,
+                "updatedAt" = NOW()
+            WHERE id IN (${ids.map(() => "?").join(",")})
+          `,
+          ids
+        );
+      }
+    }
+  }
+
+  logger.info("Secret version fix migration completed");
+}
+
+export async function down(): Promise<void> {
+  logger.info("Rollback not implemented for secret version fix migration");
+  // Note: Rolling back this migration would be complex and potentially destructive
+  // as it would require tracking which version entries were added
+}

backend/src/db/migrations/20250602155452_pit-projects-commits-initialization.ts

@@ -0,0 +1,345 @@
+import { Knex } from "knex";
+
+import { chunkArray } from "@app/lib/fn";
+import { selectAllTableCols } from "@app/lib/knex";
+import { logger } from "@app/lib/logger";
+import { ActorType } from "@app/services/auth/auth-type";
+import { ChangeType } from "@app/services/folder-commit/folder-commit-service";
+
+import {
+  ProjectType,
+  SecretType,
+  TableName,
+  TFolderCheckpoints,
+  TFolderCommits,
+  TFolderTreeCheckpoints,
+  TSecretFolders
+} from "../schemas";
+
+const sortFoldersByHierarchy = (folders: TSecretFolders[]) => {
+  // Create a map for quick lookup of children by parent ID
+  const childrenMap = new Map<string, TSecretFolders[]>();
+
+  // Set of all folder IDs
+  const allFolderIds = new Set<string>();
+
+  // Build the set of all folder IDs
+  folders.forEach((folder) => {
+    if (folder.id) {
+      allFolderIds.add(folder.id);
+    }
+  });
+
+  // Group folders by their parentId
+  folders.forEach((folder) => {
+    if (folder.parentId) {
+      const children = childrenMap.get(folder.parentId) || [];
+      children.push(folder);
+      childrenMap.set(folder.parentId, children);
+    }
+  });
+
+  // Find root folders - those with no parentId or with a parentId that doesn't exist
+  const rootFolders = folders.filter((folder) => !folder.parentId || !allFolderIds.has(folder.parentId));
+
+  // Process each level of the hierarchy
+  const result = [];
+  let currentLevel = rootFolders;
+
+  while (currentLevel.length > 0) {
+    result.push(...currentLevel);
+
+    const nextLevel = [];
+    for (const folder of currentLevel) {
+      if (folder.id) {
+        const children = childrenMap.get(folder.id) || [];
+        nextLevel.push(...children);
+      }
+    }
+
+    currentLevel = nextLevel;
+  }
+
+  return result.reverse();
+};
+
+const getSecretsByFolderIds = async (knex: Knex, folderIds: string[]): Promise<Record<string, string[]>> => {
+  const secrets = await knex(TableName.SecretV2)
+    .whereIn(`${TableName.SecretV2}.folderId`, folderIds)
+    .where(`${TableName.SecretV2}.type`, SecretType.Shared)
+    .join<TableName.SecretVersionV2>(TableName.SecretVersionV2, (queryBuilder) => {
+      void queryBuilder
+        .on(`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretV2}.id`)
+        .andOn(`${TableName.SecretVersionV2}.version`, `${TableName.SecretV2}.version`);
+    })
+    .select(selectAllTableCols(TableName.SecretV2))
+    .select(knex.ref("id").withSchema(TableName.SecretVersionV2).as("secretVersionId"));
+
+  const secretsMap: Record<string, string[]> = {};
+
+  secrets.forEach((secret) => {
+    if (!secretsMap[secret.folderId]) {
+      secretsMap[secret.folderId] = [];
+    }
+    secretsMap[secret.folderId].push(secret.secretVersionId);
+  });
+
+  return secretsMap;
+};
+
+const getFoldersByParentIds = async (knex: Knex, parentIds: string[]): Promise<Record<string, string[]>> => {
+  const folders = await knex(TableName.SecretFolder)
+    .whereIn(`${TableName.SecretFolder}.parentId`, parentIds)
+    .where(`${TableName.SecretFolder}.isReserved`, false)
+    .join<TableName.SecretFolderVersion>(TableName.SecretFolderVersion, (queryBuilder) => {
+      void queryBuilder
+        .on(`${TableName.SecretFolderVersion}.folderId`, `${TableName.SecretFolder}.id`)
+        .andOn(`${TableName.SecretFolderVersion}.version`, `${TableName.SecretFolder}.version`);
+    })
+    .select(selectAllTableCols(TableName.SecretFolder))
+    .select(knex.ref("id").withSchema(TableName.SecretFolderVersion).as("folderVersionId"));
+
+  const foldersMap: Record<string, string[]> = {};
+
+  folders.forEach((folder) => {
+    if (!folder.parentId) {
+      return;
+    }
+    if (!foldersMap[folder.parentId]) {
+      foldersMap[folder.parentId] = [];
+    }
+    foldersMap[folder.parentId].push(folder.folderVersionId);
+  });
+
+  return foldersMap;
+};
+
+export async function up(knex: Knex): Promise<void> {
+  logger.info("Initializing folder commits");
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (hasFolderCommitTable) {
+    // Get Projects to Initialize
+    const projects = await knex(TableName.Project)
+      .where(`${TableName.Project}.version`, 3)
+      .where(`${TableName.Project}.type`, ProjectType.SecretManager)
+      .select(selectAllTableCols(TableName.Project));
+    logger.info(`Found ${projects.length} projects to initialize`);
+
+    // Process Projects in batches of 100
+    const batches = chunkArray(projects, 100);
+    let i = 0;
+    for (const batch of batches) {
+      i += 1;
+      logger.info(`Processing project batch ${i} of ${batches.length}`);
+      let foldersCommitsList = [];
+
+      const rootFoldersMap: Record<string, string> = {};
+      const envRootFoldersMap: Record<string, string> = {};
+
+      // Get All Folders for the Project
+      // eslint-disable-next-line no-await-in-loop
+      const folders = await knex(TableName.SecretFolder)
+        .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+        .whereIn(
+          `${TableName.Environment}.projectId`,
+          batch.map((project) => project.id)
+        )
+        .where(`${TableName.SecretFolder}.isReserved`, false)
+        .select(selectAllTableCols(TableName.SecretFolder));
+      logger.info(`Found ${folders.length} folders to initialize in project batch ${i} of ${batches.length}`);
+
+      // Sort Folders by Hierarchy (parents before nested folders)
+      const sortedFolders = sortFoldersByHierarchy(folders);
+
+      // eslint-disable-next-line no-await-in-loop
+      const folderSecretsMap = await getSecretsByFolderIds(
+        knex,
+        sortedFolders.map((folder) => folder.id)
+      );
+      // eslint-disable-next-line no-await-in-loop
+      const folderFoldersMap = await getFoldersByParentIds(
+        knex,
+        sortedFolders.map((folder) => folder.id)
+      );
+
+      // Get folder commit changes
+      for (const folder of sortedFolders) {
+        const subFolderVersionIds = folderFoldersMap[folder.id];
+        const secretVersionIds = folderSecretsMap[folder.id];
+        const changes = [];
+        if (subFolderVersionIds) {
+          changes.push(
+            ...subFolderVersionIds.map((folderVersionId) => ({
+              folderId: folder.id,
+              changeType: ChangeType.ADD,
+              secretVersionId: undefined,
+              folderVersionId,
+              isUpdate: false
+            }))
+          );
+        }
+        if (secretVersionIds) {
+          changes.push(
+            ...secretVersionIds.map((secretVersionId) => ({
+              folderId: folder.id,
+              changeType: ChangeType.ADD,
+              secretVersionId,
+              folderVersionId: undefined,
+              isUpdate: false
+            }))
+          );
+        }
+        if (changes.length > 0) {
+          const folderCommit = {
+            commit: {
+              actorMetadata: {},
+              actorType: ActorType.PLATFORM,
+              message: "Initialized folder",
+              folderId: folder.id,
+              envId: folder.envId
+            },
+            changes
+          };
+          foldersCommitsList.push(folderCommit);
+          if (!folder.parentId) {
+            rootFoldersMap[folder.id] = folder.envId;
+            envRootFoldersMap[folder.envId] = folder.id;
+          }
+        }
+      }
+      logger.info(`Retrieved folder changes for project batch ${i} of ${batches.length}`);
+
+      const filteredBrokenProjectFolders: string[] = [];
+
+      foldersCommitsList = foldersCommitsList.filter((folderCommit) => {
+        if (!envRootFoldersMap[folderCommit.commit.envId]) {
+          filteredBrokenProjectFolders.push(folderCommit.commit.folderId);
+          return false;
+        }
+        return true;
+      });
+
+      logger.info(
+        `Filtered ${filteredBrokenProjectFolders.length} broken project folders: ${JSON.stringify(filteredBrokenProjectFolders)}`
+      );
+
+      // Insert New Commits in batches of 9000
+      const newCommits = foldersCommitsList.map((folderCommit) => folderCommit.commit);
+      const commitBatches = chunkArray(newCommits, 9000);
+
+      let j = 0;
+      for (const commitBatch of commitBatches) {
+        j += 1;
+        logger.info(`Inserting folder commits - batch ${j} of ${commitBatches.length}`);
+        // Create folder commit
+        // eslint-disable-next-line no-await-in-loop
+        const newCommitsInserted = (await knex
+          .batchInsert(TableName.FolderCommit, commitBatch)
+          .returning("*")) as TFolderCommits[];
+
+        logger.info(`Finished inserting folder commits - batch ${j} of ${commitBatches.length}`);
+
+        const newCommitsMap: Record<string, string> = {};
+        const newCommitsMapInverted: Record<string, string> = {};
+        const newCheckpointsMap: Record<string, string> = {};
+        newCommitsInserted.forEach((commit) => {
+          newCommitsMap[commit.folderId] = commit.id;
+          newCommitsMapInverted[commit.id] = commit.folderId;
+        });
+
+        // Create folder checkpoints
+        // eslint-disable-next-line no-await-in-loop
+        const newCheckpoints = (await knex
+          .batchInsert(
+            TableName.FolderCheckpoint,
+            Object.values(newCommitsMap).map((commitId) => ({
+              folderCommitId: commitId
+            }))
+          )
+          .returning("*")) as TFolderCheckpoints[];
+
+        logger.info(`Finished inserting folder checkpoints - batch ${j} of ${commitBatches.length}`);
+
+        newCheckpoints.forEach((checkpoint) => {
+          newCheckpointsMap[newCommitsMapInverted[checkpoint.folderCommitId]] = checkpoint.id;
+        });
+
+        // Create folder commit changes
+        // eslint-disable-next-line no-await-in-loop
+        await knex.batchInsert(
+          TableName.FolderCommitChanges,
+          foldersCommitsList
+            .map((folderCommit) => folderCommit.changes)
+            .flat()
+            .map((change) => ({
+              folderCommitId: newCommitsMap[change.folderId],
+              changeType: change.changeType,
+              secretVersionId: change.secretVersionId,
+              folderVersionId: change.folderVersionId,
+              isUpdate: false
+            }))
+        );
+
+        logger.info(`Finished inserting folder commit changes - batch ${j} of ${commitBatches.length}`);
+
+        // Create folder checkpoint resources
+        // eslint-disable-next-line no-await-in-loop
+        await knex.batchInsert(
+          TableName.FolderCheckpointResources,
+          foldersCommitsList
+            .map((folderCommit) => folderCommit.changes)
+            .flat()
+            .map((change) => ({
+              folderCheckpointId: newCheckpointsMap[change.folderId],
+              folderVersionId: change.folderVersionId,
+              secretVersionId: change.secretVersionId
+            }))
+        );
+
+        logger.info(`Finished inserting folder checkpoint resources - batch ${j} of ${commitBatches.length}`);
+
+        // Create Folder Tree Checkpoint
+        // eslint-disable-next-line no-await-in-loop
+        const newTreeCheckpoints = (await knex
+          .batchInsert(
+            TableName.FolderTreeCheckpoint,
+            Object.keys(rootFoldersMap).map((folderId) => ({
+              folderCommitId: newCommitsMap[folderId]
+            }))
+          )
+          .returning("*")) as TFolderTreeCheckpoints[];
+
+        logger.info(`Finished inserting folder tree checkpoints - batch ${j} of ${commitBatches.length}`);
+
+        const newTreeCheckpointsMap: Record<string, string> = {};
+        newTreeCheckpoints.forEach((checkpoint) => {
+          newTreeCheckpointsMap[rootFoldersMap[newCommitsMapInverted[checkpoint.folderCommitId]]] = checkpoint.id;
+        });
+
+        // Create Folder Tree Checkpoint Resources
+        // eslint-disable-next-line no-await-in-loop
+        await knex
+          .batchInsert(
+            TableName.FolderTreeCheckpointResources,
+            newCommitsInserted.map((folderCommit) => ({
+              folderTreeCheckpointId: newTreeCheckpointsMap[folderCommit.envId],
+              folderId: folderCommit.folderId,
+              folderCommitId: folderCommit.id
+            }))
+          )
+          .returning("*");
+
+        logger.info(`Finished inserting folder tree checkpoint resources - batch ${j} of ${commitBatches.length}`);
+      }
+    }
+  }
+  logger.info("Folder commits initialized");
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFolderCommitTable = await knex.schema.hasTable(TableName.FolderCommit);
+  if (hasFolderCommitTable) {
+    // delete all existing entries
+    await knex(TableName.FolderCommit).del();
+  }
+}

