misc: update tooltip for overwrite sync

Merge pull request #3906 from Infisical/feat/audit-log-fix
feat: audit log improvement
2025-07-05 04:29:09 +00:00 · 2025-07-03 02:32:10 +08:00 · 2025-07-03 01:49:06 +08:00 · 2025-07-02 23:04:36 +05:30 · 2025-07-02 23:04:36 +05:30 · 2025-07-02 23:04:36 +05:30
824 changed files with 17856 additions and 14705 deletions
--- a/.env.example
+++ b/.env.example
@ -107,6 +107,10 @@ INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
 INF_APP_CONNECTION_GITHUB_APP_ID=

+#gitlab app connection
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID=
+INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET=
+
 #github radar app connection
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET=
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -83,7 +83,7 @@ jobs:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-8-cores
    needs: [cli-integration-tests]
    steps:
      - uses: actions/checkout@v3
--- a/backend/e2e-test/mocks/keystore.ts
+++ b/backend/e2e-test/mocks/keystore.ts
@ -8,6 +8,9 @@ import { Lock } from "@app/lib/red-lock";
 export const mockKeyStore = (): TKeyStoreFactory => {
  const store: Record<string, string | number | Buffer> = {};

+  const getRegex = (pattern: string) =>
+    new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
+
  return {
    setItem: async (key, value) => {
      store[key] = value;
@ -23,7 +26,7 @@ export const mockKeyStore = (): TKeyStoreFactory => {
      return 1;
    },
    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
-      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
+      const regex = getRegex(pattern);
      let totalDeleted = 0;
      const keys = Object.keys(store);

@ -53,6 +56,27 @@ export const mockKeyStore = (): TKeyStoreFactory => {
    incrementBy: async () => {
      return 1;
    },
+    getItems: async (keys) => {
+      const values = keys.map((key) => {
+        const value = store[key];
+        if (typeof value === "string") {
+          return value;
+        }
+        return null;
+      });
+      return values;
+    },
+    getKeysByPattern: async (pattern) => {
+      const regex = getRegex(pattern);
+      const keys = Object.keys(store);
+      return keys.filter((key) => regex.test(key));
+    },
+    deleteItemsByKeyIn: async (keys) => {
+      for (const key of keys) {
+        delete store[key];
+      }
+      return keys.length;
+    },
    acquireLock: () => {
      return Promise.resolve({
        release: () => {}
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -30,6 +30,7 @@
        "@fastify/static": "^7.0.4",
        "@fastify/swagger": "^8.14.0",
        "@fastify/swagger-ui": "^2.1.0",
+        "@gitbeaker/rest": "^42.5.0",
        "@google-cloud/kms": "^4.5.0",
        "@infisical/quic": "^1.0.8",
        "@node-saml/passport-saml": "^5.0.1",
@ -7807,6 +7808,48 @@
        "p-limit": "^3.1.0"
      }
    },
+    "node_modules/@gitbeaker/core": {
+      "version": "42.5.0",
+      "resolved": "https://registry.npmjs.org/@gitbeaker/core/-/core-42.5.0.tgz",
+      "integrity": "sha512-rMWpOPaZi1iLiifnOIoVO57p2EmQQdfIwP4txqNyMvG4WjYP5Ez0U7jRD9Nra41x6K5kTPBZkuQcAdxVWRJcEQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@gitbeaker/requester-utils": "^42.5.0",
+        "qs": "^6.12.2",
+        "xcase": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18.20.0"
+      }
+    },
+    "node_modules/@gitbeaker/requester-utils": {
+      "version": "42.5.0",
+      "resolved": "https://registry.npmjs.org/@gitbeaker/requester-utils/-/requester-utils-42.5.0.tgz",
+      "integrity": "sha512-HLdLS9LPBMVQumvroQg/4qkphLDtwDB+ygEsrD2u4oYCMUtXV4V1xaVqU4yTXjbTJ5sItOtdB43vYRkBcgueBw==",
+      "license": "MIT",
+      "dependencies": {
+        "picomatch-browser": "^2.2.6",
+        "qs": "^6.12.2",
+        "rate-limiter-flexible": "^4.0.1",
+        "xcase": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18.20.0"
+      }
+    },
+    "node_modules/@gitbeaker/rest": {
+      "version": "42.5.0",
+      "resolved": "https://registry.npmjs.org/@gitbeaker/rest/-/rest-42.5.0.tgz",
+      "integrity": "sha512-oC5cM6jS7aFOp0luTw5mWSRuMgdxwHRLZQ/aWkI+ETMfsprR/HyxsXfljlMY/XJ/fRxTbRJiodR5Axf66WjO3w==",
+      "license": "MIT",
+      "dependencies": {
+        "@gitbeaker/core": "^42.5.0",
+        "@gitbeaker/requester-utils": "^42.5.0"
+      },
+      "engines": {
+        "node": ">=18.20.0"
+      }
+    },
    "node_modules/@google-cloud/kms": {
      "version": "4.5.0",
      "resolved": "https://registry.npmjs.org/@google-cloud/kms/-/kms-4.5.0.tgz",
@ -24628,6 +24671,18 @@
        "url": "https://github.com/sponsors/jonschlinkert"
      }
    },
+    "node_modules/picomatch-browser": {
+      "version": "2.2.6",
+      "resolved": "https://registry.npmjs.org/picomatch-browser/-/picomatch-browser-2.2.6.tgz",
+      "integrity": "sha512-0ypsOQt9D4e3hziV8O4elD9uN0z/jtUEfxVRtNaAAtXIyUx9m/SzlO020i8YNL2aL/E6blOvvHQcin6HZlFy/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
    "node_modules/pify": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
@ -25562,6 +25617,12 @@
        "node": ">= 0.6"
      }
    },
+    "node_modules/rate-limiter-flexible": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-4.0.1.tgz",
+      "integrity": "sha512-2/dGHpDFpeA0+755oUkW+EKyklqLS9lu0go9pDsbhqQjZcxfRyJ6LA4JI0+HAdZ2bemD/oOjUeZQB2lCZqXQfQ==",
+      "license": "ISC"
+    },
    "node_modules/raw-body": {
      "version": "2.5.2",
      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
@ -31039,6 +31100,12 @@
        }
      }
    },
+    "node_modules/xcase": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/xcase/-/xcase-2.0.1.tgz",
+      "integrity": "sha512-UmFXIPU+9Eg3E9m/728Bii0lAIuoc+6nbrNUKaRPJOFp91ih44qqGlWtxMB6kXFrRD6po+86ksHM5XHCfk6iPw==",
+      "license": "MIT"
+    },
    "node_modules/xml-crypto": {
      "version": "6.0.1",
      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@ -149,6 +149,7 @@
    "@fastify/static": "^7.0.4",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
+    "@gitbeaker/rest": "^42.5.0",
    "@google-cloud/kms": "^4.5.0",
    "@infisical/quic": "^1.0.8",
    "@node-saml/passport-saml": "^5.0.1",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -74,6 +74,7 @@ import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-a
 import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { TIdentityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-types";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@ -218,6 +219,7 @@ declare module "fastify" {
      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
      identityGcpAuth: TIdentityGcpAuthServiceFactory;
      identityAliCloudAuth: TIdentityAliCloudAuthServiceFactory;
+      identityTlsCertAuth: TIdentityTlsCertAuthServiceFactory;
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
      identityAzureAuth: TIdentityAzureAuthServiceFactory;
      identityOciAuth: TIdentityOciAuthServiceFactory;
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -164,6 +164,9 @@ import {
  TIdentityProjectMemberships,
  TIdentityProjectMembershipsInsert,
  TIdentityProjectMembershipsUpdate,
+  TIdentityTlsCertAuths,
+  TIdentityTlsCertAuthsInsert,
+  TIdentityTlsCertAuthsUpdate,
  TIdentityTokenAuths,
  TIdentityTokenAuthsInsert,
  TIdentityTokenAuthsUpdate,
@ -794,6 +797,11 @@ declare module "knex/types/tables" {
      TIdentityAlicloudAuthsInsert,
      TIdentityAlicloudAuthsUpdate
    >;
+    [TableName.IdentityTlsCertAuth]: KnexOriginal.CompositeTableType<
+      TIdentityTlsCertAuths,
+      TIdentityTlsCertAuthsInsert,
+      TIdentityTlsCertAuthsUpdate
+    >;
    [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
      TIdentityAwsAuths,
      TIdentityAwsAuthsInsert,
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -110,7 +110,8 @@ export const initAuditLogDbConnection = ({
    },
    migrations: {
      tableName: "infisical_migrations"
-    }
+    },
+    pool: { min: 0, max: 10 }
  });

  // we add these overrides so that auditLogDb and the primary DB are interchangeable
--- a/backend/src/db/migrations/20250624061429_identity-tls-auth.ts
+++ b/backend/src/db/migrations/20250624061429_identity-tls-auth.ts
@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityTlsCertAuth))) {
+    await knex.schema.createTable(TableName.IdentityTlsCertAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("allowedCommonNames").nullable();
+      t.binary("encryptedCaCertificate").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityTlsCertAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityTlsCertAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityTlsCertAuth);
+}
--- a/backend/src/db/migrations/20250626101747_default-project-type.ts
+++ b/backend/src/db/migrations/20250626101747_default-project-type.ts
@ -0,0 +1,41 @@
+import { Knex } from "knex";
+
+import { ProjectType, TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
+  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+  if (hasTypeColumn && !hasDefaultTypeColumn) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("type").nullable().alter();
+      t.string("defaultProduct").notNullable().defaultTo(ProjectType.SecretManager);
+    });
+
+    await knex(TableName.Project).update({
+      // eslint-disable-next-line
+      // @ts-ignore this is because this field is created later
+      defaultProduct: knex.raw(`
+    CASE 
+      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
+      ELSE "type" 
+    END
+  `)
+    });
+  }
+
+  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
+  if (hasTemplateTypeColumn) {
+    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
+      t.string("type").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
+  if (hasDefaultTypeColumn) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("defaultProduct");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250630212553_user-latest-invite.ts
+++ b/backend/src/db/migrations/20250630212553_user-latest-invite.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
+  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+    if (!hasColumn) {
+      t.datetime("lastInvitedAt").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
+  await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+    if (hasColumn) {
+      t.dropColumn("lastInvitedAt");
+    }
+  });
+}
--- a/backend/src/db/schemas/identity-tls-cert-auths.ts
+++ b/backend/src/db/schemas/identity-tls-cert-auths.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityTlsCertAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  allowedCommonNames: z.string().nullable().optional(),
+  encryptedCaCertificate: zodBuffer
+});
+
+export type TIdentityTlsCertAuths = z.infer<typeof IdentityTlsCertAuthsSchema>;
+export type TIdentityTlsCertAuthsInsert = Omit<z.input<typeof IdentityTlsCertAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityTlsCertAuthsUpdate = Partial<Omit<z.input<typeof IdentityTlsCertAuthsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@ -52,6 +52,7 @@ export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
+export * from "./identity-tls-cert-auths";
 export * from "./identity-token-auths";
 export * from "./identity-ua-client-secrets";
 export * from "./identity-universal-auths";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@ -86,6 +86,7 @@ export enum TableName {
  IdentityOidcAuth = "identity_oidc_auths",
  IdentityJwtAuth = "identity_jwt_auths",
  IdentityLdapAuth = "identity_ldap_auths",
+  IdentityTlsCertAuth = "identity_tls_cert_auths",
  IdentityOrgMembership = "identity_org_memberships",
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
@ -251,6 +252,7 @@ export enum IdentityAuthMethod {
  ALICLOUD_AUTH = "alicloud-auth",
  AWS_AUTH = "aws-auth",
  AZURE_AUTH = "azure-auth",
+  TLS_CERT_AUTH = "tls-cert-auth",
  OCI_AUTH = "oci-auth",
  OIDC_AUTH = "oidc-auth",
  JWT_AUTH = "jwt-auth",
@ -265,16 +267,6 @@ export enum ProjectType {
  SecretScanning = "secret-scanning"
 }

-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  SecretScanning = ProjectType.SecretScanning,
-  // project operations that happen on all types
-  Any = "any"
-}
-
 export enum SortDirection {
  ASC = "asc",
  DESC = "desc"
--- a/backend/src/db/schemas/org-memberships.ts
+++ b/backend/src/db/schemas/org-memberships.ts
@ -18,7 +18,8 @@ export const OrgMembershipsSchema = z.object({
  orgId: z.string().uuid(),
  roleId: z.string().uuid().nullable().optional(),
  projectFavorites: z.string().array().nullable().optional(),
-  isActive: z.boolean().default(true)
+  isActive: z.boolean().default(true),
+  lastInvitedAt: z.date().nullable().optional()
 });

 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
--- a/backend/src/db/schemas/project-templates.ts
+++ b/backend/src/db/schemas/project-templates.ts
@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  type: z.string().default("secret-manager")
+  type: z.string().nullable().optional()
 });