backend/src/db/migrations/20250604174128_identity-kubernetes-auth-gateway-reviewer.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasTokenReviewModeColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "tokenReviewMode");
+
+  if (!hasTokenReviewModeColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.string("tokenReviewMode").notNullable().defaultTo("api");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTokenReviewModeColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "tokenReviewMode");
+
+  if (hasTokenReviewModeColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.dropColumn("tokenReviewMode");
+    });
+  }
+}

backend/src/db/migrations/20250606134139_add-project-snapshots-legacy-option.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasShowSnapshotsLegacyColumn = await knex.schema.hasColumn(TableName.Project, "showSnapshotsLegacy");
+  if (!hasShowSnapshotsLegacyColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.boolean("showSnapshotsLegacy").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasShowSnapshotsLegacyColumn = await knex.schema.hasColumn(TableName.Project, "showSnapshotsLegacy");
+  if (hasShowSnapshotsLegacyColumn) {
+    await knex.schema.table(TableName.Project, (table) => {
+      table.dropColumn("showSnapshotsLegacy");
+    });
+  }
+}

backend/src/db/migrations/utils/services.ts

@@ -3,12 +3,27 @@ import { Knex } from "knex";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { folderCheckpointDALFactory } from "@app/services/folder-checkpoint/folder-checkpoint-dal";
+import { folderCheckpointResourcesDALFactory } from "@app/services/folder-checkpoint-resources/folder-checkpoint-resources-dal";
+import { folderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import { folderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { folderCommitChangesDALFactory } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { folderTreeCheckpointDALFactory } from "@app/services/folder-tree-checkpoint/folder-tree-checkpoint-dal";
+import { folderTreeCheckpointResourcesDALFactory } from "@app/services/folder-tree-checkpoint-resources/folder-tree-checkpoint-resources-dal";
+import { identityDALFactory } from "@app/services/identity/identity-dal";
 import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
 import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { kmsServiceFactory } from "@app/services/kms/kms-service";
 import { orgDALFactory } from "@app/services/org/org-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
+import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
+import { secretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
+import { secretFolderVersionDALFactory } from "@app/services/secret-folder/secret-folder-version-dal";
+import { secretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
+import { secretV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-dal";
+import { secretVersionV2BridgeDALFactory } from "@app/services/secret-v2-bridge/secret-version-dal";
+import { userDALFactory } from "@app/services/user/user-dal";
 
 import { TMigrationEnvConfig } from "./env-config";
 
@@ -50,3 +65,77 @@ export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }
 
   return { kmsService };
 };
+
+export const getMigrationPITServices = async ({
+  db,
+  keyStore,
+  envConfig
+}: {
+  db: Knex;
+  keyStore: TKeyStoreFactory;
+  envConfig: TMigrationEnvConfig;
+}) => {
+  const projectDAL = projectDALFactory(db);
+  const folderCommitDAL = folderCommitDALFactory(db);
+  const folderCommitChangesDAL = folderCommitChangesDALFactory(db);
+  const folderCheckpointDAL = folderCheckpointDALFactory(db);
+  const folderTreeCheckpointDAL = folderTreeCheckpointDALFactory(db);
+  const userDAL = userDALFactory(db);
+  const identityDAL = identityDALFactory(db);
+  const folderDAL = secretFolderDALFactory(db);
+  const folderVersionDAL = secretFolderVersionDALFactory(db);
+  const secretVersionV2BridgeDAL = secretVersionV2BridgeDALFactory(db);
+  const folderCheckpointResourcesDAL = folderCheckpointResourcesDALFactory(db);
+  const secretV2BridgeDAL = secretV2BridgeDALFactory({ db, keyStore });
+  const folderTreeCheckpointResourcesDAL = folderTreeCheckpointResourcesDALFactory(db);
+  const secretTagDAL = secretTagDALFactory(db);
+
+  const orgDAL = orgDALFactory(db);
+  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const resourceMetadataDAL = resourceMetadataDALFactory(db);
+
+  const hsmModule = initializeHsmModule(envConfig);
+  hsmModule.initialize();
+
+  const hsmService = hsmServiceFactory({
+    hsmModule: hsmModule.getModule(),
+    envConfig
+  });
+
+  const kmsService = kmsServiceFactory({
+    kmsRootConfigDAL,
+    keyStore,
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL,
+    hsmService,
+    envConfig
+  });
+
+  await hsmService.startService();
+  await kmsService.startService();
+
+  const folderCommitService = folderCommitServiceFactory({
+    folderCommitDAL,
+    folderCommitChangesDAL,
+    folderCheckpointDAL,
+    folderTreeCheckpointDAL,
+    userDAL,
+    identityDAL,
+    folderDAL,
+    folderVersionDAL,
+    secretVersionV2BridgeDAL,
+    projectDAL,
+    folderCheckpointResourcesDAL,
+    secretV2BridgeDAL,
+    folderTreeCheckpointResourcesDAL,
+    kmsService,
+    secretTagDAL,
+    resourceMetadataDAL
+  });
+
+  return { folderCommitService };
+};

backend/src/db/schemas/access-approval-policies-bypassers.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AccessApprovalPoliciesBypassersSchema = z.object({
+  id: z.string().uuid(),
+  bypasserGroupId: z.string().uuid().nullable().optional(),
+  bypasserUserId: z.string().uuid().nullable().optional(),
+  policyId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAccessApprovalPoliciesBypassers = z.infer<typeof AccessApprovalPoliciesBypassersSchema>;
+export type TAccessApprovalPoliciesBypassersInsert = Omit<
+  z.input<typeof AccessApprovalPoliciesBypassersSchema>,
+  TImmutableDBKeys
+>;
+export type TAccessApprovalPoliciesBypassersUpdate = Partial<
+  Omit<z.input<typeof AccessApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/access-approval-requests.ts

@@ -18,7 +18,9 @@ export const AccessApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   requestedByUserId: z.string().uuid(),
-  note: z.string().nullable().optional()
+  note: z.string().nullable().optional(),
+  privilegeDeletedAt: z.date().nullable().optional(),
+  status: z.string().default("pending")
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/certificate-authorities.ts

@@ -11,25 +11,10 @@ export const CertificateAuthoritiesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  parentCaId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
-  type: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  requireTemplateForIssuance: z.boolean().default(false)
+  name: z.string()
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificates.ts

@@ -11,7 +11,7 @@ export const CertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  caId: z.string().uuid(),
+  caId: z.string().uuid().nullable().optional(),
   status: z.string(),
   serialNumber: z.string(),
   friendlyName: z.string(),
@@ -21,10 +21,12 @@ export const CertificatesSchema = z.object({
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
   altNames: z.string().nullable().optional(),
-  caCertId: z.string().uuid(),
+  caCertId: z.string().uuid().nullable().optional(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
-  extendedKeyUsages: z.string().array().nullable().optional()
+  extendedKeyUsages: z.string().array().nullable().optional(),
+  pkiSubscriberId: z.string().uuid().nullable().optional(),
+  projectId: z.string()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -27,7 +27,9 @@ export const DynamicSecretsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional()
+  projectGatewayId: z.string().uuid().nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional(),
+  usernameTemplate: z.string().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/external-certificate-authorities.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  type: z.string(),
+  appConnectionId: z.string().uuid().nullable().optional(),
+  dnsAppConnectionId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid(),
+  credentials: zodBuffer.nullable().optional(),
+  configuration: z.unknown().nullable().optional()
+});
+
+export type TExternalCertificateAuthorities = z.infer<typeof ExternalCertificateAuthoritiesSchema>;
+export type TExternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof ExternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TExternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof ExternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/folder-checkpoint-resources.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCheckpointResourcesSchema = z.object({
+  id: z.string().uuid(),
+  folderCheckpointId: z.string().uuid(),
+  secretVersionId: z.string().uuid().nullable().optional(),
+  folderVersionId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCheckpointResources = z.infer<typeof FolderCheckpointResourcesSchema>;
+export type TFolderCheckpointResourcesInsert = Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>;
+export type TFolderCheckpointResourcesUpdate = Partial<
+  Omit<z.input<typeof FolderCheckpointResourcesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/folder-checkpoints.ts

@@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCheckpointsSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCheckpoints = z.infer<typeof FolderCheckpointsSchema>;
+export type TFolderCheckpointsInsert = Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>;
+export type TFolderCheckpointsUpdate = Partial<Omit<z.input<typeof FolderCheckpointsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-commit-changes.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCommitChangesSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  changeType: z.string(),
+  isUpdate: z.boolean().default(false),
+  secretVersionId: z.string().uuid().nullable().optional(),
+  folderVersionId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCommitChanges = z.infer<typeof FolderCommitChangesSchema>;
+export type TFolderCommitChangesInsert = Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>;
+export type TFolderCommitChangesUpdate = Partial<Omit<z.input<typeof FolderCommitChangesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-commits.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderCommitsSchema = z.object({
+  id: z.string().uuid(),
+  commitId: z.coerce.bigint(),
+  actorMetadata: z.unknown(),
+  actorType: z.string(),
+  message: z.string().nullable().optional(),
+  folderId: z.string().uuid(),
+  envId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderCommits = z.infer<typeof FolderCommitsSchema>;
+export type TFolderCommitsInsert = Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>;
+export type TFolderCommitsUpdate = Partial<Omit<z.input<typeof FolderCommitsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/folder-tree-checkpoint-resources.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderTreeCheckpointResourcesSchema = z.object({
+  id: z.string().uuid(),
+  folderTreeCheckpointId: z.string().uuid(),
+  folderId: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderTreeCheckpointResources = z.infer<typeof FolderTreeCheckpointResourcesSchema>;
+export type TFolderTreeCheckpointResourcesInsert = Omit<
+  z.input<typeof FolderTreeCheckpointResourcesSchema>,
+  TImmutableDBKeys
+>;
+export type TFolderTreeCheckpointResourcesUpdate = Partial<
+  Omit<z.input<typeof FolderTreeCheckpointResourcesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/folder-tree-checkpoints.ts

@@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const FolderTreeCheckpointsSchema = z.object({
+  id: z.string().uuid(),
+  folderCommitId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TFolderTreeCheckpoints = z.infer<typeof FolderTreeCheckpointsSchema>;
+export type TFolderTreeCheckpointsInsert = Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>;
+export type TFolderTreeCheckpointsUpdate = Partial<Omit<z.input<typeof FolderTreeCheckpointsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-access-tokens.ts

@@ -21,7 +21,8 @@ export const IdentityAccessTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   name: z.string().nullable().optional(),
-  authMethod: z.string()
+  authMethod: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -19,7 +19,8 @@ export const IdentityAwsAuthsSchema = z.object({
   type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
+  allowedAccountIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -18,7 +18,8 @@ export const IdentityAzureAuthsSchema = z.object({
   identityId: z.string().uuid(),
   tenantId: z.string(),
   resource: z.string(),
-  allowedServicePrincipalIds: z.string()
+  allowedServicePrincipalIds: z.string(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -19,7 +19,8 @@ export const IdentityGcpAuthsSchema = z.object({
   type: z.string(),
   allowedServiceAccounts: z.string().nullable().optional(),
   allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional()
+  allowedZones: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-jwt-auths.ts

@@ -25,7 +25,8 @@ export const IdentityJwtAuthsSchema = z.object({
   boundClaims: z.unknown(),
   boundSubject: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -29,7 +29,10 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNames: z.string(),
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0),
+  tokenReviewMode: z.string().default("api")
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -24,7 +24,8 @@ export const IdentityLdapAuthsSchema = z.object({
   searchFilter: z.string(),
   allowedFields: z.unknown().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityOciAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  tenancyOcid: z.string(),
+  allowedUsernames: z.string().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
+});
+
+export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;
+export type TIdentityOciAuthsInsert = Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityOciAuthsUpdate = Partial<Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -27,7 +27,8 @@ export const IdentityOidcAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional()
+  claimMetadataMapping: z.unknown().nullable().optional(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-token-auths.ts

@@ -15,7 +15,8 @@ export const IdentityTokenAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityTokenAuths = z.infer<typeof IdentityTokenAuthsSchema>;

backend/src/db/schemas/identity-universal-auths.ts

@@ -17,7 +17,8 @@ export const IdentityUniversalAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid()
+  identityId: z.string().uuid(),
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -1,5 +1,6 @@
 export * from "./access-approval-policies";
 export * from "./access-approval-policies-approvers";
+export * from "./access-approval-policies-bypassers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
@@ -20,8 +21,15 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
+export * from "./folder-checkpoint-resources";
+export * from "./folder-checkpoints";
+export * from "./folder-commit-changes";
+export * from "./folder-commits";
+export * from "./folder-tree-checkpoint-resources";
+export * from "./folder-tree-checkpoints";
 export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
@@ -37,6 +45,7 @@ export * from "./identity-gcp-auths";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
+export * from "./identity-oci-auths";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
@@ -48,6 +57,7 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./internal-certificate-authorities";
 export * from "./internal-kms";
 export * from "./kmip-client-certificates";
 export * from "./kmip-clients";
@@ -69,6 +79,7 @@ export * from "./organizations";
 export * from "./pki-alerts";
 export * from "./pki-collection-items";
 export * from "./pki-collections";
+export * from "./pki-subscribers";
 export * from "./project-bots";
 export * from "./project-environments";
 export * from "./project-gateways";
@@ -88,6 +99,7 @@ export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";
 export * from "./secret-approval-policies-approvers";
+export * from "./secret-approval-policies-bypassers";
 export * from "./secret-approval-request-secret-tags";
 export * from "./secret-approval-request-secret-tags-v2";
 export * from "./secret-approval-requests";
@@ -105,7 +117,12 @@ export * from "./secret-rotation-outputs";
 export * from "./secret-rotation-v2-secret-mappings";
 export * from "./secret-rotations";
 export * from "./secret-rotations-v2";
+export * from "./secret-scanning-configs";
+export * from "./secret-scanning-data-sources";
+export * from "./secret-scanning-findings";
 export * from "./secret-scanning-git-risks";
+export * from "./secret-scanning-resources";
+export * from "./secret-scanning-scans";
 export * from "./secret-sharing";
 export * from "./secret-snapshot-folders";
 export * from "./secret-snapshot-secrets";

backend/src/db/schemas/internal-certificate-authorities.ts

@@ -0,0 +1,38 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalCertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  parentCaId: z.string().uuid().nullable().optional(),
+  type: z.string(),
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid()
+});
+
+export type TInternalCertificateAuthorities = z.infer<typeof InternalCertificateAuthoritiesSchema>;
+export type TInternalCertificateAuthoritiesInsert = Omit<
+  z.input<typeof InternalCertificateAuthoritiesSchema>,
+  TImmutableDBKeys
+>;
+export type TInternalCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof InternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/models.ts

@@ -13,6 +13,8 @@ export enum TableName {
   SshCertificate = "ssh_certificates",
   SshCertificateBody = "ssh_certificate_bodies",
   CertificateAuthority = "certificate_authorities",
+  ExternalCertificateAuthority = "external_certificate_authorities",
+  InternalCertificateAuthority = "internal_certificate_authorities",
   CertificateTemplateEstConfig = "certificate_template_est_configs",
   CertificateAuthorityCert = "certificate_authority_certs",
   CertificateAuthoritySecret = "certificate_authority_secret",
@@ -21,6 +23,7 @@ export enum TableName {
   CertificateBody = "certificate_bodies",
   CertificateSecret = "certificate_secrets",
   CertificateTemplate = "certificate_templates",
+  PkiSubscriber = "pki_subscribers",
   PkiAlert = "pki_alerts",
   PkiCollection = "pki_collections",
   PkiCollectionItem = "pki_collection_items",
@@ -78,6 +81,7 @@ export enum TableName {
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
+  IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
   IdentityLdapAuth = "identity_ldap_auths",
@@ -91,10 +95,12 @@ export enum TableName {
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
+  AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
+  SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
   SecretApprovalRequest = "secret_approval_requests",
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
@@ -153,10 +159,21 @@ export enum TableName {
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
   SecretReminderRecipients = "secret_reminder_recipients",
-  GithubOrgSyncConfig = "github_org_sync_configs"
+  GithubOrgSyncConfig = "github_org_sync_configs",
+  FolderCommit = "folder_commits",
+  FolderCommitChanges = "folder_commit_changes",
+  FolderCheckpoint = "folder_checkpoints",
+  FolderCheckpointResources = "folder_checkpoint_resources",
+  FolderTreeCheckpoint = "folder_tree_checkpoints",
+  FolderTreeCheckpointResources = "folder_tree_checkpoint_resources",
+  SecretScanningDataSource = "secret_scanning_data_sources",
+  SecretScanningResource = "secret_scanning_resources",
+  SecretScanningScan = "secret_scanning_scans",
+  SecretScanningFinding = "secret_scanning_findings",
+  SecretScanningConfig = "secret_scanning_configs"
 }
 
-export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
+export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
 
 export const UserDeviceSchema = z
   .object({
@@ -232,6 +249,7 @@ export enum IdentityAuthMethod {
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
+  OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   JWT_AUTH = "jwt-auth",
   LDAP_AUTH = "ldap-auth"
@@ -241,7 +259,8 @@ export enum ProjectType {
   SecretManager = "secret-manager",
   CertificateManager = "cert-manager",
   KMS = "kms",
-  SSH = "ssh"
+  SSH = "ssh",
+  SecretScanning = "secret-scanning"
 }
 
 export enum ActionProjectType {
@@ -249,6 +268,7 @@ export enum ActionProjectType {
   CertificateManager = ProjectType.CertificateManager,
   KMS = ProjectType.KMS,
   SSH = ProjectType.SSH,
+  SecretScanning = ProjectType.SecretScanning,
   // project operations that happen on all types
   Any = "any"
 }

backend/src/db/schemas/organizations.ts

@@ -28,7 +28,15 @@ export const OrganizationsSchema = z.object({
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
   privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
   bypassOrgAuthEnabled: z.boolean().default(false),
-  userTokenExpiration: z.string().nullable().optional()
+  userTokenExpiration: z.string().nullable().optional(),
+  secretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  pkiProductEnabled: z.boolean().default(true).nullable().optional(),
+  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
+  sshProductEnabled: z.boolean().default(true).nullable().optional(),
+  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
+  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
+  maxSharedSecretViewLimit: z.number().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/pki-subscribers.ts

@@ -0,0 +1,33 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const PkiSubscribersSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  projectId: z.string(),
+  caId: z.string().uuid().nullable().optional(),
+  name: z.string(),
+  commonName: z.string(),
+  subjectAlternativeNames: z.string().array(),
+  ttl: z.string().nullable().optional(),
+  keyUsages: z.string().array(),
+  extendedKeyUsages: z.string().array(),
+  status: z.string(),
+  enableAutoRenewal: z.boolean().default(false),
+  autoRenewalPeriodInDays: z.number().nullable().optional(),
+  lastAutoRenewAt: z.date().nullable().optional(),
+  lastOperationStatus: z.string().nullable().optional(),
+  lastOperationMessage: z.string().nullable().optional(),
+  lastOperationAt: z.date().nullable().optional()
+});
+
+export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;
+export type TPkiSubscribersInsert = Omit<z.input<typeof PkiSubscribersSchema>, TImmutableDBKeys>;
+export type TPkiSubscribersUpdate = Partial<Omit<z.input<typeof PkiSubscribersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/projects.ts

@@ -27,7 +27,9 @@ export const ProjectsSchema = z.object({
   description: z.string().nullable().optional(),
   type: z.string(),
   enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(false).nullable().optional()
+  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
+  secretSharing: z.boolean().default(true),
+  showSnapshotsLegacy: z.boolean().default(false)
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-approval-policies-bypassers.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretApprovalPoliciesBypassersSchema = z.object({
+  id: z.string().uuid(),
+  bypasserGroupId: z.string().uuid().nullable().optional(),
+  bypasserUserId: z.string().uuid().nullable().optional(),
+  policyId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretApprovalPoliciesBypassers = z.infer<typeof SecretApprovalPoliciesBypassersSchema>;
+export type TSecretApprovalPoliciesBypassersInsert = Omit<
+  z.input<typeof SecretApprovalPoliciesBypassersSchema>,
+  TImmutableDBKeys
+>;
+export type TSecretApprovalPoliciesBypassersUpdate = Partial<
+  Omit<z.input<typeof SecretApprovalPoliciesBypassersSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-folder-versions.ts