 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
--- a/backend/src/db/schemas/projects.ts
+++ b/backend/src/db/schemas/projects.ts
@ -25,11 +25,12 @@ export const ProjectsSchema = z.object({
  kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
  description: z.string().nullable().optional(),
-  type: z.string(),
+  type: z.string().nullable().optional(),
  enforceCapitalization: z.boolean().default(false),
  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
  secretSharing: z.boolean().default(true),
-  showSnapshotsLegacy: z.boolean().default(false)
+  showSnapshotsLegacy: z.boolean().default(false),
+  defaultProduct: z.string().default("secret-manager")
 });

 export type TProjects = z.infer<typeof ProjectsSchema>;
--- a/backend/src/ee/routes/v1/access-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/access-approval-request-router.ts
@ -60,7 +60,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    method: "GET",
    schema: {
      querystring: z.object({
-        projectSlug: z.string().trim()
+        projectSlug: z.string().trim(),
+        policyId: z.string().trim().optional()
      }),
      response: {
        200: z.object({
@ -73,6 +74,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
    handler: async (req) => {
      const { count } = await server.services.accessApprovalRequest.getCount({
        projectSlug: req.query.projectSlug,
+        policyId: req.query.policyId,
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@ -111,15 +111,38 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
      }),
-      querystring: z.object({
-        eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
-        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
-        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
-      }),
+      querystring: z
+        .object({
+          eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
+          userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+          startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
+          endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
+          offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
+          limit: z.coerce.number().max(1000).default(20).describe(AUDIT_LOGS.EXPORT.limit),
+          actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+        })
+        .superRefine((el, ctx) => {
+          if (el.endDate && el.startDate) {
+            const startDate = new Date(el.startDate);
+            const endDate = new Date(el.endDate);
+            const maxAllowedDate = new Date(startDate);
+            maxAllowedDate.setMonth(maxAllowedDate.getMonth() + 3);
+            if (endDate < startDate) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["endDate"],
+                message: "End date cannot be before start date"
+              });
+            }
+            if (endDate > maxAllowedDate) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["endDate"],
+                message: "Dates must be within 3 months"
+              });
+            }
+          }
+        }),
      response: {
        200: z.object({
          auditLogs: AuditLogsSchema.omit({
@ -161,7 +184,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        filter: {
          ...req.query,
          projectId: req.params.workspaceId,
-          endDate: req.query.endDate,
+          endDate: req.query.endDate || new Date().toISOString(),
          startDate: req.query.startDate || getLastMidnightDateISO(),
          auditLogActorId: req.query.actor,
          eventType: req.query.eventType ? [req.query.eventType] : undefined
--- a/backend/src/ee/routes/v1/project-template-router.ts
+++ b/backend/src/ee/routes/v1/project-template-router.ts
@ -1,6 +1,6 @@
 import { z } from "zod";

-import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@ -104,9 +104,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      hide: false,
      tags: [ApiDocsTags.ProjectTemplates],
      description: "List project templates for the current organization.",
-      querystring: z.object({
-        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
-      }),
      response: {
        200: z.object({
          projectTemplates: SanitizedProjectTemplateSchema.array()
@ -115,8 +112,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const { type } = req.query;
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission, type);
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);

      const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));

@ -188,7 +184,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      tags: [ApiDocsTags.ProjectTemplates],
      description: "Create a project template.",
      body: z.object({
-        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
        name: slugSchema({ field: "name" })
          .refine((val) => !isInfisicalProjectTemplate(val), {
            message: `The requested project template name is reserved.`
@ -284,7 +279,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
      tags: [ApiDocsTags.ProjectTemplates],
      description: "Delete a project template.",
      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
-
      response: {
        200: z.object({
          projectTemplate: SanitizedProjectTemplateSchema
--- a/backend/src/ee/routes/v1/secret-approval-request-router.ts
+++ b/backend/src/ee/routes/v1/secret-approval-request-router.ts
@ -94,7 +94,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
    },
    schema: {
      querystring: z.object({
-        workspaceId: z.string().trim()
+        workspaceId: z.string().trim(),
+        policyId: z.string().trim().optional()
      }),
      response: {
        200: z.object({
@ -112,7 +113,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        projectId: req.query.workspaceId
+        projectId: req.query.workspaceId,
+        policyId: req.query.policyId
      });
      return { approvals };
    }
--- a/backend/src/ee/routes/v1/ssh-certificate-router.ts
+++ b/backend/src/ee/routes/v1/ssh-certificate-router.ts
@ -80,6 +80,7 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SignSshKey,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          certificateTemplateId: req.body.certificateTemplateId,
          principals: req.body.principals,
@ -171,6 +172,7 @@ export const registerSshCertRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueSshCreds,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          certificateTemplateId: req.body.certificateTemplateId,
          principals: req.body.principals,
--- a/backend/src/ee/routes/v1/ssh-host-router.ts
+++ b/backend/src/ee/routes/v1/ssh-host-router.ts
@ -358,6 +358,7 @@ export const registerSshHostRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueSshHostUserCert,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          sshHostId: req.params.sshHostId,
          hostname: host.hostname,
@ -427,6 +428,7 @@ export const registerSshHostRouter = async (server: FastifyZodProvider) => {

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueSshHostHostCert,
+        organizationId: req.permission.orgId,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          sshHostId: req.params.sshHostId,
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@ -97,8 +96,7 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -248,8 +246,7 @@ export const accessApprovalPolicyServiceFactory = ({
        actorId,
        projectId: project.id,
        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
      });

      const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
@ -301,8 +298,7 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: accessApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@ -498,8 +494,7 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@ -549,8 +544,7 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -589,8 +583,7 @@ export const accessApprovalPolicyServiceFactory = ({
      actorId,
      projectId: policy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-dal.ts
@ -220,7 +220,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
      bypassers: string[];
    }[]
  >;
-  getCount: ({ projectId }: { projectId: string }) => Promise<{
+  getCount: ({ projectId }: { projectId: string; policyId?: string }) => Promise<{
    pendingCount: number;
    finalizedCount: number;
  }>;
@ -702,7 +702,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
    }
  };

-  const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId }) => {
+  const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId, policyId }) => {
    try {
      const accessRequests = await db
        .replicaNode()(TableName.AccessApprovalRequest)
@ -723,8 +723,10 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
          `${TableName.AccessApprovalRequest}.id`,
          `${TableName.AccessApprovalRequestReviewer}.requestId`
        )
-
        .where(`${TableName.Environment}.projectId`, projectId)
+        .where((qb) => {
+          if (policyId) void qb.where(`${TableName.AccessApprovalPolicy}.id`, policyId);
+        })
        .select(selectAllTableCols(TableName.AccessApprovalRequest))
        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
        .select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"))
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";

-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@ -107,8 +107,7 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -217,7 +216,7 @@ export const accessApprovalRequestServiceFactory = ({
      );

      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;

      await triggerWorkflowIntegrationNotification({
        input: {
@ -290,8 +289,7 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@ -337,8 +335,7 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: accessApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    if (!membership) {
@ -350,6 +347,12 @@ export const accessApprovalRequestServiceFactory = ({
    const canBypass = !policy.bypassers.length || policy.bypassers.some((bypasser) => bypasser.userId === actorId);
    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypass);

+    // Calculate break glass attempt before sequence checks
+    const isBreakGlassApprovalAttempt =
+      policy.enforcementLevel === EnforcementLevel.Soft &&
+      actorId === accessApprovalRequest.requestedByUserId &&
+      status === ApprovalStatus.APPROVED;
+
    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
    // If user is (not an approver OR cant self approve) AND can't bypass policy
    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
@ -409,15 +412,14 @@ export const accessApprovalRequestServiceFactory = ({
      const isApproverOfTheSequence = policy.approvers.find(
        (el) => el.sequence === presentSequence.step && el.userId === actorId
      );
-      if (!isApproverOfTheSequence) throw new BadRequestError({ message: "You are not reviewer in this step" });
+
+      // Only throw if actor is not the approver and not bypassing
+      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt) {
+        throw new BadRequestError({ message: "You are not a reviewer in this step" });
+      }
    }

    const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const isBreakGlassApprovalAttempt =
-        policy.enforcementLevel === EnforcementLevel.Soft &&
-        actorId === accessApprovalRequest.requestedByUserId &&
-        status === ApprovalStatus.APPROVED;
-
      let reviewForThisActorProcessing: {
        id: string;
        requestId: string;
@ -543,7 +545,7 @@ export const accessApprovalRequestServiceFactory = ({
                  bypassReason: bypassReason || "No reason provided",
                  secretPath: policy.secretPath || "/",
                  environment,
-                  approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
+                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
                  requestType: "access"
                },
                template: SmtpTemplates.AccessSecretRequestBypassed
@ -560,6 +562,7 @@ export const accessApprovalRequestServiceFactory = ({

  const getCount: TAccessApprovalRequestServiceFactory["getCount"] = async ({
    projectSlug,
+    policyId,
    actor,
    actorAuthMethod,
    actorId,
@ -573,14 +576,13 @@ export const accessApprovalRequestServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }

-    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
+    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id, policyId });

    return { count };
  };
--- a/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-types.ts
@ -12,6 +12,7 @@ export type TVerifyPermission = {

 export type TGetAccessRequestCountDTO = {
  projectSlug: string;
+  policyId?: string;
 } & Omit<TProjectPermission, "projectId">;

 export type TReviewAccessRequestDTO = {
--- a/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
+++ b/backend/src/ee/services/assume-privilege/assume-privilege-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";

-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@ -38,8 +37,7 @@ export const assumePrivilegeServiceFactory = ({
      actorId: actorPermissionDetails.id,
      projectId,
      actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
    });

    if (targetActorType === ActorType.USER) {
@ -60,8 +58,7 @@ export const assumePrivilegeServiceFactory = ({
      actorId: targetActorId,
      projectId,
      actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
    });

    const appCfg = getConfig();
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-fns.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-fns.ts
@ -0,0 +1,21 @@
+export function providerSpecificPayload(url: string) {
+  const { hostname } = new URL(url);
+
+  const payload: Record<string, string> = {};
+
+  switch (hostname) {
+    case "http-intake.logs.datadoghq.com":
+    case "http-intake.logs.us3.datadoghq.com":
+    case "http-intake.logs.us5.datadoghq.com":
+    case "http-intake.logs.datadoghq.eu":
+    case "http-intake.logs.ap1.datadoghq.com":
+    case "http-intake.logs.ddog-gov.com":
+      payload.ddsource = "infisical";
+      payload.service = "audit-logs";
+      break;
+    default:
+      break;
+  }
+
+  return payload;
+}
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@ -13,6 +13,7 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TAuditLogStreamDALFactory } from "./audit-log-stream-dal";
+import { providerSpecificPayload } from "./audit-log-stream-fns";
 import { LogStreamHeaders, TAuditLogStreamServiceFactory } from "./audit-log-stream-types";

 type TAuditLogStreamServiceFactoryDep = {
@ -69,10 +70,11 @@ export const auditLogStreamServiceFactory = ({
      headers.forEach(({ key, value }) => {
        streamHeaders[key] = value;
      });
+
    await request
      .post(
        url,
-        { ping: "ok" },
+        { ...providerSpecificPayload(url), ping: "ok" },
        {
          headers: streamHeaders,
          // request timeout
@ -137,7 +139,7 @@ export const auditLogStreamServiceFactory = ({
    await request
      .post(
        url || logStream.url,
-        { ping: "ok" },
+        { ...providerSpecificPayload(url || logStream.url), ping: "ok" },
        {
          headers: streamHeaders,
          // request timeout
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@ -30,10 +30,10 @@ type TFindQuery = {
  actor?: string;
  projectId?: string;
  environment?: string;
-  orgId?: string;
+  orgId: string;
  eventType?: string;
-  startDate?: string;
-  endDate?: string;
+  startDate: string;
+  endDate: string;
  userAgentType?: string;
  limit?: number;
  offset?: number;
@ -61,18 +61,15 @@ export const auditLogDALFactory = (db: TDbClient) => {
    },
    tx
  ) => {
-    if (!orgId && !projectId) {
-      throw new Error("Either orgId or projectId must be provided");
-    }
-
    try {
      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
+        .where(`${TableName.AuditLog}.orgId`, orgId)
+        .whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate])
+        .andWhereRaw(`"${TableName.AuditLog}"."createdAt" < ?::timestamptz`, [endDate])
        // eslint-disable-next-line func-names
        .where(function () {
-          if (orgId) {
-            void this.where(`${TableName.AuditLog}.orgId`, orgId);
-          } else if (projectId) {
+          if (projectId) {
            void this.where(`${TableName.AuditLog}.projectId`, projectId);
          }
        });
@ -135,14 +132,6 @@ export const auditLogDALFactory = (db: TDbClient) => {
        void sqlQuery.whereIn("eventType", eventType);
      }

-      // Filter by date range
-      if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
-      }
-      if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
-      }
-
      // we timeout long running queries to prevent DB resource issues (2 minutes)
      const docs = await sqlQuery.timeout(1000 * 120);

@ -174,6 +163,8 @@ export const auditLogDALFactory = (db: TDbClient) => {
      try {
        const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
          .where("expiresAt", "<", today)
+          .where("createdAt", "<", today) // to use audit log partition
+          .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
          .select("id")
          .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);

--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@ -1,13 +1,15 @@
-import { RawAxiosRequestHeaders } from "axios";
+import { AxiosError, RawAxiosRequestHeaders } from "axios";

 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";

 import { TAuditLogStreamDALFactory } from "../audit-log-stream/audit-log-stream-dal";
+import { providerSpecificPayload } from "../audit-log-stream/audit-log-stream-fns";
 import { LogStreamHeaders } from "../audit-log-stream/audit-log-stream-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TAuditLogDALFactory } from "./audit-log-dal";
@ -128,13 +130,25 @@ export const auditLogQueueServiceFactory = async ({
                  headers[key] = value;
                });

-              return request.post(url, auditLog, {
-                headers,
-                // request timeout
-                timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                // connection timeout
-                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-              });
+              try {
+                const response = await request.post(
+                  url,
+                  { ...providerSpecificPayload(url), ...auditLog },
+                  {
+                    headers,
+                    // request timeout
+                    timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                    // connection timeout
+                    signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+                  }
+                );
+                return response;
+              } catch (error) {
+                logger.error(
+                  `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+                );
+                return error;
+              }
            }
          )
        );
@ -218,13 +232,25 @@ export const auditLogQueueServiceFactory = async ({
              headers[key] = value;
            });

-          return request.post(url, auditLog, {
-            headers,
-            // request timeout
-            timeout: AUDIT_LOG_STREAM_TIMEOUT,
-            // connection timeout
-            signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-          });
+          try {
+            const response = await request.post(
+              url,
+              { ...providerSpecificPayload(url), ...auditLog },
+              {
+                headers,
+                // request timeout
+                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                // connection timeout
+                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              }
+            );
+            return response;
+          } catch (error) {
+            logger.error(
+              `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+            );
+            return error;
+          }
        }
      )
    );
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";

-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@ -38,8 +37,7 @@ export const auditLogServiceFactory = ({
        actorId,
        projectId: filter.projectId,
        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
+        actorOrgId
      });
      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
    } else {
@ -69,7 +67,8 @@ export const auditLogServiceFactory = ({
      secretPath: filter.secretPath,
      secretKey: filter.secretKey,
      environment: filter.environment,
-      ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
+      orgId: actorOrgId,
+      ...(filter.projectId ? { projectId: filter.projectId } : {})
    });

    return auditLogs.map(({ eventType: logEventType, actor: eActor, actorMetadata, eventMetadata, ...el }) => ({
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -56,8 +56,8 @@ export type TListProjectAuditLogDTO = {
    eventType?: EventType[];
    offset?: number;
    limit: number;
-    endDate?: string;
-    startDate?: string;
+    endDate: string;
+    startDate: string;
    projectId?: string;
    environment?: string;
    auditLogActorId?: string;
@ -202,6 +202,12 @@ export enum EventType {
  REVOKE_IDENTITY_ALICLOUD_AUTH = "revoke-identity-alicloud-auth",
  GET_IDENTITY_ALICLOUD_AUTH = "get-identity-alicloud-auth",

+  LOGIN_IDENTITY_TLS_CERT_AUTH = "login-identity-tls-cert-auth",
+  ADD_IDENTITY_TLS_CERT_AUTH = "add-identity-tls-cert-auth",
+  UPDATE_IDENTITY_TLS_CERT_AUTH = "update-identity-tls-cert-auth",
+  REVOKE_IDENTITY_TLS_CERT_AUTH = "revoke-identity-tls-cert-auth",
+  GET_IDENTITY_TLS_CERT_AUTH = "get-identity-tls-cert-auth",
+
  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
@ -1141,6 +1147,53 @@ interface GetIdentityAliCloudAuthEvent {
  };
 }

+interface LoginIdentityTlsCertAuthEvent {
+  type: EventType.LOGIN_IDENTITY_TLS_CERT_AUTH;
+  metadata: {
+    identityId: string;
+    identityTlsCertAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityTlsCertAuthEvent {
+  type: EventType.ADD_IDENTITY_TLS_CERT_AUTH;
+  metadata: {
+    identityId: string;
+    allowedCommonNames: string | null | undefined;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityTlsCertAuthEvent {
+  type: EventType.REVOKE_IDENTITY_TLS_CERT_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityTlsCertAuthEvent {
+  type: EventType.UPDATE_IDENTITY_TLS_CERT_AUTH;
+  metadata: {
+    identityId: string;
+    allowedCommonNames: string | null | undefined;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityTlsCertAuthEvent {
+  type: EventType.GET_IDENTITY_TLS_CERT_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityOciAuthEvent {
  type: EventType.LOGIN_IDENTITY_OCI_AUTH;
  metadata: {
@ -3358,6 +3411,11 @@ export type Event =
  | UpdateIdentityAliCloudAuthEvent
  | GetIdentityAliCloudAuthEvent
  | DeleteIdentityAliCloudAuthEvent
+  | LoginIdentityTlsCertAuthEvent
+  | AddIdentityTlsCertAuthEvent
+  | UpdateIdentityTlsCertAuthEvent
+  | GetIdentityTlsCertAuthEvent
+  | DeleteIdentityTlsCertAuthEvent
  | LoginIdentityOciAuthEvent
  | AddIdentityOciAuthEvent
  | UpdateIdentityOciAuthEvent
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";

-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -78,8 +77,7 @@ export const certificateAuthorityCrlServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";

-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@ -85,8 +84,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const plan = await licenseService.getPlan(actorOrgId);
@ -202,8 +200,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@ -300,8 +297,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@ -389,8 +385,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@ -437,8 +432,7 @@ export const dynamicSecretLeaseServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@ -78,8 +77,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -202,8 +200,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const plan = await licenseService.getPlan(actorOrgId);
@ -354,8 +351,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@ -420,8 +416,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@ -485,8 +480,7 @@ export const dynamicSecretServiceFactory = ({
        actorId,
        projectId,
        actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
      });

      // verify user has access to each env in request
@ -529,8 +523,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionDynamicSecretActions.ReadRootCredential,
@ -578,8 +571,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@ -616,8 +608,7 @@ export const dynamicSecretServiceFactory = ({
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId: actor.orgId
    });

    const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@ -661,8 +652,7 @@ export const dynamicSecretServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
--- a/backend/src/ee/services/dynamic-secret/providers/github.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/github.ts
@ -1,5 +1,5 @@
 import axios from "axios";
-import * as jwt from "jsonwebtoken";
+import jwt from "jsonwebtoken";

 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
--- a/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";

-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@ -61,8 +61,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId: identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@ -160,8 +158,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@ -172,8 +169,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@ -260,8 +256,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@ -272,8 +267,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    const permissionBoundary = validatePrivilegeChangeOperation(
      membership.shouldUseNewPrivilegeSystem,
@ -321,8 +315,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
@ -356,8 +349,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
@ -392,8 +384,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";

-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -87,8 +85,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId: identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@ -175,8 +172,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -189,8 +185,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@ -293,8 +288,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Edit,
@ -306,8 +300,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId: identityProjectMembership.identityId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    const permissionBoundary = validatePrivilegeChangeOperation(
      membership.shouldUseNewPrivilegeSystem,
@ -366,8 +359,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionIdentityActions.Read,
@ -409,8 +401,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: identityProjectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/kmip/kmip-operation-service.ts
+++ b/backend/src/ee/services/kmip/kmip-operation-service.ts
@ -24,7 +24,7 @@ type TKmipOperationServiceFactoryDep = {
  kmsService: TKmsServiceFactory;
  kmsDAL: TKmsKeyDALFactory;
  kmipClientDAL: TKmipClientDALFactory;
-  projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId" | "findById">;
+  projectDAL: Pick<TProjectDALFactory, "findById">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
 };

--- a/backend/src/ee/services/kmip/kmip-service.ts
+++ b/backend/src/ee/services/kmip/kmip-service.ts
@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";

-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
@ -73,8 +72,7 @@ export const kmipServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -127,8 +125,7 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -159,8 +156,7 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -193,8 +189,7 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@ -215,8 +210,7 @@ export const kmipServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
@ -252,8 +246,7 @@ export const kmipServiceFactory = ({
      actorId,
      projectId: kmipClient.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.KMS
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@ -91,7 +91,7 @@ export interface TPermissionDALFactory {
        userId: string;
        projectId: string;
        username: string;
-        projectType: string;
+        projectType?: string | null;
        id: string;
        createdAt: Date;
        updatedAt: Date;
@ -163,7 +163,7 @@ export interface TPermissionDALFactory {
        createdAt: Date;
        updatedAt: Date;
        orgId: string;
-        projectType: string;
+        projectType?: string | null;
        shouldUseNewPrivilegeSystem: boolean;
        orgAuthEnforced: boolean;
        metadata: {
@ -201,7 +201,7 @@ export interface TPermissionDALFactory {
      userId: string;
      projectId: string;
      username: string;
-      projectType: string;
+      projectType?: string | null;
      id: string;
      createdAt: Date;
      updatedAt: Date;
@ -267,7 +267,7 @@ export interface TPermissionDALFactory {
      createdAt: Date;
      updatedAt: Date;
      orgId: string;
-      projectType: string;
+      projectType?: string | null;
      orgAuthEnforced: boolean;
      metadata: {
        id: string;
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@ -1,7 +1,6 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";

-import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";

 import { OrgPermissionSet } from "./org-permission";
@ -21,7 +20,6 @@ export type TGetUserProjectPermissionArg = {
  userId: string;
  projectId: string;
  authMethod: ActorAuthMethod;
-  actionProjectType: ActionProjectType;
  userOrgId?: string;
 };

@ -29,14 +27,12 @@ export type TGetIdentityProjectPermissionArg = {
  identityId: string;
  projectId: string;
  identityOrgId?: string;
-  actionProjectType: ActionProjectType;
 };

 export type TGetServiceTokenProjectPermissionArg = {
  serviceTokenId: string;
  projectId: string;
  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
 };

 export type TGetProjectPermissionArg = {
@ -45,7 +41,6 @@ export type TGetProjectPermissionArg = {
  projectId: string;
  actorAuthMethod: ActorAuthMethod;
  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
 };

 export type TPermissionServiceFactory = {
@ -143,13 +138,7 @@ export type TPermissionServiceFactory = {
        };
      }
  >;
-  getUserProjectPermission: ({
-    userId,
-    projectId,
-    authMethod,
-    userOrgId,
-    actionProjectType
-  }: TGetUserProjectPermissionArg) => Promise<{
+  getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
    permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
    membership: {
      id: string;
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@ -5,7 +5,6 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";

 import {
-  ActionProjectType,
  OrgMembershipRole,
  ProjectMembershipRole,
  ServiceTokenScopes,
@ -214,8 +213,7 @@ export const permissionServiceFactory = ({
    userId,
    projectId,
    authMethod,
-    userOrgId,
-    actionProjectType
+    userOrgId
  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
@ -242,12 +240,6 @@ export const permissionServiceFactory = ({
      userProjectPermission.orgRole
    );

-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -295,8 +287,7 @@ export const permissionServiceFactory = ({
  const getIdentityProjectPermission = async ({
    identityId,
    projectId,
-    identityOrgId,
-    actionProjectType
+    identityOrgId
  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
    if (!identityProjectPermission)
@ -316,12 +307,6 @@ export const permissionServiceFactory = ({
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }

-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
    const rolePermissions =
      identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
    const additionalPrivileges =
@ -376,8 +361,7 @@ export const permissionServiceFactory = ({
  const getServiceTokenProjectPermission = async ({
    serviceTokenId,
    projectId,
-    actorOrgId,
-    actionProjectType
+    actorOrgId
  }: TGetServiceTokenProjectPermissionArg) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
    if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
@ -402,12 +386,6 @@ export const permissionServiceFactory = ({
      });
    }

-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
-      throw new BadRequestError({
-        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
      permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
@ -559,8 +537,7 @@ export const permissionServiceFactory = ({
    actorId: inputActorId,
    projectId,
    actorAuthMethod,
-    actorOrgId,
-    actionProjectType
+    actorOrgId
  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
    let actor = inputActor;
    let actorId = inputActorId;
@ -581,22 +558,19 @@ export const permissionServiceFactory = ({
          userId: actorId,
          projectId,
          authMethod: actorAuthMethod,
-          userOrgId: actorOrgId,
-          actionProjectType
+          userOrgId: actorOrgId
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.SERVICE:
        return getServiceTokenProjectPermission({
          serviceTokenId: actorId,
          projectId,
-          actorOrgId,
-          actionProjectType
+          actorOrgId
        }) as Promise<TProjectPermissionRT<T>>;
      case ActorType.IDENTITY:
        return getIdentityProjectPermission({
          identityId: actorId,
          projectId,
-          identityOrgId: actorOrgId,
-          actionProjectType
+          identityOrgId: actorOrgId
        }) as Promise<TProjectPermissionRT<T>>;
      default:
        throw new BadRequestError({
--- a/backend/src/ee/services/pit/pit-service.ts
+++ b/backend/src/ee/services/pit/pit-service.ts
@ -1,7 +1,6 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@ -321,8 +320,7 @@ export const pitServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(userPermission).throwUnlessCan(
--- a/backend/src/ee/services/project-template/project-template-fns.ts
+++ b/backend/src/ee/services/project-template/project-template-fns.ts
@ -1,4 +1,3 @@
-import { ProjectType } from "@app/db/schemas";
 import {
  InfisicalProjectTemplate,
  TUnpackedPermission
@ -7,21 +6,18 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"

 import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";

-export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
+export const getDefaultProjectTemplate = (orgId: string) => ({
  id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
-  type,
  name: InfisicalProjectTemplate.Default,
  createdAt: new Date(),
  updatedAt: new Date(),
-  description: `Infisical's ${type} default project template`,
-  environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
-  roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
-    ({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })
-  ),
+  description: `Infisical's default project template`,
+  environments: ProjectTemplateDefaultEnvironments,
+  roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
+    name: string;
+    slug: string;
+    permissions: TUnpackedPermission[];
+  }>,
  orgId
 });

--- a/backend/src/ee/services/project-template/project-template-service.ts
+++ b/backend/src/ee/services/project-template/project-template-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";

-import { ProjectType, TProjectTemplates } from "@app/db/schemas";
+import { TProjectTemplates } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@ -29,13 +29,11 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
  ...rest,
  environments: environments as TProjectTemplateEnvironment[],
  roles: [
-    ...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
-      ({ name, slug, permissions }) => ({
-        name,
-        slug,
-        permissions: permissions as TUnpackedPermission[]
-      })
-    ),
+    ...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
+      name,
+      slug,
+      permissions: permissions as TUnpackedPermission[]
+    })),
    ...(roles as TProjectTemplateRole[]).map((role) => ({
      ...role,
      permissions: unpackPermissions(role.permissions)
@ -48,10 +46,7 @@ export const projectTemplateServiceFactory = ({
  permissionService,
  projectTemplateDAL
 }: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
-  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
-    actor,
-    type
-  ) => {
+  const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
    const plan = await licenseService.getPlan(actor.orgId);

    if (!plan.projectTemplates)
@ -70,14 +65,11 @@ export const projectTemplateServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);

    const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId,
-      ...(type ? { type } : {})
+      orgId: actor.orgId
    });

    return [
-      ...(type
-        ? [getDefaultProjectTemplate(actor.orgId, type)]
-        : Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
+      getDefaultProjectTemplate(actor.orgId),
      ...projectTemplates.map((template) => $unpackProjectTemplate(template))
    ];
  };
@ -142,7 +134,7 @@ export const projectTemplateServiceFactory = ({
  };

  const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
-    { roles, environments, type, ...params },
+    { roles, environments, ...params },
    actor
  ) => {
    const plan = await licenseService.getPlan(actor.orgId);
@ -162,10 +154,6 @@ export const projectTemplateServiceFactory = ({