@@ -14,7 +14,8 @@ export const SecretFolderVersionsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   envId: z.string().uuid(),
-  folderId: z.string().uuid()
+  folderId: z.string().uuid(),
+  description: z.string().nullable().optional()
 });
 
 export type TSecretFolderVersions = z.infer<typeof SecretFolderVersionsSchema>;

backend/src/db/schemas/secret-scanning-configs.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretScanningConfigsSchema = z.object({
+  id: z.string().uuid(),
+  projectId: z.string(),
+  content: z.string().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretScanningConfigs = z.infer<typeof SecretScanningConfigsSchema>;
+export type TSecretScanningConfigsInsert = Omit<z.input<typeof SecretScanningConfigsSchema>, TImmutableDBKeys>;
+export type TSecretScanningConfigsUpdate = Partial<Omit<z.input<typeof SecretScanningConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-scanning-data-sources.ts

@@ -0,0 +1,32 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretScanningDataSourcesSchema = z.object({
+  id: z.string().uuid(),
+  externalId: z.string().nullable().optional(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  type: z.string(),
+  config: z.unknown(),
+  encryptedCredentials: zodBuffer.nullable().optional(),
+  connectionId: z.string().uuid().nullable().optional(),
+  isAutoScanEnabled: z.boolean().default(true).nullable().optional(),
+  projectId: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  isDisconnected: z.boolean().default(false)
+});
+
+export type TSecretScanningDataSources = z.infer<typeof SecretScanningDataSourcesSchema>;
+export type TSecretScanningDataSourcesInsert = Omit<z.input<typeof SecretScanningDataSourcesSchema>, TImmutableDBKeys>;
+export type TSecretScanningDataSourcesUpdate = Partial<
+  Omit<z.input<typeof SecretScanningDataSourcesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-scanning-findings.ts

@@ -0,0 +1,32 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretScanningFindingsSchema = z.object({
+  id: z.string().uuid(),
+  dataSourceName: z.string(),
+  dataSourceType: z.string(),
+  resourceName: z.string(),
+  resourceType: z.string(),
+  rule: z.string(),
+  severity: z.string(),
+  status: z.string().default("unresolved"),
+  remarks: z.string().nullable().optional(),
+  fingerprint: z.string(),
+  details: z.unknown(),
+  projectId: z.string(),
+  scanId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretScanningFindings = z.infer<typeof SecretScanningFindingsSchema>;
+export type TSecretScanningFindingsInsert = Omit<z.input<typeof SecretScanningFindingsSchema>, TImmutableDBKeys>;
+export type TSecretScanningFindingsUpdate = Partial<
+  Omit<z.input<typeof SecretScanningFindingsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-scanning-resources.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretScanningResourcesSchema = z.object({
+  id: z.string().uuid(),
+  externalId: z.string(),
+  name: z.string(),
+  type: z.string(),
+  dataSourceId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TSecretScanningResources = z.infer<typeof SecretScanningResourcesSchema>;
+export type TSecretScanningResourcesInsert = Omit<z.input<typeof SecretScanningResourcesSchema>, TImmutableDBKeys>;
+export type TSecretScanningResourcesUpdate = Partial<
+  Omit<z.input<typeof SecretScanningResourcesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-scanning-scans.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretScanningScansSchema = z.object({
+  id: z.string().uuid(),
+  status: z.string().default("queued"),
+  statusMessage: z.string().nullable().optional(),
+  type: z.string(),
+  resourceId: z.string().uuid(),
+  createdAt: z.date().nullable().optional()
+});
+
+export type TSecretScanningScans = z.infer<typeof SecretScanningScansSchema>;
+export type TSecretScanningScansInsert = Omit<z.input<typeof SecretScanningScansSchema>, TImmutableDBKeys>;
+export type TSecretScanningScansUpdate = Partial<Omit<z.input<typeof SecretScanningScansSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-sharing.ts

@@ -27,7 +27,8 @@ export const SecretSharingSchema = z.object({
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
   identifier: z.string().nullable().optional(),
-  type: z.string().default("share")
+  type: z.string().default("share"),
+  authorizedEmails: z.unknown().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,10 +24,19 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
+          .max(100, "Cannot have more than 100 approvers")
           .min(1, { message: "At least one approver should be provided" }),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -72,7 +81,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                 .object({ type: z.nativeEnum(ApproverType), id: z.string().nullable().optional() })
                 .array()
                 .nullable()
-                .optional()
+                .optional(),
+              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
             })
             .array()
             .nullable()
@@ -143,10 +153,19 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -220,6 +239,15 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
               })
               .array()
               .nullable()
+              .optional(),
+            bypassers: z
+              .object({
+                type: z.nativeEnum(BypasserType),
+                id: z.string().nullable().optional(),
+                name: z.string().nullable().optional()
+              })
+              .array()
+              .nullable()
               .optional()
           })
         })

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -113,6 +113,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
+              bypassers: z.string().array(),
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),
@@ -154,7 +155,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         requestId: z.string().trim()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
+        bypassReason: z.string().min(10).max(1000).optional()
       }),
       response: {
         200: z.object({
@@ -170,7 +172,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         requestId: req.params.requestId,
-        status: req.body.status
+        status: req.body.status,
+        bypassReason: req.body.bypassReason
       });
 
       return { review };

backend/src/ee/routes/v1/app-connection-routers/oci-connection-router.ts

@@ -0,0 +1,123 @@
+import z from "zod";
+
+import {
+  CreateOCIConnectionSchema,
+  SanitizedOCIConnectionSchema,
+  UpdateOCIConnectionSchema
+} from "@app/ee/services/app-connections/oci";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "../../../../server/routes/v1/app-connection-routers/app-connection-endpoints";
+
+export const registerOCIConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.OCI,
+    server,
+    sanitizedResponseSchema: SanitizedOCIConnectionSchema,
+    createSchema: CreateOCIConnectionSchema,
+    updateSchema: UpdateOCIConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/compartments`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const compartments = await server.services.appConnection.oci.listCompartments(connectionId, req.permission);
+      return compartments;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/vaults`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        compartmentOcid: z.string().min(1, "Compartment OCID required")
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            displayName: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const { compartmentOcid } = req.query;
+
+      const vaults = await server.services.appConnection.oci.listVaults(
+        { connectionId, compartmentOcid },
+        req.permission
+      );
+      return vaults;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/vault-keys`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      querystring: z.object({
+        compartmentOcid: z.string().min(1, "Compartment OCID required"),
+        vaultOcid: z.string().min(1, "Vault OCID required")
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            displayName: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const { compartmentOcid, vaultOcid } = req.query;
+
+      const keys = await server.services.appConnection.oci.listVaultKeys(
+        { connectionId, compartmentOcid, vaultOcid },
+        req.permission
+      );
+      return keys;
+    }
+  });
+};

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -6,6 +6,8 @@ import { ApiDocsTags, DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
+import { isValidHandleBarTemplate } from "@app/lib/template/validate-handlebars";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -13,6 +15,31 @@ import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchema
 import { AuthMode } from "@app/services/auth/auth-type";
 import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
+const validateUsernameTemplateCharacters = characterValidator([
+  CharacterType.AlphaNumeric,
+  CharacterType.Underscore,
+  CharacterType.Hyphen,
+  CharacterType.OpenBrace,
+  CharacterType.CloseBrace,
+  CharacterType.CloseBracket,
+  CharacterType.OpenBracket,
+  CharacterType.Fullstop,
+  CharacterType.SingleQuote,
+  CharacterType.Spaces,
+  CharacterType.Pipe
+]);
+
+const userTemplateSchema = z
+  .string()
+  .trim()
+  .max(255)
+  .refine((el) => validateUsernameTemplateCharacters(el))
+  .refine((el) =>
+    isValidHandleBarTemplate(el, {
+      allowedExpressions: (val) => ["randomUsername", "unixTimestamp", "identity.name"].includes(val)
+    })
+  );
+
 export const registerDynamicSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -52,7 +79,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
         path: z.string().describe(DYNAMIC_SECRETS.CREATE.path).trim().default("/").transform(removeTrailingSlash),
         environmentSlug: z.string().describe(DYNAMIC_SECRETS.CREATE.environmentSlug).min(1),
         name: slugSchema({ min: 1, max: 64, field: "Name" }).describe(DYNAMIC_SECRETS.CREATE.name),
-        metadata: ResourceMetadataSchema.optional()
+        metadata: ResourceMetadataSchema.optional(),
+        usernameTemplate: userTemplateSchema.optional()
       }),
       response: {
         200: z.object({
@@ -73,39 +101,6 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/entra-id/users",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      body: z.object({
-        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
-        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
-        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
-      }),
-      response: {
-        200: z
-          .object({
-            name: z.string().min(1).describe("The name of the user"),
-            id: z.string().min(1).describe("The ID of the user"),
-            email: z.string().min(1).describe("The email of the user")
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
-        tenantId: req.body.tenantId,
-        applicationId: req.body.applicationId,
-        clientSecret: req.body.clientSecret
-      });
-      return data;
-    }
-  });
-
   server.route({
     method: "PATCH",
     url: "/:name",
@@ -150,7 +145,8 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
             })
             .nullable(),
           newName: z.string().describe(DYNAMIC_SECRETS.UPDATE.newName).optional(),
-          metadata: ResourceMetadataSchema.optional()
+          metadata: ResourceMetadataSchema.optional(),
+          usernameTemplate: userTemplateSchema.nullable().optional()
         })
       }),
       response: {
@@ -328,4 +324,37 @@ export const registerDynamicSecretRouter = async (server: FastifyZodProvider) =>
       return { leases };
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/entra-id/users",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        tenantId: z.string().min(1).describe("The tenant ID of the Azure Entra ID"),
+        applicationId: z.string().min(1).describe("The application ID of the Azure Entra ID App Registration"),
+        clientSecret: z.string().min(1).describe("The client secret of the Azure Entra ID App Registration")
+      }),
+      response: {
+        200: z
+          .object({
+            name: z.string().min(1).describe("The name of the user"),
+            id: z.string().min(1).describe("The ID of the user"),
+            email: z.string().min(1).describe("The email of the user")
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const data = await server.services.dynamicSecret.fetchAzureEntraIdUsers({
+        tenantId: req.body.tenantId,
+        applicationId: req.body.applicationId,
+        clientSecret: req.body.clientSecret
+      });
+      return data;
+    }
+  });
 };

backend/src/ee/routes/v1/gateway-router.ts

@@ -121,14 +121,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            }),
-            projects: z
-              .object({
-                name: z.string(),
-                id: z.string(),
-                slug: z.string()
-              })
-              .array()
+            })
           }).array()
         })
       }
@@ -158,17 +151,15 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            }),
-            projectGatewayId: z.string()
+            })
           }).array()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
     handler: async (req) => {
-      const gateways = await server.services.gateway.getProjectGateways({
-        projectId: req.params.projectId,
-        projectPermission: req.permission
+      const gateways = await server.services.gateway.listGateways({
+        orgPermission: req.permission
       });
       return { gateways };
     }
@@ -216,8 +207,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
         id: z.string()
       }),
       body: z.object({
-        name: slugSchema({ field: "name" }).optional(),
-        projectIds: z.string().array().optional()
+        name: slugSchema({ field: "name" }).optional()
       }),
       response: {
         200: z.object({
@@ -230,8 +220,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
       const gateway = await server.services.gateway.updateGatewayById({
         orgPermission: req.permission,
         id: req.params.id,
-        name: req.body.name,
-        projectIds: req.body.projectIds
+        name: req.body.name
       });
       return { gateway };
     }