    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);

-    if (environments && type !== ProjectType.SecretManager) {
-      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
-    }
-
    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
      throw new BadRequestError({
        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
@ -188,10 +176,8 @@ export const projectTemplateServiceFactory = ({
    const projectTemplate = await projectTemplateDAL.create({
      ...params,
      roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments:
-        type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
-      orgId: actor.orgId,
-      type
+      environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
+      orgId: actor.orgId
    });

    return $unpackProjectTemplate(projectTemplate);
@ -223,12 +209,6 @@ export const projectTemplateServiceFactory = ({

    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);

-    if (projectTemplate.type !== ProjectType.SecretManager && environments)
-      throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
-
-    if (projectTemplate.type === ProjectType.SecretManager && environments === null)
-      throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
-
    if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
      throw new BadRequestError({
        // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
--- a/backend/src/ee/services/project-template/project-template-types.ts
+++ b/backend/src/ee/services/project-template/project-template-types.ts
@ -1,6 +1,6 @@
 import { z } from "zod";

-import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
+import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
 import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { OrgServiceActor } from "@app/lib/types";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@ -16,7 +16,6 @@ export type TProjectTemplateRole = {
 export type TCreateProjectTemplateDTO = {
  name: string;
  description?: string;
-  type: ProjectType;
  roles: TProjectTemplateRole[];
  environments?: TProjectTemplateEnvironment[] | null;
 };
@ -30,14 +29,10 @@ export enum InfisicalProjectTemplate {
 }

 export type TProjectTemplateServiceFactory = {
-  listProjectTemplatesByOrg: (
-    actor: OrgServiceActor,
-    type?: ProjectType
-  ) => Promise<
+  listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
    (
      | {
          id: string;
-          type: ProjectType;
          name: InfisicalProjectTemplate;
          createdAt: Date;
          updatedAt: Date;
@ -74,7 +69,6 @@ export type TProjectTemplateServiceFactory = {
            name: string;
          }[];
          name: string;
-          type: string;
          orgId: string;
          id: string;
          createdAt: Date;
@ -99,7 +93,6 @@ export type TProjectTemplateServiceFactory = {
      name: string;
    }[];
    name: string;
-    type: string;
    orgId: string;
    id: string;
    createdAt: Date;
@ -123,7 +116,6 @@ export type TProjectTemplateServiceFactory = {
      name: string;
    }[];
    name: string;
-    type: string;
    orgId: string;
    id: string;
    createdAt: Date;
@ -146,7 +138,6 @@ export type TProjectTemplateServiceFactory = {
      name: string;
    }[];
    name: string;
-    type: string;
    orgId: string;
    id: string;
    createdAt: Date;
@ -170,7 +161,6 @@ export type TProjectTemplateServiceFactory = {
      name: string;
    }[];
    name: string;
-    type: string;
    orgId: string;
    id: string;
    createdAt: Date;
@ -194,7 +184,6 @@ export type TProjectTemplateServiceFactory = {
      name: string;
    }[];
    name: string;
-    type: string;
    orgId: string;
    id: string;
    createdAt: Date;
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";

-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@ -61,8 +61,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
    const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
@ -70,8 +69,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId: projectMembership.userId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@ -166,8 +164,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
@ -175,8 +172,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId: projectMembership.userId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });

    // we need to validate that the privilege given is not higher than the assigning users permission
@ -276,8 +272,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);

@ -322,8 +317,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

@ -349,8 +343,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
      actorId,
      projectId: projectMembership.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";

-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -91,8 +90,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
@ -267,8 +265,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId: secretApprovalPolicy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);

@ -423,8 +420,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Delete,
@ -463,8 +459,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);

@ -508,8 +503,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    return getSecretApprovalPolicy(projectId, environment, secretPath);
@ -535,8 +529,7 @@ export const secretApprovalPolicyServiceFactory = ({
      actorId,
      projectId: sapPolicy.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts
@ -290,7 +290,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
    }
  };

-  const findProjectRequestCount = async (projectId: string, userId: string, tx?: Knex) => {
+  const findProjectRequestCount = async (projectId: string, userId: string, policyId?: string, tx?: Knex) => {
    try {
      const docs = await (tx || db)
        .with(
@ -309,6 +309,9 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
              `${TableName.SecretApprovalPolicy}.id`
            )
            .where({ projectId })
+            .where((qb) => {
+              if (policyId) void qb.where(`${TableName.SecretApprovalPolicy}.id`, policyId);
+            })
            .andWhere(
              (bd) =>
                void bd
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-fns.ts
@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
        firstName: reviewerUser.firstName,
        projectName: project.name,
        organizationName: project.organization.name,
-        approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
+        approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
      },
      template: SmtpTemplates.SecretApprovalRequestNeedsReview
    });
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@ -2,7 +2,6 @@
 import { ForbiddenError, subject } from "@casl/ability";

 import {
-  ActionProjectType,
  ProjectMembershipRole,
  SecretEncryptionAlgo,
  SecretKeyEncoding,
@ -168,7 +167,14 @@ export const secretApprovalRequestServiceFactory = ({
  microsoftTeamsService,
  folderCommitService
 }: TSecretApprovalRequestServiceFactoryDep) => {
-  const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
+  const requestCount = async ({
+    projectId,
+    policyId,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TApprovalRequestCountDTO) => {
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });

    await permissionService.getProjectPermission({
@ -176,11 +182,10 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

-    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
+    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
    return count;
  };

@ -204,8 +209,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@ -257,8 +261,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@ -407,8 +410,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@ -477,8 +479,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId: secretApprovalRequest.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
@ -534,8 +535,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    if (
@ -951,7 +951,7 @@ export const secretApprovalRequestServiceFactory = ({
          bypassReason,
          secretPath: policy.secretPath,
          environment: env.name,
-          approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
+          approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
        },
        template: SmtpTemplates.AccessSecretRequestBypassed
      });
@ -980,8 +980,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
@ -1271,8 +1270,7 @@ export const secretApprovalRequestServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts
@ -84,7 +84,7 @@ export type TReviewRequestDTO = {
  comment?: string;
 } & Omit<TProjectPermission, "projectId">;

-export type TApprovalRequestCountDTO = TProjectPermission;
+export type TApprovalRequestCountDTO = TProjectPermission & { policyId?: string };

 export type TListApprovalsDTO = {
  projectId: string;
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts
@ -166,7 +166,9 @@ export const secretRotationV2QueueServiceFactory = async ({
            secretPath: folder.path,
            environment: environment.name,
            projectName: project.name,
-            rotationUrl: encodeURI(`${appCfg.SITE_URL}/secret-manager/${projectId}/secrets/${environment.slug}`)
+            rotationUrl: encodeURI(
+              `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
+            )
          }
        });
      } catch (error) {
--- a/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
+++ b/backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { Knex } from "knex";
 import isEqual from "lodash.isequal";

-import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
+import { SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
@ -218,7 +218,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -269,7 +269,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -315,7 +315,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -380,7 +380,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -424,7 +424,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -625,7 +625,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -775,7 +775,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -1105,7 +1105,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -1152,7 +1152,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -1204,7 +1204,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager,
+
      projectId
    });

@ -1320,8 +1320,7 @@ export const secretRotationV2ServiceFactory = ({
      actorId: actor.id,
      projectId,
      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId: actor.orgId
    });

    const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";

-import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@ -66,8 +66,7 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Read,
@ -98,8 +97,7 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Read,
@ -215,8 +213,7 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Read,
@ -264,8 +261,7 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId: project.id,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Edit,
@ -285,8 +281,7 @@ export const secretRotationServiceFactory = ({
      actorId,
      projectId: doc.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionSecretRotationActions.Delete,
--- a/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts
+++ b/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts
@ -588,7 +588,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                  numberOfSecrets: payload.numberOfSecrets,
                  isDiffScan: payload.isDiffScan,
                  url: encodeURI(
-                    `${appCfg.SITE_URL}/secret-scanning/${projectId}/findings?search=scanId:${payload.scanId}`
+                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/findings?search=scanId:${payload.scanId}`
                  ),
                  timestamp
                }
@ -599,7 +599,7 @@ export const secretScanningV2QueueServiceFactory = async ({
                  timestamp,
                  errorMessage: payload.errorMessage,
                  url: encodeURI(
-                    `${appCfg.SITE_URL}/secret-scanning/${projectId}/data-sources/${dataSource.type}/${dataSource.id}`
+                    `${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/data-sources/${dataSource.type}/${dataSource.id}`
                  )
                }
        });
--- a/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts
+++ b/backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-service.ts
@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { join } from "path";

-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@ -92,7 +91,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId
    });

@ -154,7 +153,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -199,7 +198,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId
    });

@ -233,7 +232,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: payload.projectId
    });

@ -346,7 +345,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -399,7 +398,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -444,7 +443,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -508,7 +507,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -553,7 +552,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -596,7 +595,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -639,7 +638,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: dataSource.projectId
    });

@ -672,7 +671,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId
    });

@ -706,7 +705,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId
    });

@ -746,7 +745,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId: finding.projectId
    });

@ -777,7 +776,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId
    });

@ -812,7 +811,7 @@ export const secretScanningV2ServiceFactory = ({
      actorId: actor.id,
      actorAuthMethod: actor.authMethod,
      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretScanning,
+
      projectId
    });

--- a/backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts
@ -1,17 +1,11 @@
-import { ProbotOctokit } from "probot";
-
-import { OrgMembershipRole, TableName } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
-import { logger } from "@app/lib/logger";
-import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+import { InternalServerError } from "@app/lib/errors";
+import { TQueueServiceFactory } from "@app/queue";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { TSmtpService } from "@app/services/smtp/smtp-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
-import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";

 import { TSecretScanningDALFactory } from "../secret-scanning-dal";
-import { scanContentAndGetFindings, scanFullRepoContentAndGetFindings } from "./secret-scanning-fns";
-import { SecretMatch, TScanFullRepoEventPayload, TScanPushEventPayload } from "./secret-scanning-queue-types";
+import { TScanFullRepoEventPayload, TScanPushEventPayload } from "./secret-scanning-queue-types";

 type TSecretScanningQueueFactoryDep = {
  queueService: TQueueServiceFactory;
@ -23,227 +17,21 @@ type TSecretScanningQueueFactoryDep = {

 export type TSecretScanningQueueFactory = ReturnType<typeof secretScanningQueueFactory>;

-export const secretScanningQueueFactory = ({
-  queueService,
-  secretScanningDAL,
-  smtpService,
-  telemetryService,
-  orgMembershipDAL: orgMemberDAL
-}: TSecretScanningQueueFactoryDep) => {
-  const startFullRepoScan = async (payload: TScanFullRepoEventPayload) => {
-    await queueService.queue(QueueName.SecretFullRepoScan, QueueJobs.SecretScan, payload, {
-      attempts: 3,
-      backoff: {
-        type: "exponential",
-        delay: 5000
-      },
-      removeOnComplete: true,
-      removeOnFail: {
-        count: 20 // keep the most recent 20 jobs
-      }
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export const secretScanningQueueFactory = (_props: TSecretScanningQueueFactoryDep) => {
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const startFullRepoScan = async (_payload: TScanFullRepoEventPayload) => {
+    throw new InternalServerError({
+      message: "Secret Scanning V1 has been deprecated. Please migrate to Secret Scanning V2"
    });
  };

-  const startPushEventScan = async (payload: TScanPushEventPayload) => {
-    await queueService.queue(QueueName.SecretPushEventScan, QueueJobs.SecretScan, payload, {
-      attempts: 3,
-      backoff: {
-        type: "exponential",
-        delay: 5000
-      },
-      removeOnComplete: true,
-      removeOnFail: {
-        count: 20 // keep the most recent 20 jobs
-      }
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const startPushEventScan = async (_payload: TScanPushEventPayload) => {
+    throw new InternalServerError({
+      message: "Secret Scanning V1 has been deprecated. Please migrate to Secret Scanning V2"
    });
  };

-  const getOrgAdminEmails = async (organizationId: string) => {
-    // get emails of admins
-    const adminsOfWork = await orgMemberDAL.findMembership({
-      [`${TableName.Organization}.id` as string]: organizationId,
-      role: OrgMembershipRole.Admin
-    });
-    return adminsOfWork.filter((userObject) => userObject.email).map((userObject) => userObject.email as string);
-  };
-
-  queueService.start(QueueName.SecretPushEventScan, async (job) => {
-    const appCfg = getConfig();
-    const { organizationId, commits, pusher, repository, installationId } = job.data;
-    const [owner, repo] = repository.fullName.split("/");
-    const octokit = new ProbotOctokit({
-      auth: {
-        appId: appCfg.SECRET_SCANNING_GIT_APP_ID,
-        privateKey: appCfg.SECRET_SCANNING_PRIVATE_KEY,
-        installationId
-      }
-    });
-    const allFindingsByFingerprint: { [key: string]: SecretMatch } = {};
-
-    for (const commit of commits) {
-      for (const filepath of [...commit.added, ...commit.modified]) {
-        // eslint-disable-next-line
-        const fileContentsResponse = await octokit.repos.getContent({
-          owner,
-          repo,
-          path: filepath
-        });
-
-        const { data } = fileContentsResponse;
-        const fileContent = Buffer.from((data as { content: string }).content, "base64").toString();
-
-        // eslint-disable-next-line
-        const findings = await scanContentAndGetFindings(`\n${fileContent}`); // extra line to count lines correctly
-
-        for (const finding of findings) {
-          const fingerPrintWithCommitId = `${commit.id}:${filepath}:${finding.RuleID}:${finding.StartLine}`;
-          const fingerPrintWithoutCommitId = `${filepath}:${finding.RuleID}:${finding.StartLine}`;
-          finding.Fingerprint = fingerPrintWithCommitId;
-          finding.FingerPrintWithoutCommitId = fingerPrintWithoutCommitId;
-          finding.Commit = commit.id;
-          finding.File = filepath;
-          finding.Author = commit.author.name;
-          finding.Email = commit?.author?.email ? commit?.author?.email : "";
-
-          allFindingsByFingerprint[fingerPrintWithCommitId] = finding;
-        }
-      }
-    }
-    await secretScanningDAL.transaction(async (tx) => {
-      if (!Object.keys(allFindingsByFingerprint).length) return;
-      await secretScanningDAL.upsert(
-        Object.keys(allFindingsByFingerprint).map((key) => ({
-          installationId,
-          email: allFindingsByFingerprint[key].Email,
-          author: allFindingsByFingerprint[key].Author,
-          date: allFindingsByFingerprint[key].Date,
-          file: allFindingsByFingerprint[key].File,
-          tags: allFindingsByFingerprint[key].Tags,
-          commit: allFindingsByFingerprint[key].Commit,
-          ruleID: allFindingsByFingerprint[key].RuleID,
-          endLine: String(allFindingsByFingerprint[key].EndLine),
-          entropy: String(allFindingsByFingerprint[key].Entropy),
-          message: allFindingsByFingerprint[key].Message,
-          endColumn: String(allFindingsByFingerprint[key].EndColumn),
-          startLine: String(allFindingsByFingerprint[key].StartLine),
-          startColumn: String(allFindingsByFingerprint[key].StartColumn),
-          fingerPrintWithoutCommitId: allFindingsByFingerprint[key].FingerPrintWithoutCommitId,
-          description: allFindingsByFingerprint[key].Description,
-          symlinkFile: allFindingsByFingerprint[key].SymlinkFile,
-          orgId: organizationId,
-          pusherEmail: pusher.email,
-          pusherName: pusher.name,
-          repositoryFullName: repository.fullName,
-          repositoryId: String(repository.id),
-          fingerprint: allFindingsByFingerprint[key].Fingerprint
-        })),
-        tx
-      );
-    });
-
-    const adminEmails = await getOrgAdminEmails(organizationId);
-    if (pusher?.email) {
-      adminEmails.push(pusher.email);
-    }
-    if (Object.keys(allFindingsByFingerprint).length) {
-      await smtpService.sendMail({
-        template: SmtpTemplates.SecretLeakIncident,
-        subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`,
-        recipients: adminEmails.filter((email) => email).map((email) => email),
-        substitutions: {
-          numberOfSecrets: Object.keys(allFindingsByFingerprint).length,
-          pusher_email: pusher.email,
-          pusher_name: pusher.name
-        }
-      });
-    }
-
-    await telemetryService.sendPostHogEvents({
-      event: PostHogEventTypes.SecretScannerPush,
-      distinctId: repository.fullName,
-      properties: {
-        numberOfRisks: Object.keys(allFindingsByFingerprint).length
-      }
-    });
-  });
-
-  queueService.start(QueueName.SecretFullRepoScan, async (job) => {
-    const appCfg = getConfig();
-    const { organizationId, repository, installationId } = job.data;
-    const octokit = new ProbotOctokit({
-      auth: {
-        appId: appCfg.SECRET_SCANNING_GIT_APP_ID,
-        privateKey: appCfg.SECRET_SCANNING_PRIVATE_KEY,
-        installationId
-      }
-    });
-
-    const findings = await scanFullRepoContentAndGetFindings(
-      // this is because of collision of octokit in probot and github
-      // eslint-disable-next-line
-      octokit as any,
-      installationId,
-      repository.fullName
-    );
-    await secretScanningDAL.transaction(async (tx) => {
-      if (!findings.length) return;
-      // eslint-disable-next-line
-      await secretScanningDAL.upsert(
-        findings.map((finding) => ({
-          installationId,
-          email: finding.Email,
-          author: finding.Author,
-          date: finding.Date,
-          file: finding.File,
-          tags: finding.Tags,
-          commit: finding.Commit,
-          ruleID: finding.RuleID,
-          endLine: String(finding.EndLine),
-          entropy: String(finding.Entropy),
-          message: finding.Message,
-          endColumn: String(finding.EndColumn),
-          startLine: String(finding.StartLine),
-          startColumn: String(finding.StartColumn),
-          fingerPrintWithoutCommitId: finding.FingerPrintWithoutCommitId,
-          description: finding.Description,
-          symlinkFile: finding.SymlinkFile,
-          orgId: organizationId,
-          repositoryFullName: repository.fullName,
-          repositoryId: String(repository.id),
-          fingerprint: finding.Fingerprint
-        })),
-        tx
-      );
-    });
-
-    const adminEmails = await getOrgAdminEmails(organizationId);
-    if (findings.length) {
-      await smtpService.sendMail({
-        template: SmtpTemplates.SecretLeakIncident,
-        subjectLine: `Incident alert: leaked secrets found in Github repository ${repository.fullName}`,
-        recipients: adminEmails.filter((email) => email).map((email) => email),
-        substitutions: {
-          numberOfSecrets: findings.length
-        }
-      });
-    }
-
-    await telemetryService.sendPostHogEvents({
-      event: PostHogEventTypes.SecretScannerFull,
-      distinctId: repository.fullName,
-      properties: {
-        numberOfRisks: findings.length
-      }
-    });
-  });
-
-  queueService.listen(QueueName.SecretPushEventScan, "failed", (job, err) => {
-    logger.error(err, "Failed to secret scan on push", job?.data);
-  });
-
-  queueService.listen(QueueName.SecretFullRepoScan, "failed", (job, err) => {
-    logger.error(err, "Failed to do full repo secret scan", job?.data);
-  });
-
  return { startFullRepoScan, startPushEventScan };
 };
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@ -98,6 +98,7 @@ export const secretScanningServiceFactory = ({
    if (canUseSecretScanning(actorOrgId)) {
      await Promise.all(
        repositories.map(({ id, full_name }) =>
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-call,@typescript-eslint/no-unsafe-return,@typescript-eslint/no-unsafe-member-access
          secretScanningQueue.startFullRepoScan({
            organizationId: session.orgId,
            installationId,
@ -180,6 +181,7 @@ export const secretScanningServiceFactory = ({
    if (!installationLink) return;

    if (canUseSecretScanning(installationLink.orgId)) {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call,@typescript-eslint/no-unsafe-return,@typescript-eslint/no-unsafe-member-access
      await secretScanningQueue.startPushEventScan({
        commits,
        pusher: { name: pusher.name, email: pusher.email },
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@ -2,7 +2,7 @@
 // akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@ -103,8 +103,7 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

@ -140,8 +139,7 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);

@ -169,8 +167,7 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
@ -390,8 +387,7 @@ export const secretSnapshotServiceFactory = ({
      actorId,
      projectId: snapshot.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Create,
--- a/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
+++ b/backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -59,8 +58,7 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -132,8 +130,7 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -201,8 +198,7 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: certificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -228,8 +224,7 @@ export const sshCertificateTemplateServiceFactory = ({
      actorId,
      projectId: certTemplate.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts
+++ b/backend/src/ee/services/ssh-host-group/ssh-host-group-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
@ -80,8 +79,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
@ -173,8 +171,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@ -270,8 +267,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@ -294,8 +290,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
@ -321,8 +316,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
@ -360,8 +354,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
@ -400,8 +393,7 @@ export const sshHostGroupServiceFactory = ({
      actorId,
      projectId: sshHostGroup.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
--- a/backend/src/ee/services/ssh-host/ssh-host-fns.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-fns.ts
@ -1,6 +1,5 @@
 import { Knex } from "knex";

-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";

 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
@ -63,8 +62,7 @@ export const createSshLoginMappings = async ({
            userId: user.id,
            projectId,
            authMethod: actorAuthMethod,
-            userOrgId: actorOrgId,
-            actionProjectType: ActionProjectType.SSH
+            userOrgId: actorOrgId
          });
        }

--- a/backend/src/ee/services/ssh-host/ssh-host-service.ts
+++ b/backend/src/ee/services/ssh-host/ssh-host-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";

-import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@ -12,11 +11,13 @@ import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certif
 import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
 import { TSshHostLoginUserMappingDALFactory } from "@app/ee/services/ssh-host/ssh-host-login-user-mapping-dal";
 import { TSshHostLoginUserDALFactory } from "@app/ee/services/ssh-host/ssh-login-user-dal";
+import { PgSqlLock } from "@app/keystore/keystore";
 import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { bootstrapSshProject } from "@app/services/project/project-fns";
 import { TProjectSshConfigDALFactory } from "@app/services/project/project-ssh-config-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";

@ -43,9 +44,9 @@ type TSshHostServiceFactoryDep = {
  userDAL: Pick<TUserDALFactory, "findById" | "find">;
  groupDAL: Pick<TGroupDALFactory, "findGroupsByProjectId">;
  projectDAL: Pick<TProjectDALFactory, "find">;
-  projectSshConfigDAL: Pick<TProjectSshConfigDALFactory, "findOne">;
-  sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findOne">;
-  sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "findOne">;
+  projectSshConfigDAL: Pick<TProjectSshConfigDALFactory, "findOne" | "transaction" | "create">;
+  sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findOne" | "transaction" | "create">;
+  sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "findOne" | "create">;
  sshCertificateDAL: Pick<TSshCertificateDALFactory, "create" | "transaction">;
  sshCertificateBodyDAL: Pick<TSshCertificateBodyDALFactory, "create">;
  userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "findGroupMembershipsByUserIdInOrg">;
@ -98,8 +99,7 @@ export const sshHostServiceFactory = ({
    }

    const sshProjects = await projectDAL.find({
-      orgId: actorOrgId,
-      type: ProjectType.SSH
+      orgId: actorOrgId
    });

    const allowedHosts = [];
@ -111,8 +111,7 @@ export const sshHostServiceFactory = ({
          actorId,
          projectId: project.id,
          actorAuthMethod,
-          actorOrgId,
-          actionProjectType: ActionProjectType.SSH
+          actorOrgId
        });

        const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
@ -145,8 +144,7 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -184,7 +182,25 @@ export const sshHostServiceFactory = ({
      return ca.id;
    };

-    const projectSshConfig = await projectSshConfigDAL.findOne({ projectId });
+    let projectSshConfig = await projectSshConfigDAL.findOne({ projectId });
+    if (!projectSshConfig) {
+      projectSshConfig = await projectSshConfigDAL.transaction(async (tx) => {
+        await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.SshInit(projectId)]);
+
+        let sshConfig = await projectSshConfigDAL.findOne({ projectId }, tx);
+        if (sshConfig) return sshConfig;
+
+        sshConfig = await bootstrapSshProject({
+          projectId,
+          sshCertificateAuthorityDAL,
+          sshCertificateAuthoritySecretDAL,
+          kmsService,
+          projectSshConfigDAL,
+          tx
+        });
+        return sshConfig;
+      });
+    }

    const userSshCaId = await resolveSshCaId({
      requestedId: requestedUserSshCaId,
@ -257,8 +273,7 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -319,8 +334,7 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -348,8 +362,7 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -388,8 +401,7 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    const internalPrincipals = await convertActorToPrincipals({
@ -508,8 +520,7 @@ export const sshHostServiceFactory = ({
      actorId,
      projectId: host.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
+++ b/backend/src/ee/services/ssh/ssh-certificate-authority-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@ -73,8 +72,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -109,8 +107,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -178,8 +175,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -217,8 +213,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -259,8 +254,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -381,8 +375,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: sshCertificateTemplate.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
@ -479,8 +472,7 @@ export const sshCertificateAuthorityServiceFactory = ({
      actorId,
      projectId: ca.projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
+      actorOrgId
    });

    ForbiddenError.from(permission).throwUnlessCan(
--- a/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
+++ b/backend/src/ee/services/trusted-ip/trusted-ip-service.ts
@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";

-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@ -36,8 +35,7 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
    const trustedIps = await trustedIpDAL.find({
@ -61,8 +59,7 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

@ -107,8 +104,7 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

@ -153,8 +149,7 @@ export const trustedIpServiceFactory = ({
      actorId,
      projectId,
      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId
    });
    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);

--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@ -12,7 +12,8 @@ export const PgSqlLock = {
  OrgGatewayCertExchange: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-cert-exchange:${orgId}`),
  SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
-  CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`)
+  CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`),
+  SshInit: (projectId: string) => pgAdvisoryLockHashText(`ssh-bootstrap:${projectId}`)
 } as const;