backend/src/ee/routes/v1/index.ts

@@ -18,6 +18,7 @@ import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
 import { registerOrgRoleRouter } from "./org-role-router";
+import { registerPITRouter } from "./pit-router";
 import { registerProjectRoleRouter } from "./project-role-router";
 import { registerProjectRouter } from "./project-router";
 import { registerRateLimitRouter } from "./rate-limit-router";
@@ -53,6 +54,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     { prefix: "/workspace" }
   );
   await server.register(registerSnapshotRouter, { prefix: "/secret-snapshot" });
+  await server.register(registerPITRouter, { prefix: "/pit" });
   await server.register(registerSecretApprovalPolicyRouter, { prefix: "/secret-approvals" });
   await server.register(registerSecretApprovalRequestRouter, {
     prefix: "/secret-approval-requests"

backend/src/ee/routes/v1/license-router.ts

@@ -47,7 +47,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
         200: z.object({ plan: z.any() })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const plan = await server.services.license.getOrgPlan({
         actorId: req.permission.id,

backend/src/ee/routes/v1/pit-router.ts

@@ -0,0 +1,416 @@
+/* eslint-disable @typescript-eslint/no-base-to-string */
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
+
+const commitHistoryItemSchema = z.object({
+  id: z.string(),
+  folderId: z.string(),
+  actorType: z.string(),
+  actorMetadata: z.unknown().optional(),
+  message: z.string().optional().nullable(),
+  commitId: z.string(),
+  createdAt: z.string().or(z.date()),
+  envId: z.string()
+});
+
+const folderStateSchema = z.array(
+  z.object({
+    type: z.string(),
+    id: z.string(),
+    versionId: z.string(),
+    secretKey: z.string().optional(),
+    secretVersion: z.number().optional(),
+    folderName: z.string().optional(),
+    folderVersion: z.number().optional()
+  })
+);
+
+export const registerPITRouter = async (server: FastifyZodProvider) => {
+  // Get commits count for a folder
+  server.route({
+    method: "GET",
+    url: "/commits/count",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          count: z.number(),
+          folderId: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitsCount({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        environment: req.query.environment,
+        path: req.query.path
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMIT_COUNT,
+          metadata: {
+            environment: req.query.environment,
+            path: req.query.path,
+            commitCount: result.count.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Get all commits for a folder
+  server.route({
+    method: "GET",
+    url: "/commits",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        environment: z.string().trim(),
+        path: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim(),
+        offset: z.coerce.number().min(0).default(0),
+        limit: z.coerce.number().min(1).max(100).default(20),
+        search: z.string().trim().optional(),
+        sort: z.enum(["asc", "desc"]).default("desc")
+      }),
+      response: {
+        200: z.object({
+          commits: commitHistoryItemSchema.array(),
+          total: z.number(),
+          hasMore: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitsForFolder({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        environment: req.query.environment,
+        path: req.query.path,
+        offset: req.query.offset,
+        limit: req.query.limit,
+        search: req.query.search,
+        sort: req.query.sort
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMITS,
+          metadata: {
+            environment: req.query.environment,
+            path: req.query.path,
+            commitCount: result.commits.length.toString(),
+            offset: req.query.offset.toString(),
+            limit: req.query.limit.toString(),
+            search: req.query.search,
+            sort: req.query.sort
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Get commit changes for a specific commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId/changes",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: commitChangesResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getCommitChanges({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_PROJECT_PIT_COMMIT_CHANGES,
+          metadata: {
+            commitId: req.params.commitId,
+            changesCount: (result.changes.changes?.length || 0).toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Retrieve rollback changes for a commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId/compare",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        folderId: z.string().trim(),
+        environment: z.string().trim(),
+        deepRollback: booleanSchema.default(false),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.array(
+          z.object({
+            folderId: z.string(),
+            folderName: z.string(),
+            folderPath: z.string().optional(),
+            changes: z.array(resourceChangeSchema)
+          })
+        )
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.compareCommitChanges({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId,
+        folderId: req.query.folderId,
+        environment: req.query.environment,
+        deepRollback: req.query.deepRollback,
+        secretPath: req.query.secretPath
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.PIT_COMPARE_FOLDER_STATES,
+          metadata: {
+            targetCommitId: req.params.commitId,
+            folderId: req.query.folderId,
+            deepRollback: req.query.deepRollback,
+            diffsCount: result.length.toString(),
+            environment: req.query.environment,
+            folderPath: req.query.secretPath
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Rollback to a previous commit
+  server.route({
+    method: "POST",
+    url: "/commits/:commitId/rollback",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      body: z.object({
+        folderId: z.string().trim(),
+        deepRollback: z.boolean().default(false),
+        message: z.string().max(256).trim().optional(),
+        environment: z.string().trim(),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          success: z.boolean(),
+          secretChangesCount: z.number().optional(),
+          folderChangesCount: z.number().optional(),
+          totalChanges: z.number().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.rollbackToCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.body.projectId,
+        commitId: req.params.commitId,
+        folderId: req.body.folderId,
+        deepRollback: req.body.deepRollback,
+        message: req.body.message,
+        environment: req.body.environment
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_ROLLBACK_COMMIT,
+          metadata: {
+            targetCommitId: req.params.commitId,
+            environment: req.body.environment,
+            folderId: req.body.folderId,
+            deepRollback: req.body.deepRollback,
+            message: req.body.message || "Rollback to previous commit",
+            totalChanges: result.totalChanges?.toString() || "0"
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Revert commit
+  server.route({
+    method: "POST",
+    url: "/commits/:commitId/revert",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      body: z.object({
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          success: z.boolean(),
+          message: z.string(),
+          originalCommitId: z.string(),
+          revertCommitId: z.string().optional(),
+          changesReverted: z.number().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.revertCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.body.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_REVERT_COMMIT,
+          metadata: {
+            commitId: req.params.commitId,
+            revertCommitId: result.revertCommitId,
+            changesReverted: result.changesReverted?.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+
+  // Folder state at commit
+  server.route({
+    method: "GET",
+    url: "/commits/:commitId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        commitId: z.string().trim()
+      }),
+      querystring: z.object({
+        folderId: z.string().trim(),
+        projectId: z.string().trim()
+      }),
+      response: {
+        200: folderStateSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.getFolderStateAtCommit({
+        actor: req.permission?.type,
+        actorId: req.permission?.id,
+        actorOrgId: req.permission?.orgId,
+        actorAuthMethod: req.permission?.authMethod,
+        projectId: req.query.projectId,
+        commitId: req.params.commitId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.PIT_GET_FOLDER_STATE,
+          metadata: {
+            commitId: req.params.commitId,
+            folderId: req.query.folderId,
+            resourceCount: result.length.toString()
+          }
+        }
+      });
+
+      return result;
+    }
+  });
+};

backend/src/ee/routes/v1/saml-router.ts

@@ -145,7 +145,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
             externalId: profile.nameID,
-            email,
+            email: email.toLowerCase(),
             firstName,
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -1,7 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
-import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -30,10 +30,19 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).default(1),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true)
@@ -75,10 +84,19 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
           ])
           .array()
-          .min(1, { message: "At least one approver should be provided" }),
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
@@ -157,6 +175,12 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
                   id: z.string().nullable().optional(),
                   type: z.nativeEnum(ApproverType)
                 })
+                .array(),
+              bypassers: z
+                .object({
+                  id: z.string().nullable().optional(),
+                  type: z.nativeEnum(BypasserType)
+                })
                 .array()
             })
             .array()
@@ -193,7 +217,14 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
               .object({
                 id: z.string().nullable().optional(),
                 type: z.nativeEnum(ApproverType),
-                name: z.string().nullable().optional()
+                username: z.string().nullable().optional()
+              })
+              .array(),
+            bypassers: z
+              .object({
+                id: z.string().nullable().optional(),
+                type: z.nativeEnum(BypasserType),
+                username: z.string().nullable().optional()
               })
               .array()
           })

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -47,6 +47,11 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                   userId: z.string().nullable().optional()
                 })
                 .array(),
+              bypassers: z
+                .object({
+                  userId: z.string().nullable().optional()
+                })
+                .array(),
               secretPath: z.string().optional().nullable(),
               enforcementLevel: z.string(),
               deletedAt: z.date().nullish(),
@@ -266,6 +271,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
+                bypassers: approvalRequestUser.array(),
                 secretPath: z.string().optional().nullable(),
                 enforcementLevel: z.string(),
                 deletedAt: z.date().nullish(),

backend/src/ee/routes/v1/secret-sync-routers/oci-vault-sync-router.ts

@@ -0,0 +1,16 @@
+import {
+  CreateOCIVaultSyncSchema,
+  OCIVaultSyncSchema,
+  UpdateOCIVaultSyncSchema
+} from "@app/ee/services/secret-sync/oci-vault";
+import { registerSyncSecretsEndpoints } from "@app/server/routes/v1/secret-sync-routers/secret-sync-endpoints";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+export const registerOCIVaultSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.OCIVault,
+    server,
+    responseSchema: OCIVaultSyncSchema,
+    createSchema: CreateOCIVaultSyncSchema,
+    updateSchema: UpdateOCIVaultSyncSchema
+  });

backend/src/ee/routes/v1/snapshot-router.ts

@@ -65,9 +65,10 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
-      hide: false,
+      hide: true,
+      deprecated: true,
       tags: [ApiDocsTags.Projects],
-      description: "Roll back project secrets to those captured in a secret snapshot version.",
+      description: "(Deprecated) Roll back project secrets to those captured in a secret snapshot version.",
       security: [
         {
           bearerAuth: []
@@ -84,6 +85,10 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      throw new Error(
+        "This endpoint is deprecated. Please use the new PIT recovery system. More information is available at: https://infisical.com/docs/documentation/platform/pit-recovery."
+      );
+
       const secretSnapshot = await server.services.snapshot.rollbackSnapshot({
         actor: req.permission.type,
         actorId: req.permission.id,

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -97,7 +97,7 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
         .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TLL must be greater than or equal to TTL",
+          message: "Max TTL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {

backend/src/ee/routes/v1/ssh-host-router.ts

@@ -73,7 +73,7 @@ export const registerSshHostRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const host = await server.services.sshHost.getSshHost({
+      const host = await server.services.sshHost.getSshHostById({
         sshHostId: req.params.sshHostId,
         actor: req.permission.type,
         actorId: req.permission.id,

backend/src/ee/routes/v2/index.ts

@@ -2,6 +2,10 @@ import {
   registerSecretRotationV2Router,
   SECRET_ROTATION_REGISTER_ROUTER_MAP
 } from "@app/ee/routes/v2/secret-rotation-v2-routers";
+import {
+  registerSecretScanningV2Router,
+  SECRET_SCANNING_REGISTER_ROUTER_MAP
+} from "@app/ee/routes/v2/secret-scanning-v2-routers";
 
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
 import { registerProjectRoleRouter } from "./project-role-router";
@@ -31,4 +35,17 @@ export const registerV2EERoutes = async (server: FastifyZodProvider) => {
     },
     { prefix: "/secret-rotations" }
   );
+
+  await server.register(
+    async (secretScanningV2Router) => {
+      // register generic secret scanning endpoints
+      await secretScanningV2Router.register(registerSecretScanningV2Router);
+
+      // register service-specific secret scanning endpoints (gitlab/github, etc.)
+      for await (const [type, router] of Object.entries(SECRET_SCANNING_REGISTER_ROUTER_MAP)) {
+        await secretScanningV2Router.register(router, { prefix: `data-sources/${type}` });
+      }
+    },
+    { prefix: "/secret-scanning" }
+  );
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -5,6 +5,7 @@ import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-ro
 import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-rotation-router";
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
+import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
 export * from "./secret-rotation-v2-router";
@@ -15,6 +16,7 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
 > = {
   [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
   [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
+  [SecretRotation.MySqlCredentials]: registerMySqlCredentialsRotationRouter,
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,

backend/src/ee/routes/v2/secret-rotation-v2-routers/mysql-credentials-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateMySqlCredentialsRotationSchema,
+  MySqlCredentialsRotationSchema,
+  UpdateMySqlCredentialsRotationSchema
+} from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { SqlCredentialsRotationGeneratedCredentialsSchema } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerMySqlCredentialsRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.MySqlCredentials,
+    server,
+    responseSchema: MySqlCredentialsRotationSchema,
+    createSchema: CreateMySqlCredentialsRotationSchema,
+    updateSchema: UpdateMySqlCredentialsRotationSchema,
+    generatedCredentialsSchema: SqlCredentialsRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -6,6 +6,7 @@ import { AwsIamUserSecretRotationListItemSchema } from "@app/ee/services/secret-
 import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
+import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
 import { ApiDocsTags, SecretRotations } from "@app/lib/api-docs";
@@ -16,6 +17,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationListItemSchema,
   MsSqlCredentialsRotationListItemSchema,
+  MySqlCredentialsRotationListItemSchema,
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,

backend/src/ee/routes/v2/secret-scanning-v2-routers/github-secret-scanning-router.ts

@@ -0,0 +1,16 @@
+import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
+import {
+  CreateGitHubDataSourceSchema,
+  GitHubDataSourceSchema,
+  UpdateGitHubDataSourceSchema
+} from "@app/ee/services/secret-scanning-v2/github";
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+
+export const registerGitHubSecretScanningRouter = async (server: FastifyZodProvider) =>
+  registerSecretScanningEndpoints({
+    type: SecretScanningDataSource.GitHub,
+    server,
+    responseSchema: GitHubDataSourceSchema,
+    createSchema: CreateGitHubDataSourceSchema,
+    updateSchema: UpdateGitHubDataSourceSchema
+  });

backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts

@@ -0,0 +1,12 @@
+import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+
+import { registerGitHubSecretScanningRouter } from "./github-secret-scanning-router";
+
+export * from "./secret-scanning-v2-router";
+
+export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
+  SecretScanningDataSource,
+  (server: FastifyZodProvider) => Promise<void>
+> = {
+  [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter
+};

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints.ts

@@ -0,0 +1,593 @@
+import { z } from "zod";
+
+import { SecretScanningResourcesSchema, SecretScanningScansSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import {
+  SecretScanningDataSource,
+  SecretScanningScanStatus
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import { SECRET_SCANNING_DATA_SOURCE_NAME_MAP } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-maps";
+import {
+  TSecretScanningDataSource,
+  TSecretScanningDataSourceInput
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
+import { ApiDocsTags, SecretScanningDataSources } from "@app/lib/api-docs";
+import { startsWithVowel } from "@app/lib/fn";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerSecretScanningEndpoints = <
+  T extends TSecretScanningDataSource,
+  I extends TSecretScanningDataSourceInput
+>({
+  server,
+  type,
+  createSchema,
+  updateSchema,
+  responseSchema
+}: {
+  type: SecretScanningDataSource;
+  server: FastifyZodProvider;
+  createSchema: z.ZodType<{
+    name: string;
+    projectId: string;
+    connectionId?: string;
+    config: Partial<I["config"]>;
+    description?: string | null;
+    isAutoScanEnabled?: boolean;
+  }>;
+  updateSchema: z.ZodType<{
+    name?: string;
+    config?: Partial<I["config"]>;
+    description?: string | null;
+    isAutoScanEnabled?: boolean;
+  }>;
+  responseSchema: z.ZodTypeAny;
+}) => {
+  const sourceType = SECRET_SCANNING_DATA_SOURCE_NAME_MAP[type];
+
+  server.route({
+    method: "GET",
+    url: `/`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `List the ${sourceType} Data Sources for the specified project.`,
+      querystring: z.object({
+        projectId: z
+          .string()
+          .trim()
+          .min(1, "Project ID required")
+          .describe(SecretScanningDataSources.LIST(type).projectId)
+      }),
+      response: {
+        200: z.object({ dataSources: responseSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId }
+      } = req;
+
+      const dataSources = (await server.services.secretScanningV2.listSecretScanningDataSourcesByProjectId(
+        { projectId, type },
+        req.permission
+      )) as T[];
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST,
+          metadata: {
+            type,
+            count: dataSources.length,
+            dataSourceIds: dataSources.map((source) => source.id)
+          }
+        }
+      });
+
+      return { dataSources };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:dataSourceId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Get the specified ${sourceType} Data Source by ID.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.GET_BY_ID(type).dataSourceId)
+      }),
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const dataSource = (await server.services.secretScanningV2.findSecretScanningDataSourceById(
+        { dataSourceId, type },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: dataSource.projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_GET,
+          metadata: {
+            dataSourceId,
+            type
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/data-source-name/:dataSourceName`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Get the specified ${sourceType} Data Source by name and project ID.`,
+      params: z.object({
+        sourceName: z
+          .string()
+          .trim()
+          .min(1, "Data Source name required")
+          .describe(SecretScanningDataSources.GET_BY_NAME(type).sourceName)
+      }),
+      querystring: z.object({
+        projectId: z
+          .string()
+          .trim()
+          .min(1, "Project ID required")
+          .describe(SecretScanningDataSources.GET_BY_NAME(type).projectId)
+      }),
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { sourceName } = req.params;
+      const { projectId } = req.query;
+
+      const dataSource = (await server.services.secretScanningV2.findSecretScanningDataSourceByName(
+        { sourceName, projectId, type },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_GET,
+          metadata: {
+            dataSourceId: dataSource.id,
+            type
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Create ${
+        startsWithVowel(sourceType) ? "an" : "a"
+      } ${sourceType} Data Source for the specified project.`,
+      body: createSchema,
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const dataSource = (await server.services.secretScanningV2.createSecretScanningDataSource(
+        { ...req.body, type },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: dataSource.projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_CREATE,
+          metadata: {
+            dataSourceId: dataSource.id,
+            type,
+            ...req.body
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:dataSourceId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Update the specified ${sourceType} Data Source.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.UPDATE(type).dataSourceId)
+      }),
+      body: updateSchema,
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const dataSource = (await server.services.secretScanningV2.updateSecretScanningDataSource(
+        { ...req.body, dataSourceId, type },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: dataSource.projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_UPDATE,
+          metadata: {
+            dataSourceId,
+            type,
+            ...req.body
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: `/:dataSourceId`,
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Delete the specified ${sourceType} Data Source.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.DELETE(type).dataSourceId)
+      }),
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const dataSource = (await server.services.secretScanningV2.deleteSecretScanningDataSource(
+        { type, dataSourceId },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: dataSource.projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_DELETE,
+          metadata: {
+            type,
+            dataSourceId
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: `/:dataSourceId/scan`,
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Trigger a scan for the specified ${sourceType} Data Source.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.SCAN(type).dataSourceId)
+      }),
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const dataSource = (await server.services.secretScanningV2.triggerSecretScanningDataSourceScan(
+        { type, dataSourceId },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: dataSource.projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_TRIGGER_SCAN,
+          metadata: {
+            type,
+            dataSourceId
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: `/:dataSourceId/resources/:resourceId/scan`,
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Trigger a scan for the specified ${sourceType} Data Source resource.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.SCAN(type).dataSourceId),
+        resourceId: z.string().uuid().describe(SecretScanningDataSources.SCAN(type).resourceId)
+      }),
+      response: {
+        200: z.object({ dataSource: responseSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId, resourceId } = req.params;
+
+      const dataSource = (await server.services.secretScanningV2.triggerSecretScanningDataSourceScan(
+        { type, dataSourceId, resourceId },
+        req.permission
+      )) as T;
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: dataSource.projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_TRIGGER_SCAN,
+          metadata: {
+            type,
+            dataSourceId,
+            resourceId
+          }
+        }
+      });
+
+      return { dataSource };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:dataSourceId/resources",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Get the resources associated with the specified ${sourceType} Data Source by ID.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.LIST_RESOURCES(type).dataSourceId)
+      }),
+      response: {
+        200: z.object({ resources: SecretScanningResourcesSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const { resources, projectId } = await server.services.secretScanningV2.listSecretScanningResourcesByDataSourceId(
+        { dataSourceId, type },
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_RESOURCE_LIST,
+          metadata: {
+            dataSourceId,
+            type,
+            resourceIds: resources.map((resource) => resource.id),
+            count: resources.length
+          }
+        }
+      });
+
+      return { resources };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:dataSourceId/scans",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: `Get the scans associated with the specified ${sourceType} Data Source by ID.`,
+      params: z.object({
+        dataSourceId: z.string().uuid().describe(SecretScanningDataSources.LIST_SCANS(type).dataSourceId)
+      }),
+      response: {
+        200: z.object({ scans: SecretScanningScansSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const { scans, projectId } = await server.services.secretScanningV2.listSecretScanningScansByDataSourceId(
+        { dataSourceId, type },
+        req.permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_SCAN_LIST,
+          metadata: {
+            dataSourceId,
+            type,
+            count: scans.length
+          }
+        }
+      });
+
+      return { scans };
+    }
+  });
+
+  // not exposed, for UI only
+  server.route({
+    method: "GET",
+    url: "/:dataSourceId/resources-dashboard",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      tags: [ApiDocsTags.SecretScanning],
+      params: z.object({
+        dataSourceId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          resources: SecretScanningResourcesSchema.extend({
+            lastScannedAt: z.date().nullish(),
+            lastScanStatus: z.nativeEnum(SecretScanningScanStatus).nullish(),
+            lastScanStatusMessage: z.string().nullish(),
+            unresolvedFindings: z.number()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const { resources, projectId } =
+        await server.services.secretScanningV2.listSecretScanningResourcesWithDetailsByDataSourceId(
+          { dataSourceId, type },
+          req.permission
+        );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_RESOURCE_LIST,
+          metadata: {
+            dataSourceId,
+            type,
+            resourceIds: resources.map((resource) => resource.id),
+            count: resources.length
+          }
+        }
+      });
+
+      return { resources };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:dataSourceId/scans-dashboard",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      tags: [ApiDocsTags.SecretScanning],
+      params: z.object({
+        dataSourceId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          scans: SecretScanningScansSchema.extend({
+            unresolvedFindings: z.number(),
+            resolvedFindings: z.number(),
+            resourceName: z.string()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { dataSourceId } = req.params;
+
+      const { scans, projectId } =
+        await server.services.secretScanningV2.listSecretScanningScansWithDetailsByDataSourceId(
+          { dataSourceId, type },
+          req.permission
+        );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_SCAN_LIST,
+          metadata: {
+            dataSourceId,
+            type,
+            count: scans.length
+          }
+        }
+      });
+
+      return { scans };
+    }
+  });
+};