 // all the key prefixes used must be set here to avoid conflict
@ -73,6 +74,7 @@ type TWaitTillReady = {
 export type TKeyStoreFactory = {
  setItem: (key: string, value: string | number | Buffer, prefix?: string) => Promise<"OK">;
  getItem: (key: string, prefix?: string) => Promise<string | null>;
+  getItems: (keys: string[], prefix?: string) => Promise<(string | null)[]>;
  setExpiry: (key: string, expiryInSeconds: number) => Promise<number>;
  setItemWithExpiry: (
    key: string,
@ -81,6 +83,7 @@ export type TKeyStoreFactory = {
    prefix?: string
  ) => Promise<"OK">;
  deleteItem: (key: string) => Promise<number>;
+  deleteItemsByKeyIn: (keys: string[]) => Promise<number>;
  deleteItems: (arg: TDeleteItems) => Promise<number>;
  incrementBy: (key: string, value: number) => Promise<number>;
  acquireLock(
@ -89,6 +92,7 @@ export type TKeyStoreFactory = {
    settings?: Partial<Settings>
  ): Promise<{ release: () => Promise<ExecutionResult> }>;
  waitTillReady: ({ key, waitingCb, keyCheckCb, waitIteration, delay, jitter }: TWaitTillReady) => Promise<void>;
+  getKeysByPattern: (pattern: string, limit?: number) => Promise<string[]>;
 };

 export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys): TKeyStoreFactory => {
@ -100,6 +104,9 @@ export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys): TKeyStoreFac

  const getItem = async (key: string, prefix?: string) => redis.get(prefix ? `${prefix}:${key}` : key);

+  const getItems = async (keys: string[], prefix?: string) =>
+    redis.mget(keys.map((key) => (prefix ? `${prefix}:${key}` : key)));
+
  const setItemWithExpiry = async (
    key: string,
    expiryInSeconds: number | string,
@ -109,6 +116,11 @@ export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys): TKeyStoreFac

  const deleteItem = async (key: string) => redis.del(key);

+  const deleteItemsByKeyIn = async (keys: string[]) => {
+    if (keys.length === 0) return 0;
+    return redis.del(keys);
+  };
+
  const deleteItems = async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }: TDeleteItems) => {
    let cursor = "0";
    let totalDeleted = 0;
@ -164,6 +176,24 @@ export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys): TKeyStoreFac
    }
  };

+  const getKeysByPattern = async (pattern: string, limit?: number) => {
+    let cursor = "0";
+    const allKeys: string[] = [];
+
+    do {
+      // eslint-disable-next-line no-await-in-loop
+      const [nextCursor, keys] = await redis.scan(cursor, "MATCH", pattern, "COUNT", 1000);
+      cursor = nextCursor;
+      allKeys.push(...keys);
+
+      if (limit && allKeys.length >= limit) {
+        return allKeys.slice(0, limit);
+      }
+    } while (cursor !== "0");
+
+    return allKeys;
+  };
+
  return {
    setItem,
    getItem,
@ -175,6 +205,9 @@ export const keyStoreFactory = (redisConfigKeys: TRedisConfigKeys): TKeyStoreFac
    acquireLock(resources: string[], duration: number, settings?: Partial<Settings>) {
      return redisLock.acquire(resources, duration, settings);
    },
-    waitTillReady
+    waitTillReady,
+    getKeysByPattern,
+    deleteItemsByKeyIn,
+    getItems
  };
 };
--- a/backend/src/keystore/memory.ts
+++ b/backend/src/keystore/memory.ts
@ -8,6 +8,8 @@ import { TKeyStoreFactory } from "./keystore";

 export const inMemoryKeyStore = (): TKeyStoreFactory => {
  const store: Record<string, string | number | Buffer> = {};
+  const getRegex = (pattern: string) =>
+    new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);

  return {
    setItem: async (key, value) => {
@ -24,7 +26,7 @@ export const inMemoryKeyStore = (): TKeyStoreFactory => {
      return 1;
    },
    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
-      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
+      const regex = getRegex(pattern);
      let totalDeleted = 0;
      const keys = Object.keys(store);

@ -59,6 +61,27 @@ export const inMemoryKeyStore = (): TKeyStoreFactory => {
        release: () => {}
      }) as Promise<Lock>;
    },
-    waitTillReady: async () => {}
+    waitTillReady: async () => {},
+    getKeysByPattern: async (pattern) => {
+      const regex = getRegex(pattern);
+      const keys = Object.keys(store);
+      return keys.filter((key) => regex.test(key));
+    },
+    deleteItemsByKeyIn: async (keys) => {
+      for (const key of keys) {
+        delete store[key];
+      }
+      return keys.length;
+    },
+    getItems: async (keys) => {
+      const values = keys.map((key) => {
+        const value = store[key];
+        if (typeof value === "string") {
+          return value;
+        }
+        return null;
+      });
+      return values;
+    }
  };
 };
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -22,6 +22,7 @@ export enum ApiDocsTags {
  UniversalAuth = "Universal Auth",
  GcpAuth = "GCP Auth",
  AliCloudAuth = "Alibaba Cloud Auth",
+  TlsCertAuth = "TLS Certificate Auth",
  AwsAuth = "AWS Auth",
  OciAuth = "OCI Auth",
  AzureAuth = "Azure Auth",
@ -283,6 +284,38 @@ export const ALICLOUD_AUTH = {
  }
 } as const;

+export const TLS_CERT_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    allowedCommonNames:
+      "The comma-separated list of trusted common names that are allowed to authenticate with Infisical.",
+    caCertificate: "The PEM-encoded CA certificate to validate client certificates.",
+    accessTokenTTL: "The lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    allowedCommonNames:
+      "The comma-separated list of trusted common names that are allowed to authenticate with Infisical.",
+    caCertificate: "The PEM-encoded CA certificate to validate client certificates.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
+  }
+} as const;
+
 export const AWS_AUTH = {
  LOGIN: {
    identityId: "The ID of the identity to login.",
@ -667,7 +700,8 @@ export const PROJECTS = {
    slug: "An optional slug for the project. (must be unique within the organization)",
    hasDeleteProtection: "Enable or disable delete protection for the project.",
    secretSharing: "Enable or disable secret sharing for the project.",
-    showSnapshotsLegacy: "Enable or disable legacy snapshots for the project."
+    showSnapshotsLegacy: "Enable or disable legacy snapshots for the project.",
+    defaultProduct: "The default product in which the project will open"
  },
  GET_KEY: {
    workspaceId: "The ID of the project to get the key from."
@ -2228,6 +2262,12 @@ export const AppConnections = {
    },
    FLYIO: {
      accessToken: "The Access Token used to access fly.io."
+    },
+    GITLAB: {
+      instanceUrl: "The GitLab instance URL to connect with.",
+      accessToken: "The Access Token used to access GitLab.",
+      code: "The OAuth code to use to connect with GitLab.",
+      accessTokenType: "The type of token used to connect with GitLab."
    }
  }
 };
@ -2388,7 +2428,8 @@ export const SecretSyncs = {
      keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
    },
    ONEPASS: {
-      vaultId: "The ID of the 1Password vault to sync secrets to."
+      vaultId: "The ID of the 1Password vault to sync secrets to.",
+      valueLabel: "The label of the entry that holds the secret value."
    },
    HEROKU: {
      app: "The ID of the Heroku app to sync secrets to.",
@ -2402,6 +2443,17 @@ export const SecretSyncs = {
    FLYIO: {
      appId: "The ID of the Fly.io app to sync secrets to."
    },
+    GITLAB: {
+      projectId: "The GitLab Project ID to sync secrets to.",
+      projectName: "The GitLab Project Name to sync secrets to.",
+      groupId: "The GitLab Group ID to sync secrets to.",
+      groupName: "The GitLab Group Name to sync secrets to.",
+      scope: "The GitLab scope that secrets should be synced to. (default: project)",
+      targetEnvironment: "The GitLab environment scope that secrets should be synced to. (default: *)",
+      shouldProtectSecrets: "Whether variables should be protected",
+      shouldMaskSecrets: "Whether variables should be masked in logs",
+      shouldHideSecrets: "Whether variables should be hidden"
+    },
    CLOUDFLARE_PAGES: {
      projectName: "The name of the Cloudflare Pages project to sync secrets to.",
      environment: "The environment of the Cloudflare Pages project to sync secrets to."
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@ -193,6 +193,9 @@ const envSchema = z
    PYLON_API_KEY: zpStr(z.string().optional()),
    DISABLE_AUDIT_LOG_GENERATION: zodStrBool.default("false"),
    SSL_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default("x-ssl-client-cert"),
+    IDENTITY_TLS_CERT_AUTH_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default(
+      "x-identity-tls-cert-auth-client-cert"
+    ),
    WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string().optional()),
    WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true"),
@ -247,6 +250,10 @@ const envSchema = z
    INF_APP_CONNECTION_GITHUB_RADAR_APP_ID: zpStr(z.string().optional()),
    INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET: zpStr(z.string().optional()),

+    // gitlab oauth
+    INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_ID: zpStr(z.string().optional()),
+    INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET: zpStr(z.string().optional()),
+
    // gcp app
    INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),

--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@ -62,7 +62,8 @@ export enum QueueName {
  SecretRotationV2 = "secret-rotation-v2",
  FolderTreeCheckpoint = "folder-tree-checkpoint",
  InvalidateCache = "invalidate-cache",
-  SecretScanningV2 = "secret-scanning-v2"
+  SecretScanningV2 = "secret-scanning-v2",
+  TelemetryAggregatedEvents = "telemetry-aggregated-events"
 }

 export enum QueueJobs {
@ -101,7 +102,8 @@ export enum QueueJobs {
  SecretScanningV2DiffScan = "secret-scanning-v2-diff-scan",
  SecretScanningV2SendNotification = "secret-scanning-v2-notification",
  CaOrderCertificateForSubscriber = "ca-order-certificate-for-subscriber",
-  PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal"
+  PkiSubscriberDailyAutoRenewal = "pki-subscriber-daily-auto-renewal",
+  TelemetryAggregatedEvents = "telemetry-aggregated-events"
 }

 export type TQueueJobTypes = {
@ -292,6 +294,10 @@ export type TQueueJobTypes = {
    name: QueueJobs.PkiSubscriberDailyAutoRenewal;
    payload: undefined;
  };
+  [QueueName.TelemetryAggregatedEvents]: {
+    name: QueueJobs.TelemetryAggregatedEvents;
+    payload: undefined;
+  };
 };

 const SECRET_SCANNING_JOBS = [
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -193,6 +193,8 @@ import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { identityTlsCertAuthDALFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-dal";
+import { identityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-service";
 import { identityTokenAuthDALFactory } from "@app/services/identity-token-auth/identity-token-auth-dal";
 import { identityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { identityUaClientSecretDALFactory } from "@app/services/identity-ua/identity-ua-client-secret-dal";
@ -297,7 +299,6 @@ import { injectAssumePrivilege } from "../plugins/auth/inject-assume-privilege";
 import { injectIdentity } from "../plugins/auth/inject-identity";
 import { injectPermission } from "../plugins/auth/inject-permission";
 import { injectRateLimits } from "../plugins/inject-rate-limits";
-import { registerSecretScannerGhApp } from "../plugins/secret-scanner";
 import { registerV1Routes } from "./v1";
 import { registerV2Routes } from "./v2";
 import { registerV3Routes } from "./v3";
@ -326,7 +327,6 @@ export const registerRoutes = async (
  }
 ) => {
  const appCfg = getConfig();
-  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
  await server.register(registerSecretScanningV2Webhooks, {
    prefix: "/secret-scanning/webhooks"
  });
@ -386,6 +386,7 @@ export const registerRoutes = async (
  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
  const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
  const identityAliCloudAuthDAL = identityAliCloudAuthDALFactory(db);
+  const identityTlsCertAuthDAL = identityTlsCertAuthDALFactory(db);
  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
  const identityOciAuthDAL = identityOciAuthDALFactory(db);
@ -686,7 +687,8 @@ export const registerRoutes = async (
  const telemetryQueue = telemetryQueueServiceFactory({
    keyStore,
    telemetryDAL,
-    queueService
+    queueService,
+    telemetryService
  });

  const invalidateCacheQueue = invalidateCacheQueueFactory({
@ -993,8 +995,7 @@ export const registerRoutes = async (
    pkiAlertDAL,
    pkiCollectionDAL,
    permissionService,
-    smtpService,
-    projectDAL
+    smtpService
  });

  const pkiCollectionService = pkiCollectionServiceFactory({
@ -1002,8 +1003,7 @@ export const registerRoutes = async (
    pkiCollectionItemDAL,
    certificateAuthorityDAL,
    certificateDAL,
-    permissionService,
-    projectDAL
+    permissionService
  });

  const projectTemplateService = projectTemplateServiceFactory({
@ -1187,7 +1187,9 @@ export const registerRoutes = async (
    projectEnvDAL,
    snapshotService,
    projectDAL,
-    folderCommitService
+    folderCommitService,
+    secretApprovalPolicyService,
+    secretV2BridgeDAL
  });

  const secretImportService = secretImportServiceFactory({
@ -1417,7 +1419,8 @@ export const registerRoutes = async (
  const identityAccessTokenService = identityAccessTokenServiceFactory({
    identityAccessTokenDAL,
    identityOrgMembershipDAL,
-    accessTokenQueue
+    accessTokenQueue,
+    identityDAL
  });

  const identityProjectService = identityProjectServiceFactory({
@ -1493,6 +1496,15 @@ export const registerRoutes = async (
    permissionService
  });

+  const identityTlsCertAuthService = identityTlsCertAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityTlsCertAuthDAL,
+    identityOrgMembershipDAL,
+    licenseService,
+    permissionService,
+    kmsService
+  });
+
  const identityAwsAuthService = identityAwsAuthServiceFactory({
    identityAccessTokenDAL,
    identityAwsAuthDAL,
@ -1603,7 +1615,8 @@ export const registerRoutes = async (
    secretSharingDAL,
    secretVersionV2DAL: secretVersionV2BridgeDAL,
    identityUniversalAuthClientSecretDAL: identityUaClientSecretDAL,
-    serviceTokenService
+    serviceTokenService,
+    orgService
  });

  const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
@ -1651,8 +1664,7 @@ export const registerRoutes = async (
  const cmekService = cmekServiceFactory({
    kmsDAL,
    kmsService,
-    permissionService,
-    projectDAL
+    permissionService
  });

  const externalMigrationQueue = externalMigrationQueueFactory({
@ -1794,7 +1806,6 @@ export const registerRoutes = async (

  const certificateAuthorityService = certificateAuthorityServiceFactory({
    certificateAuthorityDAL,
-    projectDAL,
    permissionService,
    appConnectionDAL,
    appConnectionService,
@ -1804,7 +1815,8 @@ export const registerRoutes = async (
    certificateBodyDAL,
    certificateSecretDAL,
    kmsService,
-    pkiSubscriberDAL
+    pkiSubscriberDAL,
+    projectDAL
  });

  const internalCaFns = InternalCertificateAuthorityFns({
@ -1947,6 +1959,7 @@ export const registerRoutes = async (
    identityAwsAuth: identityAwsAuthService,
    identityAzureAuth: identityAzureAuthService,
    identityOciAuth: identityOciAuthService,
+    identityTlsCertAuth: identityTlsCertAuthService,
    identityOidcAuth: identityOidcAuthService,
    identityJwtAuth: identityJwtAuthService,
    identityLdapAuth: identityLdapAuthService,
--- a/backend/src/server/routes/sanitizedSchemas.ts
+++ b/backend/src/server/routes/sanitizedSchemas.ts
@ -251,6 +251,7 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
  name: true,
  description: true,
  type: true,
+  defaultProduct: true,
  slug: true,
  autoCapitalization: true,
  orgId: true,
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -722,6 +722,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.InvalidateCache,
+        organizationId: req.permission.orgId,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          ...req.auditLogInfo
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@ -35,6 +35,10 @@ import {
  CamundaConnectionListItemSchema,
  SanitizedCamundaConnectionSchema
 } from "@app/services/app-connection/camunda";
+import {
+  CloudflareConnectionListItemSchema,
+  SanitizedCloudflareConnectionSchema
+} from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";
 import {
  DatabricksConnectionListItemSchema,
  SanitizedDatabricksConnectionSchema
@ -46,6 +50,7 @@ import {
  GitHubRadarConnectionListItemSchema,
  SanitizedGitHubRadarConnectionSchema
 } from "@app/services/app-connection/github-radar";
+import { GitLabConnectionListItemSchema, SanitizedGitLabConnectionSchema } from "@app/services/app-connection/gitlab";
 import {
  HCVaultConnectionListItemSchema,
  SanitizedHCVaultConnectionSchema
@ -80,10 +85,6 @@ import {
  WindmillConnectionListItemSchema
 } from "@app/services/app-connection/windmill";
 import { AuthMode } from "@app/services/auth/auth-type";
-import {
-  CloudflareConnectionListItemSchema,
-  SanitizedCloudflareConnectionSchema
-} from "@app/services/app-connection/cloudflare/cloudflare-connection-schema";

 // can't use discriminated due to multiple schemas for certain apps
 const SanitizedAppConnectionSchema = z.union([
@ -114,6 +115,7 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedHerokuConnectionSchema.options,
  ...SanitizedRenderConnectionSchema.options,
  ...SanitizedFlyioConnectionSchema.options,
+  ...SanitizedGitLabConnectionSchema.options,
  ...SanitizedCloudflareConnectionSchema.options
 ]);

@ -145,6 +147,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  HerokuConnectionListItemSchema,
  RenderConnectionListItemSchema,
  FlyioConnectionListItemSchema,
+  GitLabConnectionListItemSchema,
  CloudflareConnectionListItemSchema
 ]);

--- a/backend/src/server/routes/v1/app-connection-routers/gitlab-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/gitlab-connection-router.ts
@ -0,0 +1,90 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateGitLabConnectionSchema,
+  SanitizedGitLabConnectionSchema,
+  TGitLabGroup,
+  TGitLabProject,
+  UpdateGitLabConnectionSchema
+} from "@app/services/app-connection/gitlab";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerGitLabConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.GitLab,
+    server,
+    sanitizedResponseSchema: SanitizedGitLabConnectionSchema,
+    createSchema: CreateGitLabConnectionSchema,
+    updateSchema: UpdateGitLabConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects: TGitLabProject[] = await server.services.appConnection.gitlab.listProjects(
+        connectionId,
+        req.permission
+      );
+
+      return projects;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/groups`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const groups: TGitLabGroup[] = await server.services.appConnection.gitlab.listGroups(
+        connectionId,
+        req.permission
+      );
+
+      return groups;
+    }
+  });
+};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@ -10,11 +10,13 @@ import { registerAzureClientSecretsConnectionRouter } from "./azure-client-secre
 import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-router";
 import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
 import { registerCamundaConnectionRouter } from "./camunda-connection-router";
+import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";
 import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
 import { registerFlyioConnectionRouter } from "./flyio-connection-router";
 import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 import { registerGitHubRadarConnectionRouter } from "./github-radar-connection-router";
+import { registerGitLabConnectionRouter } from "./gitlab-connection-router";
 import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
 import { registerHerokuConnectionRouter } from "./heroku-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
@ -27,7 +29,6 @@ import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
 import { registerWindmillConnectionRouter } from "./windmill-connection-router";
-import { registerCloudflareConnectionRouter } from "./cloudflare-connection-router";

 export * from "./app-connection-router";

@ -60,5 +61,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.Heroku]: registerHerokuConnectionRouter,
    [AppConnection.Render]: registerRenderConnectionRouter,
    [AppConnection.Flyio]: registerFlyioConnectionRouter,
+    [AppConnection.GitLab]: registerGitLabConnectionRouter,
    [AppConnection.Cloudflare]: registerCloudflareConnectionRouter
  };
--- a/backend/src/server/routes/v1/certificate-authority-router.ts
+++ b/backend/src/server/routes/v1/certificate-authority-router.ts
@ -692,6 +692,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueCert,
+        organizationId: req.permission.orgId,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          caId: ca.id,
@ -786,6 +787,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SignCert,
+        organizationId: req.permission.orgId,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          caId: ca.id,
--- a/backend/src/server/routes/v1/certificate-router.ts
+++ b/backend/src/server/routes/v1/certificate-router.ts
@ -266,6 +266,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueCert,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          caId: req.body.caId,
          certificateTemplateId: req.body.certificateTemplateId,
@ -442,6 +443,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SignCert,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          caId: req.body.caId,
          certificateTemplateId: req.body.certificateTemplateId,
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@ -475,6 +475,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
              await server.services.telemetry.sendPostHogEvents({
                event: PostHogEventTypes.SecretPulled,
                distinctId: getTelemetryDistinctId(req),
+                organizationId: req.permission.orgId,
                properties: {
                  numberOfSecrets: secretCountFromEnv,
                  workspaceId: projectId,
@ -979,6 +980,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
          await server.services.telemetry.sendPostHogEvents({
            event: PostHogEventTypes.SecretPulled,
            distinctId: getTelemetryDistinctId(req),
+            organizationId: req.permission.orgId,
            properties: {
              numberOfSecrets: secretCount,
              workspaceId: projectId,
@ -1144,6 +1146,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
            await server.services.telemetry.sendPostHogEvents({
              event: PostHogEventTypes.SecretPulled,
              distinctId: getTelemetryDistinctId(req),
+              organizationId: req.permission.orgId,
              properties: {
                numberOfSecrets: secretCountForEnv,
                workspaceId: projectId,
@ -1336,6 +1339,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
        await server.services.telemetry.sendPostHogEvents({
          event: PostHogEventTypes.SecretPulled,
          distinctId: getTelemetryDistinctId(req),
+          organizationId: req.permission.orgId,
          properties: {
            numberOfSecrets: secrets.length,
            workspaceId: projectId,
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@ -85,6 +85,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.MachineIdentityCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          orgId: req.body.organizationId,
          name: identity.name,
--- a/backend/src/server/routes/v1/identity-tls-cert-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-tls-cert-auth-router.ts
@ -0,0 +1,396 @@
+import crypto from "node:crypto";
+
+import { z } from "zod";
+
+import { IdentityTlsCertAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags, TLS_CERT_AUTH } from "@app/lib/api-docs";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
+
+const validateCommonNames = z
+  .string()
+  .min(1)
+  .trim()
+  .transform((el) =>
+    el
+      .split(",")
+      .map((i) => i.trim())
+      .join(",")
+  );
+
+const validateCaCertificate = (caCert: string) => {
+  if (!caCert) return true;
+  try {
+    // eslint-disable-next-line no-new
+    new crypto.X509Certificate(caCert);
+    return true;
+  } catch (err) {
+    return false;
+  }
+};
+
+export const registerIdentityTlsCertAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TlsCertAuth],
+      description: "Login with TLS Certificate Auth",
+      body: z.object({
+        identityId: z.string().trim().describe(TLS_CERT_AUTH.LOGIN.identityId)
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const appCfg = getConfig();
+      const clientCertificate = req.headers[appCfg.IDENTITY_TLS_CERT_AUTH_CLIENT_CERTIFICATE_HEADER_KEY];
+      if (!clientCertificate) {
+        throw new BadRequestError({ message: "Missing TLS certificate in header" });
+      }
+
+      const { identityTlsCertAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityTlsCertAuth.login({
+          identityId: req.body.identityId,
+          clientCertificate: clientCertificate as string
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_TLS_CERT_AUTH,
+          metadata: {
+            identityId: identityTlsCertAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityTlsCertAuthId: identityTlsCertAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityTlsCertAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityTlsCertAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TlsCertAuth],
+      description: "Attach TLS Certificate Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(TLS_CERT_AUTH.ATTACH.identityId)
+      }),
+      body: z
+        .object({
+          allowedCommonNames: validateCommonNames
+            .optional()
+            .nullable()
+            .describe(TLS_CERT_AUTH.ATTACH.allowedCommonNames),
+          caCertificate: z
+            .string()
+            .min(1)
+            .max(10240)
+            .refine(validateCaCertificate, "Invalid CA Certificate.")
+            .describe(TLS_CERT_AUTH.ATTACH.caCertificate),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(TLS_CERT_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(TLS_CERT_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .default(2592000)
+            .describe(TLS_CERT_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .default(0)
+            .describe(TLS_CERT_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityTlsCertAuth: IdentityTlsCertAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityTlsCertAuth = await server.services.identityTlsCertAuth.attachTlsCertAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_TLS_CERT_AUTH,
+          metadata: {
+            identityId: identityTlsCertAuth.identityId,
+            allowedCommonNames: identityTlsCertAuth.allowedCommonNames,
+            accessTokenTTL: identityTlsCertAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityTlsCertAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityTlsCertAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityTlsCertAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityTlsCertAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TlsCertAuth],
+      description: "Update TLS Certificate Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(TLS_CERT_AUTH.UPDATE.identityId)
+      }),
+      body: z
+        .object({
+          caCertificate: z
+            .string()
+            .min(1)
+            .max(10240)
+            .refine(validateCaCertificate, "Invalid CA Certificate.")
+            .optional()
+            .describe(TLS_CERT_AUTH.UPDATE.caCertificate),
+          allowedCommonNames: validateCommonNames
+            .optional()
+            .nullable()
+            .describe(TLS_CERT_AUTH.UPDATE.allowedCommonNames),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(TLS_CERT_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(TLS_CERT_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(TLS_CERT_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(TLS_CERT_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityTlsCertAuth: IdentityTlsCertAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityTlsCertAuth = await server.services.identityTlsCertAuth.updateTlsCertAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_TLS_CERT_AUTH,
+          metadata: {
+            identityId: identityTlsCertAuth.identityId,
+            allowedCommonNames: identityTlsCertAuth.allowedCommonNames,
+            accessTokenTTL: identityTlsCertAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityTlsCertAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityTlsCertAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityTlsCertAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityTlsCertAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TlsCertAuth],
+      description: "Retrieve TLS Certificate Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(TLS_CERT_AUTH.RETRIEVE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityTlsCertAuth: IdentityTlsCertAuthsSchema.extend({
+            caCertificate: z.string()
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityTlsCertAuth = await server.services.identityTlsCertAuth.getTlsCertAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_TLS_CERT_AUTH,
+          metadata: {
+            identityId: identityTlsCertAuth.identityId
+          }
+        }
+      });
+      return { identityTlsCertAuth };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.TlsCertAuth],
+      description: "Delete TLS Certificate Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(TLS_CERT_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityTlsCertAuth: IdentityTlsCertAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityTlsCertAuth = await server.services.identityTlsCertAuth.revokeTlsCertAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_TLS_CERT_AUTH,
+          metadata: {
+            identityId: identityTlsCertAuth.identityId
+          }
+        }
+      });
+
+      return { identityTlsCertAuth };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@ -25,6 +25,7 @@ import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
 import { registerIdentityOciAuthRouter } from "./identity-oci-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityRouter } from "./identity-router";
+import { registerIdentityTlsCertAuthRouter } from "./identity-tls-cert-auth-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
 import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@ -66,6 +67,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
      await authRouter.register(registerIdentityAccessTokenRouter);
      await authRouter.register(registerIdentityAliCloudAuthRouter);
      await authRouter.register(registerIdentityAwsAuthRouter);
+      await authRouter.register(registerIdentityTlsCertAuthRouter, { prefix: "/tls-cert-auth" });
      await authRouter.register(registerIdentityAzureAuthRouter);
      await authRouter.register(registerIdentityOciAuthRouter);
      await authRouter.register(registerIdentityOidcAuthRouter);
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -103,6 +103,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IntegrationCreated,
+        organizationId: req.permission.orgId,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          ...createIntegrationEventProperty,
--- a/backend/src/server/routes/v1/invite-org-router.ts
+++ b/backend/src/server/routes/v1/invite-org-router.ts
@ -64,6 +64,7 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.UserOrgInvitation,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          inviteeEmails: req.body.inviteeEmails,
          organizationRoleSlug: req.body.organizationRoleSlug,
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@ -113,52 +113,73 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      hide: false,
      tags: [ApiDocsTags.AuditLogs],
      description: "Get all audit logs for an organization",
-      querystring: z.object({
-        projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
-        environment: z.string().optional().describe(AUDIT_LOGS.EXPORT.environment),
-        actorType: z.nativeEnum(ActorType).optional(),
-        secretPath: z
-          .string()
-          .optional()
-          .transform((val) => (!val ? val : removeTrailingSlash(val)))
-          .describe(AUDIT_LOGS.EXPORT.secretPath),
-        secretKey: z.string().optional().describe(AUDIT_LOGS.EXPORT.secretKey),
+      querystring: z
+        .object({
+          projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
+          environment: z.string().optional().describe(AUDIT_LOGS.EXPORT.environment),
+          actorType: z.nativeEnum(ActorType).optional(),
+          secretPath: z
+            .string()
+            .optional()
+            .transform((val) => (!val ? val : removeTrailingSlash(val)))
+            .describe(AUDIT_LOGS.EXPORT.secretPath),
+          secretKey: z.string().optional().describe(AUDIT_LOGS.EXPORT.secretKey),
+          // eventType is split with , for multiple values, we need to transform it to array
+          eventType: z
+            .string()
+            .optional()
+            .transform((val) => (val ? val.split(",") : undefined)),
+          userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
+          eventMetadata: z
+            .string()
+            .optional()
+            .transform((val) => {
+              if (!val) {
+                return undefined;
+              }

-        // eventType is split with , for multiple values, we need to transform it to array
-        eventType: z
-          .string()
-          .optional()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
-        eventMetadata: z
-          .string()
-          .optional()
-          .transform((val) => {
-            if (!val) {
-              return undefined;
+              const pairs = val.split(",");
+
+              return pairs.reduce(
+                (acc, pair) => {
+                  const [key, value] = pair.split("=");
+                  if (key && value) {
+                    acc[key] = value;
+                  }
+                  return acc;
+                },
+                {} as Record<string, string>
+              );
+            })
+            .describe(AUDIT_LOGS.EXPORT.eventMetadata),
+          startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
+          endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
+          offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
+          limit: z.coerce.number().max(1000).default(20).describe(AUDIT_LOGS.EXPORT.limit),
+          actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
+        })
+        .superRefine((el, ctx) => {
+          if (el.endDate && el.startDate) {
+            const startDate = new Date(el.startDate);
+            const endDate = new Date(el.endDate);
+            const maxAllowedDate = new Date(startDate);
+            maxAllowedDate.setMonth(maxAllowedDate.getMonth() + 3);
+            if (endDate < startDate) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["endDate"],
+                message: "End date cannot be before start date"
+              });
            }
-
-            const pairs = val.split(",");
-
-            return pairs.reduce(
-              (acc, pair) => {
-                const [key, value] = pair.split("=");
-                if (key && value) {
-                  acc[key] = value;
-                }
-                return acc;
-              },
-              {} as Record<string, string>
-            );
-          })
-          .describe(AUDIT_LOGS.EXPORT.eventMetadata),
-        startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
-        endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
-        offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
-        limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
-        actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
-      }),
-
+            if (endDate > maxAllowedDate) {
+              ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["endDate"],
+                message: "Dates must be within 3 months"
+              });
+            }
+          }
+        }),
      response: {
        200: z.object({
          auditLogs: AuditLogsSchema.omit({
@ -188,14 +209,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      const auditLogs = await server.services.auditLog.listAuditLogs({
        filter: {
          ...req.query,
-          endDate: req.query.endDate,
+          endDate: req.query.endDate || new Date().toISOString(),
          projectId: req.query.projectId,
          startDate: req.query.startDate || getLastMidnightDateISO(),
          auditLogActorId: req.query.actor,
          actorType: req.query.actorType,
          eventType: req.query.eventType as EventType[] | undefined
        },
-
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/server/routes/v1/pki-subscriber-router.ts
+++ b/backend/src/server/routes/v1/pki-subscriber-router.ts
@ -331,6 +331,7 @@ export const registerPkiSubscriberRouter = async (server: FastifyZodProvider) =>

      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueCert,
+        organizationId: req.permission.orgId,
        distinctId: getTelemetryDistinctId(req),
        properties: {
          subscriberId: subscriber.id,
@ -399,6 +400,7 @@ export const registerPkiSubscriberRouter = async (server: FastifyZodProvider) =>
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.IssueCert,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          subscriberId: subscriber.id,
          commonName: subscriber.commonName,
@ -471,6 +473,7 @@ export const registerPkiSubscriberRouter = async (server: FastifyZodProvider) =>
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SignCert,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          subscriberId: subscriber.id,
          commonName: subscriber.commonName,
--- a/backend/src/server/routes/v1/project-router.ts
+++ b/backend/src/server/routes/v1/project-router.ts
@ -158,17 +158,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        includeRoles: z
          .enum(["true", "false"])
          .default("false")
-          .transform((value) => value === "true"),
-        type: z
-          .enum([
-            ProjectType.SecretManager,
-            ProjectType.KMS,
-            ProjectType.CertificateManager,
-            ProjectType.SSH,
-            ProjectType.SecretScanning,
-            "all"
-          ])
-          .optional()
+          .transform((value) => value === "true")
      }),
      response: {
        200: z.object({
@ -187,8 +177,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        type: req.query.type
+        actorOrgId: req.permission.orgId
      });
      return { workspaces };
    }
@ -377,7 +366,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          .optional()
          .describe(PROJECTS.UPDATE.slug),
        secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing),
-        showSnapshotsLegacy: z.boolean().optional().describe(PROJECTS.UPDATE.showSnapshotsLegacy)
+        showSnapshotsLegacy: z.boolean().optional().describe(PROJECTS.UPDATE.showSnapshotsLegacy),
+        defaultProduct: z.nativeEnum(ProjectType).optional().describe(PROJECTS.UPDATE.defaultProduct)
      }),
      response: {
        200: z.object({
@ -396,6 +386,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          name: req.body.name,
          description: req.body.description,
          autoCapitalization: req.body.autoCapitalization,
+          defaultProduct: req.body.defaultProduct,
          hasDeleteProtection: req.body.hasDeleteProtection,
          slug: req.body.slug,
          secretSharing: req.body.secretSharing,
@ -1059,7 +1050,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      body: z.object({
        limit: z.number().default(100),
        offset: z.number().default(0),
-        type: z.nativeEnum(ProjectType).optional(),
        orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
        orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
        name: z
--- a/backend/src/server/routes/v1/secret-requests-router.ts
+++ b/backend/src/server/routes/v1/secret-requests-router.ts
@ -165,6 +165,7 @@ export const registerSecretRequestsRouter = async (server: FastifyZodProvider) =
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretRequestDeleted,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          secretRequestId: req.params.id,
          organizationId: req.permission.orgId,
@ -256,6 +257,7 @@ export const registerSecretRequestsRouter = async (server: FastifyZodProvider) =
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretRequestCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          secretRequestId: shareRequest.id,
          organizationId: req.permission.orgId,
--- a/backend/src/server/routes/v1/secret-sync-routers/cloudflare-pages-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/cloudflare-pages-sync-router.ts
@ -1,10 +1,11 @@
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
 import {
  CloudflarePagesSyncSchema,
  CreateCloudflarePagesSyncSchema,
  UpdateCloudflarePagesSyncSchema
 } from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";

 export const registerCloudflarePagesSyncRouter = async (server: FastifyZodProvider) =>
  registerSyncSecretsEndpoints({
--- a/backend/src/server/routes/v1/secret-sync-routers/gitlab-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/gitlab-sync-router.ts
@ -0,0 +1,13 @@
+import { CreateGitLabSyncSchema, GitLabSyncSchema, UpdateGitLabSyncSchema } from "@app/services/secret-sync/gitlab";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerGitLabSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.GitLab,
+    server,
+    responseSchema: GitLabSyncSchema,
+    createSchema: CreateGitLabSyncSchema,
+    updateSchema: UpdateGitLabSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@ -13,6 +13,7 @@ import { registerDatabricksSyncRouter } from "./databricks-sync-router";
 import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
+import { registerGitLabSyncRouter } from "./gitlab-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
 import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
@ -45,5 +46,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.Heroku]: registerHerokuSyncRouter,
  [SecretSync.Render]: registerRenderSyncRouter,
  [SecretSync.Flyio]: registerFlyioSyncRouter,
+  [SecretSync.GitLab]: registerGitLabSyncRouter,
  [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@ -22,10 +22,15 @@ import {
 import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
 import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
 import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
+import {
+  CloudflarePagesSyncListItemSchema,
+  CloudflarePagesSyncSchema
+} from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";
 import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
 import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-sync/flyio";
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
+import { GitLabSyncListItemSchema, GitLabSyncSchema } from "@app/services/secret-sync/gitlab";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
 import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
@ -34,10 +39,6 @@ import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/se
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
 import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
-import {
-  CloudflarePagesSyncListItemSchema,
-  CloudflarePagesSyncSchema
-} from "@app/services/secret-sync/cloudflare-pages/cloudflare-pages-schema";

 const SecretSyncSchema = z.discriminatedUnion("destination", [
  AwsParameterStoreSyncSchema,
@ -60,6 +61,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  HerokuSyncSchema,
  RenderSyncSchema,
  FlyioSyncSchema,
+  GitLabSyncSchema,
  CloudflarePagesSyncSchema
 ]);

@ -84,6 +86,7 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  HerokuSyncListItemSchema,
  RenderSyncListItemSchema,
  FlyioSyncListItemSchema,
+  GitLabSyncListItemSchema,
  CloudflarePagesSyncListItemSchema
 ]);

--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@ -4,7 +4,6 @@ import {
  OrgMembershipsSchema,
  ProjectMembershipsSchema,
  ProjectsSchema,
-  ProjectType,
  UserEncryptionKeysSchema,
  UsersSchema
 } from "@app/db/schemas";
@ -85,9 +84,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      params: z.object({
        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
      }),
-      querystring: z.object({
-        type: z.nativeEnum(ProjectType).optional().describe(ORGANIZATIONS.GET_PROJECTS.type)
-      }),
      response: {
        200: z.object({
          workspaces: z
@ -114,8 +110,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
        actorAuthMethod: req.permission.authMethod,
-        orgId: req.params.organizationId,
-        type: req.query.type
+        orgId: req.params.organizationId
      });

      return { workspaces };
--- a/backend/src/server/routes/v2/project-router.ts
+++ b/backend/src/server/routes/v2/project-router.ts
@ -198,6 +198,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.ProjectCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          orgId: project.orgId,
          name: project.name,
@ -456,6 +457,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiAlerting],
      params: z.object({
        projectId: z.string().trim()
      }),
@ -486,6 +489,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateCollections],
      params: z.object({
        projectId: z.string().trim()
      }),
@ -548,6 +553,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
      rateLimit: readLimit
    },
    schema: {
+      hide: false,
+      tags: [ApiDocsTags.PkiCertificateTemplates],
      params: z.object({
        projectId: z.string().trim()
      }),
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -333,6 +333,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        await server.services.telemetry.sendPostHogEvents({
          event: PostHogEventTypes.SecretPulled,
          distinctId: getTelemetryDistinctId(req),
+          organizationId: req.permission.orgId,
          properties: {
            numberOfSecrets: secrets.length,
            workspaceId,
@ -489,6 +490,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
        await server.services.telemetry.sendPostHogEvents({
          event: PostHogEventTypes.SecretPulled,
+          organizationId: req.permission.orgId,
          distinctId: getTelemetryDistinctId(req),
          properties: {
            numberOfSecrets: 1,
@ -615,6 +617,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: 1,
          workspaceId: projectId,
@ -750,6 +753,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretUpdated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: 1,
          workspaceId: projectId,
@ -850,6 +854,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretDeleted,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: 1,
          workspaceId: projectId,
@ -957,6 +962,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        await server.services.telemetry.sendPostHogEvents({
          event: PostHogEventTypes.SecretPulled,
          distinctId: getTelemetryDistinctId(req),
+          organizationId: req.permission.orgId,
          properties: {
            numberOfSecrets: secrets.length,
            workspaceId: req.query.workspaceId,
@ -1036,6 +1042,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        await server.services.telemetry.sendPostHogEvents({
          event: PostHogEventTypes.SecretPulled,
          distinctId: getTelemetryDistinctId(req),
+          organizationId: req.permission.orgId,
          properties: {
            numberOfSecrets: 1,
            workspaceId: req.query.workspaceId,
@ -1207,6 +1214,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: 1,
          workspaceId: req.body.workspaceId,
@ -1396,6 +1404,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretUpdated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: 1,
          workspaceId: req.body.workspaceId,
@ -1519,6 +1528,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretDeleted,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: 1,
          workspaceId: req.body.workspaceId,
@ -1702,6 +1712,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: secrets.length,
          workspaceId: req.body.workspaceId,
@ -1828,6 +1839,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretUpdated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: secrets.length,
          workspaceId: req.body.workspaceId,
@ -1946,6 +1958,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretDeleted,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: secrets.length,
          workspaceId: req.body.workspaceId,
@ -2054,6 +2067,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretCreated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: secrets.length,
          workspaceId: secrets[0].workspace,
@ -2209,6 +2223,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretUpdated,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: secrets.length,
          workspaceId: secrets[0].workspace,
@ -2307,6 +2322,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      await server.services.telemetry.sendPostHogEvents({
        event: PostHogEventTypes.SecretDeleted,
        distinctId: getTelemetryDistinctId(req),
+        organizationId: req.permission.orgId,
        properties: {
          numberOfSecrets: secrets.length,
          workspaceId: secrets[0].workspace,
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@ -26,6 +26,7 @@ export enum AppConnection {
  Heroku = "heroku",
  Render = "render",
  Flyio = "flyio",
+  GitLab = "gitlab",
  Cloudflare = "cloudflare"
 }

--- a/Show More
+++ b/Show More