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -0,0 +1,366 @@
+import { z } from "zod";
+
+import { SecretScanningConfigsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
+import {
+  SecretScanningFindingStatus,
+  SecretScanningScanStatus
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
+import {
+  SecretScanningDataSourceSchema,
+  SecretScanningFindingSchema
+} from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-union-schemas";
+import {
+  ApiDocsTags,
+  SecretScanningConfigs,
+  SecretScanningDataSources,
+  SecretScanningFindings
+} from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [GitHubDataSourceListItemSchema]);
+
+export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/data-sources/options",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "List the available Secret Scanning Data Source Options.",
+      response: {
+        200: z.object({
+          dataSourceOptions: SecretScanningDataSourceOptionsSchema.array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: () => {
+      const dataSourceOptions = server.services.secretScanningV2.listSecretScanningDataSourceOptions();
+      return { dataSourceOptions };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/data-sources",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "List all the Secret Scanning Data Sources for the specified project.",
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretScanningDataSources.LIST().projectId)
+      }),
+      response: {
+        200: z.object({ dataSources: SecretScanningDataSourceSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const dataSources = await server.services.secretScanningV2.listSecretScanningDataSourcesByProjectId(
+        { projectId },
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST,
+          metadata: {
+            dataSourceIds: dataSources.map((dataSource) => dataSource.id),
+            count: dataSources.length
+          }
+        }
+      });
+
+      return { dataSources };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/findings",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "List all the Secret Scanning Findings for the specified project.",
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretScanningFindings.LIST.projectId)
+      }),
+      response: {
+        200: z.object({ findings: SecretScanningFindingSchema.array() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const findings = await server.services.secretScanningV2.listSecretScanningFindingsByProjectId(
+        projectId,
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_FINDING_LIST,
+          metadata: {
+            findingIds: findings.map((finding) => finding.id),
+            count: findings.length
+          }
+        }
+      });
+
+      return { findings };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/findings/:findingId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "Update the specified Secret Scanning Finding.",
+      params: z.object({
+        findingId: z.string().trim().min(1, "Finding ID required").describe(SecretScanningFindings.UPDATE.findingId)
+      }),
+      body: z.object({
+        status: z.nativeEnum(SecretScanningFindingStatus).optional().describe(SecretScanningFindings.UPDATE.status),
+        remarks: z.string().nullish().describe(SecretScanningFindings.UPDATE.remarks)
+      }),
+      response: {
+        200: z.object({ finding: SecretScanningFindingSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { findingId },
+        body,
+        permission
+      } = req;
+
+      const { finding, projectId } = await server.services.secretScanningV2.updateSecretScanningFindingById(
+        { findingId, ...body },
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_FINDING_UPDATE,
+          metadata: {
+            findingId,
+            ...body
+          }
+        }
+      });
+
+      return { finding };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/configs",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "Get the Secret Scanning Config for the specified project.",
+      querystring: z.object({
+        projectId: z
+          .string()
+          .trim()
+          .min(1, "Project ID required")
+          .describe(SecretScanningConfigs.GET_BY_PROJECT_ID.projectId)
+      }),
+      response: {
+        200: z.object({
+          config: z.object({ content: z.string().nullish(), projectId: z.string(), updatedAt: z.date().nullish() })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const config = await server.services.secretScanningV2.findSecretScanningConfigByProjectId(projectId, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_CONFIG_GET
+        }
+      });
+
+      return { config };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/configs",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.SecretScanning],
+      description: "Update the specified Secret Scanning Configuration.",
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretScanningConfigs.UPDATE.projectId)
+      }),
+      body: z.object({
+        content: z.string().nullable().describe(SecretScanningConfigs.UPDATE.content)
+      }),
+      response: {
+        200: z.object({ config: SecretScanningConfigsSchema })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        body,
+        permission
+      } = req;
+
+      const config = await server.services.secretScanningV2.upsertSecretScanningConfig(
+        { projectId, ...body },
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_CONFIG_UPDATE,
+          metadata: body
+        }
+      });
+
+      return { config };
+    }
+  });
+
+  // not exposed, for UI only
+  server.route({
+    method: "GET",
+    url: "/data-sources-dashboard",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required")
+      }),
+      response: {
+        200: z.object({
+          dataSources: z
+            .intersection(
+              SecretScanningDataSourceSchema,
+              z.object({
+                lastScannedAt: z.date().nullish(),
+                lastScanStatus: z.nativeEnum(SecretScanningScanStatus).nullish(),
+                lastScanStatusMessage: z.string().nullish(),
+                unresolvedFindings: z.number().nullish()
+              })
+            )
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const dataSources = await server.services.secretScanningV2.listSecretScanningDataSourcesWithDetailsByProjectId(
+        { projectId },
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST,
+          metadata: {
+            dataSourceIds: dataSources.map((dataSource) => dataSource.id),
+            count: dataSources.length
+          }
+        }
+      });
+
+      return { dataSources };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/unresolved-findings-count",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      tags: [ApiDocsTags.SecretScanning],
+      querystring: z.object({
+        projectId: z.string().trim().min(1, "Project ID required").describe(SecretScanningFindings.LIST.projectId)
+      }),
+      response: {
+        200: z.object({ unresolvedFindings: z.number() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const {
+        query: { projectId },
+        permission
+      } = req;
+
+      const unresolvedFindings =
+        await server.services.secretScanningV2.getSecretScanningUnresolvedFindingsCountByProjectId(
+          projectId,
+          permission
+        );
+
+      return { unresolvedFindings };
+    }
+  });
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -8,3 +8,10 @@ export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
   const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
   return { ...accessApprovalPolicyApproverOrm };
 };
+
+export type TAccessApprovalPolicyBypasserDALFactory = ReturnType<typeof accessApprovalPolicyBypasserDALFactory>;
+
+export const accessApprovalPolicyBypasserDALFactory = (db: TDbClient) => {
+  const accessApprovalPolicyBypasserOrm = ormify(db, TableName.AccessApprovalPolicyBypasser);
+  return { ...accessApprovalPolicyBypasserOrm };
+};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -1,11 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies } from "@app/db/schemas";
+import { AccessApprovalPoliciesSchema, TableName, TAccessApprovalPolicies, TUsers } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
-import { ApproverType } from "./access-approval-policy-types";
+import { ApproverType, BypasserType } from "./access-approval-policy-types";
 
 export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
 
@@ -34,9 +34,22 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
       .leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
+      .leftJoin(
+        TableName.AccessApprovalPolicyBypasser,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyBypasser}.policyId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("bypasserUsers"),
+        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
+        `bypasserUsers.id`
+      )
       .select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
+      .select(tx.ref("username").withSchema("bypasserUsers").as("bypasserUsername"))
       .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
       .select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
+      .select(tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
+      .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
       .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -129,6 +142,23 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
               id,
               type: ApproverType.Group
             })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserUserId: id, bypasserUsername }) => ({
+              id,
+              type: BypasserType.User,
+              name: bypasserUsername
+            })
+          },
+          {
+            key: "bypasserGroupId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupId: id }) => ({
+              id,
+              type: BypasserType.Group
+            })
           }
         ]
       });
@@ -144,5 +174,28 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
     return softDeletedPolicy;
   };
 
-  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById };
+  const findLastValidPolicy = async ({ envId, secretPath }: { envId: string; secretPath: string }, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
+        .where(
+          // eslint-disable-next-line @typescript-eslint/no-misused-promises
+          buildFindFilter(
+            {
+              envId,
+              secretPath
+            },
+            TableName.AccessApprovalPolicy
+          )
+        )
+        .orderBy("deletedAt", "desc")
+        .orderByRaw(`"deletedAt" IS NULL`)
+        .first();
+
+      return result;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindLastValidPolicy" });
+    }
+  };
+
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -4,6 +4,7 @@ import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -14,10 +15,14 @@ import { TAccessApprovalRequestReviewerDALFactory } from "../access-approval-req
 import { ApprovalStatus } from "../access-approval-request/access-approval-request-types";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
-import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
+import {
+  TAccessApprovalPolicyApproverDALFactory,
+  TAccessApprovalPolicyBypasserDALFactory
+} from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
 import {
   ApproverType,
+  BypasserType,
   TCreateAccessApprovalPolicy,
   TDeleteAccessApprovalPolicy,
   TGetAccessApprovalPolicyByIdDTO,
@@ -32,12 +37,14 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
   accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
+  accessApprovalPolicyBypasserDAL: TAccessApprovalPolicyBypasserDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
   groupDAL: TGroupDALFactory;
   userDAL: Pick<TUserDALFactory, "find">;
   accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "update" | "find">;
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
 };
 
 export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@@ -45,6 +52,7 @@ export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprov
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
+  accessApprovalPolicyBypasserDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -52,7 +60,8 @@ export const accessApprovalPolicyServiceFactory = ({
   userDAL,
   accessApprovalRequestDAL,
   additionalPrivilegeDAL,
-  accessApprovalRequestReviewerDAL
+  accessApprovalRequestReviewerDAL,
+  orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep) => {
   const createAccessApprovalPolicy = async ({
     name,
@@ -63,6 +72,7 @@ export const accessApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     approvals,
     approvers,
+    bypassers,
     projectSlug,
     environment,
     enforcementLevel,
@@ -82,7 +92,7 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
       .filter(Boolean) as string[];
 
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
@@ -147,6 +157,44 @@ export const accessApprovalPolicyServiceFactory = ({
       .map((user) => user.id);
     verifyAllApprovers.push(...verifyGroupApprovers);
 
+    let groupBypassers: string[] = [];
+    let bypasserUserIds: string[] = [];
+
+    if (bypassers && bypassers.length) {
+      groupBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.Group)
+        .map((bypasser) => bypasser.id) as string[];
+
+      const userBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.User)
+        .map((bypasser) => bypasser.id)
+        .filter(Boolean) as string[];
+
+      const userBypasserNames = bypassers
+        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
+        .filter(Boolean) as string[];
+
+      bypasserUserIds = userBypassers;
+      if (userBypasserNames.length) {
+        const bypasserUsers = await userDAL.find({
+          $in: {
+            username: userBypasserNames
+          }
+        });
+
+        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
+        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
+
+        if (invalidUsernames.length) {
+          throw new BadRequestError({
+            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        bypasserUserIds = bypasserUserIds.concat(bypasserUsers.map((user) => user.id));
+      }
+    }
+
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -159,6 +207,7 @@ export const accessApprovalPolicyServiceFactory = ({
         },
         tx
       );
+
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
           approverUserIds.map((userId) => ({
@@ -179,8 +228,29 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
+      if (bypasserUserIds.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          bypasserUserIds.map((userId) => ({
+            bypasserUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupBypassers.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          groupBypassers.map((groupId) => ({
+            bypasserGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
+
     return { ...accessApproval, environment: env, projectId: project.id };
   };
 
@@ -211,6 +281,7 @@ export const accessApprovalPolicyServiceFactory = ({
   const updateAccessApprovalPolicy = async ({
     policyId,
     approvers,
+    bypassers,
     secretPath,
     name,
     actorId,
@@ -231,15 +302,15 @@ export const accessApprovalPolicyServiceFactory = ({
       .filter(Boolean) as string[];
 
     const userApproverNames = approvers
-      .map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
+      .map((approver) => (approver.type === ApproverType.User ? approver.username : undefined))
       .filter(Boolean) as string[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    const currentAppovals = approvals || accessApprovalPolicy.approvals;
+    const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
       groupApprovers?.length === 0 &&
       userApprovers &&
-      currentAppovals > userApprovers.length + userApproverNames.length
+      currentApprovals > userApprovers.length + userApproverNames.length
     ) {
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
@@ -258,6 +329,78 @@ export const accessApprovalPolicyServiceFactory = ({
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
+    let groupBypassers: string[] = [];
+    let bypasserUserIds: string[] = [];
+
+    if (bypassers && bypassers.length) {
+      groupBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.Group)
+        .map((bypasser) => bypasser.id) as string[];
+
+      groupBypassers = [...new Set(groupBypassers)];
+
+      const userBypassers = bypassers
+        .filter((bypasser) => bypasser.type === BypasserType.User)
+        .map((bypasser) => bypasser.id)
+        .filter(Boolean) as string[];
+
+      const userBypasserNames = bypassers
+        .map((bypasser) => (bypasser.type === BypasserType.User ? bypasser.username : undefined))
+        .filter(Boolean) as string[];
+
+      bypasserUserIds = userBypassers;
+      if (userBypasserNames.length) {
+        const bypasserUsers = await userDAL.find({
+          $in: {
+            username: userBypasserNames
+          }
+        });
+
+        const bypasserNamesFromDb = bypasserUsers.map((user) => user.username);
+        const invalidUsernames = userBypasserNames.filter((username) => !bypasserNamesFromDb.includes(username));
+
+        if (invalidUsernames.length) {
+          throw new BadRequestError({
+            message: `Invalid bypasser user: ${invalidUsernames.join(", ")}`
+          });
+        }
+
+        bypasserUserIds = [...new Set(bypasserUserIds.concat(bypasserUsers.map((user) => user.id)))];
+      }
+
+      // Validate user bypassers
+      if (bypasserUserIds.length > 0) {
+        const orgMemberships = await orgMembershipDAL.find({
+          $in: { userId: bypasserUserIds },
+          orgId: actorOrgId
+        });
+
+        if (orgMemberships.length !== bypasserUserIds.length) {
+          const foundUserIdsInOrg = new Set(orgMemberships.map((mem) => mem.userId));
+          const missingUserIds = bypasserUserIds.filter((id) => !foundUserIdsInOrg.has(id));
+          throw new BadRequestError({
+            message: `One or more specified bypasser users are not part of the organization or do not exist. Invalid or non-member user IDs: ${missingUserIds.join(", ")}`
+          });
+        }
+      }
+
+      // Validate group bypassers
+      if (groupBypassers.length > 0) {
+        const orgGroups = await groupDAL.find({
+          $in: { id: groupBypassers },
+          orgId: actorOrgId
+        });
+
+        if (orgGroups.length !== groupBypassers.length) {
+          const foundGroupIdsInOrg = new Set(orgGroups.map((group) => group.id));
+          const missingGroupIds = groupBypassers.filter((id) => !foundGroupIdsInOrg.has(id));
+          throw new BadRequestError({
+            message: `One or more specified bypasser groups are not part of the organization or do not exist. Invalid or non-member group IDs: ${missingGroupIds.join(", ")}`
+          });
+        }
+      }
+    }
+
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
         accessApprovalPolicy.id,
@@ -313,6 +456,28 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
+      await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
+
+      if (bypasserUserIds.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          bypasserUserIds.map((userId) => ({
+            bypasserUserId: userId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
+      if (groupBypassers.length) {
+        await accessApprovalPolicyBypasserDAL.insertMany(
+          groupBypassers.map((groupId) => ({
+            bypasserGroupId: groupId,
+            policyId: doc.id
+          })),
+          tx
+        );
+      }
+
       return doc;
     });
     return {

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -18,11 +18,20 @@ export enum ApproverType {
   User = "user"
 }
 
+export enum BypasserType {
+  Group = "group",
+  User = "user"
+}
+
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
   environment: string;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  bypassers?: (
+    | { type: BypasserType.Group; id: string }
+    | { type: BypasserType.User; id?: string; username?: string }
+  )[];
   projectSlug: string;
   name: string;
   enforcementLevel: EnforcementLevel;
@@ -32,7 +41,11 @@ export type TCreateAccessApprovalPolicy = {
 export type TUpdateAccessApprovalPolicy = {
   policyId: string;
   approvals?: number;
-  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
+  approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
+  bypassers?: (
+    | { type: BypasserType.Group; id: string }
+    | { type: BypasserType.User; id?: string; username?: string }
+  )[];
   secretPath?: string;
   name?: string;
   enforcementLevel?: EnforcementLevel;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -1,7 +1,13 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests, TUsers } from "@app/db/schemas";
+import {
+  AccessApprovalRequestsSchema,
+  TableName,
+  TAccessApprovalRequests,
+  TUserGroupMembership,
+  TUsers
+} from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
 
@@ -28,12 +34,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.AccessApprovalRequest}.policyId`,
           `${TableName.AccessApprovalPolicy}.id`
         )
-
         .leftJoin(
           TableName.AccessApprovalRequestReviewer,
           `${TableName.AccessApprovalRequest}.id`,
           `${TableName.AccessApprovalRequestReviewer}.requestId`
         )
+
         .leftJoin(
           TableName.AccessApprovalPolicyApprover,
           `${TableName.AccessApprovalPolicy}.id`,
@@ -46,6 +52,17 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         )
         .leftJoin(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
 
+        .leftJoin(
+          TableName.AccessApprovalPolicyBypasser,
+          `${TableName.AccessApprovalPolicy}.id`,
+          `${TableName.AccessApprovalPolicyBypasser}.policyId`
+        )
+        .leftJoin<TUserGroupMembership>(
+          db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+          `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
+          `bypasserUserGroupMembership.groupId`
+        )
+
         .join<TUsers>(
           db(TableName.Users).as("requestedByUser"),
           `${TableName.AccessApprovalRequest}.requestedByUserId`,
@@ -69,6 +86,9 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
         .select(db.ref("userId").withSchema(TableName.UserGroupMembership).as("approverGroupUserId"))
 
+        .select(db.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser))
+        .select(db.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"))
+
         .select(
           db.ref("projectId").withSchema(TableName.Environment),
           db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
@@ -145,7 +165,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               }
             : null,
 
-          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId
+          isApproved: !!doc.policyDeletedAt || !!doc.privilegeId || doc.status !== ApprovalStatus.PENDING
         }),
         childrenMapper: [
           {
@@ -158,6 +178,12 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             key: "approverGroupUserId",
             label: "approvers" as const,
             mapper: ({ approverGroupUserId }) => approverGroupUserId
+          },
+          { key: "bypasserUserId", label: "bypassers" as const, mapper: ({ bypasserUserId }) => bypasserUserId },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({ bypasserGroupUserId }) => bypasserGroupUserId
           }
         ]
       });
@@ -166,7 +192,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
 
       return formattedDocs.map((doc) => ({
         ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers }
+        policy: { ...doc.policy, approvers: doc.approvers, bypassers: doc.bypassers }
       }));
     } catch (error) {
       throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
@@ -193,7 +219,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicy}.id`,
         `${TableName.AccessApprovalPolicyApprover}.policyId`
       )
-
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyApproverUser"),
         `${TableName.AccessApprovalPolicyApprover}.approverUserId`,
@@ -204,13 +229,33 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.AccessApprovalPolicyApprover}.approverGroupId`,
         `${TableName.UserGroupMembership}.groupId`
       )
-
       .leftJoin<TUsers>(
         db(TableName.Users).as("accessApprovalPolicyGroupApproverUser"),
         `${TableName.UserGroupMembership}.userId`,
         "accessApprovalPolicyGroupApproverUser.id"
       )
 
+      .leftJoin(
+        TableName.AccessApprovalPolicyBypasser,
+        `${TableName.AccessApprovalPolicy}.id`,
+        `${TableName.AccessApprovalPolicyBypasser}.policyId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyBypasserUser"),
+        `${TableName.AccessApprovalPolicyBypasser}.bypasserUserId`,
+        "accessApprovalPolicyBypasserUser.id"
+      )
+      .leftJoin<TUserGroupMembership>(
+        db(TableName.UserGroupMembership).as("bypasserUserGroupMembership"),
+        `${TableName.AccessApprovalPolicyBypasser}.bypasserGroupId`,
+        `bypasserUserGroupMembership.groupId`
+      )
+      .leftJoin<TUsers>(
+        db(TableName.Users).as("accessApprovalPolicyGroupBypasserUser"),
+        `bypasserUserGroupMembership.userId`,
+        "accessApprovalPolicyGroupBypasserUser.id"
+      )
+
       .leftJoin(
         TableName.AccessApprovalRequestReviewer,
         `${TableName.AccessApprovalRequest}.id`,
@@ -241,6 +286,18 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("firstName").withSchema("requestedByUser").as("requestedByUserFirstName"),
         tx.ref("lastName").withSchema("requestedByUser").as("requestedByUserLastName"),
 
+        // Bypassers
+        tx.ref("bypasserUserId").withSchema(TableName.AccessApprovalPolicyBypasser),
+        tx.ref("userId").withSchema("bypasserUserGroupMembership").as("bypasserGroupUserId"),
+        tx.ref("email").withSchema("accessApprovalPolicyBypasserUser").as("bypasserEmail"),
+        tx.ref("email").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupEmail"),
+        tx.ref("username").withSchema("accessApprovalPolicyBypasserUser").as("bypasserUsername"),
+        tx.ref("username").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupUsername"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserFirstName"),
+        tx.ref("firstName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupFirstName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyBypasserUser").as("bypasserLastName"),
+        tx.ref("lastName").withSchema("accessApprovalPolicyGroupBypasserUser").as("bypasserGroupLastName"),
+
         tx.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer),
 
         tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
@@ -265,7 +322,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
     try {
       const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db.replicaNode());
       const docs = await sql;
-      const formatedDoc = sqlNestRelationships({
+      const formattedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -335,13 +392,51 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
               lastName,
               username
             })
+          },
+          {
+            key: "bypasserUserId",
+            label: "bypassers" as const,
+            mapper: ({
+              bypasserUserId,
+              bypasserEmail: email,
+              bypasserUsername: username,
+              bypasserLastName: lastName,
+              bypasserFirstName: firstName
+            }) => ({
+              userId: bypasserUserId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
+          },
+          {
+            key: "bypasserGroupUserId",
+            label: "bypassers" as const,
+            mapper: ({
+              userId,
+              bypasserGroupEmail: email,
+              bypasserGroupUsername: username,
+              bypasserGroupLastName: lastName,
+              bypasserFirstName: firstName
+            }) => ({
+              userId,
+              email,
+              firstName,
+              lastName,
+              username
+            })
           }
         ]
       });
-      if (!formatedDoc?.[0]) return;
+      if (!formattedDoc?.[0]) return;
       return {
-        ...formatedDoc[0],
-        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
+        ...formattedDoc[0],
+        policy: {
+          ...formattedDoc[0].policy,
+          approvers: formattedDoc[0].approvers,
+          bypassers: formattedDoc[0].bypassers
+        }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
@@ -392,14 +487,20 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         ]
       });
 
-      // an approval is pending if there is no reviewer rejections and no privilege ID is set
+      // an approval is pending if there is no reviewer rejections, no privilege ID is set and the status is pending
       const pendingApprovals = formattedRequests.filter(
-        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+        (req) =>
+          !req.privilegeId &&
+          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) &&
+          req.status === ApprovalStatus.PENDING
       );
 
-      // an approval is finalized if there are any rejections or a privilege ID is set
+      // an approval is finalized if there are any rejections, a privilege ID is set or the number of approvals is equal to the number of approvals required
       const finalizedApprovals = formattedRequests.filter(
-        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
+        (req) =>
+          req.privilegeId ||
+          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED) ||
+          req.status !== ApprovalStatus.PENDING
       );
 
       return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };