fix: variable naming

feat: better rate limit errors
Merge pull request #2621 from scott-ray-wilson/improve-overview-table-overflow
2025-08-22 10:12:15 +00:00 · 2024-10-19 06:41:29 +04:00 · 2024-10-19 06:35:49 +04:00 · 2024-10-18 19:14:42 -04:00 · 2024-10-18 16:06:25 -07:00 · 2024-10-18 18:30:35 -04:00
530 changed files with 17707 additions and 5913 deletions
--- a/.env.example
+++ b/.env.example
@@ -36,16 +36,22 @@ CLIENT_ID_HEROKU=
 CLIENT_ID_VERCEL=
 CLIENT_ID_NETLIFY=
 CLIENT_ID_GITHUB=
 CLIENT_ID_GITHUB_APP=
 CLIENT_SLUG_GITHUB_APP=
 CLIENT_ID_GITLAB=
 CLIENT_ID_BITBUCKET=
 CLIENT_SECRET_HEROKU=
 CLIENT_SECRET_VERCEL=
 CLIENT_SECRET_NETLIFY=
 CLIENT_SECRET_GITHUB=
 CLIENT_SECRET_GITHUB_APP=
 CLIENT_SECRET_GITLAB=
 CLIENT_SECRET_BITBUCKET=
 CLIENT_SLUG_VERCEL=
 CLIENT_PRIVATE_KEY_GITHUB_APP=
 CLIENT_APP_ID_GITHUB_APP=
 # Sentry (optional) for monitoring errors
 SENTRY_DSN=
--- a/.env.migration.example
+++ b/.env.migration.example
@@ -1 +1,2 @@
 DB_CONNECTION_URI=
 AUDIT_LOGS_DB_CONNECTION_URI=
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -6,6 +6,7 @@
 - [ ] Bug fix
 - [ ] New feature
 - [ ] Improvement
 - [ ] Breaking change
 - [ ] Documentation
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -7,7 +7,6 @@ on:
                description: "Version number"
                required: true
                type: string
 defaults:
    run:
        working-directory: ./backend
@@ -49,9 +48,9 @@ jobs:
            - name: Package into node binary
              run: |
                  if [ "${{ matrix.os }}" != "linux" ]; then
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                    pkg --no-bytecode --public-packages "*" --public --compress GZip --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
                  else
-                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                    pkg --no-bytecode --public-packages "*" --public --compress GZip --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
                  fi
            # Set up .deb package structure (Debian/Ubuntu only)
@@ -83,6 +82,86 @@ jobs:
                  dpkg-deb --build infisical-core
                  mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb
            ### RPM
            # Set up .rpm package structure
            - name: Set up .rpm package structure
              if: matrix.os == 'linux'
              run: |
                  mkdir -p infisical-core-rpm/usr/local/bin
                  cp ./binary/infisical-core infisical-core-rpm/usr/local/bin/
                  chmod +x infisical-core-rpm/usr/local/bin/infisical-core
            # Install RPM build tools
            - name: Install RPM build tools
              if: matrix.os == 'linux'
              run: sudo apt-get update && sudo apt-get install -y rpm
            # Create .spec file for RPM
            - name: Create .spec file for RPM
              if: matrix.os == 'linux'
              run: |
                  cat <<EOF > infisical-core.spec
                  %global _enable_debug_package 0
                  %global debug_package %{nil}
                  %global __os_install_post /usr/lib/rpm/brp-compress %{nil}
                  Name:           infisical-core
                  Version:        ${{ github.event.inputs.version }}
                  Release:        1%{?dist}
                  Summary:        Infisical Core standalone executable
                  License:        Proprietary
                  URL:            https://app.infisical.com
                  %description
                  Infisical Core standalone executable (app.infisical.com)
                  %install
                  mkdir -p %{buildroot}/usr/local/bin
                  cp %{_sourcedir}/infisical-core %{buildroot}/usr/local/bin/
                  %files
                  /usr/local/bin/infisical-core
                  %pre
                  %post
                  %preun
                  %postun
                  EOF
            # Build .rpm file
            - name: Build .rpm package
              if: matrix.os == 'linux'
              run: |
                  # Create necessary directories
                  mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
                  # Copy the binary directly to SOURCES
                  cp ./binary/infisical-core rpmbuild/SOURCES/
                  # Run rpmbuild with verbose output
                  rpmbuild -vv -bb \
                    --define "_topdir $(pwd)/rpmbuild" \
                    --define "_sourcedir $(pwd)/rpmbuild/SOURCES" \
                    --define "_rpmdir $(pwd)/rpmbuild/RPMS" \
                    --target ${{ matrix.arch == 'x64' && 'x86_64' || 'aarch64' }} \
                    infisical-core.spec
                  # Try to find the RPM file
                  find rpmbuild -name "*.rpm"
                  # Move the RPM file if found
                  if [ -n "$(find rpmbuild -name '*.rpm')" ]; then
                    mv $(find rpmbuild -name '*.rpm') ./binary/infisical-core-${{matrix.arch}}.rpm
                  else
                    echo "RPM file not found!"
                    exit 1
                  fi
            - uses: actions/setup-python@v4
              with:
                  python-version: "3.x" # Specify the Python version you need
@@ -97,6 +176,12 @@ jobs:
              working-directory: ./backend
              run: cloudsmith push deb --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.deb
            # Publish .rpm file to Cloudsmith (Red Hat-based systems only)
            - name: Publish .rpm to Cloudsmith
              if: matrix.os == 'linux'
              working-directory: ./backend
              run: cloudsmith push rpm --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.rpm
            # Publish .exe file to Cloudsmith (Windows only)
            - name: Publish to Cloudsmith (Windows)
              if: matrix.os == 'win'
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@@ -127,6 +127,7 @@ jobs:
      - name: Change directory to backend and install dependencies
        env:
          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
        run: |
          cd backend
          npm install
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@@ -95,6 +95,10 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 RUN apk add --upgrade --no-cache ca-certificates
 RUN apk add --no-cache bash curl && curl -1sLf \
  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
  && apk add infisical=0.31.1 && apk add --no-cache git
 RUN addgroup --system --gid 1001 nodejs \
  && adduser --system --uid 1001 non-root-user
--- a/README.md
+++ b/README.md
@@ -73,6 +73,11 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
 ### Key Management (KMS):
 - **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
@@ -130,9 +135,7 @@ Lean about Infisical's code scanning feature [here](https://infisical.com/docs/c
 This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license.
-If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo):
+If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our website](https://infisical.com/) or [book a meeting with us](https://infisical.cal.com/vlad/infisical-demo).
 <a href="[https://infisical.cal.com/vlad/infisical-demo](https://infisical.cal.com/vlad/infisical-demo)"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
 ## Security
@@ -158,4 +161,3 @@ Not sure where to get started? You can:
 - [Twitter](https://twitter.com/infisical) for fast news
 - [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
 - [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
 - [Roadmap](https://www.notion.so/infisical/be2d2585a6694e40889b03aef96ea36b?v=5b19a8127d1a4060b54769567a8785fa) for planned features
--- a/backend/e2e-test/routes/v1/project-env.spec.ts
+++ b/backend/e2e-test/routes/v1/project-env.spec.ts
@@ -123,7 +123,7 @@ describe("Project Environment Router", async () => {
        id: deletedProjectEnvironment.id,
        name: mockProjectEnv.name,
        slug: mockProjectEnv.slug,
-        position: 4,
+        position: 5,
        createdAt: expect.any(String),
        updatedAt: expect.any(String)
      })
--- a/backend/e2e-test/routes/v2/service-token.spec.ts
+++ b/backend/e2e-test/routes/v2/service-token.spec.ts
@@ -510,7 +510,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@@ -532,7 +532,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(fetchSecrets.statusCode).toBe(401);
+    expect(fetchSecrets.statusCode).toBe(403);
    expect(fetchSecrets.json().error).toBe("PermissionDenied");
    await deleteServiceToken();
  });
@@ -557,7 +557,7 @@ describe("Service token fail cases", async () => {
        authorization: `Bearer ${serviceToken}`
      }
    });
-    expect(writeSecrets.statusCode).toBe(401);
+    expect(writeSecrets.statusCode).toBe(403);
    expect(writeSecrets.json().error).toBe("PermissionDenied");
    // but read access should still work fine
--- a/backend/e2e-test/routes/v3/secrets.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets.spec.ts
@@ -1075,7 +1075,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: createSecretReqBody
    });
-    expect(createSecRes.statusCode).toBe(400);
+    expect(createSecRes.statusCode).toBe(404);
  });
  test("Update secret raw", async () => {
@@ -1093,7 +1093,7 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: updateSecretReqBody
    });
-    expect(updateSecRes.statusCode).toBe(400);
+    expect(updateSecRes.statusCode).toBe(404);
  });
  test("Delete secret raw", async () => {
@@ -1110,6 +1110,6 @@ describe("Secret V3 Raw Router Without E2EE enabled", async () => {
      },
      body: deletedSecretReqBody
    });
-    expect(deletedSecRes.statusCode).toBe(400);
+    expect(deletedSecRes.statusCode).toBe(404);
  });
 });
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -21,12 +21,14 @@
        "@fastify/etag": "^5.1.0",
        "@fastify/formbody": "^7.4.0",
        "@fastify/helmet": "^11.1.1",
        "@fastify/multipart": "8.3.0",
        "@fastify/passport": "^2.4.0",
        "@fastify/rate-limit": "^9.0.0",
        "@fastify/session": "^10.7.0",
        "@fastify/swagger": "^8.14.0",
        "@fastify/swagger-ui": "^2.1.0",
        "@node-saml/passport-saml": "^4.0.4",
        "@octokit/auth-app": "^7.1.1",
        "@octokit/plugin-retry": "^5.0.5",
        "@octokit/rest": "^20.0.2",
        "@octokit/webhooks-types": "^7.3.1",
@@ -61,6 +63,7 @@
        "jwks-rsa": "^3.1.0",
        "knex": "^3.0.1",
        "ldapjs": "^3.0.7",
        "ldif": "0.5.1",
        "libsodium-wrappers": "^0.7.13",
        "lodash.isequal": "^4.5.0",
        "mongodb": "^6.8.1",
@@ -85,6 +88,7 @@
        "safe-regex": "^2.1.1",
        "scim-patch": "^0.8.3",
        "scim2-parse-filter": "^0.2.10",
        "sjcl": "^1.0.8",
        "smee-client": "^2.0.0",
        "tedious": "^18.2.1",
        "tweetnacl": "^1.0.3",
@@ -117,6 +121,7 @@
        "@types/prompt-sync": "^4.2.3",
        "@types/resolve": "^1.20.6",
        "@types/safe-regex": "^1.1.6",
        "@types/sjcl": "^1.0.34",
        "@types/uuid": "^9.0.7",
        "@typescript-eslint/eslint-plugin": "^6.20.0",
        "@typescript-eslint/parser": "^6.20.0",
@@ -4308,6 +4313,15 @@
        "fast-uri": "^2.0.0"
      }
    },
    "node_modules/@fastify/busboy": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
      "license": "MIT",
      "engines": {
        "node": ">=14"
      }
    },
    "node_modules/@fastify/cookie": {
      "version": "9.3.1",
      "resolved": "https://registry.npmjs.org/@fastify/cookie/-/cookie-9.3.1.tgz",
@@ -4378,6 +4392,20 @@
        "helmet": "^7.0.0"
      }
    },
    "node_modules/@fastify/multipart": {
      "version": "8.3.0",
      "resolved": "https://registry.npmjs.org/@fastify/multipart/-/multipart-8.3.0.tgz",
      "integrity": "sha512-A8h80TTyqUzaMVH0Cr9Qcm6RxSkVqmhK/MVBYHYeRRSUbUYv08WecjWKSlG2aSnD4aGI841pVxAjC+G1GafUeQ==",
      "license": "MIT",
      "dependencies": {
        "@fastify/busboy": "^2.1.0",
        "@fastify/deepmerge": "^1.0.0",
        "@fastify/error": "^3.0.0",
        "fastify-plugin": "^4.0.0",
        "secure-json-parse": "^2.4.0",
        "stream-wormhole": "^1.1.0"
      }
    },
    "node_modules/@fastify/passport": {
      "version": "2.4.0",
      "resolved": "https://registry.npmjs.org/@fastify/passport/-/passport-2.4.0.tgz",
@@ -4973,24 +5001,73 @@
      }
    },
    "node_modules/@octokit/auth-app": {
-      "version": "6.0.3",
+      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-6.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-7.1.1.tgz",
-      "integrity": "sha512-9N7IlBAKEJR3tJgPSubCxIDYGXSdc+2xbkjYpk9nCyqREnH8qEMoMhiEB1WgoA9yTFp91El92XNXAi+AjuKnfw==",
+      "integrity": "sha512-kRAd6yelV9OgvlEJE88H0VLlQdZcag9UlLr7dV0YYP37X8PPDvhgiTy66QVhDXdyoT0AleFN2w/qXkPdrSzINg==",
      "dependencies": {
-        "@octokit/auth-oauth-app": "^7.0.0",
+        "@octokit/auth-oauth-app": "^8.1.0",
-        "@octokit/auth-oauth-user": "^4.0.0",
+        "@octokit/auth-oauth-user": "^5.1.0",
-        "@octokit/request": "^8.0.2",
+        "@octokit/request": "^9.1.1",
-        "@octokit/request-error": "^5.0.0",
+        "@octokit/request-error": "^6.1.1",
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.4.1",
        "deprecation": "^2.3.1",
        "lru-cache": "^10.0.0",
-        "universal-github-app-jwt": "^1.1.2",
+        "universal-github-app-jwt": "^2.2.0",
-        "universal-user-agent": "^6.0.0"
+        "universal-user-agent": "^7.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-app/node_modules/@octokit/endpoint": {
      "version": "10.1.1",
      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
      "dependencies": {
        "@octokit/types": "^13.0.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-app/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/auth-app/node_modules/@octokit/request": {
      "version": "9.1.3",
      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
      "dependencies": {
        "@octokit/endpoint": "^10.0.0",
        "@octokit/request-error": "^6.0.1",
        "@octokit/types": "^13.1.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-app/node_modules/@octokit/request-error": {
      "version": "6.1.5",
      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
      "dependencies": {
        "@octokit/types": "^13.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-app/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/auth-app/node_modules/lru-cache": {
      "version": "10.2.0",
      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.0.tgz",
@@ -4999,53 +5076,220 @@
        "node": "14 || >=16.14"
      }
    },
    "node_modules/@octokit/auth-app/node_modules/universal-user-agent": {
      "version": "7.0.2",
      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
    },
    "node_modules/@octokit/auth-oauth-app": {
-      "version": "7.0.1",
+      "version": "8.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-7.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-8.1.1.tgz",
-      "integrity": "sha512-RE0KK0DCjCHXHlQBoubwlLijXEKfhMhKm9gO56xYvFmP1QTMb+vvwRPmQLLx0V+5AvV9N9I3lr1WyTzwL3rMDg==",
+      "integrity": "sha512-5UtmxXAvU2wfcHIPPDWzVSAWXVJzG3NWsxb7zCFplCWEmMCArSZV0UQu5jw5goLQXbFyOr5onzEH37UJB3zQQg==",
      "dependencies": {
-        "@octokit/auth-oauth-device": "^6.0.0",
+        "@octokit/auth-oauth-device": "^7.0.0",
-        "@octokit/auth-oauth-user": "^4.0.0",
+        "@octokit/auth-oauth-user": "^5.0.1",
-        "@octokit/request": "^8.0.2",
+        "@octokit/request": "^9.0.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.0.0",
-        "@types/btoa-lite": "^1.0.0",
+        "universal-user-agent": "^7.0.0"
        "btoa-lite": "^1.0.0",
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/endpoint": {
      "version": "10.1.1",
      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
      "dependencies": {
        "@octokit/types": "^13.0.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/request": {
      "version": "9.1.3",
      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
      "dependencies": {
        "@octokit/endpoint": "^10.0.0",
        "@octokit/request-error": "^6.0.1",
        "@octokit/types": "^13.1.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/request-error": {
      "version": "6.1.5",
      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
      "dependencies": {
        "@octokit/types": "^13.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/auth-oauth-app/node_modules/universal-user-agent": {
      "version": "7.0.2",
      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
    },
    "node_modules/@octokit/auth-oauth-device": {
-      "version": "6.0.1",
+      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-6.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-7.1.1.tgz",
-      "integrity": "sha512-yxU0rkL65QkjbqQedgVx3gmW7YM5fF+r5uaSj9tM/cQGVqloXcqP2xK90eTyYvl29arFVCW8Vz4H/t47mL0ELw==",
+      "integrity": "sha512-HWl8lYueHonuyjrKKIup/1tiy0xcmQCdq5ikvMO1YwkNNkxb6DXfrPjrMYItNLyCP/o2H87WuijuE+SlBTT8eg==",
      "dependencies": {
-        "@octokit/oauth-methods": "^4.0.0",
+        "@octokit/oauth-methods": "^5.0.0",
-        "@octokit/request": "^8.0.0",
+        "@octokit/request": "^9.0.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^6.0.0"
+        "universal-user-agent": "^7.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/endpoint": {
      "version": "10.1.1",
      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
      "dependencies": {
        "@octokit/types": "^13.0.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/request": {
      "version": "9.1.3",
      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
      "dependencies": {
        "@octokit/endpoint": "^10.0.0",
        "@octokit/request-error": "^6.0.1",
        "@octokit/types": "^13.1.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/request-error": {
      "version": "6.1.5",
      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
      "dependencies": {
        "@octokit/types": "^13.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/auth-oauth-device/node_modules/universal-user-agent": {
      "version": "7.0.2",
      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
    },
    "node_modules/@octokit/auth-oauth-user": {
-      "version": "4.0.1",
+      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-4.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-5.1.1.tgz",
-      "integrity": "sha512-N94wWW09d0hleCnrO5wt5MxekatqEJ4zf+1vSe8MKMrhZ7gAXKFOKrDEZW2INltvBWJCyDUELgGRv8gfErH1Iw==",
+      "integrity": "sha512-rRkMz0ErOppdvEfnemHJXgZ9vTPhBuC6yASeFaB7I2yLMd7QpjfrL1mnvRPlyKo+M6eeLxrKanXJ9Qte29SRsw==",
      "dependencies": {
-        "@octokit/auth-oauth-device": "^6.0.0",
+        "@octokit/auth-oauth-device": "^7.0.1",
-        "@octokit/oauth-methods": "^4.0.0",
+        "@octokit/oauth-methods": "^5.0.0",
-        "@octokit/request": "^8.0.2",
+        "@octokit/request": "^9.0.1",
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.0.0",
-        "btoa-lite": "^1.0.0",
+        "universal-user-agent": "^7.0.0"
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/endpoint": {
      "version": "10.1.1",
      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
      "dependencies": {
        "@octokit/types": "^13.0.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/request": {
      "version": "9.1.3",
      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
      "dependencies": {
        "@octokit/endpoint": "^10.0.0",
        "@octokit/request-error": "^6.0.1",
        "@octokit/types": "^13.1.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/request-error": {
      "version": "6.1.5",
      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
      "dependencies": {
        "@octokit/types": "^13.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/auth-oauth-user/node_modules/universal-user-agent": {
      "version": "7.0.2",
      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
    },
    "node_modules/@octokit/auth-token": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
@@ -5109,28 +5353,82 @@
      }
    },
    "node_modules/@octokit/oauth-authorization-url": {
-      "version": "6.0.2",
+      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-6.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz",
-      "integrity": "sha512-CdoJukjXXxqLNK4y/VOiVzQVjibqoj/xHgInekviUJV73y/BSIcwvJ/4aNHPBPKcPWFnd4/lO9uqRV65jXhcLA==",
+      "integrity": "sha512-ooXV8GBSabSWyhLUowlMIVd9l1s2nsOGQdlP2SQ4LnkEsGXzeCvbSbCPdZThXhEFzleGPwbapT0Sb+YhXRyjCA==",
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/oauth-methods": {
-      "version": "4.0.1",
+      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-4.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-5.1.2.tgz",
-      "integrity": "sha512-1NdTGCoBHyD6J0n2WGXg9+yDLZrRNZ0moTEex/LSPr49m530WNKcCfXDghofYptr3st3eTii+EHoG5k/o+vbtw==",
+      "integrity": "sha512-C5lglRD+sBlbrhCUTxgJAFjWgJlmTx5bQ7Ch0+2uqRjYv7Cfb5xpX4WuSC9UgQna3sqRGBL9EImX9PvTpMaQ7g==",
      "dependencies": {
-        "@octokit/oauth-authorization-url": "^6.0.2",
+        "@octokit/oauth-authorization-url": "^7.0.0",
-        "@octokit/request": "^8.0.2",
+        "@octokit/request": "^9.1.0",
-        "@octokit/request-error": "^5.0.0",
+        "@octokit/request-error": "^6.1.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.0.0"
        "btoa-lite": "^1.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/oauth-methods/node_modules/@octokit/endpoint": {
      "version": "10.1.1",
      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
      "dependencies": {
        "@octokit/types": "^13.0.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/oauth-methods/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/oauth-methods/node_modules/@octokit/request": {
      "version": "9.1.3",
      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-9.1.3.tgz",
      "integrity": "sha512-V+TFhu5fdF3K58rs1pGUJIDH5RZLbZm5BI+MNF+6o/ssFNT4vWlCh/tVpF3NxGtP15HUxTTMUbsG5llAuU2CZA==",
      "dependencies": {
        "@octokit/endpoint": "^10.0.0",
        "@octokit/request-error": "^6.0.1",
        "@octokit/types": "^13.1.0",
        "universal-user-agent": "^7.0.2"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/oauth-methods/node_modules/@octokit/request-error": {
      "version": "6.1.5",
      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-6.1.5.tgz",
      "integrity": "sha512-IlBTfGX8Yn/oFPMwSfvugfncK2EwRLjzbrpifNaMY8o/HTEAFqCA1FZxjD9cWvSKBHgrIhc4CSBIzMxiLsbzFQ==",
      "dependencies": {
        "@octokit/types": "^13.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/oauth-methods/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/oauth-methods/node_modules/universal-user-agent": {
      "version": "7.0.2",
      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
    },
    "node_modules/@octokit/openapi-types": {
      "version": "19.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.1.0.tgz",
@@ -5245,13 +5543,13 @@
      }
    },
    "node_modules/@octokit/request": {
-      "version": "8.1.6",
+      "version": "8.4.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.1.6.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.0.tgz",
-      "integrity": "sha512-YhPaGml3ncZC1NfXpP3WZ7iliL1ap6tLkAp6MvbK2fTTPytzVUyUesBBogcdMm86uRYO5rHaM1xIWxigWZ17MQ==",
+      "integrity": "sha512-9Bb014e+m2TgBeEJGEbdplMVWwPmL1FPtggHQRkV+WVsMggPtEkLKPlcVYm/o8xKLkpJ7B+6N8WfQMtDLX2Dpw==",
      "dependencies": {
-        "@octokit/endpoint": "^9.0.0",
+        "@octokit/endpoint": "^9.0.1",
-        "@octokit/request-error": "^5.0.0",
+        "@octokit/request-error": "^5.1.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.1.0",
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
@@ -5259,11 +5557,11 @@
      }
    },
    "node_modules/@octokit/request-error": {
-      "version": "5.0.1",
+      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz",
-      "integrity": "sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==",
+      "integrity": "sha512-GETXfE05J0+7H2STzekpKObFe765O5dlAKUTLNGeH+x47z7JjXHfsHKo5z21D/o/IOZTUEI6nyWyR+bZVP/n5Q==",
      "dependencies": {
-        "@octokit/types": "^12.0.0",
+        "@octokit/types": "^13.1.0",
        "deprecation": "^2.0.0",
        "once": "^1.4.0"
      },
@@ -5271,6 +5569,32 @@
        "node": ">= 18"
      }
    },
    "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/request-error/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/@octokit/request/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/@octokit/rest": {
      "version": "20.0.2",
      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-20.0.2.tgz",
@@ -7296,6 +7620,13 @@
        "@types/node": "*"
      }
    },
    "node_modules/@types/sjcl": {
      "version": "1.0.34",
      "resolved": "https://registry.npmjs.org/@types/sjcl/-/sjcl-1.0.34.tgz",
      "integrity": "sha512-bQHEeK5DTQRunIfQeUMgtpPsNNCcZyQ9MJuAfW1I7iN0LDunTc78Fu17STbLMd7KiEY/g2zHVApippa70h6HoQ==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@types/uuid": {
      "version": "9.0.7",
      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-9.0.7.tgz",
@@ -13008,6 +13339,12 @@
        "verror": "^1.10.1"
      }
    },
    "node_modules/ldif": {
      "version": "0.5.1",
      "resolved": "https://registry.npmjs.org/ldif/-/ldif-0.5.1.tgz",
      "integrity": "sha512-8s46m/r2lSFO2+DqMxqWiJ10iiL4tuR5LC/KndV+E5//OAOzOx5s3HS5O34PJ5+kyaCA+K2oCaEPaDRfXUnQow==",
      "license": "MIT"
    },
    "node_modules/leven": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/leven/-/leven-2.1.0.tgz",
@@ -14144,6 +14481,154 @@
        "@octokit/core": ">=5"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-app": {
      "version": "6.1.2",
      "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-6.1.2.tgz",
      "integrity": "sha512-fWjIOpxnL8/YFY3kqquciFQ4o99aCqHw5kMFoGPYbz/h5HNZ11dJlV9zag5wS2nt0X1wJ5cs9BUo+CsAPfW4jQ==",
      "dependencies": {
        "@octokit/auth-oauth-app": "^7.1.0",
        "@octokit/auth-oauth-user": "^4.1.0",
        "@octokit/request": "^8.3.1",
        "@octokit/request-error": "^5.1.0",
        "@octokit/types": "^13.1.0",
        "deprecation": "^2.3.1",
        "lru-cache": "^10.0.0",
        "universal-github-app-jwt": "^1.1.2",
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-app/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-app": {
      "version": "7.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-7.1.0.tgz",
      "integrity": "sha512-w+SyJN/b0l/HEb4EOPRudo7uUOSW51jcK1jwLa+4r7PA8FPFpoxEnHBHMITqCsc/3Vo2qqFjgQfz/xUUvsSQnA==",
      "dependencies": {
        "@octokit/auth-oauth-device": "^6.1.0",
        "@octokit/auth-oauth-user": "^4.1.0",
        "@octokit/request": "^8.3.1",
        "@octokit/types": "^13.0.0",
        "@types/btoa-lite": "^1.0.0",
        "btoa-lite": "^1.0.0",
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-app/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-device": {
      "version": "6.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-6.1.0.tgz",
      "integrity": "sha512-FNQ7cb8kASufd6Ej4gnJ3f1QB5vJitkoV1O0/g6e6lUsQ7+VsSNRHRmFScN2tV4IgKA12frrr/cegUs0t+0/Lw==",
      "dependencies": {
        "@octokit/oauth-methods": "^4.1.0",
        "@octokit/request": "^8.3.1",
        "@octokit/types": "^13.0.0",
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-device/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-user": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-4.1.0.tgz",
      "integrity": "sha512-FrEp8mtFuS/BrJyjpur+4GARteUCrPeR/tZJzD8YourzoVhRics7u7we/aDcKv+yywRNwNi/P4fRi631rG/OyQ==",
      "dependencies": {
        "@octokit/auth-oauth-device": "^6.1.0",
        "@octokit/oauth-methods": "^4.1.0",
        "@octokit/request": "^8.3.1",
        "@octokit/types": "^13.0.0",
        "btoa-lite": "^1.0.0",
        "universal-user-agent": "^6.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/auth-oauth-user/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/oauth-authorization-url": {
      "version": "6.0.2",
      "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-6.0.2.tgz",
      "integrity": "sha512-CdoJukjXXxqLNK4y/VOiVzQVjibqoj/xHgInekviUJV73y/BSIcwvJ/4aNHPBPKcPWFnd4/lO9uqRV65jXhcLA==",
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/oauth-methods": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-4.1.0.tgz",
      "integrity": "sha512-4tuKnCRecJ6CG6gr0XcEXdZtkTDbfbnD5oaHBmLERTjTMZNi2CbfEHZxPU41xXLDG4DfKf+sonu00zvKI9NSbw==",
      "dependencies": {
        "@octokit/oauth-authorization-url": "^6.0.2",
        "@octokit/request": "^8.3.1",
        "@octokit/request-error": "^5.1.0",
        "@octokit/types": "^13.0.0",
        "btoa-lite": "^1.0.0"
      },
      "engines": {
        "node": ">= 18"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/oauth-methods/node_modules/@octokit/types": {
      "version": "13.6.1",
      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
      "dependencies": {
        "@octokit/openapi-types": "^22.2.0"
      }
    },
    "node_modules/octokit-auth-probot/node_modules/@octokit/openapi-types": {
      "version": "22.2.0",
      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
    },
    "node_modules/octokit-auth-probot/node_modules/lru-cache": {
      "version": "10.4.3",
      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
    },
    "node_modules/octokit-auth-probot/node_modules/universal-github-app-jwt": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-1.2.0.tgz",
      "integrity": "sha512-dncpMpnsKBk0eetwfN8D8OUHGfiDhhJ+mtsbMl+7PfW7mYjiH8LIcqRmYMtzYLgSh47HjfdBtrBwIQ/gizKR3g==",
      "dependencies": {
        "@types/jsonwebtoken": "^9.0.0",
        "jsonwebtoken": "^9.0.2"
      }
    },
    "node_modules/oidc-token-hash": {
      "version": "5.0.3",
      "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz",
@@ -16397,6 +16882,15 @@
        "node": ">=10"
      }
    },
    "node_modules/sjcl": {
      "version": "1.0.8",
      "resolved": "https://registry.npmjs.org/sjcl/-/sjcl-1.0.8.tgz",
      "integrity": "sha512-LzIjEQ0S0DpIgnxMEayM1rq9aGwGRG4OnZhCdjx7glTaJtf4zRfpg87ImfjSJjoW9vKpagd82McDOwbRT5kQKQ==",
      "license": "(BSD-2-Clause OR GPL-2.0-only)",
      "engines": {
        "node": "*"
      }
    },
    "node_modules/slash": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz",
@@ -16579,6 +17073,15 @@
      "resolved": "https://registry.npmjs.org/stream-shift/-/stream-shift-1.0.3.tgz",
      "integrity": "sha512-76ORR0DO1o1hlKwTbi/DM3EXWGf3ZJYO8cXX5RJwnul2DEg2oyoZyjLNoQM8WsvZiFKCRfC1O0J7iCvie3RZmQ=="
    },
    "node_modules/stream-wormhole": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/stream-wormhole/-/stream-wormhole-1.1.0.tgz",
      "integrity": "sha512-gHFfL3px0Kctd6Po0M8TzEvt3De/xu6cnRrjlfYNhwbhLPLwigI2t1nc6jrzNuaYg5C4YF78PPFuQPzRiqn9ew==",
      "license": "MIT",
      "engines": {
        "node": ">=4.0.0"
      }
    },
    "node_modules/string_decoder": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
@@ -17874,12 +18377,14 @@
    "node_modules/tweetnacl": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz",
-      "integrity": "sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw=="
+      "integrity": "sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw==",
      "license": "Unlicense"
    },
    "node_modules/tweetnacl-util": {
      "version": "0.15.1",
      "resolved": "https://registry.npmjs.org/tweetnacl-util/-/tweetnacl-util-0.15.1.tgz",
-      "integrity": "sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw=="
+      "integrity": "sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw==",
      "license": "Unlicense"
    },
    "node_modules/type-check": {
      "version": "0.4.0",
@@ -18116,13 +18621,9 @@
      }
    },
    "node_modules/universal-github-app-jwt": {
-      "version": "1.1.2",
+      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-1.1.2.tgz",
+      "resolved": "https://registry.npmjs.org/universal-github-app-jwt/-/universal-github-app-jwt-2.2.0.tgz",
-      "integrity": "sha512-t1iB2FmLFE+yyJY9+3wMx0ejB+MQpEVkH0gQv7dR6FZyltyq+ZZO0uDpbopxhrZ3SLEO4dCEkIujOMldEQ2iOA==",
+      "integrity": "sha512-G5o6f95b5BggDGuUfKDApKaCgNYy2x7OdHY0zSMF081O0EJobw+1130VONhrA7ezGSV2FNOGyM+KQpQZAr9bIQ=="
      "dependencies": {
        "@types/jsonwebtoken": "^9.0.0",
        "jsonwebtoken": "^9.0.2"
      }
    },
    "node_modules/universal-user-agent": {
      "version": "6.0.1",
--- a/backend/package.json
+++ b/backend/package.json
@@ -45,13 +45,19 @@
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
    "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
    "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
@@ -80,6 +86,7 @@
    "@types/prompt-sync": "^4.2.3",
    "@types/resolve": "^1.20.6",
    "@types/safe-regex": "^1.1.6",
    "@types/sjcl": "^1.0.34",
    "@types/uuid": "^9.0.7",
    "@typescript-eslint/eslint-plugin": "^6.20.0",
    "@typescript-eslint/parser": "^6.20.0",
@@ -118,12 +125,14 @@
    "@fastify/etag": "^5.1.0",
    "@fastify/formbody": "^7.4.0",
    "@fastify/helmet": "^11.1.1",
    "@fastify/multipart": "8.3.0",
    "@fastify/passport": "^2.4.0",
    "@fastify/rate-limit": "^9.0.0",
    "@fastify/session": "^10.7.0",
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/auth-app": "^7.1.1",
    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
@@ -158,6 +167,7 @@
    "jwks-rsa": "^3.1.0",
    "knex": "^3.0.1",
    "ldapjs": "^3.0.7",
    "ldif": "0.5.1",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
    "mongodb": "^6.8.1",
@@ -182,6 +192,7 @@
    "safe-regex": "^2.1.1",
    "scim-patch": "^0.8.3",
    "scim2-parse-filter": "^0.2.10",
    "sjcl": "^1.0.8",
    "smee-client": "^2.0.0",
    "tedious": "^18.2.1",
    "tweetnacl": "^1.0.3",
--- a/backend/scripts/generate-schema-types.ts
+++ b/backend/scripts/generate-schema-types.ts
@@ -90,7 +90,12 @@ const main = async () => {
      .whereRaw("table_schema =  current_schema()")
      .select<{ tableName: string }[]>("table_name as tableName")
      .orderBy("table_name")
-  ).filter((el) => !el.tableName.includes("_migrations"));
+  ).filter(
    (el) =>
      !el.tableName.includes("_migrations") &&
      !el.tableName.includes("audit_logs_") &&
      el.tableName !== "intermediate_audit_logs"
  );
  for (let i = 0; i < tables.length; i += 1) {
    const { tableName } = tables[i];
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -38,6 +38,9 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@@ -181,6 +184,9 @@ declare module "fastify" {
      orgAdmin: TOrgAdminServiceFactory;
      slack: TSlackServiceFactory;
      workflowIntegration: TWorkflowIntegrationServiceFactory;
      cmek: TCmekServiceFactory;
      migration: TExternalMigrationServiceFactory;
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -101,6 +101,9 @@ import {
  TIdentityKubernetesAuths,
  TIdentityKubernetesAuthsInsert,
  TIdentityKubernetesAuthsUpdate,
  TIdentityMetadata,
  TIdentityMetadataInsert,
  TIdentityMetadataUpdate,
  TIdentityOidcAuths,
  TIdentityOidcAuthsInsert,
  TIdentityOidcAuthsUpdate,
@@ -333,6 +336,11 @@ import {
  TWorkflowIntegrationsInsert,
  TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
 import {
  TExternalGroupOrgRoleMappings,
  TExternalGroupOrgRoleMappingsInsert,
  TExternalGroupOrgRoleMappingsUpdate
 } from "@app/db/schemas/external-group-org-role-mappings";
 import {
  TSecretV2TagJunction,
  TSecretV2TagJunctionInsert,
@@ -546,6 +554,11 @@ declare module "knex/types/tables" {
      TIdentityUniversalAuthsInsert,
      TIdentityUniversalAuthsUpdate
    >;
    [TableName.IdentityMetadata]: KnexOriginal.CompositeTableType<
      TIdentityMetadata,
      TIdentityMetadataInsert,
      TIdentityMetadataUpdate
    >;
    [TableName.IdentityKubernetesAuth]: KnexOriginal.CompositeTableType<
      TIdentityKubernetesAuths,
      TIdentityKubernetesAuthsInsert,
@@ -800,5 +813,10 @@ declare module "knex/types/tables" {
      TWorkflowIntegrationsInsert,
      TWorkflowIntegrationsUpdate
    >;
    [TableName.ExternalGroupOrgRoleMapping]: KnexOriginal.CompositeTableType<
      TExternalGroupOrgRoleMappings,
      TExternalGroupOrgRoleMappingsInsert,
      TExternalGroupOrgRoleMappingsUpdate
    >;
  }
 }
--- a/backend/src/@types/ldif.d.ts
+++ b/backend/src/@types/ldif.d.ts
@@ -0,0 +1,4 @@
 declare module "ldif" {
  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, the function returns `any`.
  function parse(input: string, ...args: any[]): any;
 }
--- a/backend/src/db/auditlog-knexfile.ts
+++ b/backend/src/db/auditlog-knexfile.ts
@@ -0,0 +1,75 @@
 // eslint-disable-next-line
 import "ts-node/register";
 import dotenv from "dotenv";
 import type { Knex } from "knex";
 import path from "path";
 // Update with your config settings. .
 dotenv.config({
  path: path.join(__dirname, "../../../.env.migration")
 });
 dotenv.config({
  path: path.join(__dirname, "../../../.env")
 });
 if (!process.env.AUDIT_LOGS_DB_CONNECTION_URI && !process.env.AUDIT_LOGS_DB_HOST) {
  console.info("Dedicated audit log database not found. No further migrations necessary");
  process.exit(0);
 }
 console.info("Executing migration on audit log database...");
 export default {
  development: {
    client: "postgres",
    connection: {
      connectionString: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
      host: process.env.AUDIT_LOGS_DB_HOST,
      port: process.env.AUDIT_LOGS_DB_PORT,
      user: process.env.AUDIT_LOGS_DB_USER,
      database: process.env.AUDIT_LOGS_DB_NAME,
      password: process.env.AUDIT_LOGS_DB_PASSWORD,
      ssl: process.env.AUDIT_LOGS_DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
            ca: Buffer.from(process.env.AUDIT_LOGS_DB_ROOT_CERT, "base64").toString("ascii")
          }
        : false
    },
    pool: {
      min: 2,
      max: 10
    },
    seeds: {
      directory: "./seeds"
    },
    migrations: {
      tableName: "infisical_migrations"
    }
  },
  production: {
    client: "postgres",
    connection: {
      connectionString: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
      host: process.env.AUDIT_LOGS_DB_HOST,
      port: process.env.AUDIT_LOGS_DB_PORT,
      user: process.env.AUDIT_LOGS_DB_USER,
      database: process.env.AUDIT_LOGS_DB_NAME,
      password: process.env.AUDIT_LOGS_DB_PASSWORD,
      ssl: process.env.AUDIT_LOGS_DB_ROOT_CERT
        ? {
            rejectUnauthorized: true,
            ca: Buffer.from(process.env.AUDIT_LOGS_DB_ROOT_CERT, "base64").toString("ascii")
          }
        : false
    },
    pool: {
      min: 2,
      max: 10
    },
    migrations: {
      tableName: "infisical_migrations"
    }
  }
 } as Knex.Config;
--- a/backend/src/db/index.ts
+++ b/backend/src/db/index.ts
@@ -1,2 +1,2 @@
 export type { TDbClient } from "./instance";
-export { initDbConnection } from "./instance";
+export { initAuditLogDbConnection, initDbConnection } from "./instance";
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@@ -70,3 +70,45 @@ export const initDbConnection = ({
  return db;
 };
 export const initAuditLogDbConnection = ({
  dbConnectionUri,
  dbRootCert
 }: {
  dbConnectionUri: string;
  dbRootCert?: string;
 }) => {
  // akhilmhdh: the default Knex is knex.Knex<any, any[]>. but when assigned with knex({<config>}) the value is knex.Knex<any, unknown[]>
  // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[]
  // eslint-disable-next-line
  const db: Knex<any, unknown[]> = knex({
    client: "pg",
    connection: {
      connectionString: dbConnectionUri,
      host: process.env.AUDIT_LOGS_DB_HOST,
      // @ts-expect-error I have no clue why only for the port there is a type error
      // eslint-disable-next-line
      port: process.env.AUDIT_LOGS_DB_PORT,
      user: process.env.AUDIT_LOGS_DB_USER,
      database: process.env.AUDIT_LOGS_DB_NAME,
      password: process.env.AUDIT_LOGS_DB_PASSWORD,
      ssl: dbRootCert
        ? {
            rejectUnauthorized: true,
            ca: Buffer.from(dbRootCert, "base64").toString("ascii")
          }
        : false
    }
  });
  // we add these overrides so that auditLogDb and the primary DB are interchangeable
  db.primaryNode = () => {
    return db;
  };
  db.replicaNode = () => {
    return db;
  };
  return db;
 };
--- a/backend/src/db/manual-migrations/partition-audit-logs.ts
+++ b/backend/src/db/manual-migrations/partition-audit-logs.ts
@@ -0,0 +1,161 @@
 import kx, { Knex } from "knex";
 import { TableName } from "../schemas";
 const INTERMEDIATE_AUDIT_LOG_TABLE = "intermediate_audit_logs";
 const formatPartitionDate = (date: Date) => {
  const year = date.getFullYear();
  const month = String(date.getMonth() + 1).padStart(2, "0");
  const day = String(date.getDate()).padStart(2, "0");
  return `${year}-${month}-${day}`;
 };
 const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Date) => {
  const startDateStr = formatPartitionDate(startDate);
  const endDateStr = formatPartitionDate(endDate);
  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;
  await knex.schema.raw(
    `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`
  );
 };
 const up = async (knex: Knex): Promise<void> => {
  console.info("Dropping primary key of audit log table...");
  await knex.schema.alterTable(TableName.AuditLog, (t) => {
    // remove existing keys
    t.dropPrimary();
  });
  // Get all indices of the audit log table and drop them
  const indexNames: { rows: { indexname: string }[] } = await knex.raw(
    `
    SELECT indexname
    FROM pg_indexes
    WHERE tablename = '${TableName.AuditLog}'
  `
  );
  console.log(
    "Deleting existing audit log indices:",
    indexNames.rows.map((e) => e.indexname)
  );
  for await (const row of indexNames.rows) {
    await knex.raw(`DROP INDEX IF EXISTS ${row.indexname}`);
  }
  // renaming audit log to intermediate table
  console.log("Renaming audit log table to the intermediate name");
  await knex.schema.renameTable(TableName.AuditLog, INTERMEDIATE_AUDIT_LOG_TABLE);
  if (!(await knex.schema.hasTable(TableName.AuditLog))) {
    const createTableSql = knex.schema
      .createTable(TableName.AuditLog, (t) => {
        t.uuid("id").defaultTo(knex.fn.uuid());
        t.string("actor").notNullable();
        t.jsonb("actorMetadata").notNullable();
        t.string("ipAddress");
        t.string("eventType").notNullable();
        t.jsonb("eventMetadata");
        t.string("userAgent");
        t.string("userAgentType");
        t.datetime("expiresAt");
        t.timestamps(true, true, true);
        t.uuid("orgId");
        t.string("projectId");
        t.string("projectName");
        t.primary(["id", "createdAt"]);
      })
      .toString();
    console.info("Creating partition table...");
    await knex.schema.raw(`
        ${createTableSql} PARTITION BY RANGE ("createdAt");
    `);
    console.log("Adding indices...");
    await knex.schema.alterTable(TableName.AuditLog, (t) => {
      t.index(["projectId", "createdAt"]);
      t.index(["orgId", "createdAt"]);
      t.index("expiresAt");
      t.index("orgId");
      t.index("projectId");
    });
    console.log("Adding GIN indices...");
    await knex.raw(
      `CREATE INDEX IF NOT EXISTS "audit_logs_actorMetadata_idx" ON ${TableName.AuditLog} USING gin("actorMetadata" jsonb_path_ops)`
    );
    console.log("GIN index for actorMetadata done");
    await knex.raw(
      `CREATE INDEX IF NOT EXISTS "audit_logs_eventMetadata_idx" ON ${TableName.AuditLog} USING gin("eventMetadata" jsonb_path_ops)`
    );
    console.log("GIN index for eventMetadata done");
    // create default partition
    console.log("Creating default partition...");
    await knex.schema.raw(`CREATE TABLE ${TableName.AuditLog}_default PARTITION OF ${TableName.AuditLog} DEFAULT`);
    const nextDate = new Date();
    nextDate.setDate(nextDate.getDate() + 1);
    const nextDateStr = formatPartitionDate(nextDate);
    console.log("Attaching existing audit log table as a partition...");
    await knex.schema.raw(`
    ALTER TABLE ${INTERMEDIATE_AUDIT_LOG_TABLE} ADD CONSTRAINT audit_log_old
    CHECK ( "createdAt" < DATE '${nextDateStr}' );
    ALTER TABLE ${TableName.AuditLog} ATTACH PARTITION ${INTERMEDIATE_AUDIT_LOG_TABLE}
    FOR VALUES FROM (MINVALUE) TO ('${nextDateStr}' );
    `);
    // create partition from now until end of month
    console.log("Creating audit log partitions ahead of time... next date:", nextDateStr);
    await createAuditLogPartition(knex, nextDate, new Date(nextDate.getFullYear(), nextDate.getMonth() + 1));
    // create partitions 4 years ahead
    const partitionMonths = 4 * 12;
    const partitionPromises: Promise<void>[] = [];
    for (let x = 1; x <= partitionMonths; x += 1) {
      partitionPromises.push(
        createAuditLogPartition(
          knex,
          new Date(nextDate.getFullYear(), nextDate.getMonth() + x, 1),
          new Date(nextDate.getFullYear(), nextDate.getMonth() + (x + 1), 1)
        )
      );
    }
    await Promise.all(partitionPromises);
    console.log("Partition migration complete");
  }
 };
 export const executeMigration = async (url: string) => {
  console.log("Executing migration...");
  const knex = kx({
    client: "pg",
    connection: url
  });
  await knex.transaction(async (tx) => {
    await up(tx);
  });
 };
 const dbUrl = process.env.AUDIT_LOGS_DB_CONNECTION_URI;
 if (!dbUrl) {
  console.error("Please provide a DB connection URL to the AUDIT_LOGS_DB_CONNECTION_URI env");
  process.exit(1);
 }
 void executeMigration(dbUrl).then(() => {
  console.log("Migration: partition-audit-logs DONE");
  process.exit(0);
 });
--- a/backend/src/db/migrations/20240918005344_add-group-approvals.ts
+++ b/backend/src/db/migrations/20240918005344_add-group-approvals.ts
@@ -3,34 +3,74 @@ import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  const hasAccessApproverGroupId = await knex.schema.hasColumn(
    TableName.AccessApprovalPolicyApprover,
    "approverGroupId"
  );
  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
  const hasSecretApproverGroupId = await knex.schema.hasColumn(
    TableName.SecretApprovalPolicyApprover,
    "approverGroupId"
  );
  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
    // add column approverGroupId to AccessApprovalPolicyApprover
    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
-      // make nullable
+      // add column approverGroupId to AccessApprovalPolicyApprover
      if (!hasAccessApproverGroupId) {
        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
      }
      // make approverUserId nullable
      if (hasAccessApproverUserId) {
        table.uuid("approverUserId").nullable().alter();
      }
    });
    // add column approverGroupId to SecretApprovalPolicyApprover
    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
-      table.uuid("approverGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      // add column approverGroupId to SecretApprovalPolicyApprover
      if (!hasSecretApproverGroupId) {
        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
      }
      // make approverUserId nullable
      if (hasSecretApproverUserId) {
        table.uuid("approverUserId").nullable().alter();
      }
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const hasAccessApproverGroupId = await knex.schema.hasColumn(
    TableName.AccessApprovalPolicyApprover,
    "approverGroupId"
  );
  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
  const hasSecretApproverGroupId = await knex.schema.hasColumn(
    TableName.SecretApprovalPolicyApprover,
    "approverGroupId"
  );
  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
    // remove
    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
      if (hasAccessApproverGroupId) {
        table.dropColumn("approverGroupId");
      }
      // make approverUserId not nullable
      if (hasAccessApproverUserId) {
        table.uuid("approverUserId").notNullable().alter();
      }
    });
    // remove
    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
      if (hasSecretApproverGroupId) {
        table.dropColumn("approverGroupId");
      }
      // make approverUserId not nullable
      if (hasSecretApproverUserId) {
        table.uuid("approverUserId").notNullable().alter();
      }
    });
  }
 }
--- a/backend/src/db/migrations/20240924100329_identity-metadata.ts
+++ b/backend/src/db/migrations/20240924100329_identity-metadata.ts
@@ -0,0 +1,24 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasTable(TableName.IdentityMetadata))) {
    await knex.schema.createTable(TableName.IdentityMetadata, (tb) => {
      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      tb.string("key").notNullable();
      tb.string("value").notNullable();
      tb.uuid("orgId").notNullable();
      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      tb.uuid("userId");
      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
      tb.uuid("identityId");
      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
      tb.timestamps(true, true, true);
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  await knex.schema.dropTableIfExists(TableName.IdentityMetadata);
 }
--- a/backend/src/db/migrations/20240925100349_managed-secret-sharing.ts
+++ b/backend/src/db/migrations/20240925100349_managed-secret-sharing.ts
@@ -0,0 +1,30 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.SecretSharing)) {
    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
      t.string("iv").nullable().alter();
      t.string("tag").nullable().alter();
      t.string("encryptedValue").nullable().alter();
      t.binary("encryptedSecret").nullable();
      t.string("hashedHex").nullable().alter();
      t.string("identifier", 64).nullable();
      t.unique("identifier");
      t.index("identifier");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.SecretSharing)) {
    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
      t.dropColumn("encryptedSecret");
      t.dropColumn("identifier");
    });
  }
 }
--- a/backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts
+++ b/backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts
@@ -0,0 +1,19 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed"))) {
    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
      tb.datetime("lastUsed");
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed")) {
    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
      tb.dropColumn("lastUsed");
    });
  }
 }
--- a/backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts
+++ b/backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts
@@ -0,0 +1,46 @@
 import { Knex } from "knex";
 import { dropConstraintIfExists } from "@app/db/migrations/utils/dropConstraintIfExists";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
    // drop constraint if exists (won't exist if rolled back, see below)
    await dropConstraintIfExists(TableName.KmsKey, "kms_keys_orgid_slug_unique", knex);
    // projectId for CMEK functionality
    await knex.schema.alterTable(TableName.KmsKey, (table) => {
      table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
      if (hasOrgId) {
        table.unique(["orgId", "projectId", "slug"]);
      }
      if (hasSlug) {
        table.renameColumn("slug", "name");
      }
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
    const hasName = await knex.schema.hasColumn(TableName.KmsKey, "name");
    // remove projectId for CMEK functionality
    await knex.schema.alterTable(TableName.KmsKey, (table) => {
      if (hasName) {
        table.renameColumn("name", "slug");
      }
      if (hasOrgId) {
        table.dropUnique(["orgId", "projectId", "slug"]);
      }
      table.dropColumn("projectId");
    });
  }
 }
--- a/backend/src/db/migrations/20241005170802_kms-keys-temp-slug-col.ts
+++ b/backend/src/db/migrations/20241005170802_kms-keys-temp-slug-col.ts
@@ -0,0 +1,30 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
    if (!hasSlug) {
      // add slug back temporarily and set value equal to name
      await knex.schema
        .alterTable(TableName.KmsKey, (table) => {
          table.string("slug", 32);
        })
        .then(() => knex(TableName.KmsKey).update("slug", knex.ref("name")));
    }
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.KmsKey)) {
    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
    if (hasSlug) {
      await knex.schema.alterTable(TableName.KmsKey, (table) => {
        table.dropColumn("slug");
      });
    }
  }
 }
--- a/backend/src/db/migrations/20241007052025_make-audit-log-independent.ts
+++ b/backend/src/db/migrations/20241007052025_make-audit-log-independent.ts
@@ -0,0 +1,48 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.AuditLog)) {
    const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
    const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
    const doesProjectNameExist = await knex.schema.hasColumn(TableName.AuditLog, "projectName");
    await knex.schema.alterTable(TableName.AuditLog, (t) => {
      if (doesOrgIdExist) {
        t.dropForeign("orgId");
      }
      if (doesProjectIdExist) {
        t.dropForeign("projectId");
      }
      // add normalized field
      if (!doesProjectNameExist) {
        t.string("projectName");
      }
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
  const doesProjectNameExist = await knex.schema.hasColumn(TableName.AuditLog, "projectName");
  if (await knex.schema.hasTable(TableName.AuditLog)) {
    await knex.schema.alterTable(TableName.AuditLog, (t) => {
      if (doesOrgIdExist) {
        t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      }
      if (doesProjectIdExist) {
        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
      }
      // remove normalized field
      if (doesProjectNameExist) {
        t.dropColumn("projectName");
      }
    });
  }
 }
--- a/backend/src/db/migrations/20241007202149_default-org-membership-roles.ts
+++ b/backend/src/db/migrations/20241007202149_default-org-membership-roles.ts
@@ -0,0 +1,29 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export async function up(knex: Knex): Promise<void> {
  // org default role
  if (await knex.schema.hasTable(TableName.Organization)) {
    const hasDefaultRoleCol = await knex.schema.hasColumn(TableName.Organization, "defaultMembershipRole");
    if (!hasDefaultRoleCol) {
      await knex.schema.alterTable(TableName.Organization, (tb) => {
        tb.string("defaultMembershipRole").notNullable().defaultTo("member");
      });
    }
  }
 }
 export async function down(knex: Knex): Promise<void> {
  // org default role
  if (await knex.schema.hasTable(TableName.Organization)) {
    const hasDefaultRoleCol = await knex.schema.hasColumn(TableName.Organization, "defaultMembershipRole");
    if (hasDefaultRoleCol) {
      await knex.schema.alterTable(TableName.Organization, (tb) => {
        tb.dropColumn("defaultMembershipRole");
      });
    }
  }
 }
--- a/backend/src/db/migrations/20241015084434_increase-identity-metadata-col-length.ts
+++ b/backend/src/db/migrations/20241015084434_increase-identity-metadata-col-length.ts
@@ -0,0 +1,19 @@
 import { Knex } from "knex";
 import { TableName } from "../schemas";
 export async function up(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
      t.string("value", 1020).alter();
    });
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
      t.string("value", 255).alter();
    });
  }
 }
--- a/backend/src/db/migrations/20241015145450_external-group-org-role-mapping.ts
+++ b/backend/src/db/migrations/20241015145450_external-group-org-role-mapping.ts
@@ -0,0 +1,32 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
 export async function up(knex: Knex): Promise<void> {
  // add external group to org role mapping table
  if (!(await knex.schema.hasTable(TableName.ExternalGroupOrgRoleMapping))) {
    await knex.schema.createTable(TableName.ExternalGroupOrgRoleMapping, (t) => {
      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
      t.string("groupName").notNullable();
      t.index("groupName");
      t.string("role").notNullable();
      t.uuid("roleId");
      t.foreign("roleId").references("id").inTable(TableName.OrgRoles);
      t.uuid("orgId").notNullable();
      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
      t.timestamps(true, true, true);
      t.unique(["orgId", "groupName"]);
    });
    await createOnUpdateTrigger(knex, TableName.ExternalGroupOrgRoleMapping);
  }
 }
 export async function down(knex: Knex): Promise<void> {
  if (await knex.schema.hasTable(TableName.ExternalGroupOrgRoleMapping)) {
    await dropOnUpdateTrigger(knex, TableName.ExternalGroupOrgRoleMapping);
    await knex.schema.dropTable(TableName.ExternalGroupOrgRoleMapping);
  }
 }
--- a/backend/src/db/migrations/utils/dropConstraintIfExists.ts
+++ b/backend/src/db/migrations/utils/dropConstraintIfExists.ts
@@ -0,0 +1,6 @@
 import { Knex } from "knex";
 import { TableName } from "@app/db/schemas";
 export const dropConstraintIfExists = (tableName: TableName, constraintName: string, knex: Knex) =>
  knex.raw(`ALTER TABLE ${tableName} DROP CONSTRAINT IF EXISTS ${constraintName};`);
--- a/backend/src/db/migrations/utils/kms.ts
+++ b/backend/src/db/migrations/utils/kms.ts
@@ -54,7 +54,7 @@ export const getSecretManagerDataKey = async (knex: Knex, projectId: string) =>
  } else {
    const [kmsDoc] = await knex(TableName.KmsKey)
      .insert({
-        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
+        name: slugify(alphaNumericNanoId(8).toLowerCase()),
        orgId: project.orgId,
        isReserved: false
      })
--- a/backend/src/db/schemas/audit-logs.ts
+++ b/backend/src/db/schemas/audit-logs.ts
@@ -20,7 +20,8 @@ export const AuditLogsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  orgId: z.string().uuid().nullable().optional(),
-  projectId: z.string().nullable().optional()
+  projectId: z.string().nullable().optional(),
  projectName: z.string().nullable().optional()
 });
 export type TAuditLogs = z.infer<typeof AuditLogsSchema>;
--- a/backend/src/db/schemas/external-group-org-role-mappings.ts
+++ b/backend/src/db/schemas/external-group-org-role-mappings.ts
@@ -0,0 +1,27 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const ExternalGroupOrgRoleMappingsSchema = z.object({
  id: z.string().uuid(),
  groupName: z.string(),
  role: z.string(),
  roleId: z.string().uuid().nullable().optional(),
  orgId: z.string().uuid(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TExternalGroupOrgRoleMappings = z.infer<typeof ExternalGroupOrgRoleMappingsSchema>;
 export type TExternalGroupOrgRoleMappingsInsert = Omit<
  z.input<typeof ExternalGroupOrgRoleMappingsSchema>,
  TImmutableDBKeys
 >;
 export type TExternalGroupOrgRoleMappingsUpdate = Partial<
  Omit<z.input<typeof ExternalGroupOrgRoleMappingsSchema>, TImmutableDBKeys>
 >;
--- a/backend/src/db/schemas/identity-metadata.ts
+++ b/backend/src/db/schemas/identity-metadata.ts
@@ -0,0 +1,23 @@
 // Code generated by automation script, DO NOT EDIT.
 // Automated by pulling database and generating zod schema
 // To update. Just run npm run generate:schema
 // Written by akhilmhdh.
 import { z } from "zod";
 import { TImmutableDBKeys } from "./models";
 export const IdentityMetadataSchema = z.object({
  id: z.string().uuid(),
  key: z.string(),
  value: z.string(),
  orgId: z.string().uuid(),
  userId: z.string().uuid().nullable().optional(),
  identityId: z.string().uuid().nullable().optional(),
  createdAt: z.date(),
  updatedAt: z.date()
 });
 export type TIdentityMetadata = z.infer<typeof IdentityMetadataSchema>;
 export type TIdentityMetadataInsert = Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>;
 export type TIdentityMetadataUpdate = Partial<Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -31,6 +31,7 @@ export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
--- a/backend/src/db/schemas/kms-keys.ts
+++ b/backend/src/db/schemas/kms-keys.ts
@@ -13,9 +13,11 @@ export const KmsKeysSchema = z.object({
  isDisabled: z.boolean().default(false).nullable().optional(),
  isReserved: z.boolean().default(true).nullable().optional(),
  orgId: z.string().uuid(),
-  slug: z.string(),
+  name: z.string(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
  projectId: z.string().nullable().optional(),
  slug: z.string().nullable().optional()
 });
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -17,6 +17,7 @@ export enum TableName {
  Groups = "groups",
  GroupProjectMembership = "group_project_memberships",
  GroupProjectMembershipRole = "group_project_membership_roles",
  ExternalGroupOrgRoleMapping = "external_group_org_role_mappings",
  UserGroupMembership = "user_group_membership",
  UserAliases = "user_aliases",
  UserEncryptionKey = "user_encryption_keys",
@@ -70,6 +71,8 @@ export enum TableName {
  IdentityProjectMembership = "identity_project_memberships",
  IdentityProjectMembershipRole = "identity_project_membership_role",
  IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
  // used by both identity and users
  IdentityMetadata = "identity_metadata",
  ScimToken = "scim_tokens",
  AccessApprovalPolicy = "access_approval_policies",
  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
--- a/backend/src/db/schemas/oidc-configs.ts
+++ b/backend/src/db/schemas/oidc-configs.ts
@@ -26,7 +26,8 @@ export const OidcConfigsSchema = z.object({
  isActive: z.boolean(),
  createdAt: z.date(),
  updatedAt: z.date(),
-  orgId: z.string().uuid()
+  orgId: z.string().uuid(),
  lastUsed: z.date().nullable().optional()
 });
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -19,7 +19,8 @@ export const OrganizationsSchema = z.object({
  authEnforced: z.boolean().default(false).nullable().optional(),
  scimEnabled: z.boolean().default(false).nullable().optional(),
  kmsDefaultKeyId: z.string().uuid().nullable().optional(),
-  kmsEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
  defaultMembershipRole: z.string().default("member")
 });
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/secret-sharing.ts
+++ b/backend/src/db/schemas/secret-sharing.ts
@@ -5,14 +5,16 @@
 import { z } from "zod";
 import { zodBuffer } from "@app/lib/zod";
 import { TImmutableDBKeys } from "./models";
 export const SecretSharingSchema = z.object({
  id: z.string().uuid(),
-  encryptedValue: z.string(),
+  encryptedValue: z.string().nullable().optional(),
-  iv: z.string(),
+  iv: z.string().nullable().optional(),
-  tag: z.string(),
+  tag: z.string().nullable().optional(),
-  hashedHex: z.string(),
+  hashedHex: z.string().nullable().optional(),
  expiresAt: z.date(),
  userId: z.string().uuid().nullable().optional(),
  orgId: z.string().uuid().nullable().optional(),
@@ -22,7 +24,9 @@ export const SecretSharingSchema = z.object({
  accessType: z.string().default("anyone"),
  name: z.string().nullable().optional(),
  lastViewedAt: z.date().nullable().optional(),
-  password: z.string().nullable().optional()
+  password: z.string().nullable().optional(),
  encryptedSecret: zodBuffer.nullable().optional(),
  identifier: z.string().nullable().optional()
 });
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;
--- a/backend/src/ee/routes/v1/external-kms-router.ts
+++ b/backend/src/ee/routes/v1/external-kms-router.ts
@@ -26,7 +26,7 @@ const sanitizedExternalSchemaForGetAll = KmsKeysSchema.pick({
  isDisabled: true,
  createdAt: true,
  updatedAt: true,
-  slug: true
+  name: true
 })
  .extend({
    externalKms: ExternalKmsSchema.pick({
@@ -57,7 +57,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        slug: z.string().min(1).trim().toLowerCase(),
+        name: z.string().min(1).trim().toLowerCase(),
        description: z.string().trim().optional(),
        provider: ExternalKmsInputSchema
      }),
@@ -74,7 +74,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
        provider: req.body.provider,
        description: req.body.description
      });
@@ -87,7 +87,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          metadata: {
            kmsId: externalKms.id,
            provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
            description: req.body.description
          }
        }
@@ -108,7 +108,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        id: z.string().trim().min(1)
      }),
      body: z.object({
-        slug: z.string().min(1).trim().toLowerCase().optional(),
+        name: z.string().min(1).trim().toLowerCase().optional(),
        description: z.string().trim().optional(),
        provider: ExternalKmsInputUpdateSchema
      }),
@@ -125,7 +125,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
        provider: req.body.provider,
        description: req.body.description,
        id: req.params.id
@@ -139,7 +139,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          metadata: {
            kmsId: externalKms.id,
            provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
            description: req.body.description
          }
        }
@@ -182,7 +182,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          type: EventType.DELETE_KMS,
          metadata: {
            kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
          }
        }
      });
@@ -224,7 +224,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
          type: EventType.GET_KMS,
          metadata: {
            kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
          }
        }
      });
@@ -260,13 +260,13 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
  server.route({
    method: "GET",
-    url: "/slug/:slug",
+    url: "/name/:name",
    config: {
      rateLimit: readLimit
    },
    schema: {
      params: z.object({
-        slug: z.string().trim().min(1)
+        name: z.string().trim().min(1)
      }),
      response: {
        200: z.object({
@@ -276,12 +276,12 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
-      const externalKms = await server.services.externalKms.findBySlug({
+      const externalKms = await server.services.externalKms.findByName({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
-        slug: req.params.slug
+        name: req.params.name
      });
      return { externalKms };
    }
--- a/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
+++ b/backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts
@@ -5,7 +5,7 @@ import { z } from "zod";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -61,7 +61,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }
      const permission = privilegePermission
@@ -140,7 +140,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission } = req.body;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }
      const permission = privilegePermission
@@ -224,7 +224,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
    handler: async (req) => {
      const { permissions, privilegePermission, ...updatedInfo } = req.body.privilegeDetails;
      if (!permissions && !privilegePermission) {
-        throw new BadRequestError({ message: "Permission or privilegePermission must be provided" });
+        throw new UnauthorizedError({ message: "Permission or privilegePermission must be provided" });
      }
      const permission = privilegePermission
--- a/backend/src/ee/routes/v1/project-role-router.ts
+++ b/backend/src/ee/routes/v1/project-role-router.ts
@@ -3,10 +3,11 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
 import { ProjectPermissionSchema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ProjectPermissionSchema, SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/ee/routes/v1/project-router.ts
+++ b/backend/src/ee/routes/v1/project-router.ts
@@ -203,7 +203,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secretManagerKmsKey: z.object({
            id: z.string(),
-            slug: z.string(),
+            name: z.string(),
            isExternal: z.boolean()
          })
        })
@@ -243,7 +243,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secretManagerKmsKey: z.object({
            id: z.string(),
-            slug: z.string(),
+            name: z.string(),
            isExternal: z.boolean()
          })
        })
@@ -268,7 +268,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
          metadata: {
            secretManagerKmsKey: {
              id: secretManagerKmsKey.id,
-              slug: secretManagerKmsKey.slug
+              name: secretManagerKmsKey.name
            }
          }
        }
@@ -336,7 +336,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secretManagerKmsKey: z.object({
            id: z.string(),
-            slug: z.string(),
+            name: z.string(),
            isExternal: z.boolean()
          })
        })
--- a/backend/src/ee/routes/v1/rate-limit-router.ts
+++ b/backend/src/ee/routes/v1/rate-limit-router.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";
 import { RateLimitSchema } from "@app/db/schemas";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -29,7 +29,7 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
    handler: async () => {
      const rateLimit = await server.services.rateLimit.getRateLimits();
      if (!rateLimit) {
-        throw new BadRequestError({
+        throw new NotFoundError({
          name: "Get Rate Limit Error",
          message: "Rate limit configuration does not exist."
        });
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -61,7 +61,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
                id: samlConfigId
              };
            } else {
-              throw new BadRequestError({ message: "Missing sso identitier or org slug" });
+              throw new BadRequestError({ message: "Missing sso identifier or org slug" });
            }
            const ssoConfig = await server.services.saml.getSaml(ssoLookupDetails);
@@ -100,6 +100,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
      async (req, profile, cb) => {
        try {
          if (!profile) throw new BadRequestError({ message: "Missing profile" });
          const email =
            profile?.email ??
            // entra sends data in this format
@@ -123,6 +124,17 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
            );
          }
          const userMetadata = Object.keys(profile.attributes || {})
            .map((key) => {
              // for the ones like in format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
              const formatedKey = key.startsWith("http") ? key.split("/").at(-1) || "" : key;
              return {
                key: formatedKey,
                value: String((profile.attributes as Record<string, string>)[key]).substring(0, 1020)
              };
            })
            .filter((el) => el.key && !["email", "firstName", "lastName"].includes(el.key));
          const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
            externalId: profile.nameID,
            email,
@@ -130,7 +142,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
            lastName: lastName as string,
            relayState: (req.body as { RelayState?: string }).RelayState,
            authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
            metadata: userMetadata
          });
          cb(null, { isUserCompleted, providerAuthToken });
        } catch (error) {
--- a/backend/src/ee/routes/v1/scim-router.ts
+++ b/backend/src/ee/routes/v1/scim-router.ts
@@ -20,7 +20,7 @@ const ScimUserSchema = z.object({
      z.object({
        primary: z.boolean(),
        value: z.string().email(),
-        type: z.string().trim()
+        type: z.string().trim().default("work")
      })
    )
    .optional(),
@@ -210,8 +210,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
          .array(
            z.object({
              primary: z.boolean(),
-              value: z.string().email(),
+              value: z.string().email()
              type: z.string().trim()
            })
          )
          .optional(),
@@ -281,8 +280,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
          .array(
            z.object({
              primary: z.boolean(),
-              value: z.string().email(),
+              value: z.string().email()
              type: z.string().trim()
            })
          )
          .optional(),
@@ -301,7 +299,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
            z.object({
              primary: z.boolean(),
              value: z.string().email(),
-              type: z.string().trim()
+              type: z.string().trim().default("work")
            })
          ),
          displayName: z.string().trim(),
--- a/backend/src/ee/routes/v1/secret-scanning-router.ts
+++ b/backend/src/ee/routes/v1/secret-scanning-router.ts
@@ -2,6 +2,8 @@ import { z } from "zod";
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
 import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -23,6 +25,13 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
    },
    onRequest: verifyAuth([AuthMode.JWT]),
    handler: async (req) => {
      const appCfg = getConfig();
      if (!appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(req.auth.orgId)) {
        throw new BadRequestError({
          message: "Secret scanning is temporarily unavailable."
        });
      }
      const session = await server.services.secretScanning.createInstallationSession({
        actor: req.permission.type,
        actorId: req.permission.id,
@@ -30,6 +39,7 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
        actorOrgId: req.permission.orgId,
        orgId: req.body.organizationId
      });
      return session;
    }
  });
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts
@@ -1,12 +1,11 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers } from "./access-approval-policy-types";
+import { TIsApproversValid } from "./access-approval-policy-types";
-export const verifyApprovers = async ({
+export const isApproversValid = async ({
  userIds,
  projectId,
  orgId,
@@ -14,9 +13,9 @@ export const verifyApprovers = async ({
  actorAuthMethod,
  secretPath,
  permissionService
-}: TVerifyApprovers) => {
+}: TIsApproversValid) => {
  for await (const userId of userIds) {
  try {
    for await (const userId of userIds) {
      const { permission: approverPermission } = await permissionService.getProjectPermission(
        ActorType.USER,
        userId,
@@ -29,8 +28,9 @@ export const verifyApprovers = async ({
        ProjectPermissionActions.Create,
        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
      );
    } catch (err) {
      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
    }
  } catch {
    return false;
  }
  return true;
 };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts
@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -11,7 +11,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
+import { isApproversValid } from "./access-approval-policy-fns";
 import {
  ApproverType,
  TCreateAccessApprovalPolicy,
@@ -58,7 +58,7 @@ export const accessApprovalPolicyServiceFactory = ({
    enforcementLevel
  }: TCreateAccessApprovalPolicy) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    // If there is a group approver people might be added to the group later to meet the approvers quota
    const groupApprovers = approvers
@@ -89,7 +89,7 @@ export const accessApprovalPolicyServiceFactory = ({
      ProjectPermissionSub.SecretApproval
    );
    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });
    let approverUserIds = userApprovers;
    if (userApproverNames.length) {
@@ -132,7 +132,7 @@ export const accessApprovalPolicyServiceFactory = ({
      .map((user) => user.id);
    verifyAllApprovers.push(...verifyGroupApprovers);
-    await verifyApprovers({
+    const approversValid = await isApproversValid({
      projectId: project.id,
      orgId: actorOrgId,
      envSlug: environment,
@@ -142,6 +142,12 @@ export const accessApprovalPolicyServiceFactory = ({
      userIds: verifyAllApprovers
    });
    if (!approversValid) {
      throw new BadRequestError({
        message: "One or more approvers doesn't have access to be specified secret path"
      });
    }
    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await accessApprovalPolicyDAL.create(
        {
@@ -186,7 +192,7 @@ export const accessApprovalPolicyServiceFactory = ({
    projectSlug
  }: TListAccessApprovalPoliciesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    // Anyone in the project should be able to get the policies.
    /* const { permission } = */ await permissionService.getProjectPermission(
@@ -237,7 +243,7 @@ export const accessApprovalPolicyServiceFactory = ({
      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
    }
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!accessApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@@ -283,7 +289,7 @@ export const accessApprovalPolicyServiceFactory = ({
          userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
        }
-        await verifyApprovers({
+        const approversValid = await isApproversValid({
          projectId: accessApprovalPolicy.projectId,
          orgId: actorOrgId,
          envSlug: accessApprovalPolicy.environment.slug,
@@ -293,6 +299,12 @@ export const accessApprovalPolicyServiceFactory = ({
          userIds: userApproverIds
        });
        if (!approversValid) {
          throw new BadRequestError({
            message: "One or more approvers doesn't have access to be specified secret path"
          });
        }
        await accessApprovalPolicyApproverDAL.insertMany(
          userApproverIds.map((userId) => ({
            approverUserId: userId,
@@ -322,7 +334,7 @@ export const accessApprovalPolicyServiceFactory = ({
          .filter((user) => user.isPartOfGroup)
          .map((user) => user.id);
-        await verifyApprovers({
+        const approversValid = await isApproversValid({
          projectId: accessApprovalPolicy.projectId,
          orgId: actorOrgId,
          envSlug: accessApprovalPolicy.environment.slug,
@@ -331,6 +343,13 @@ export const accessApprovalPolicyServiceFactory = ({
          permissionService,
          userIds: verifyGroupApprovers
        });
        if (!approversValid) {
          throw new BadRequestError({
            message: "One or more approvers doesn't have access to be specified secret path"
          });
        }
        await accessApprovalPolicyApproverDAL.insertMany(
          groupApprovers.map((groupId) => ({
            approverGroupId: groupId,
@@ -357,7 +376,7 @@ export const accessApprovalPolicyServiceFactory = ({
    actorOrgId
  }: TDeleteAccessApprovalPolicy) => {
    const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!policy) throw new NotFoundError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -385,7 +404,7 @@ export const accessApprovalPolicyServiceFactory = ({
  }: TGetAccessPolicyCountByEnvironmentDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const { membership } = await permissionService.getProjectPermission(
      actor,
@@ -394,13 +413,15 @@ export const accessApprovalPolicyServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new BadRequestError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: "Environment not found" });
    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new BadRequestError({ message: "No policies found" });
+    if (!policies) throw new NotFoundError({ message: "No policies found" });
    return { count: policies.length };
  };
--- a/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
+++ b/backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts
@@ -3,7 +3,7 @@ import { ActorAuthMethod } from "@app/services/auth/auth-type";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-export type TVerifyApprovers = {
+export type TIsApproversValid = {
  userIds: string[];
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  envSlug: string;
--- a/backend/src/ee/services/access-approval-request/access-approval-request-fns.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-fns.ts
@@ -1,6 +1,6 @@
 import { PackRule, unpackRules } from "@casl/ability/extra";
-import { UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError } from "@app/lib/errors";
 import { TVerifyPermission } from "./access-approval-request-types";
@@ -19,7 +19,7 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
  );
  if (!permission || !permission.length) {
-    throw new UnauthorizedError({ message: "No permission provided" });
+    throw new BadRequestError({ message: "No permission provided" });
  }
  const requestedPermissions: string[] = [];
@@ -39,10 +39,10 @@ export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) =
  const permissionEnv = firstPermission.conditions?.environment;
  if (!permissionEnv || typeof permissionEnv !== "string") {
-    throw new UnauthorizedError({ message: "Permission environment is not a string" });
+    throw new BadRequestError({ message: "Permission environment is not a string" });
  }
  if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
-    throw new UnauthorizedError({ message: "Permission path is not a string" });
+    throw new BadRequestError({ message: "Permission path is not a string" });
  }
  return {
--- a/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
+++ b/backend/src/ee/services/access-approval-request/access-approval-request-service.ts
@@ -3,7 +3,7 @@ import ms from "ms";
 import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -17,7 +17,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { isApproversValid } from "../access-approval-policy/access-approval-policy-fns";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
@@ -99,7 +99,7 @@ export const accessApprovalRequestServiceFactory = ({
  }: TCreateAccessApprovalRequestDTO) => {
    const cfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    // Anyone can create an access approval request.
    const { membership } = await permissionService.getProjectPermission(
@@ -109,23 +109,25 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
    const requestedByUser = await userDAL.findById(actorId);
-    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
+    if (!requestedByUser) throw new ForbiddenRequestError({ message: "User not found" });
    await projectDAL.checkProjectUpgradeStatus(project.id);
    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
+    if (!environment) throw new NotFoundError({ message: "Environment not found" });
    const policy = await accessApprovalPolicyDAL.findOne({
      envId: environment.id,
      secretPath
    });
-    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
+    if (!policy) throw new NotFoundError({ message: "No policy matching criteria was found." });
    const approverIds: string[] = [];
    const approverGroupIds: string[] = [];
@@ -262,7 +264,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorAuthMethod
  }: TListApprovalRequestsDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const { membership } = await permissionService.getProjectPermission(
      actor,
@@ -271,7 +273,9 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
@@ -296,7 +300,7 @@ export const accessApprovalRequestServiceFactory = ({
    actorOrgId
  }: TReviewAccessRequestDTO) => {
    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!accessApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    const { policy } = accessApprovalRequest;
    const { membership, hasRole } = await permissionService.getProjectPermission(
@@ -307,19 +311,21 @@ export const accessApprovalRequestServiceFactory = ({
      actorOrgId
    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
+    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
    if (
      !hasRole(ProjectMembershipRole.Admin) &&
      accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
      !policy.approvers.find((approver) => approver.userId === actorId) // The request isn't performed by an assigned approver
    ) {
-      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
+      throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
    }
    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
-    await verifyApprovers({
+    const approversValid = await isApproversValid({
      projectId: accessApprovalRequest.projectId,
      orgId: actorOrgId,
      envSlug: accessApprovalRequest.environment,
@@ -329,6 +335,10 @@ export const accessApprovalRequestServiceFactory = ({
      userIds: [reviewerProjectMembership.userId]
    });
    if (!approversValid) {
      throw new ForbiddenRequestError({ message: "You don't have access to approve this request" });
    }
    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
@@ -411,7 +421,7 @@ export const accessApprovalRequestServiceFactory = ({
  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const { membership } = await permissionService.getProjectPermission(
      actor,
@@ -420,7 +430,9 @@ export const accessApprovalRequestServiceFactory = ({
      actorAuthMethod,
      actorOrgId
    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
+    if (!membership) {
      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
    }
    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
--- a/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
+++ b/backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts
@@ -5,7 +5,7 @@ import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { AUDIT_LOG_STREAM_TIMEOUT } from "../audit-log/audit-log-queue";
@@ -43,14 +43,15 @@ export const auditLogStreamServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TCreateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
    const appCfg = getConfig();
    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.auditLogStreams)
+    if (!plan.auditLogStreams) {
      throw new BadRequestError({
        message: "Failed to create audit log streams due to plan restriction. Upgrade plan to create group."
      });
    }
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -120,7 +121,7 @@ export const auditLogStreamServiceFactory = ({
    actorOrgId,
    actorAuthMethod
  }: TUpdateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
    const plan = await licenseService.getPlan(actorOrgId);
    if (!plan.auditLogStreams)
@@ -129,7 +130,7 @@ export const auditLogStreamServiceFactory = ({
      });
    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });
    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -178,10 +179,10 @@ export const auditLogStreamServiceFactory = ({
  };
  const deleteById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TDeleteAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });
    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -193,7 +194,7 @@ export const auditLogStreamServiceFactory = ({
  const getById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetDetailsAuditLogStreamDTO) => {
    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
+    if (!logStream) throw new NotFoundError({ message: "Audit log stream not found" });
    const { orgId } = logStream;
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
--- a/backend/src/ee/services/audit-log/audit-log-dal.ts
+++ b/backend/src/ee/services/audit-log/audit-log-dal.ts
@@ -1,8 +1,9 @@
-import { Knex } from "knex";
+// weird commonjs-related error in the CI requires us to do the import like this
 import knex from "knex";
 import { TDbClient } from "@app/db";
-import { AuditLogsSchema, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
+import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
@@ -46,7 +47,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
      eventType?: EventType[];
      eventMetadata?: Record<string, string>;
    },
-    tx?: Knex
+    tx?: knex.Knex
  ) => {
    if (!orgId && !projectId) {
      throw new Error("Either orgId or projectId must be provided");
@@ -55,11 +56,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
    try {
      // Find statements
      const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
        .leftJoin(TableName.Project, `${TableName.AuditLog}.projectId`, `${TableName.Project}.id`)
        // eslint-disable-next-line func-names
        .where(function () {
          if (orgId) {
-            void this.where(`${TableName.Project}.orgId`, orgId).orWhere(`${TableName.AuditLog}.orgId`, orgId);
+            void this.where(`${TableName.AuditLog}.orgId`, orgId);
          } else if (projectId) {
            void this.where(`${TableName.AuditLog}.projectId`, projectId);
          }
@@ -72,23 +72,19 @@ export const auditLogDALFactory = (db: TDbClient) => {
      // Select statements
      void sqlQuery
        .select(selectAllTableCols(TableName.AuditLog))
        .select(
          db.ref("name").withSchema(TableName.Project).as("projectName"),
          db.ref("slug").withSchema(TableName.Project).as("projectSlug")
        )
        .limit(limit)
        .offset(offset)
        .orderBy(`${TableName.AuditLog}.createdAt`, "desc");
      // Special case: Filter by actor ID
      if (actorId) {
-        void sqlQuery.whereRaw(`"actorMetadata"->>'userId' = ?`, [actorId]);
+        void sqlQuery.whereRaw(`"actorMetadata" @> jsonb_build_object('userId', ?::text)`, [actorId]);
      }
      // Special case: Filter by key/value pairs in eventMetadata field
      if (eventMetadata && Object.keys(eventMetadata).length) {
        Object.entries(eventMetadata).forEach(([key, value]) => {
-          void sqlQuery.whereRaw(`"eventMetadata"->>'${key}' = ?`, [value]);
+          void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object(?::text, ?::text)`, [key, value]);
        });
      }
@@ -109,30 +105,25 @@ export const auditLogDALFactory = (db: TDbClient) => {
      if (endDate) {
        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
      }
      const docs = await sqlQuery;
-      return docs.map((doc) => {
+      // we timeout long running queries to prevent DB resource issues (2 minutes)
-        // Our type system refuses to acknowledge that the project name and slug are present in the doc, due to the disjointed query structure above.
+      const docs = await sqlQuery.timeout(1000 * 120);
        // This is a quick and dirty way to get around the types.
        const projectDoc = doc as unknown as { projectName: string; projectSlug: string };
-        return {
+      return docs;
          ...AuditLogsSchema.parse(doc),
          ...(projectDoc?.projectSlug && {
            project: {
              name: projectDoc.projectName,
              slug: projectDoc.projectSlug
            }
          })
        };
      });
    } catch (error) {
      if (error instanceof knex.KnexTimeoutError) {
        throw new GatewayTimeoutError({
          error,
          message: "Failed to fetch audit logs due to timeout. Add more search filters."
        });
      }
      throw new DatabaseError({ error });
    }
  };
  // delete all audit log that have expired
-  const pruneAuditLog = async (tx?: Knex) => {
+  const pruneAuditLog = async (tx?: knex.Knex) => {
    const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
    const MAX_RETRY_ON_FAILURE = 3;
@@ -148,6 +139,7 @@ export const auditLogDALFactory = (db: TDbClient) => {
          .where("expiresAt", "<", today)
          .select("id")
          .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
        // eslint-disable-next-line no-await-in-loop
        deletedAuditLogIds = await (tx || db)(TableName.AuditLog)
          .whereIn("id", findExpiredLogSubQuery)
--- a/backend/src/ee/services/audit-log/audit-log-queue.ts
+++ b/backend/src/ee/services/audit-log/audit-log-queue.ts
@@ -74,6 +74,7 @@ export const auditLogQueueServiceFactory = ({
      actorMetadata: actor.metadata,
      userAgent,
      projectId,
      projectName: project?.name,
      ipAddress,
      orgId,
      eventType: event.type,
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -1,3 +1,4 @@
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
@@ -122,6 +123,7 @@ export enum EventType {
  UPDATE_WEBHOOK_STATUS = "update-webhook-status",
  DELETE_WEBHOOK = "delete-webhook",
  GET_SECRET_IMPORTS = "get-secret-imports",
  GET_SECRET_IMPORT = "get-secret-import",
  CREATE_SECRET_IMPORT = "create-secret-import",
  UPDATE_SECRET_IMPORT = "update-secret-import",
  DELETE_SECRET_IMPORT = "delete-secret-import",
@@ -182,7 +184,15 @@ export enum EventType {
  DELETE_SLACK_INTEGRATION = "delete-slack-integration",
  GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
  UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
-  INTEGRATION_SYNCED = "integration-synced"
+  INTEGRATION_SYNCED = "integration-synced",
  CREATE_CMEK = "create-cmek",
  UPDATE_CMEK = "update-cmek",
  DELETE_CMEK = "delete-cmek",
  GET_CMEKS = "get-cmeks",
  CMEK_ENCRYPT = "cmek-encrypt",
  CMEK_DECRYPT = "cmek-decrypt",
  UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping"
 }
 interface UserActorMetadata {
@@ -1004,6 +1014,14 @@ interface GetSecretImportsEvent {
  };
 }
 interface GetSecretImportEvent {
  type: EventType.GET_SECRET_IMPORT;
  metadata: {
    secretImportId: string;
    folderId: string;
  };
 }
 interface CreateSecretImportEvent {
  type: EventType.CREATE_SECRET_IMPORT;
  metadata: {
@@ -1350,7 +1368,7 @@ interface CreateKmsEvent {
  metadata: {
    kmsId: string;
    provider: string;
-    slug: string;
+    name: string;
    description?: string;
  };
 }
@@ -1359,7 +1377,7 @@ interface DeleteKmsEvent {
  type: EventType.DELETE_KMS;
  metadata: {
    kmsId: string;
-    slug: string;
+    name: string;
  };
 }
@@ -1368,7 +1386,7 @@ interface UpdateKmsEvent {
  metadata: {
    kmsId: string;
    provider: string;
-    slug?: string;
+    name?: string;
    description?: string;
  };
 }
@@ -1377,7 +1395,7 @@ interface GetKmsEvent {
  type: EventType.GET_KMS;
  metadata: {
    kmsId: string;
-    slug: string;
+    name: string;
  };
 }
@@ -1386,7 +1404,7 @@ interface UpdateProjectKmsEvent {
  metadata: {
    secretManagerKmsKey: {
      id: string;
-      slug: string;
+      name: string;
    };
  };
 }
@@ -1541,6 +1559,65 @@ interface IntegrationSyncedEvent {
  };
 }
 interface CreateCmekEvent {
  type: EventType.CREATE_CMEK;
  metadata: {
    keyId: string;
    name: string;
    description?: string;
    encryptionAlgorithm: SymmetricEncryption;
  };
 }
 interface DeleteCmekEvent {
  type: EventType.DELETE_CMEK;
  metadata: {
    keyId: string;
  };
 }
 interface UpdateCmekEvent {
  type: EventType.UPDATE_CMEK;
  metadata: {
    keyId: string;
    name?: string;
    description?: string;
  };
 }
 interface GetCmeksEvent {
  type: EventType.GET_CMEKS;
  metadata: {
    keyIds: string[];
  };
 }
 interface CmekEncryptEvent {
  type: EventType.CMEK_ENCRYPT;
  metadata: {
    keyId: string;
  };
 }
 interface CmekDecryptEvent {
  type: EventType.CMEK_DECRYPT;
  metadata: {
    keyId: string;
  };
 }
 interface GetExternalGroupOrgRoleMappingsEvent {
  type: EventType.GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
  metadata?: Record<string, never>; // not needed, based off orgId
 }
 interface UpdateExternalGroupOrgRoleMappingsEvent {
  type: EventType.UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS;
  metadata: {
    mappings: { groupName: string; roleSlug: string }[];
  };
 }
 export type Event =
  | GetSecretsEvent
  | GetSecretEvent
@@ -1620,6 +1697,7 @@ export type Event =
  | UpdateWebhookStatusEvent
  | DeleteWebhookEvent
  | GetSecretImportsEvent
  | GetSecretImportEvent
  | CreateSecretImportEvent
  | UpdateSecretImportEvent
  | DeleteSecretImportEvent
@@ -1680,4 +1758,12 @@ export type Event =
  | GetSlackIntegration
  | UpdateProjectSlackConfig
  | GetProjectSlackConfig
-  | IntegrationSyncedEvent;
+  | IntegrationSyncedEvent
  | CreateCmekEvent
  | UpdateCmekEvent
  | DeleteCmekEvent
  | GetCmeksEvent
  | CmekEncryptEvent
  | CmekDecryptEvent
  | GetExternalGroupOrgRoleMappingsEvent
  | UpdateExternalGroupOrgRoleMappingsEvent;
--- a/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
+++ b/backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts
@@ -2,10 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 // import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -19,7 +18,6 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
  // licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 export type TCertificateAuthorityCrlServiceFactory = ReturnType<typeof certificateAuthorityCrlServiceFactory>;
@@ -66,7 +64,7 @@ export const certificateAuthorityCrlServiceFactory = ({
   */
  const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
+    if (!ca) throw new NotFoundError({ message: "CA not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -81,13 +79,6 @@ export const certificateAuthorityCrlServiceFactory = ({
      ProjectPermissionSub.CertificateAuthorities
    );
    // const plan = await licenseService.getPlan(actorOrgId);
    // if (!plan.caCrl)
    //   throw new BadRequestError({
    //     message:
    //       "Failed to get CA certificate revocation lists (CRLs) due to plan restriction. Upgrade plan to get the CA CRL."
    //   });
    const caCrls = await certificateAuthorityCrlDAL.find({ caId: ca.id }, { sort: [["createdAt", "desc"]] });
    const keyId = await getProjectKmsCertificateKeyId({
--- a/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
+++ b/backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts
@@ -7,7 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@@ -61,7 +61,7 @@ export const dynamicSecretLeaseServiceFactory = ({
  }: TCreateDynamicSecretLeaseDTO) => {
    const appCfg = getConfig();
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -84,10 +84,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    }
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
    const totalLeasesTaken = await dynamicSecretLeaseDAL.countLeasesForDynamicSecret(dynamicSecretCfg.id);
    if (totalLeasesTaken >= appCfg.MAX_LEASE_LIMIT)
@@ -134,7 +134,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    leaseId
  }: TRenewDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -157,10 +157,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    }
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });
    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@@ -208,7 +208,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    isForced
  }: TDeleteDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -224,10 +224,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });
    const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
    const selectedProvider = dynamicSecretProviders[dynamicSecretCfg.type as DynamicSecretProviders];
@@ -273,7 +273,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod
  }: TListDynamicSecretLeasesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -289,10 +289,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
    const dynamicSecretLeases = await dynamicSecretLeaseDAL.find({ dynamicSecretId: dynamicSecretCfg.id });
    return dynamicSecretLeases;
@@ -309,7 +309,7 @@ export const dynamicSecretLeaseServiceFactory = ({
    actorAuthMethod
  }: TDetailsDynamicSecretLeaseDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -325,10 +325,10 @@ export const dynamicSecretLeaseServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease) throw new BadRequestError({ message: "Dynamic secret lease not found" });
+    if (!dynamicSecretLease) throw new NotFoundError({ message: "Dynamic secret lease not found" });
    return dynamicSecretLease;
  };
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -5,7 +5,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
@@ -66,7 +66,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod
  }: TCreateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -89,7 +89,7 @@ export const dynamicSecretServiceFactory = ({
    }
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const existingDynamicSecret = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
    if (existingDynamicSecret)
@@ -134,7 +134,7 @@ export const dynamicSecretServiceFactory = ({
    actorAuthMethod
  }: TUpdateDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
@@ -158,10 +158,10 @@ export const dynamicSecretServiceFactory = ({
    }
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
    if (newName) {
      const existingDynamicSecret = await dynamicSecretDAL.findOne({ name: newName, folderId: folder.id });
@@ -213,7 +213,7 @@ export const dynamicSecretServiceFactory = ({
    isForced
  }: TDeleteDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
@@ -230,7 +230,7 @@ export const dynamicSecretServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
@@ -271,7 +271,7 @@ export const dynamicSecretServiceFactory = ({
    actor
  }: TDetailsDynamicSecretDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const { permission } = await permissionService.getProjectPermission(
@@ -287,10 +287,10 @@ export const dynamicSecretServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.findOne({ name, folderId: folder.id });
-    if (!dynamicSecretCfg) throw new BadRequestError({ message: "Dynamic secret not found" });
+    if (!dynamicSecretCfg) throw new NotFoundError({ message: "Dynamic secret not found" });
    const decryptedStoredInput = JSON.parse(
      infisicalSymmetricDecrypt({
        keyEncoding: dynamicSecretCfg.keyEncoding as SecretKeyEncoding,
@@ -335,7 +335,7 @@ export const dynamicSecretServiceFactory = ({
    }
    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
-    if (!folders.length) throw new BadRequestError({ message: "Folders not found" });
+    if (!folders.length) throw new NotFoundError({ message: "Folders not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.find(
      { $in: { folderId: folders.map((folder) => folder.id) }, $search: search ? { name: `%${search}%` } : undefined },
@@ -369,7 +369,7 @@ export const dynamicSecretServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.find(
      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
@@ -398,7 +398,7 @@ export const dynamicSecretServiceFactory = ({
    if (!projectId) {
      if (!projectSlug) throw new BadRequestError({ message: "Project ID or slug required" });
      const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-      if (!project) throw new BadRequestError({ message: "Project not found" });
+      if (!project) throw new NotFoundError({ message: "Project not found" });
      projectId = project.id;
    }
@@ -415,7 +415,7 @@ export const dynamicSecretServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.find(
      { folderId: folder.id, $search: search ? { name: `%${search}%` } : undefined },
@@ -459,7 +459,7 @@ export const dynamicSecretServiceFactory = ({
    }
    const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
-    if (!folders.length) throw new BadRequestError({ message: "Folders not found" });
+    if (!folders.length) throw new NotFoundError({ message: "Folders not found" });
    const dynamicSecretCfg = await dynamicSecretDAL.listDynamicSecretsByFolderIds({
      folderIds: folders.map((folder) => folder.id),
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@@ -3,6 +3,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
@@ -20,5 +21,6 @@ export const buildDynamicSecretProviders = () => ({
  [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
  [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
  [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
-  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider()
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
  [DynamicSecretProviders.Ldap]: LdapProvider()
 });
--- a/backend/src/ee/services/dynamic-secret/providers/ldap.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/ldap.ts
@@ -0,0 +1,235 @@
 import handlebars from "handlebars";
 import ldapjs from "ldapjs";
 import ldif from "ldif";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { LdapSchema, TDynamicProviderFns } from "./models";
 const generatePassword = () => {
  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
  return customAlphabet(charset, 64)();
 };
 const encodePassword = (password?: string) => {
  const quotedPassword = `"${password}"`;
  const utf16lePassword = Buffer.from(quotedPassword, "utf16le");
  const base64Password = utf16lePassword.toString("base64");
  return base64Password;
 };
 const generateUsername = () => {
  return alphaNumericNanoId(20);
 };
 const generateLDIF = ({
  username,
  password,
  ldifTemplate
 }: {
  username: string;
  password?: string;
  ldifTemplate: string;
 }): string => {
  const data = {
    Username: username,
    Password: password,
    EncodedPassword: encodePassword(password)
  };
  const renderTemplate = handlebars.compile(ldifTemplate);
  const renderedLdif = renderTemplate(data);
  return renderedLdif;
 };
 export const LdapProvider = (): TDynamicProviderFns => {
  const validateProviderInputs = async (inputs: unknown) => {
    const providerInputs = await LdapSchema.parseAsync(inputs);
    return providerInputs;
  };
  const getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
    return new Promise((resolve, reject) => {
      const client = ldapjs.createClient({
        url: providerInputs.url,
        tlsOptions: {
          ca: providerInputs.ca ? providerInputs.ca : null,
          rejectUnauthorized: !!providerInputs.ca
        },
        reconnect: true,
        bindDN: providerInputs.binddn,
        bindCredentials: providerInputs.bindpass
      });
      client.on("error", (err: Error) => {
        client.unbind();
        reject(new BadRequestError({ message: err.message }));
      });
      client.bind(providerInputs.binddn, providerInputs.bindpass, (err) => {
        if (err) {
          client.unbind();
          reject(new BadRequestError({ message: err.message }));
        } else {
          resolve(client);
        }
      });
    });
  };
  const validateConnection = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await getClient(providerInputs);
    return client.connected;
  };
  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
    type TEntry = {
      dn: string;
      type: string;
      changes: {
        operation?: string;
        attribute: {
          attribute: string;
        };
        value: {
          value: string;
        };
        values: {
          // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, can be any for ldapjs.Change.modification.values
          value: any;
        }[];
      }[];
    };
    let parsedEntries: TEntry[];
    try {
      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
      parsedEntries = ldif.parse(ldif_file).entries as TEntry[];
    } catch (err) {
      throw new BadRequestError({
        message: "Invalid LDIF format, refer to the documentation at Dynamic secrets > LDAP > LDIF Entries."
      });
    }
    const dnArray: string[] = [];
    for await (const entry of parsedEntries) {
      const { dn } = entry;
      let responseDn: string;
      if (entry.type === "add") {
        const attributes: Record<string, string | string[]> = {};
        entry.changes.forEach((change) => {
          const attrName = change.attribute.attribute;
          const attrValue = change.value.value;
          attributes[attrName] = Array.isArray(attrValue) ? attrValue : [attrValue];
        });
        responseDn = await new Promise((resolve, reject) => {
          client.add(dn, attributes, (err) => {
            if (err) {
              reject(new BadRequestError({ message: err.message }));
            } else {
              resolve(dn);
            }
          });
        });
      } else if (entry.type === "modify") {
        const changes: ldapjs.Change[] = [];
        entry.changes.forEach((change) => {
          changes.push(
            new ldapjs.Change({
              operation: change.operation || "replace",
              modification: {
                type: change.attribute.attribute,
                // eslint-disable-next-line @typescript-eslint/no-unsafe-return
                values: change.values.map((value) => value.value)
              }
            })
          );
        });
        responseDn = await new Promise((resolve, reject) => {
          client.modify(dn, changes, (err) => {
            if (err) {
              reject(new BadRequestError({ message: err.message }));
            } else {
              resolve(dn);
            }
          });
        });
      } else if (entry.type === "delete") {
        responseDn = await new Promise((resolve, reject) => {
          client.del(dn, (err) => {
            if (err) {
              reject(new BadRequestError({ message: err.message }));
            } else {
              resolve(dn);
            }
          });
        });
      } else {
        client.unbind();
        throw new BadRequestError({ message: `Unsupported operation type ${entry.type}` });
      }
      dnArray.push(responseDn);
    }
    client.unbind();
    return dnArray;
  };
  const create = async (inputs: unknown) => {
    const providerInputs = await validateProviderInputs(inputs);
    const client = await getClient(providerInputs);
    const username = generateUsername();
    const password = generatePassword();
    const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
    try {
      const dnArray = await executeLdif(client, generatedLdif);
      return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
    } catch (err) {
      if (providerInputs.rollbackLdif) {
        const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
        await executeLdif(client, rollbackLdif);
      }
      throw new BadRequestError({ message: (err as Error).message });
    }
  };
  const revoke = async (inputs: unknown, entityId: string) => {
    const providerInputs = await validateProviderInputs(inputs);
    const connection = await getClient(providerInputs);
    const revocationLdif = generateLDIF({ username: entityId, ldifTemplate: providerInputs.revocationLdif });
    await executeLdif(connection, revocationLdif);
    return { entityId };
  };
  const renew = async (inputs: unknown, entityId: string) => {
    // Do nothing
    return { entityId };
  };
  return {
    validateProviderInputs,
    validateConnection,
    create,
    revoke,
    renew
  };
 };
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -174,6 +174,17 @@ export const AzureEntraIDSchema = z.object({
  clientSecret: z.string().trim().min(1)
 });
 export const LdapSchema = z.object({
  url: z.string().trim().min(1),
  binddn: z.string().trim().min(1),
  bindpass: z.string().trim().min(1),
  ca: z.string().optional(),
  creationLdif: z.string().min(1),
  revocationLdif: z.string().min(1),
  rollbackLdif: z.string().optional()
 });
 export enum DynamicSecretProviders {
  SqlDatabase = "sql-database",
  Cassandra = "cassandra",
@@ -184,7 +195,8 @@ export enum DynamicSecretProviders {
  ElasticSearch = "elastic-search",
  MongoDB = "mongo-db",
  RabbitMq = "rabbit-mq",
-  AzureEntraID = "azure-entra-id"
+  AzureEntraID = "azure-entra-id",
  Ldap = "ldap"
 }
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -197,7 +209,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema })
 ]);
 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/external-kms/external-kms-dal.ts
+++ b/backend/src/ee/services/external-kms/external-kms-dal.ts
@@ -30,7 +30,7 @@ export const externalKmsDALFactory = (db: TDbClient) => {
        isDisabled: el.isDisabled,
        isReserved: el.isReserved,
        orgId: el.orgId,
-        slug: el.slug,
+        name: el.name,
        createdAt: el.createdAt,
        updatedAt: el.updatedAt,
        externalKms: {
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -43,7 +43,7 @@ export const externalKmsServiceFactory = ({
    provider,
    description,
    actor,
-    slug,
+    name,
    actorId,
    actorOrgId,
    actorAuthMethod
@@ -64,7 +64,7 @@ export const externalKmsServiceFactory = ({
      });
    }
-    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const kmsName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
    let sanitizedProviderInput = "";
    switch (provider.type) {
@@ -96,7 +96,7 @@ export const externalKmsServiceFactory = ({
        {
          isReserved: false,
          description,
-          slug: kmsSlug,
+          name: kmsName,
          orgId: actorOrgId
        },
        tx
@@ -120,7 +120,7 @@ export const externalKmsServiceFactory = ({
    description,
    actor,
    id: kmsId,
-    slug,
+    name,
    actorId,
    actorOrgId,
    actorAuthMethod
@@ -142,10 +142,10 @@ export const externalKmsServiceFactory = ({
      });
    }
-    const kmsSlug = slug ? slugify(slug) : undefined;
+    const kmsName = name ? slugify(name) : undefined;
    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
    let sanitizedProviderInput = "";
    const { encryptor: orgDataKeyEncryptor, decryptor: orgDataKeyDecryptor } =
@@ -188,7 +188,7 @@ export const externalKmsServiceFactory = ({
        kmsDoc.id,
        {
          description,
-          slug: kmsSlug
+          name: kmsName
        },
        tx
      );
@@ -220,7 +220,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);
    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
    const externalKms = await externalKmsDAL.transaction(async (tx) => {
      const kms = await kmsDAL.deleteById(kmsDoc.id, tx);
@@ -258,7 +258,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);
    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
@@ -280,14 +280,14 @@ export const externalKmsServiceFactory = ({
    }
  };
-  const findBySlug = async ({
+  const findByName = async ({
    actor,
    actorId,
    actorOrgId,
    actorAuthMethod,
-    slug: kmsSlug
+    name: kmsName
  }: TGetExternalKmsBySlugDTO) => {
-    const kmsDoc = await kmsDAL.findOne({ slug: kmsSlug, orgId: actorOrgId });
+    const kmsDoc = await kmsDAL.findOne({ name: kmsName, orgId: actorOrgId });
    const { permission } = await permissionService.getOrgPermission(
      actor,
      actorId,
@@ -298,7 +298,7 @@ export const externalKmsServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);
    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
-    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+    if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
    const { decryptor: orgDataKeyDecryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
@@ -327,6 +327,6 @@ export const externalKmsServiceFactory = ({
    deleteById,
    list,
    findById,
-    findBySlug
+    findByName
  };
 };
--- a/backend/src/ee/services/external-kms/external-kms-types.ts
+++ b/backend/src/ee/services/external-kms/external-kms-types.ts
@@ -3,14 +3,14 @@ import { TOrgPermission } from "@app/lib/types";
 import { TExternalKmsInputSchema, TExternalKmsInputUpdateSchema } from "./providers/model";
 export type TCreateExternalKmsDTO = {
-  slug?: string;
+  name?: string;
  description?: string;
  provider: TExternalKmsInputSchema;
 } & Omit<TOrgPermission, "orgId">;
 export type TUpdateExternalKmsDTO = {
  id: string;
-  slug?: string;
+  name?: string;
  description?: string;
  provider?: TExternalKmsInputUpdateSchema;
 } & Omit<TOrgPermission, "orgId">;
@@ -26,5 +26,5 @@ export type TGetExternalKmsByIdDTO = {
 } & Omit<TOrgPermission, "orgId">;
 export type TGetExternalKmsBySlugDTO = {
-  slug: string;
+  name: string;
 } & Omit<TOrgPermission, "orgId">;
--- a/backend/src/ee/services/group/group-fns.ts
+++ b/backend/src/ee/services/group/group-fns.ts
@@ -2,7 +2,7 @@ import { Knex } from "knex";
 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, ScimRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";
 import {
  TAddUsersToGroup,
@@ -73,24 +73,24 @@ const addAcceptedUsersToGroup = async ({
      const ghostUser = await projectDAL.findProjectGhostUser(projectId, tx);
      if (!ghostUser) {
-        throw new BadRequestError({
+        throw new NotFoundError({
-          message: "Failed to find sudo user"
+          message: "Failed to find project owner"
        });
      }
      const ghostUserLatestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, tx);
      if (!ghostUserLatestKey) {
-        throw new BadRequestError({
+        throw new NotFoundError({
-          message: "Failed to find sudo user latest key"
+          message: "Failed to find project owner's latest key"
        });
      }
      const bot = await projectBotDAL.findOne({ projectId }, tx);
      if (!bot) {
-        throw new BadRequestError({
+        throw new NotFoundError({
-          message: "Failed to find bot"
+          message: "Failed to find project bot"
        });
      }
@@ -200,7 +200,7 @@ export const addUsersToGroupByUserIds = async ({
    userIds.forEach((userId) => {
      if (!existingUserOrgMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
          message: `User with id ${userId} is not part of the organization`
        });
    });
@@ -303,7 +303,7 @@ export const removeUsersFromGroupByUserIds = async ({
    userIds.forEach((userId) => {
      if (!existingUserGroupMembershipsUserIdsSet.has(userId))
-        throw new BadRequestError({
+        throw new ForbiddenRequestError({
          message: `User(s) are not part of the group ${group.slug}`
        });
    });
@@ -415,7 +415,7 @@ export const convertPendingGroupAdditionsToGroupMemberships = async ({
    const usersUserIdsSet = new Set(users.map((u) => u.id));
    userIds.forEach((userId) => {
      if (!usersUserIdsSet.has(userId)) {
-        throw new BadRequestError({
+        throw new NotFoundError({
          message: `Failed to find user with id ${userId}`
        });
      }
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -3,7 +3,7 @@ import slugify from "@sindresorhus/slugify";
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -62,7 +62,7 @@ export const groupServiceFactory = ({
  licenseService
 }: TGroupServiceFactoryDep) => {
  const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -85,7 +85,8 @@ export const groupServiceFactory = ({
    );
    const isCustomRole = Boolean(customRole);
    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-    if (!hasRequiredPriviledges) throw new BadRequestError({ message: "Failed to create a more privileged group" });
+    if (!hasRequiredPriviledges)
      throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
    const group = await groupDAL.create({
      name,
@@ -108,7 +109,7 @@ export const groupServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TUpdateGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -127,7 +128,7 @@ export const groupServiceFactory = ({
    const group = await groupDAL.findOne({ orgId: actorOrgId, id });
    if (!group) {
-      throw new BadRequestError({ message: `Failed to find group with ID ${id}` });
+      throw new NotFoundError({ message: `Failed to find group with ID ${id}` });
    }
    let customRole: TOrgRoles | undefined;
@@ -140,7 +141,7 @@ export const groupServiceFactory = ({
      const isCustomRole = Boolean(customOrgRole);
      const hasRequiredNewRolePermission = isAtLeastAsPrivileged(permission, rolePermission);
      if (!hasRequiredNewRolePermission)
-        throw new BadRequestError({ message: "Failed to create a more privileged group" });
+        throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
      if (isCustomRole) customRole = customOrgRole;
    }
@@ -164,7 +165,7 @@ export const groupServiceFactory = ({
  };
  const deleteGroup = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -191,9 +192,7 @@ export const groupServiceFactory = ({
  };
  const getGroupById = async ({ id, actor, actorId, actorAuthMethod, actorOrgId }: TGetGroupByIdDTO) => {
-    if (!actorOrgId) {
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
      throw new BadRequestError({ message: "Failed to read group without organization" });
    }
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -224,7 +223,7 @@ export const groupServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TListGroupUsersDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -241,7 +240,7 @@ export const groupServiceFactory = ({
    });
    if (!group)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: `Failed to find group with ID ${id}`
      });
@@ -259,7 +258,7 @@ export const groupServiceFactory = ({
  };
  const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -277,7 +276,7 @@ export const groupServiceFactory = ({
    });
    if (!group)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: `Failed to find group with ID ${id}`
      });
@@ -289,7 +288,7 @@ export const groupServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Failed to add user to more privileged group" });
    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
    const users = await addUsersToGroupByUserIds({
      group,
@@ -314,7 +313,7 @@ export const groupServiceFactory = ({
    actorAuthMethod,
    actorOrgId
  }: TRemoveUserFromGroupDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Failed to create group without organization" });
+    if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -332,7 +331,7 @@ export const groupServiceFactory = ({
    });
    if (!group)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: `Failed to find group with ID ${id}`
      });
@@ -344,7 +343,7 @@ export const groupServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Failed to delete user from more privileged group" });
    const user = await userDAL.findOne({ username });
-    if (!user) throw new BadRequestError({ message: `Failed to find user with username ${username}` });
+    if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
    const users = await removeUsersFromGroupByUserIds({
      group,
--- a/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
+++ b/backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts
@@ -4,7 +4,7 @@ import ms from "ms";
 import { z } from "zod";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -34,18 +34,12 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
 // TODO(akhilmhdh): move this to more centralized
 export const UnpackedPermissionSchema = z.object({
-  subject: z.union([z.string().min(1), z.string().array()]).optional(),
+  subject: z
-  action: z.union([z.string().min(1), z.string().array()]),
+    .union([z.string().min(1), z.string().array()])
-  conditions: z
+    .transform((el) => (typeof el !== "string" ? el[0] : el))
-    .object({
+    .optional(),
-      environment: z.string().optional(),
+  action: z.union([z.string().min(1), z.string().array()]).transform((el) => (typeof el === "string" ? [el] : el)),
-      secretPath: z
+  conditions: z.unknown().optional()
        .object({
          $glob: z.string().min(1)
        })
        .optional()
    })
    .optional()
 });
 const unpackPermissions = (permissions: unknown) =>
@@ -71,12 +65,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    ...dto
  }: TCreateIdentityPrivilegeDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -143,12 +137,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TUpdateIdentityPrivilegeDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -173,7 +167,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      slug,
      projectMembershipId: identityProjectMembership.id
    });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
    if (data?.slug) {
      const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
        slug: data.slug,
@@ -224,12 +218,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TDeleteIdentityPrivilegeDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -254,7 +248,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      slug,
      projectMembershipId: identityProjectMembership.id
    });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
    const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
    return {
@@ -274,12 +268,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TGetIdentityPrivilegeDetailsDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@@ -293,7 +287,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
      slug,
      projectMembershipId: identityProjectMembership.id
    });
-    if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
+    if (!identityPrivilege) throw new NotFoundError({ message: "Identity additional privilege not found" });
    return {
      ...identityPrivilege,
@@ -310,12 +304,12 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
    projectSlug
  }: TListIdentityPrivilegesDTO) => {
    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
    const projectId = project.id;
    const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
    if (!identityProjectMembership)
-      throw new BadRequestError({ message: `Failed to find identity with id ${identityId}` });
+      throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -1,14 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
-import {
+import { OrgMembershipStatus, SecretKeyEncoding, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
  OrgMembershipRole,
  OrgMembershipStatus,
  SecretKeyEncoding,
  TableName,
  TLdapConfigsUpdate,
  TUsers
 } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -21,13 +14,14 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -253,7 +247,7 @@ export const ldapConfigServiceFactory = ({
    };
    const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@@ -289,10 +283,10 @@ export const ldapConfigServiceFactory = ({
  const getLdapCfg = async (filter: { orgId: string; isActive?: boolean; id?: string }) => {
    const ldapConfig = await ldapConfigDAL.findOne(filter);
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });
    const orgBot = await orgBotDAL.findOne({ orgId: ldapConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
@@ -375,7 +369,7 @@ export const ldapConfigServiceFactory = ({
  const bootLdap = async (organizationSlug: string) => {
    const organization = await orgDAL.findOne({ slug: organizationSlug });
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
    const ldapConfig = await getLdapCfg({
      orgId: organization.id,
@@ -420,7 +414,7 @@ export const ldapConfigServiceFactory = ({
    const serverCfg = await getServerCfg();
    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.LDAP)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Login with LDAP is disabled by administrator."
      });
    }
@@ -432,7 +426,7 @@ export const ldapConfigServiceFactory = ({
    });
    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
    if (userAlias) {
      await userDAL.transaction(async (tx) => {
@@ -444,11 +438,14 @@ export const ldapConfigServiceFactory = ({
          { tx }
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
          await orgDAL.createMembership(
            {
              userId: userAlias.userId,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: OrgMembershipStatus.Accepted,
              isActive: true
            },
@@ -529,12 +526,15 @@ export const ldapConfigServiceFactory = ({
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
          await orgMembershipDAL.create(
            {
              userId: newUser.id,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -700,7 +700,7 @@ export const ldapConfigServiceFactory = ({
      orgId
    });
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });
    const groupMaps = await ldapGroupMapDAL.findLdapGroupMapsByLdapConfigId(ldapConfigId);
@@ -741,13 +741,13 @@ export const ldapConfigServiceFactory = ({
    const groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
    if (!groups.some((g) => g.cn === ldapGroupCN)) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Failed to find LDAP Group CN"
      });
    }
    const group = await groupDAL.findOne({ slug: groupSlug, orgId });
-    if (!group) throw new BadRequestError({ message: "Failed to find group" });
+    if (!group) throw new NotFoundError({ message: "Failed to find group" });
    const groupMap = await ldapGroupMapDAL.create({
      ldapConfigId,
@@ -781,7 +781,7 @@ export const ldapConfigServiceFactory = ({
      orgId
    });
-    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+    if (!ldapConfig) throw new NotFoundError({ message: "Failed to find organization LDAP data" });
    const [deletedGroupMap] = await ldapGroupMapDAL.delete({
      ldapConfigId: ldapConfig.id,
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@@ -10,7 +10,7 @@ import { Knex } from "knex";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { verifyOfflineLicense } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -145,7 +145,7 @@ export const licenseServiceFactory = ({
        if (cachedPlan) return JSON.parse(cachedPlan) as TFeatureSet;
        const org = await orgDAL.findOrgById(orgId);
-        if (!org) throw new BadRequestError({ message: "Org not found" });
+        if (!org) throw new NotFoundError({ message: "Organization not found" });
        const {
          data: { currentPlan }
        } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
@@ -204,7 +204,7 @@ export const licenseServiceFactory = ({
  const updateSubscriptionOrgMemberCount = async (orgId: string, tx?: Knex) => {
    if (instanceType === InstanceType.Cloud) {
      const org = await orgDAL.findOrgById(orgId);
-      if (!org) throw new BadRequestError({ message: "Org not found" });
+      if (!org) throw new NotFoundError({ message: "Organization not found" });
      const quantity = await licenseDAL.countOfOrgMembers(orgId, tx);
      const quantityIdentities = await licenseDAL.countOrgUsersAndIdentities(orgId, tx);
@@ -266,8 +266,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -294,8 +294,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -340,8 +340,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
    const { data } = await licenseServerCloudApi.request.get(
@@ -357,8 +357,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
    const { data } = await licenseServerCloudApi.request.get(
@@ -373,8 +373,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -398,8 +398,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
    const { data } = await licenseServerCloudApi.request.patch(
@@ -418,8 +418,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -445,8 +445,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
    const {
@@ -474,8 +474,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -491,8 +491,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
    const {
@@ -509,8 +509,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -530,8 +530,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -547,8 +547,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
@@ -564,8 +564,8 @@ export const licenseServiceFactory = ({
    const organization = await orgDAL.findOrgById(orgId);
    if (!organization) {
-      throw new BadRequestError({
+      throw new NotFoundError({
-        message: "Failed to find organization"
+        message: "Organization not found"
      });
    }
--- a/backend/src/ee/services/oidc/oidc-config-dal.ts
+++ b/backend/src/ee/services/oidc/oidc-config-dal.ts
@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
@@ -7,5 +8,22 @@ export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
 export const oidcConfigDALFactory = (db: TDbClient) => {
  const oidcCfgOrm = ormify(db, TableName.OidcConfig);
-  return { ...oidcCfgOrm };
+  const findEnforceableOidcCfg = async (orgId: string) => {
    try {
      const oidcCfg = await db
        .replicaNode()(TableName.OidcConfig)
        .where({
          orgId,
          isActive: true
        })
        .whereNotNull("lastUsed")
        .first();
      return oidcCfg;
    } catch (error) {
      throw new DatabaseError({ error, name: "Find org by id" });
    }
  };
  return { ...oidcCfgOrm, findEnforceableOidcCfg };
 };
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -3,7 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
-import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
+import { OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { TOidcConfigsUpdate } from "@app/db/schemas/oidc-configs";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
@@ -17,12 +17,13 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
@@ -77,7 +78,7 @@ export const oidcConfigServiceFactory = ({
  const getOidc = async (dto: TGetOidcCfgDTO) => {
    const org = await orgDAL.findOne({ slug: dto.orgSlug });
    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found",
        name: "OrgNotFound"
      });
@@ -98,7 +99,7 @@ export const oidcConfigServiceFactory = ({
    });
    if (!oidcCfg) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Failed to find organization OIDC configuration"
      });
    }
@@ -106,7 +107,7 @@ export const oidcConfigServiceFactory = ({
    // decrypt and return cfg
    const orgBot = await orgBotDAL.findOne({ orgId: oidcCfg.orgId });
    if (!orgBot) {
-      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+      throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    }
    const key = infisicalSymmetricDecrypt({
@@ -160,7 +161,7 @@ export const oidcConfigServiceFactory = ({
    const serverCfg = await getServerCfg();
    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.OIDC)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Login with OIDC is disabled by administrator."
      });
    }
@@ -173,7 +174,7 @@ export const oidcConfigServiceFactory = ({
    });
    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
    let user: TUsers;
    if (userAlias) {
@@ -187,12 +188,15 @@ export const oidcConfigServiceFactory = ({
          { tx }
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
          await orgMembershipDAL.create(
            {
              userId: userAlias.userId,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -261,12 +265,15 @@ export const oidcConfigServiceFactory = ({
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
          await orgMembershipDAL.create(
            {
              userId: newUser.id,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -314,6 +321,8 @@ export const oidcConfigServiceFactory = ({
      }
    );
    await oidcConfigDAL.update({ orgId }, { lastUsed: new Date() });
    if (user.email && !user.isEmailVerified) {
      const token = await tokenService.createTokenForUser({
        type: TokenType.TOKEN_EMAIL_VERIFICATION,
@@ -356,7 +365,7 @@ export const oidcConfigServiceFactory = ({
    });
    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found"
      });
    }
@@ -378,7 +387,7 @@ export const oidcConfigServiceFactory = ({
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
    const orgBot = await orgBotDAL.findOne({ orgId: org.id });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@@ -395,7 +404,8 @@ export const oidcConfigServiceFactory = ({
      tokenEndpoint,
      userinfoEndpoint,
      jwksUri,
-      isActive
+      isActive,
      lastUsed: null
    };
    if (clientId !== undefined) {
@@ -418,6 +428,7 @@ export const oidcConfigServiceFactory = ({
    }
    const [ssoConfig] = await oidcConfigDAL.update({ orgId: org.id }, updateQuery);
    await orgDAL.updateById(org.id, { authEnforced: false, scimEnabled: false });
    return ssoConfig;
  };
@@ -443,7 +454,7 @@ export const oidcConfigServiceFactory = ({
      slug: orgSlug
    });
    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found"
      });
    }
@@ -549,7 +560,7 @@ export const oidcConfigServiceFactory = ({
    });
    if (!org) {
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Organization not found."
      });
    }
@@ -560,7 +571,7 @@ export const oidcConfigServiceFactory = ({
    });
    if (!oidcCfg || !oidcCfg.isActive) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Failed to authenticate with OIDC SSO"
      });
    }
@@ -617,7 +628,7 @@ export const oidcConfigServiceFactory = ({
        if (oidcCfg.allowedEmailDomains) {
          const allowedDomains = oidcCfg.allowedEmailDomains.split(", ");
          if (!allowedDomains.includes(claims.email.split("@")[1])) {
-            throw new BadRequestError({
+            throw new ForbiddenRequestError({
              message: "Email not allowed."
            });
          }
--- a/backend/src/ee/services/permission/permission-dal.ts
+++ b/backend/src/ee/services/permission/permission-dal.ts
@@ -168,8 +168,14 @@ export const permissionDALFactory = (db: TDbClient) => {
        })
        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
        })
        .select(
          db.ref("id").withSchema(TableName.Users).as("userId"),
          db.ref("username").withSchema(TableName.Users).as("username"),
          // groups specific
          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
@@ -257,6 +263,9 @@ export const permissionDALFactory = (db: TDbClient) => {
            .withSchema(TableName.ProjectUserAdditionalPrivilege)
            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
          // general
          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
          db.ref("orgId").withSchema(TableName.Project),
          db.ref("id").withSchema(TableName.Project).as("projectId")
@@ -267,6 +276,7 @@ export const permissionDALFactory = (db: TDbClient) => {
        key: "projectId",
        parentMapper: ({
          orgId,
          username,
          orgAuthEnforced,
          membershipId,
          groupMembershipId,
@@ -279,6 +289,7 @@ export const permissionDALFactory = (db: TDbClient) => {
          orgAuthEnforced,
          userId,
          projectId,
          username,
          id: membershipId || groupMembershipId,
          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
@@ -354,6 +365,15 @@ export const permissionDALFactory = (db: TDbClient) => {
              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
              isTemporary: userAdditionalPrivilegesIsTemporary
            })
          },
          {
            key: "metadataId",
            label: "metadata" as const,
            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
              id: metadataId,
              key: metadataKey,
              value: metadataValue
            })
          }
        ]
      });
@@ -399,6 +419,7 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
          `${TableName.IdentityProjectMembership}.id`
        )
        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
        .leftJoin(
          TableName.ProjectRoles,
          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
@@ -415,11 +436,17 @@ export const permissionDALFactory = (db: TDbClient) => {
          `${TableName.IdentityProjectMembership}.projectId`,
          `${TableName.Project}.id`
        )
-        .where("identityId", identityId)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
          void queryBuilder
            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
        })
        .where(`${TableName.IdentityProjectMembership}.identityId`, identityId)
        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
        .select(
          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
          db.ref("name").withSchema(TableName.Identity).as("identityName"),
          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
@@ -443,15 +470,19 @@ export const permissionDALFactory = (db: TDbClient) => {
          db
            .ref("temporaryAccessEndTime")
            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessEndTime")
+            .as("identityApTemporaryAccessEndTime"),
          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
        );
      const permission = sqlNestRelationships({
        data: docs,
        key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId, identityName }) => ({
          id: membershipId,
          identityId,
          username: identityName,
          projectId,
          createdAt: membershipCreatedAt,
          updatedAt: membershipUpdatedAt,
@@ -489,6 +520,15 @@ export const permissionDALFactory = (db: TDbClient) => {
              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
              isTemporary: identityApIsTemporary
            })
          },
          {
            key: "metadataId",
            label: "metadata" as const,
            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
              id: metadataId,
              key: metadataKey,
              value: metadataValue
            })
          }
        ]
      });
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -1,5 +1,5 @@
 import { TOrganizations } from "@app/db/schemas";
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
@@ -14,14 +14,19 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
  ].includes(actorAuthMethod);
 }
-function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrganizations["authEnforced"]) {
+function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrganizations["authEnforced"]) {
  if (actorAuthMethod === undefined) {
    throw new UnauthorizedError({ name: "No auth method defined" });
  }
-  if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
+  if (
-    throw new UnauthorizedError({ name: "Cannot access org-scoped resource" });
+    isOrgSsoEnforced &&
    actorAuthMethod !== null &&
    !isAuthMethodSaml(actorAuthMethod) &&
    actorAuthMethod !== AuthMethod.OIDC
  ) {
    throw new ForbiddenRequestError({ name: "Org auth enforced. Cannot access org-scoped resource" });
  }
 }
-export { isAuthMethodSaml, validateOrgSAML };
+export { isAuthMethodSaml, validateOrgSSO };
--- a/backend/src/ee/services/permission/permission-service-types.ts
+++ b/backend/src/ee/services/permission/permission-service-types.ts
@@ -0,0 +1,9 @@
 export type TBuildProjectPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
 export type TBuildOrgPermissionDTO = {
  permissions?: unknown;
  role: string;
 }[];
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -1,6 +1,7 @@
 import { createMongoAbility, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, unpackRules } from "@casl/ability/extra";
 import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 import {
  OrgMembershipRole,
@@ -10,7 +11,8 @@ import {
  TProjectMemberships
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { objectify } from "@app/lib/fn";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -19,8 +21,8 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { validateOrgSAML } from "./permission-fns";
+import { validateOrgSSO } from "./permission-fns";
-import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
  buildServiceTokenProjectPermission,
  projectAdminPermissions,
@@ -62,7 +64,7 @@ export const permissionServiceFactory = ({
              permissions as PackRule<RawRuleOf<MongoAbility<OrgPermissionSet>>>[]
            );
          default:
-            throw new BadRequestError({ name: "OrgRoleInvalid", message: "Org role not found" });
+            throw new NotFoundError({ name: "OrgRoleInvalid", message: "Organization role not found" });
        }
      })
      .reduce((curr, prev) => prev.concat(curr), []);
@@ -72,7 +74,7 @@ export const permissionServiceFactory = ({
    });
  };
-  const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
+  const buildProjectPermissionRules = (projectUserRoles: TBuildProjectPermissionDTO) => {
    const rules = projectUserRoles
      .map(({ role, permissions }) => {
        switch (role) {
@@ -90,7 +92,7 @@ export const permissionServiceFactory = ({
            );
          }
          default:
-            throw new BadRequestError({
+            throw new NotFoundError({
              name: "ProjectRoleInvalid",
              message: "Project role not found"
            });
@@ -98,9 +100,7 @@ export const permissionServiceFactory = ({
      })
      .reduce((curr, prev) => prev.concat(curr), []);
-    return createMongoAbility<ProjectPermissionSet>(rules, {
+    return rules;
      conditionsMatcher
    });
  };
  /*
@@ -114,11 +114,11 @@ export const permissionServiceFactory = ({
  ) => {
    // when token is scoped, ensure the passed org id is same as user org id
    if (userOrgId && userOrgId !== orgId)
-      throw new BadRequestError({ message: "Invalid user token. Scoped to different organization." });
+      throw new ForbiddenRequestError({ message: "Invalid user token. Scoped to different organization." });
    const membership = await permissionDAL.getOrgPermission(userId, orgId);
-    if (!membership) throw new UnauthorizedError({ name: "User not in org" });
+    if (!membership) throw new ForbiddenRequestError({ name: "You are not apart of this organization" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new BadRequestError({ name: "Custom organization permission not found" });
    }
    // If the org ID is API_KEY, the request is being made with an API Key.
@@ -127,10 +127,10 @@ export const permissionServiceFactory = ({
    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
    if (userOrgId !== "API_KEY" && membership.orgId !== userOrgId) {
-      throw new UnauthorizedError({ name: "You are not logged into this organization" });
+      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
    }
-    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+    validateOrgSSO(authMethod, membership.orgAuthEnforced);
    const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
      membership?.groups?.map(({ role, customRolePermission }) => ({
@@ -143,9 +143,9 @@ export const permissionServiceFactory = ({
  const getIdentityOrgPermission = async (identityId: string, orgId: string) => {
    const membership = await permissionDAL.getOrgIdentityPermission(identityId, orgId);
-    if (!membership) throw new UnauthorizedError({ name: "Identity not in org" });
+    if (!membership) throw new ForbiddenRequestError({ name: "Identity is not apart of this organization" });
    if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "Custom organization permission not found" });
    }
    return {
      permission: buildOrgPermission([{ role: membership.role, permissions: membership.permissions }]),
@@ -166,8 +166,8 @@ export const permissionServiceFactory = ({
      case ActorType.IDENTITY:
        return getIdentityOrgPermission(id, orgId);
      default:
-        throw new UnauthorizedError({
+        throw new BadRequestError({
-          message: "Permission not defined",
+          message: "Invalid actor provided",
          name: "Get org permission"
        });
    }
@@ -179,7 +179,7 @@ export const permissionServiceFactory = ({
    const isCustomRole = !Object.values(OrgMembershipRole).includes(role as OrgMembershipRole);
    if (isCustomRole) {
      const orgRole = await orgRoleDAL.findOne({ slug: role, orgId });
-      if (!orgRole) throw new BadRequestError({ message: "Role not found" });
+      if (!orgRole) throw new NotFoundError({ message: "Specified role was not found" });
      return {
        permission: buildOrgPermission([{ role: OrgMembershipRole.Custom, permissions: orgRole.permissions }]),
        role: orgRole
@@ -196,12 +196,12 @@ export const permissionServiceFactory = ({
    userOrgId?: string
  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
    const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
-    if (!userProjectPermission) throw new UnauthorizedError({ name: "User not in project" });
+    if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
    if (
      userProjectPermission.roles.some(({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions)
    ) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "The permission was not found" });
    }
    // If the org ID is API_KEY, the request is being made with an API Key.
@@ -210,10 +210,10 @@ export const permissionServiceFactory = ({
    // Extra: This means that when users are using API keys to make requests, they can't use slug-based routes.
    // Slug-based routes depend on the organization ID being present on the request, since project slugs aren't globally unique, and we need a way to filter by organization.
    if (userOrgId !== "API_KEY" && userProjectPermission.orgId !== userOrgId) {
-      throw new UnauthorizedError({ name: "You are not logged into this organization" });
+      throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
    }
-    validateOrgSAML(authMethod, userProjectPermission.orgAuthEnforced);
+    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
    // join two permissions and pass to build the final permission set
    const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
@@ -223,8 +223,32 @@ export const permissionServiceFactory = ({
        permissions
      })) || [];
    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
    const metadataKeyValuePair = objectify(
      userProjectPermission.metadata,
      (i) => i.key,
      (i) => i.value
    );
    const interpolateRules = templatedRules(
      {
        identity: {
          id: userProjectPermission.userId,
          username: userProjectPermission.username,
          metadata: metadataKeyValuePair
        }
      },
      { data: false }
    );
    const permission = createMongoAbility<ProjectPermissionSet>(
      JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
      {
        conditionsMatcher
      }
    );
    return {
-      permission: buildProjectPermission(rolePermissions.concat(additionalPrivileges)),
+      permission,
      membership: userProjectPermission,
      hasRole: (role: string) =>
        userProjectPermission.roles.findIndex(
@@ -239,18 +263,19 @@ export const permissionServiceFactory = ({
    identityOrgId: string | undefined
  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
    const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
-    if (!identityProjectPermission) throw new UnauthorizedError({ name: "Identity not in project" });
+    if (!identityProjectPermission)
      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified project" });
    if (
      identityProjectPermission.roles.some(
        ({ role, permissions }) => role === ProjectMembershipRole.Custom && !permissions
      )
    ) {
-      throw new BadRequestError({ name: "Custom permission not found" });
+      throw new NotFoundError({ name: "Custom permission not found" });
    }
    if (identityProjectPermission.orgId !== identityOrgId) {
-      throw new UnauthorizedError({ name: "You are not a member of this organization" });
+      throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
    }
    const rolePermissions =
@@ -261,8 +286,32 @@ export const permissionServiceFactory = ({
        permissions
      })) || [];
    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
    const metadataKeyValuePair = objectify(
      identityProjectPermission.metadata,
      (i) => i.key,
      (i) => i.value
    );
    const interpolateRules = templatedRules(
      {
        identity: {
          id: identityProjectPermission.identityId,
          username: identityProjectPermission.username,
          metadata: metadataKeyValuePair
        }
      },
      { data: false }
    );
    const permission = createMongoAbility<ProjectPermissionSet>(
      JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
      {
        conditionsMatcher
      }
    );
    return {
-      permission: buildProjectPermission(rolePermissions.concat(additionalPrivileges)),
+      permission,
      membership: identityProjectPermission,
      hasRole: (role: string) =>
        identityProjectPermission.roles.findIndex(
@@ -277,25 +326,23 @@ export const permissionServiceFactory = ({
    actorOrgId: string | undefined
  ) => {
    const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
-    if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });
+    if (!serviceToken) throw new NotFoundError({ message: "Service token not found" });
    const serviceTokenProject = await projectDAL.findById(serviceToken.projectId);
    if (!serviceTokenProject) throw new BadRequestError({ message: "Service token not linked to a project" });
    if (serviceTokenProject.orgId !== actorOrgId) {
-      throw new UnauthorizedError({ message: "Service token not a part of this organization" });
+      throw new ForbiddenRequestError({ message: "Service token not a part of the specified organization" });
    }
-    if (serviceToken.projectId !== projectId)
+    if (serviceToken.projectId !== projectId) {
-      throw new UnauthorizedError({
+      throw new ForbiddenRequestError({ name: "Service token not a part of the specified project" });
-        message: "Failed to find service authorization for given project"
+    }
      });
-    if (serviceTokenProject.orgId !== actorOrgId)
+    if (serviceTokenProject.orgId !== actorOrgId) {
-      throw new UnauthorizedError({
+      throw new ForbiddenRequestError({ message: "Service token not a part of the specified organization" });
-        message: "Failed to find service authorization for given project"
+    }
      });
    const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
    return {
@@ -335,8 +382,8 @@ export const permissionServiceFactory = ({
      case ActorType.IDENTITY:
        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
      default:
-        throw new UnauthorizedError({
+        throw new BadRequestError({
-          message: "Permission not defined",
+          message: "Invalid actor provided",
          name: "Get project permission"
        });
    }
@@ -346,15 +393,23 @@ export const permissionServiceFactory = ({
    const isCustomRole = !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole);
    if (isCustomRole) {
      const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
-      if (!projectRole) throw new BadRequestError({ message: `Role not found: ${role}` });
+      if (!projectRole) throw new NotFoundError({ message: `Specified role was not found: ${role}` });
-      return {
+      const rules = buildProjectPermissionRules([
        permission: buildProjectPermission([
        { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
-        ]),
+      ]);
      return {
        permission: createMongoAbility<ProjectPermissionSet>(rules, {
          conditionsMatcher
        }),
        role: projectRole
      };
    }
-    return { permission: buildProjectPermission([{ role, permissions: [] }]) };
+
    const rules = buildProjectPermissionRules([{ role, permissions: [] }]);
    const permission = createMongoAbility<ProjectPermissionSet>(rules, {
      conditionsMatcher
    });
    return { permission };
  };
  return {
@@ -365,6 +420,6 @@ export const permissionServiceFactory = ({
    getOrgPermissionByRole,
    getProjectPermissionByRole,
    buildOrgPermission,
-    buildProjectPermission
+    buildProjectPermissionRules
  };
 };
--- a/backend/src/ee/services/permission/permission-types.ts
+++ b/backend/src/ee/services/permission/permission-types.ts
@@ -1,9 +1,47 @@
-export type TBuildProjectPermissionDTO = {
+import picomatch from "picomatch";
-  permissions?: unknown;
+import { z } from "zod";
  role: string;
 }[];
-export type TBuildOrgPermissionDTO = {
+export enum PermissionConditionOperators {
-  permissions?: unknown;
+  $IN = "$in",
-  role: string;
+  $ALL = "$all",
-}[];
+  $REGEX = "$regex",
  $EQ = "$eq",
  $NEQ = "$ne",
  $GLOB = "$glob"
 }
 export const PermissionConditionSchema = {
  [PermissionConditionOperators.$IN]: z.string().min(1).array(),
  [PermissionConditionOperators.$ALL]: z.string().min(1).array(),
  [PermissionConditionOperators.$REGEX]: z
    .string()
    .min(1)
    .refine(
      (el) => {
        try {
          // eslint-disable-next-line no-new
          new RegExp(el);
          return true;
        } catch {
          return false;
        }
      },
      { message: "Invalid regex pattern" }
    ),
  [PermissionConditionOperators.$EQ]: z.string().min(1),
  [PermissionConditionOperators.$NEQ]: z.string().min(1),
  [PermissionConditionOperators.$GLOB]: z
    .string()
    .min(1)
    .refine(
      (el) => {
        try {
          picomatch.parse([el]);
          return true;
        } catch {
          return false;
        }
      },
      { message: "Invalid glob pattern" }
    )
 };
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -1,8 +1,12 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 import { TableName } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError } from "@app/lib/errors";
 import { PermissionConditionOperators, PermissionConditionSchema } from "./permission-types";
 export enum ProjectPermissionActions {
  Read = "read",
  Create = "create",
@@ -10,6 +14,15 @@ export enum ProjectPermissionActions {
  Delete = "delete"
 }
 export enum ProjectPermissionCmekActions {
  Read = "read",
  Create = "create",
  Edit = "edit",
  Delete = "delete",
  Encrypt = "encrypt",
  Decrypt = "decrypt"
 }
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@@ -34,10 +47,29 @@ export enum ProjectPermissionSub {
  CertificateTemplates = "certificate-templates",
  PkiAlerts = "pki-alerts",
  PkiCollections = "pki-collections",
-  Kms = "kms"
+  Kms = "kms",
  Cmek = "cmek"
 }
-type SubjectFields = {
+export type SecretSubjectFields = {
  environment: string;
  secretPath: string;
  // secretName: string;
  // secretTags: string[];
 };
 export const CaslSecretsV2SubjectKnexMapper = (field: string) => {
  switch (field) {
    case "secretName":
      return `${TableName.SecretV2}.key`;
    case "secretTags":
      return `${TableName.SecretTag}.slug`;
    default:
      break;
  }
 };
 export type SecretFolderSubjectFields = {
  environment: string;
  secretPath: string;
 };
@@ -45,11 +77,14 @@ type SubjectFields = {
 export type ProjectPermissionSet =
  | [
      ProjectPermissionActions,
-      ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SubjectFields)
+      ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SecretSubjectFields)
    ]
  | [
      ProjectPermissionActions,
-      ProjectPermissionSub.SecretFolders | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SubjectFields)
+      (
        | ProjectPermissionSub.SecretFolders
        | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SecretFolderSubjectFields)
      )
    ]
  | [ProjectPermissionActions, ProjectPermissionSub.Role]
  | [ProjectPermissionActions, ProjectPermissionSub.Tags]
@@ -70,134 +105,254 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
  | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
-export const fullProjectPermissionSet: [ProjectPermissionActions, ProjectPermissionSub][] = [
+const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Secrets],
+  z
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Secrets],
+    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets],
+    .transform((el) => (typeof el === "string" ? [el] : el));
  [ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets],
-  [ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval],
+const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  [ProjectPermissionActions.Create, ProjectPermissionSub.SecretApproval],
+  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
  [ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval],
  [ProjectPermissionActions.Delete, ProjectPermissionSub.SecretApproval],
-  [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation],
+const SecretConditionSchema = z
-  [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRotation],
+  .object({
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation],
+    environment: z.union([
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.SecretRotation],
+      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
        })
        .partial()
    ]),
    secretPath: z.union([
      z.string(),
      z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
        })
        .partial()
    ])
  })
  .partial();
-  [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback],
+export const ProjectPermissionSchema = z.discriminatedUnion("subject", [
-  [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Member],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Member],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Member],
+    ),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Member],
+    conditions: SecretConditionSchema.describe(
-
+      "When specified, only matching conditions will be allowed to access given resource."
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Groups],
+    ).optional()
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Groups],
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Groups],
+  z.object({
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Groups],
+    subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Role],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Role],
+    )
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Role],
+  }),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Role],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Integrations],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Integrations],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations],
+  }),
-
+  z.object({
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks],
+    subject: z.literal(ProjectPermissionSub.SecretRollback).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Webhooks],
+    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Read, ProjectPermissionActions.Create]).describe(
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Webhooks],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Webhooks],
+    )
-
+  }),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Identity],
+  z.object({
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Identity],
+    subject: z.literal(ProjectPermissionSub.Member).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Identity],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Identity],
+      "Describe what action an entity can take."
-
+    )
-  [ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens],
+  }),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.ServiceTokens],
+  z.object({
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.ServiceTokens],
+    subject: z.literal(ProjectPermissionSub.Groups).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.ServiceTokens],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Settings],
+    )
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Settings],
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Settings],
+  z.object({
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Settings],
+    subject: z.literal(ProjectPermissionSub.Role).describe("The entity this permission pertains to."),
-
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Environments],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Environments],
+    )
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Environments],
+  }),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Environments],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.Integrations).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Tags],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Tags],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Tags],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Tags],
+  }),
-
+  z.object({
-  // TODO(Daniel): Remove the audit logs permissions from project-level permissions.
+    subject: z.literal(ProjectPermissionSub.Webhooks).describe("The entity this permission pertains to."),
-  // TODO: We haven't done this yet because it might break existing roles, since those roles will become "invalid" since the audit log permission defined on those roles, no longer exist in the project-level defined permissions.
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Create, ProjectPermissionSub.AuditLogs],
+    )
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.AuditLogs],
+  }),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.AuditLogs],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.Identity).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.IpAllowList],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.IpAllowList],
+  }),
-
+  z.object({
-  // double check if all CRUD are needed for CA and Certificates
+    subject: z.literal(ProjectPermissionSub.ServiceTokens).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.CertificateAuthorities],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.CertificateAuthorities],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.CertificateAuthorities],
+  }),
-
+  z.object({
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Certificates],
+    subject: z.literal(ProjectPermissionSub.Settings).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Certificates],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Certificates],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates],
+    )
-
+  }),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.CertificateTemplates],
+  z.object({
-  [ProjectPermissionActions.Create, ProjectPermissionSub.CertificateTemplates],
+    subject: z.literal(ProjectPermissionSub.Environments).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.CertificateTemplates],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.CertificateTemplates],
+      "Describe what action an entity can take."
-
+    )
-  [ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts],
+  }),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.PkiAlerts],
+  z.object({
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.PkiAlerts],
+    subject: z.literal(ProjectPermissionSub.Tags).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.PkiAlerts],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections],
+    )
-  [ProjectPermissionActions.Create, ProjectPermissionSub.PkiCollections],
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.PkiCollections],
+  z.object({
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.PkiCollections],
+    subject: z.literal(ProjectPermissionSub.AuditLogs).describe("The entity this permission pertains to."),
-
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Project],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Project],
+    )
-
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms]
+  z.object({
-];
+    subject: z.literal(ProjectPermissionSub.IpAllowList).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.CertificateAuthorities).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Certificates).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to. "),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.PkiAlerts).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.PkiCollections).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Project).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete]).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Kms).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Edit]).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.SecretFolders).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Read]).describe(
      "Describe what action an entity can take."
    )
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
      "Describe what action an entity can take."
    )
  })
 ]);
 const buildAdminPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
  // Admins get full access to everything
-  fullProjectPermissionSet.forEach((permission) => {
+  [
-    const [action, subject] = permission;
+    ProjectPermissionSub.Secrets,
-    can(action, subject);
+    ProjectPermissionSub.SecretApproval,
    ProjectPermissionSub.SecretRotation,
    ProjectPermissionSub.Member,
    ProjectPermissionSub.Groups,
    ProjectPermissionSub.Role,
    ProjectPermissionSub.Integrations,
    ProjectPermissionSub.Webhooks,
    ProjectPermissionSub.Identity,
    ProjectPermissionSub.ServiceTokens,
    ProjectPermissionSub.Settings,
    ProjectPermissionSub.Environments,
    ProjectPermissionSub.Tags,
    ProjectPermissionSub.AuditLogs,
    ProjectPermissionSub.IpAllowList,
    ProjectPermissionSub.CertificateAuthorities,
    ProjectPermissionSub.Certificates,
    ProjectPermissionSub.CertificateTemplates,
    ProjectPermissionSub.PkiAlerts,
    ProjectPermissionSub.PkiCollections
  ].forEach((el) => {
    can(
      [
        ProjectPermissionActions.Read,
        ProjectPermissionActions.Edit,
        ProjectPermissionActions.Create,
        ProjectPermissionActions.Delete
      ],
      el as ProjectPermissionSub
    );
  });
  can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
  can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
  can(
    [
      ProjectPermissionCmekActions.Create,
      ProjectPermissionCmekActions.Edit,
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt
    ],
    ProjectPermissionSub.Cmek
  );
  return rules;
 };
@@ -206,73 +361,128 @@ export const projectAdminPermissions = buildAdminPermissionRules();
 const buildMemberPermissionRules = () => {
  const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Secrets
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretRotation);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.Member);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.Groups);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Integrations
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Webhooks);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Webhooks);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Webhooks);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Webhooks
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Identity);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Identity
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.ServiceTokens);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.ServiceTokens);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.ServiceTokens);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.ServiceTokens
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Settings);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Settings);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Settings
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Environments
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Tags);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Tags);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Tags);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Tags
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);
  // double check if all CRUD are needed for CA and Certificates
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateAuthorities);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Certificates);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates);
+      ProjectPermissionActions.Edit,
      ProjectPermissionActions.Create,
      ProjectPermissionActions.Delete
    ],
    ProjectPermissionSub.Certificates
  );
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateTemplates);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
  can(
    [
      ProjectPermissionCmekActions.Create,
      ProjectPermissionCmekActions.Edit,
      ProjectPermissionCmekActions.Delete,
      ProjectPermissionCmekActions.Read,
      ProjectPermissionCmekActions.Encrypt,
      ProjectPermissionCmekActions.Decrypt
    ],
    ProjectPermissionSub.Cmek
  );
  return rules;
 };
@@ -300,6 +510,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
  return rules;
 };
@@ -382,32 +593,19 @@ export const isAtLeastAsPrivilegedWorkspace = (
  return set1.size >= set2.size;
 };
 /* eslint-enable */
-/*
+export const SecretV2SubjectFieldMapper = (arg: string) => {
- * Case: The user requests to create a role with permissions that are not valid and not supposed to be used ever.
+  switch (arg) {
- * If we don't check for this, we can run into issues where functions like the `isAtLeastAsPrivileged` will not work as expected, because we compare the size of each permission set.
+    case "environment":
- * If the permission set contains invalid permissions, the size will be different, and result in incorrect results.
+      return null;
- */
+    case "secretPath":
-export const validateProjectPermissions = (permissions: unknown) => {
+      return null;
-  const parsedPermissions =
+    case "secretName":
-    typeof permissions === "string" ? (JSON.parse(permissions) as string[]) : (permissions as string[]);
+      return `${TableName.SecretV2}.key`;
-
+    case "secretTags":
-  const flattenedPermissions = [...parsedPermissions];
+      return `${TableName.SecretTag}.slug`;
-
+    default:
-  for (const perm of flattenedPermissions) {
+      throw new BadRequestError({ message: `Invalid dynamic knex operator field: ${arg}` });
    const [action, subject] = perm;
    if (
      !fullProjectPermissionSet.find(
        (currentPermission) => currentPermission[0] === action && currentPermission[1] === subject
      )
    ) {
      throw new BadRequestError({
        message: `Permission action ${action} on subject ${subject} is not valid`,
        name: "Create Role"
      });
    }
  }
 };
 /* eslint-enable */
--- a/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
+++ b/backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts
@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -42,7 +42,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    ...dto
  }: TCreateUserPrivilegeDTO) => {
    const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -94,14 +94,14 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    ...dto
  }: TUpdateUserPrivilegeDTO) => {
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });
    const projectMembership = await projectMembershipDAL.findOne({
      userId: userPrivilege.userId,
      projectId: userPrivilege.projectId
    });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -147,13 +147,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
  const deleteById = async ({ actorId, actor, actorOrgId, actorAuthMethod, privilegeId }: TDeleteUserPrivilegeDTO) => {
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });
    const projectMembership = await projectMembershipDAL.findOne({
      userId: userPrivilege.userId,
      projectId: userPrivilege.projectId
    });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -176,13 +176,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TGetUserPrivilegeDetailsDTO) => {
    const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
-    if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
+    if (!userPrivilege) throw new NotFoundError({ message: "User additional privilege not found" });
    const projectMembership = await projectMembershipDAL.findOne({
      userId: userPrivilege.userId,
      projectId: userPrivilege.projectId
    });
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -204,7 +204,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
    actorAuthMethod
  }: TListUserPrivilegesDTO) => {
    const projectMembership = await projectMembershipDAL.findById(projectMembershipId);
-    if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
+    if (!projectMembership) throw new NotFoundError({ message: "Project membership not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
--- a/backend/src/ee/services/saml-config/saml-config-service.ts
+++ b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 import {
  OrgMembershipRole,
  OrgMembershipStatus,
  SecretKeyEncoding,
  TableName,
@@ -19,12 +18,14 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TIdentityMetadataDALFactory } from "@app/services/identity/identity-metadata-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
@@ -51,6 +52,8 @@ type TSamlConfigServiceFactoryDep = {
    TOrgDALFactory,
    "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
  >;
  identityMetadataDAL: Pick<TIdentityMetadataDALFactory, "delete" | "insertMany" | "transaction">;
  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
@@ -71,7 +74,8 @@ export const samlConfigServiceFactory = ({
  permissionService,
  licenseService,
  tokenService,
-  smtpService
+  smtpService,
  identityMetadataDAL
 }: TSamlConfigServiceFactoryDep) => {
  const createSamlCfg = async ({
    cert,
@@ -187,7 +191,7 @@ export const samlConfigServiceFactory = ({
    const updateQuery: TSamlConfigsUpdate = { authProvider, isActive, lastUsed: null };
    const orgBot = await orgBotDAL.findOne({ orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@@ -253,7 +257,7 @@ export const samlConfigServiceFactory = ({
      ssoConfig = await samlConfigDAL.findById(id);
    }
-    if (!ssoConfig) throw new BadRequestError({ message: "Failed to find organization SSO data" });
+    if (!ssoConfig) throw new NotFoundError({ message: "Failed to find organization SSO data" });
    // when dto is type id means it's internally used
    if (dto.type === "org") {
@@ -279,7 +283,7 @@ export const samlConfigServiceFactory = ({
    } = ssoConfig;
    const orgBot = await orgBotDAL.findOne({ orgId: ssoConfig.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    if (!orgBot) throw new NotFoundError({ message: "Organization bot not found", name: "OrgBotNotFound" });
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
@@ -332,13 +336,14 @@ export const samlConfigServiceFactory = ({
    lastName,
    authProvider,
    orgId,
-    relayState
+    relayState,
    metadata
  }: TSamlLoginDTO) => {
    const appCfg = getConfig();
    const serverCfg = await getServerCfg();
    if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.SAML)) {
-      throw new BadRequestError({
+      throw new ForbiddenRequestError({
        message: "Login with SAML is disabled by administrator."
      });
    }
@@ -350,7 +355,7 @@ export const samlConfigServiceFactory = ({
    });
    const organization = await orgDAL.findOrgById(orgId);
-    if (!organization) throw new BadRequestError({ message: "Org not found" });
+    if (!organization) throw new NotFoundError({ message: "Organization not found" });
    let user: TUsers;
    if (userAlias) {
@@ -364,12 +369,15 @@ export const samlConfigServiceFactory = ({
          { tx }
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
          await orgMembershipDAL.create(
            {
              userId: userAlias.userId,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -386,6 +394,21 @@ export const samlConfigServiceFactory = ({
          );
        }
        if (metadata && foundUser.id) {
          await identityMetadataDAL.delete({ userId: foundUser.id, orgId }, tx);
          if (metadata.length) {
            await identityMetadataDAL.insertMany(
              metadata.map(({ key, value }) => ({
                userId: foundUser.id,
                orgId,
                key,
                value
              })),
              tx
            );
          }
        }
        return foundUser;
      });
    } else {
@@ -452,12 +475,15 @@ export const samlConfigServiceFactory = ({
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(organization.defaultMembershipRole);
          await orgMembershipDAL.create(
            {
              userId: newUser.id,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -474,6 +500,20 @@ export const samlConfigServiceFactory = ({
          );
        }
        if (metadata && newUser.id) {
          await identityMetadataDAL.delete({ userId: newUser.id, orgId }, tx);
          if (metadata.length) {
            await identityMetadataDAL.insertMany(
              metadata.map(({ key, value }) => ({
                userId: newUser?.id,
                orgId,
                key,
                value
              })),
              tx
            );
          }
        }
        return newUser;
      });
    }
--- a/backend/src/ee/services/saml-config/saml-config-types.ts
+++ b/backend/src/ee/services/saml-config/saml-config-types.ts
@@ -53,4 +53,5 @@ export type TSamlLoginDTO = {
  orgId: string;
  // saml thingy
  relayState?: string;
  metadata?: { key: string; value: string }[];
 };
--- a/backend/src/ee/services/scim/scim-service.ts
+++ b/backend/src/ee/services/scim/scim-service.ts
@@ -3,19 +3,21 @@ import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";
 import { scimPatch } from "scim-patch";
-import { OrgMembershipRole, OrgMembershipStatus, TableName, TOrgMemberships, TUsers } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TExternalGroupOrgRoleMappingDALFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-dal";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -70,7 +72,10 @@ type TScimServiceFactoryDep = {
    | "transaction"
    | "updateMembershipById"
  >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById" | "findById">;
+  orgMembershipDAL: Pick<
    TOrgMembershipDALFactory,
    "find" | "findOne" | "create" | "updateById" | "findById" | "update"
  >;
  projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
  groupDAL: Pick<
@@ -101,6 +106,7 @@ type TScimServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  smtpService: Pick<TSmtpService, "sendMail">;
  projectUserAdditionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
  externalGroupOrgRoleMappingDAL: TExternalGroupOrgRoleMappingDALFactory;
 };
 export type TScimServiceFactory = ReturnType<typeof scimServiceFactory>;
@@ -121,7 +127,8 @@ export const scimServiceFactory = ({
  projectBotDAL,
  permissionService,
  projectUserAdditionalPrivilegeDAL,
-  smtpService
+  smtpService,
  externalGroupOrgRoleMappingDAL
 }: TScimServiceFactoryDep) => {
  const createScimToken = async ({
    actor,
@@ -176,7 +183,7 @@ export const scimServiceFactory = ({
  const deleteScimToken = async ({ scimTokenId, actor, actorId, actorAuthMethod, actorOrgId }: TDeleteScimTokenDTO) => {
    let scimToken = await scimDAL.findById(scimTokenId);
-    if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });
+    if (!scimToken) throw new NotFoundError({ message: "Failed to find SCIM token to delete" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -318,12 +325,15 @@ export const scimServiceFactory = ({
        );
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(org.defaultMembershipRole);
          orgMembership = await orgMembershipDAL.create(
            {
              userId: userAlias.userId,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.NoAccess,
+              role,
              roleId,
              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -391,12 +401,15 @@ export const scimServiceFactory = ({
        orgMembership = foundOrgMembership;
        if (!orgMembership) {
          const { role, roleId } = await getDefaultOrgMembershipRole(org.defaultMembershipRole);
          orgMembership = await orgMembershipDAL.create(
            {
              userId: user.id,
              inviteEmail: email,
              orgId,
-              role: OrgMembershipRole.Member,
+              role,
              roleId,
              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
              isActive: true
            },
@@ -685,6 +698,43 @@ export const scimServiceFactory = ({
    });
  };
  const $syncNewMembersRoles = async (group: TGroups, members: TScimGroup["members"]) => {
    // this function handles configuring newly provisioned users org membership if an external group mapping exists
    if (!members.length) return;
    const externalGroupMapping = await externalGroupOrgRoleMappingDAL.findOne({
      orgId: group.orgId,
      groupName: group.name
    });
    // no mapping, user will have default org membership
    if (!externalGroupMapping) return;
    // only get org memberships that are new (invites)
    const newOrgMemberships = await orgMembershipDAL.find({
      status: "invited",
      $in: {
        id: members.map((member) => member.value)
      }
    });
    if (!newOrgMemberships.length) return;
    // set new membership roles to group mapping value
    await orgMembershipDAL.update(
      {
        $in: {
          id: newOrgMemberships.map((membership) => membership.id)
        }
      },
      {
        role: externalGroupMapping.role,
        roleId: externalGroupMapping.roleId
      }
    );
  };
  const createScimGroup = async ({ displayName, orgId, members }: TCreateScimGroupDTO) => {
    const plan = await licenseService.getPlan(orgId);
    if (!plan.groups)
@@ -738,6 +788,8 @@ export const scimServiceFactory = ({
          tx
        });
        await $syncNewMembersRoles(group, members);
        return { group, newMembers };
      }
@@ -813,8 +865,31 @@ export const scimServiceFactory = ({
    orgId: string,
    { displayName, members = [] }: { displayName: string; members: { value: string }[] }
  ) => {
    let group = await groupDAL.findOne({
      id: groupId,
      orgId
    });
    if (!group) {
      throw new ScimRequestError({
        detail: "Group Not Found",
        status: 404
      });
    }
    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      const [group] = await groupDAL.update(
+      if (group.name !== displayName) {
        await externalGroupOrgRoleMappingDAL.update(
          {
            groupName: group.name,
            orgId
          },
          {
            groupName: displayName
          }
        );
        const [modifiedGroup] = await groupDAL.update(
          {
            id: groupId,
            orgId
@@ -824,11 +899,7 @@ export const scimServiceFactory = ({
          }
        );
-      if (!group) {
+        group = modifiedGroup;
        throw new ScimRequestError({
          detail: "Group Not Found",
          status: 404
        });
      }
      const orgMemberships = members.length
@@ -885,6 +956,8 @@ export const scimServiceFactory = ({
      return group;
    });
    await $syncNewMembersRoles(group, members);
    return updatedGroup;
  };
--- a/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
+++ b/backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts
@@ -95,7 +95,7 @@ export const secretApprovalPolicyServiceFactory = ({
    }
    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });
    const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
      const doc = await secretApprovalPolicyDAL.create(
@@ -178,7 +178,7 @@ export const secretApprovalPolicyServiceFactory = ({
      .filter(Boolean) as string[];
    const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
-    if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!secretApprovalPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -271,7 +271,7 @@ export const secretApprovalPolicyServiceFactory = ({
    actorOrgId
  }: TDeleteSapDTO) => {
    const sapPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
-    if (!sapPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
+    if (!sapPolicy) throw new NotFoundError({ message: "Secret approval policy not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
@@ -320,7 +320,7 @@ export const secretApprovalPolicyServiceFactory = ({
  const getSecretApprovalPolicy = async (projectId: string, environment: string, path: string) => {
    const secretPath = removeTrailingSlash(path);
    const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
+    if (!env) throw new NotFoundError({ message: "Environment not found" });
    const policies = await secretApprovalPolicyDAL.find({ envId: env.id });
    if (!policies.length) return;
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts
@@ -8,7 +8,7 @@ import {
  TSecretApprovalRequestsSecrets,
  TSecretTags
 } from "@app/db/schemas";
-import { BadRequestError, DatabaseError } from "@app/lib/errors";
+import { DatabaseError, NotFoundError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 export type TSecretApprovalRequestSecretDALFactory = ReturnType<typeof secretApprovalRequestSecretDALFactory>;
@@ -31,7 +31,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
      );
      if (existingApprovalSecrets.length !== data.length) {
-        throw new BadRequestError({ message: "Some of the secret approvals do not exist" });
+        throw new NotFoundError({ message: "Some of the secret approvals do not exist" });
      }
      if (data.length === 0) return [];
--- a/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
+++ b/backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts
@@ -10,7 +10,7 @@ import {
 } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -204,7 +204,7 @@ export const secretApprovalRequestServiceFactory = ({
    if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(id);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    const { projectId } = secretApprovalRequest;
    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
@@ -222,7 +222,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
    let secrets;
@@ -271,7 +271,7 @@ export const secretApprovalRequestServiceFactory = ({
          : undefined
      }));
    } else {
-      if (!botKey) throw new BadRequestError({ message: "Bot key not found" });
+      if (!botKey) throw new NotFoundError({ message: "Project bot key not found" });
      const encrypedSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
      secrets = encrypedSecrets.map((el) => ({
        ...el,
@@ -307,7 +307,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorOrgId
  }: TReviewRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
    const plan = await licenseService.getPlan(actorOrgId);
@@ -331,7 +331,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
    const reviewStatus = await secretApprovalRequestReviewerDAL.transaction(async (tx) => {
      const review = await secretApprovalRequestReviewerDAL.findOne(
@@ -365,7 +365,7 @@ export const secretApprovalRequestServiceFactory = ({
    actorAuthMethod
  }: TStatusChangeDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
    const plan = await licenseService.getPlan(actorOrgId);
@@ -389,7 +389,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
    if (secretApprovalRequest.hasMerged) throw new BadRequestError({ message: "Approval request has been merged" });
@@ -414,7 +414,7 @@ export const secretApprovalRequestServiceFactory = ({
    bypassReason
  }: TMergeSecretApprovalRequestDTO) => {
    const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
-    if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
+    if (!secretApprovalRequest) throw new NotFoundError({ message: "Secret approval request not found" });
    if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
    const plan = await licenseService.getPlan(actorOrgId);
@@ -439,7 +439,7 @@ export const secretApprovalRequestServiceFactory = ({
      secretApprovalRequest.committerUserId !== actorId &&
      !policy.approvers.find(({ userId }) => userId === actorId)
    ) {
-      throw new UnauthorizedError({ message: "User has no access" });
+      throw new ForbiddenRequestError({ message: "User has insufficient privileges" });
    }
    const reviewers = secretApprovalRequest.reviewers.reduce<Record<string, ApprovalStatus>>(
      (prev, curr) => ({ ...prev, [curr.userId.toString()]: curr.status as ApprovalStatus }),
@@ -462,7 +462,7 @@ export const secretApprovalRequestServiceFactory = ({
      const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestIdBridgeSecretV2(
        secretApprovalRequest.id
      );
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+      if (!secretApprovalSecrets) throw new NotFoundError({ message: "No secrets found" });
      const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
        type: KmsDataKey.SecretManager,
@@ -602,7 +602,7 @@ export const secretApprovalRequestServiceFactory = ({
      });
    } else {
      const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
-      if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
+      if (!secretApprovalSecrets) throw new NotFoundError({ message: "No secrets found" });
      const conflicts: Array<{ secretId: string; op: SecretOperations }> = [];
      let secretCreationCommits = secretApprovalSecrets.filter(({ op }) => op === SecretOperations.Create);
@@ -612,8 +612,8 @@ export const secretApprovalRequestServiceFactory = ({
          secretDAL,
          inputSecrets: secretCreationCommits.map(({ secretBlindIndex }) => {
            if (!secretBlindIndex) {
-              throw new BadRequestError({
+              throw new NotFoundError({
-                message: "Missing secret blind index"
+                message: "Secret blind index not found"
              });
            }
            return { secretBlindIndex };
@@ -639,8 +639,8 @@ export const secretApprovalRequestServiceFactory = ({
            .filter(({ secretBlindIndex, secret }) => secret && secret.secretBlindIndex !== secretBlindIndex)
            .map(({ secretBlindIndex }) => {
              if (!secretBlindIndex) {
-                throw new BadRequestError({
+                throw new NotFoundError({
-                  message: "Missing secret blind index"
+                  message: "Secret blind index not found"
                });
              }
              return { secretBlindIndex };
@@ -762,8 +762,8 @@ export const secretApprovalRequestServiceFactory = ({
              secretQueueService,
              inputSecrets: secretDeletionCommits.map(({ secretBlindIndex }) => {
                if (!secretBlindIndex) {
-                  throw new BadRequestError({
+                  throw new NotFoundError({
-                    message: "Missing secret blind index"
+                    message: "Secret blind index not found"
                  });
                }
                return { secretBlindIndex, type: SecretType.Shared };
@@ -789,7 +789,7 @@ export const secretApprovalRequestServiceFactory = ({
    await snapshotService.performSnapshot(folderId);
    const [folder] = await folderDAL.findSecretPathByFolderIds(projectId, [folderId]);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    await secretQueueService.syncSecrets({
      projectId,
      secretPath: folder.path,
@@ -860,14 +860,14 @@ export const secretApprovalRequestServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Folder not found for the given environment slug & secret path",
        name: "GenSecretApproval"
      });
    const folderId = folder.id;
    const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
-    if (!blindIndexCfg) throw new BadRequestError({ message: "Blind index not found", name: "Update secret" });
+    if (!blindIndexCfg) throw new NotFoundError({ message: "Blind index not found", name: "Update secret" });
    const commits: Omit<TSecretApprovalRequestsSecretsInsert, "requestId">[] = [];
    const commitTagIds: Record<string, string[]> = {};
@@ -961,7 +961,7 @@ export const secretApprovalRequestServiceFactory = ({
        secretDAL
      });
      const secretsGroupedByBlindIndex = groupBy(secrets, (i) => {
-        if (!i.secretBlindIndex) throw new BadRequestError({ message: "Missing secret blind index" });
+        if (!i.secretBlindIndex) throw new NotFoundError({ message: "Secret blind index not found" });
        return i.secretBlindIndex;
      });
      const deletedSecretIds = deletedSecrets.map(
@@ -972,7 +972,7 @@ export const secretApprovalRequestServiceFactory = ({
        ...deletedSecrets.map((el) => {
          const secretId = secretsGroupedByBlindIndex[keyName2BlindIndex[el.secretName]][0].id;
          if (!latestSecretVersions[secretId].secretBlindIndex)
-            throw new BadRequestError({ message: "Failed to find secret blind index" });
+            throw new NotFoundError({ message: "Secret blind index not found" });
          return {
            op: SecretOperations.Delete as const,
            ...latestSecretVersions[secretId],
@@ -988,7 +988,7 @@ export const secretApprovalRequestServiceFactory = ({
    const tagIds = unique(Object.values(commitTagIds).flat());
    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });
    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
      const doc = await secretApprovalRequestDAL.create(
@@ -1054,7 +1054,7 @@ export const secretApprovalRequestServiceFactory = ({
      const commitsGroupByBlindIndex = groupBy(approvalCommits, (i) => {
        if (!i.secretBlindIndex) {
-          throw new BadRequestError({ message: "Missing secret blind index" });
+          throw new NotFoundError({ message: "Secret blind index not found" });
        }
        return i.secretBlindIndex;
      });
@@ -1132,7 +1132,7 @@ export const secretApprovalRequestServiceFactory = ({
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
    if (!folder)
-      throw new BadRequestError({
+      throw new NotFoundError({
        message: "Folder not found for the given environment slug & secret path",
        name: "GenSecretApproval"
      });
@@ -1191,8 +1191,8 @@ export const secretApprovalRequestServiceFactory = ({
        }))
      );
      if (secretsToUpdateStoredInDB.length !== secretsToUpdate.length)
-        throw new BadRequestError({
+        throw new NotFoundError({
-          message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+          message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
        });
      // now find any secret that needs to update its name
@@ -1207,8 +1207,8 @@ export const secretApprovalRequestServiceFactory = ({
          }))
        );
        if (secrets.length)
-          throw new BadRequestError({
+          throw new NotFoundError({
-            message: `Secret not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
+            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
          });
      }
@@ -1267,8 +1267,8 @@ export const secretApprovalRequestServiceFactory = ({
        }))
      );
      if (secretsToDeleteInDB.length !== deletedSecrets.length)
-        throw new BadRequestError({
+        throw new NotFoundError({
-          message: `Secret not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
+          message: `Secret does not exist: ${secretsToDeleteInDB.map((el) => el.key).join(",")}`
        });
      const secretsGroupedByKey = groupBy(secretsToDeleteInDB, (i) => i.key);
      const deletedSecretIds = deletedSecrets.map((el) => secretsGroupedByKey[el.secretKey][0].id);
@@ -1291,7 +1291,7 @@ export const secretApprovalRequestServiceFactory = ({
    const tagIds = unique(Object.values(commitTagIds).flat());
    const tags = tagIds.length ? await secretTagDAL.findManyTagsById(projectId, tagIds) : [];
-    if (tagIds.length !== tags.length) throw new BadRequestError({ message: "Tag not found" });
+    if (tagIds.length !== tags.length) throw new NotFoundError({ message: "Tag not found" });
    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
      const doc = await secretApprovalRequestDAL.create(
--- a/backend/src/ee/services/secret-replication/secret-replication-service.ts
+++ b/backend/src/ee/services/secret-replication/secret-replication-service.ts
@@ -4,7 +4,7 @@ import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approv
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -295,7 +295,7 @@ export const secretReplicationServiceFactory = ({
            const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
              destinationSecretImport.folderId
            ]);
-            if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
+            if (!destinationFolder) throw new NotFoundError({ message: "Imported folder not found" });
            let destinationReplicationFolder = await folderDAL.findOne({
              parentId: destinationFolder.id,
@@ -506,7 +506,7 @@ export const secretReplicationServiceFactory = ({
      return;
    }
-    if (!botKey) throw new BadRequestError({ message: "Bot not found" });
+    if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
    // these are the secrets to be added in replicated folders
    const sourceLocalSecrets = await secretDAL.find({ folderId: folder.id, type: SecretType.Shared });
    const sourceSecretImports = await secretImportDAL.find({ folderId: folder.id });
@@ -545,7 +545,7 @@ export const secretReplicationServiceFactory = ({
          const [destinationFolder] = await folderDAL.findSecretPathByFolderIds(projectId, [
            destinationSecretImport.folderId
          ]);
-          if (!destinationFolder) throw new BadRequestError({ message: "Imported folder not found" });
+          if (!destinationFolder) throw new NotFoundError({ message: "Imported folder not found" });
          let destinationReplicationFolder = await folderDAL.findOne({
            parentId: destinationFolder.id,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@@ -13,7 +13,7 @@ import {
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
-import { BadRequestError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@@ -332,7 +332,7 @@ export const secretRotationQueueFactory = ({
          );
        });
      } else {
-        if (!botKey) throw new BadRequestError({ message: "Bot not found" });
+        if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
        const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
          secretId,
          value: encryptSymmetric128BitHexKeyUTF8(
@@ -372,7 +372,7 @@ export const secretRotationQueueFactory = ({
          );
          await secretVersionDAL.insertMany(
            updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => {
-              if (!el.secretBlindIndex) throw new BadRequestError({ message: "Missing blind index" });
+              if (!el.secretBlindIndex) throw new NotFoundError({ message: "Secret blind index not found" });
              return {
                ...el,
                secretId: id,
--- a/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-service.ts
@@ -3,7 +3,7 @@ import Ajv from "ajv";
 import { ProjectVersion } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -94,7 +94,7 @@ export const secretRotationServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) throw new BadRequestError({ message: "Secret path not found" });
+    if (!folder) throw new NotFoundError({ message: "Secret path not found" });
    ForbiddenError.from(permission).throwUnlessCan(
      ProjectPermissionActions.Edit,
      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@@ -108,14 +108,14 @@ export const secretRotationServiceFactory = ({
        $in: { id: Object.values(outputs) }
      });
      if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
+        throw new NotFoundError({ message: "Secrets not found" });
    } else {
      const selectedSecrets = await secretDAL.find({
        folderId: folder.id,
        $in: { id: Object.values(outputs) }
      });
      if (selectedSecrets.length !== Object.values(outputs).length)
-        throw new BadRequestError({ message: "Secrets not found" });
+        throw new NotFoundError({ message: "Secrets not found" });
    }
    const plan = await licenseService.getPlan(project.orgId);
@@ -125,7 +125,7 @@ export const secretRotationServiceFactory = ({
      });
    const selectedTemplate = rotationTemplates.find(({ name }) => name === provider);
-    if (!selectedTemplate) throw new BadRequestError({ message: "Provider not found" });
+    if (!selectedTemplate) throw new NotFoundError({ message: "Provider not found" });
    const formattedInputs: Record<string, unknown> = {};
    Object.entries(inputs).forEach(([key, value]) => {
      const { type } = selectedTemplate.template.inputs.properties[key];
@@ -198,7 +198,7 @@ export const secretRotationServiceFactory = ({
      return docs;
    }
-    if (!botKey) throw new BadRequestError({ message: "bot not found" });
+    if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
    const docs = await secretRotationDAL.find({ projectId });
    return docs.map((el) => ({
      ...el,
@@ -220,7 +220,7 @@ export const secretRotationServiceFactory = ({
  const restartById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TRestartDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
-    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
+    if (!doc) throw new NotFoundError({ message: "Rotation not found" });
    const project = await projectDAL.findById(doc.projectId);
    const plan = await licenseService.getPlan(project.orgId);
@@ -244,7 +244,7 @@ export const secretRotationServiceFactory = ({
  const deleteById = async ({ actor, actorId, actorOrgId, actorAuthMethod, rotationId }: TDeleteDTO) => {
    const doc = await secretRotationDAL.findById(rotationId);
-    if (!doc) throw new BadRequestError({ message: "Rotation not found" });
+    if (!doc) throw new NotFoundError({ message: "Rotation not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
--- a/backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts
@@ -1,6 +1,6 @@
 import { ProbotOctokit } from "probot";
-import { OrgMembershipRole } from "@app/db/schemas";
+import { OrgMembershipRole, TableName } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
@@ -61,7 +61,7 @@ export const secretScanningQueueFactory = ({
  const getOrgAdminEmails = async (organizationId: string) => {
    // get emails of admins
    const adminsOfWork = await orgMemberDAL.findMembership({
-      orgId: organizationId,
+      [`${TableName.Organization}.id` as string]: organizationId,
      role: OrgMembershipRole.Admin
    });
    return adminsOfWork.filter((userObject) => userObject.email).map((userObject) => userObject.email as string);
--- a/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
+++ b/backend/src/ee/services/secret-scanning/secret-scanning-service.ts
@@ -7,7 +7,7 @@ import { ProbotOctokit } from "probot";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { NotFoundError } from "@app/lib/errors";
 import { TGitAppDALFactory } from "./git-app-dal";
 import { TGitAppInstallSessionDALFactory } from "./git-app-install-session-dal";
@@ -63,7 +63,7 @@ export const secretScanningServiceFactory = ({
    actorOrgId
  }: TLinkInstallSessionDTO) => {
    const session = await gitAppInstallSessionDAL.findOne({ sessionId });
-    if (!session) throw new UnauthorizedError({ message: "Session not found" });
+    if (!session) throw new NotFoundError({ message: "Session was not found" });
    const { permission } = await permissionService.getOrgPermission(
      actor,
@@ -90,7 +90,7 @@ export const secretScanningServiceFactory = ({
    const {
      data: { repositories }
    } = await octokit.apps.listReposAccessibleToInstallation();
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
+    if (appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(actorOrgId)) {
      await Promise.all(
        repositories.map(({ id, full_name }) =>
          secretScanningQueue.startFullRepoScan({
@@ -164,7 +164,7 @@ export const secretScanningServiceFactory = ({
    });
    if (!installationLink) return;
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
+    if (appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(installationLink.orgId)) {
      await secretScanningQueue.startPushEventScan({
        commits,
        pusher: { name: pusher.name, email: pusher.email },
--- a/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
+++ b/backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts
@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -99,7 +99,7 @@ export const secretSnapshotServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    return snapshotDAL.countOfSnapshotsByFolderId(folder.id);
  };
@@ -131,7 +131,7 @@ export const secretSnapshotServiceFactory = ({
    );
    const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not found" });
+    if (!folder) throw new NotFoundError({ message: "Folder not found" });
    const snapshots = await snapshotDAL.find({ folderId: folder.id }, { limit, offset, sort: [["createdAt", "desc"]] });
    return snapshots;
@@ -139,7 +139,7 @@ export const secretSnapshotServiceFactory = ({
  const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
    const snapshot = await snapshotDAL.findById(id);
-    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
+    if (!snapshot) throw new NotFoundError({ message: "Snapshot not found" });
    const { permission } = await permissionService.getProjectPermission(
      actor,
      actorId,
@@ -173,7 +173,7 @@ export const secretSnapshotServiceFactory = ({
    } else {
      const encryptedSnapshotDetails = await snapshotDAL.findSecretSnapshotDataById(id);
      const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
-      if (!botKey) throw new BadRequestError({ message: "bot not found" });
+      if (!botKey) throw new NotFoundError({ message: "Project bot not found" });
      snapshotDetails = {
        ...encryptedSnapshotDetails,
        secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => ({
@@ -225,7 +225,7 @@ export const secretSnapshotServiceFactory = ({
    try {
      if (!licenseService.isValidLicense) throw new InternalServerError({ message: "Invalid license" });
      const folder = await folderDAL.findById(folderId);
-      if (!folder) throw new BadRequestError({ message: "Folder not found" });
+      if (!folder) throw new NotFoundError({ message: "Folder not found" });
      const shouldUseSecretV2Bridge = folder.projectVersion === 3;
      if (shouldUseSecretV2Bridge) {
@@ -240,7 +240,8 @@ export const secretSnapshotServiceFactory = ({
            },
            tx
          );
-          const snapshotSecrets = await snapshotSecretV2BridgeDAL.insertMany(
+
          const snapshotSecrets = await snapshotSecretV2BridgeDAL.batchInsert(
            secretVersions.map(({ id }) => ({
              secretVersionId: id,
              envId: folder.environment.envId,
@@ -248,7 +249,8 @@ export const secretSnapshotServiceFactory = ({
            })),
            tx
          );
-          const snapshotFolders = await snapshotFolderDAL.insertMany(
+
          const snapshotFolders = await snapshotFolderDAL.batchInsert(
            folderVersions.map(({ id }) => ({
              folderVersionId: id,
              envId: folder.environment.envId,
@@ -309,7 +311,7 @@ export const secretSnapshotServiceFactory = ({
    actorOrgId
  }: TRollbackSnapshotDTO) => {
    const snapshot = await snapshotDAL.findById(snapshotId);
-    if (!snapshot) throw new BadRequestError({ message: "Snapshot not found" });
+    if (!snapshot) throw new NotFoundError({ message: "Snapshot not found" });
    const shouldUseBridge = snapshot.projectVersion === 3;
    const { permission } = await permissionService.getProjectPermission(
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -16,6 +16,9 @@ export const KeyStorePrefixes = {
  WaitUntilReadyKmsOrgKeyCreation: "wait-until-ready-kms-org-key-creation-",
  WaitUntilReadyKmsOrgDataKeyCreation: "wait-until-ready-kms-org-data-key-creation-",
  WaitUntilReadyProjectEnvironmentOperation: (projectId: string) =>
    `wait-until-ready-project-environments-operation-${projectId}`,
  ProjectEnvironmentLock: (projectId: string) => `project-environment-lock-${projectId}` as const,
  SyncSecretIntegrationLock: (projectId: string, environmentSlug: string, secretPath: string) =>
    `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
  SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -360,7 +360,11 @@ export const ORGANIZATIONS = {
    organizationId: "The ID of the organization to update the membership for.",
    membershipId: "The ID of the membership to update.",
    role: "The new role of the membership.",
-    isActive: "The active status of the membership"
+    isActive: "The active status of the membership",
    metadata: {
      key: "The key for user metadata tag.",
      value: "The value for user metadata tag."
    }
  },
  DELETE_USER_MEMBERSHIP: {
    organizationId: "The ID of the organization to delete the membership from.",
@@ -529,7 +533,8 @@ export const ENVIRONMENTS = {
  CREATE: {
    workspaceId: "The ID of the project to create the environment in.",
    name: "The name of the environment to create.",
-    slug: "The slug of the environment to create."
+    slug: "The slug of the environment to create.",
    position: "The position of the environment. The lowest number will be displayed as the first environment."
  },
  UPDATE: {
    workspaceId: "The ID of the project to update the environment in.",
@@ -671,6 +676,9 @@ export const SECRET_IMPORTS = {
    environment: "The slug of the environment to list secret imports from.",
    path: "The path to list secret imports from."
  },
  GET: {
    secretImportId: "The ID of the secret import to fetch."
  },
  CREATE: {
    environment: "The slug of the environment to import into.",
    path: "The path to import into.",
@@ -1343,3 +1351,37 @@ export const PROJECT_ROLE = {
    projectSlug: "The slug of the project to list the roles of."
  }
 };
 export const KMS = {
  CREATE_KEY: {
    projectId: "The ID of the project to create the key in.",
    name: "The name of the key to be created. Must be slug-friendly.",
    description: "An optional description of the key.",
    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
  },
  UPDATE_KEY: {
    keyId: "The ID of the key to be updated.",
    name: "The updated name of this key. Must be slug-friendly.",
    description: "The updated description of this key.",
    isDisabled: "The flag to enable or disable this key."
  },
  DELETE_KEY: {
    keyId: "The ID of the key to be deleted."
  },
  LIST_KEYS: {
    projectId: "The ID of the project to list keys from.",
    offset: "The offset to start from. If you enter 10, it will start from the 10th key.",
    limit: "The number of keys to return.",
    orderBy: "The column to order keys by.",
    orderDirection: "The direction to order keys in.",
    search: "The text string to filter key names by."
  },
  ENCRYPT: {
    keyId: "The ID of the key to encrypt the data with.",
    plaintext: "The plaintext to be encrypted (base64 encoded)."
  },
  DECRYPT: {
    keyId: "The ID of the key to decrypt the data with.",
    ciphertext: "The ciphertext to be decrypted (base64 encoded)."
  }
 };
--- a/backend/src/lib/base64/index.ts
+++ b/backend/src/lib/base64/index.ts
@@ -0,0 +1,28 @@
 // Credit: https://github.com/miguelmota/is-base64
 export const isBase64 = (
  v: string,
  opts = { allowEmpty: false, mimeRequired: false, allowMime: true, paddingRequired: false }
 ) => {
  if (opts.allowEmpty === false && v === "") {
    return false;
  }
  let regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+/]{3}=)?";
  const mimeRegex = "(data:\\w+\\/[a-zA-Z\\+\\-\\.]+;base64,)";
  if (opts.mimeRequired === true) {
    regex = mimeRegex + regex;
  } else if (opts.allowMime === true) {
    regex = `${mimeRegex}?${regex}`;
  }
  if (opts.paddingRequired === false) {
    regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}(==)?|[A-Za-z0-9+\\/]{3}=?)?";
  }
  return new RegExp(`^${regex}$`, "gi").test(v);
 };
 export const getBase64SizeInBytes = (base64String: string) => {
  return Buffer.from(base64String, "base64").length;
 };
--- a/backend/src/lib/casl/index.ts
+++ b/backend/src/lib/casl/index.ts
@@ -23,8 +23,19 @@ export const conditionsMatcher = buildMongoQueryMatcher({ $glob }, { glob });
 /**
 * Extracts and formats permissions from a CASL Ability object or a raw permission set.
 */
-const extractPermissions = (ability: MongoAbility) =>
+const extractPermissions = (ability: MongoAbility) => {
-  ability.rules.map((permission) => `${permission.action as string}_${permission.subject as string}`);
+  const permissions: string[] = [];
  ability.rules.forEach((permission) => {
    if (typeof permission.action === "string") {
      permissions.push(`${permission.action}_${permission.subject as string}`);
    } else {
      permission.action.forEach((permissionAction) => {
        permissions.push(`${permissionAction}_${permission.subject as string}`);
      });
    }
  });
  return permissions;
 };
 /**
 * Compares two sets of permissions to determine if the first set is at least as privileged as the second set.
--- a/backend/src/lib/casl/knex.ts
+++ b/backend/src/lib/casl/knex.ts
@@ -0,0 +1,111 @@
 import { AnyAbility, ExtractSubjectType } from "@casl/ability";
 import { AbilityQuery, rulesToQuery } from "@casl/ability/extra";
 import { Tables } from "knex/types/tables";
 import { BadRequestError, UnauthorizedError } from "../errors";
 import { TKnexDynamicOperator } from "../knex/dynamic";
 type TBuildKnexQueryFromCaslDTO<K extends AnyAbility> = {
  ability: K;
  subject: ExtractSubjectType<Parameters<K["rulesFor"]>[1]>;
  action: Parameters<K["rulesFor"]>[0];
 };
 export const buildKnexQueryFromCaslOperators = <K extends AnyAbility>({
  ability,
  subject,
  action
 }: TBuildKnexQueryFromCaslDTO<K>) => {
  const query = rulesToQuery(ability, action, subject, (rule) => {
    if (!rule.ast) throw new Error("Ast not defined");
    return rule.ast;
  });
  if (query === null) throw new UnauthorizedError({ message: `You don't have permission to do ${action} ${subject}` });
  return query;
 };
 type TFieldMapper<T extends keyof Tables> = {
  [K in T]: `${K}.${Exclude<keyof Tables[K]["base"], symbol>}`;
 }[T];
 type TFormatCaslFieldsWithTableNames<T extends keyof Tables> = {
  // handle if any missing operator else throw error let the app break because this is executing again the db
  missingOperatorCallback?: (operator: string) => void;
  fieldMapping: (arg: string) => TFieldMapper<T> | null;
  dynamicQuery: TKnexDynamicOperator;
 };
 export const formatCaslOperatorFieldsWithTableNames = <T extends keyof Tables>({
  missingOperatorCallback = (arg) => {
    throw new BadRequestError({ message: `Unknown permission operator: ${arg}` });
  },
  dynamicQuery: dynamicQueryAst,
  fieldMapping
 }: TFormatCaslFieldsWithTableNames<T>) => {
  const stack: [TKnexDynamicOperator, TKnexDynamicOperator | null][] = [[dynamicQueryAst, null]];
  while (stack.length) {
    const [filterAst, parentAst] = stack.pop()!;
    if (filterAst.operator === "and" || filterAst.operator === "or" || filterAst.operator === "not") {
      filterAst.value.forEach((el) => {
        stack.push([el, filterAst]);
      });
      // eslint-disable-next-line no-continue
      continue;
    }
    if (
      filterAst.operator === "eq" ||
      filterAst.operator === "ne" ||
      filterAst.operator === "in" ||
      filterAst.operator === "endsWith" ||
      filterAst.operator === "startsWith"
    ) {
      const attrPath = fieldMapping(filterAst.field);
      if (attrPath) {
        filterAst.field = attrPath;
      } else if (parentAst && Array.isArray(parentAst.value)) {
        parentAst.value = parentAst.value.filter((childAst) => childAst !== filterAst) as string[];
      } else throw new Error("Unknown casl field");
      // eslint-disable-next-line no-continue
      continue;
    }
    if (parentAst && Array.isArray(parentAst.value)) {
      parentAst.value = parentAst.value.filter((childAst) => childAst !== filterAst) as string[];
    } else {
      missingOperatorCallback?.(filterAst.operator);
    }
  }
  return dynamicQueryAst;
 };
 export const convertCaslOperatorToKnexOperator = <T extends keyof Tables>(
  caslKnexOperators: AbilityQuery,
  fieldMapping: (arg: string) => TFieldMapper<T> | null
 ) => {
  const value = [];
  if (caslKnexOperators.$and) {
    value.push({
      operator: "not" as const,
      value: caslKnexOperators.$and as TKnexDynamicOperator[]
    });
  }
  if (caslKnexOperators.$or) {
    value.push({
      operator: "or" as const,
      value: caslKnexOperators.$or as TKnexDynamicOperator[]
    });
  }
  return formatCaslOperatorFieldsWithTableNames({
    dynamicQuery: {
      operator: "and",
      value
    },
    fieldMapping
  });
 };
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -34,6 +34,12 @@ const envSchema = z
    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
    ),
    AUDIT_LOGS_DB_CONNECTION_URI: zpStr(
      z.string().describe("Postgres database connection string for Audit logs").optional()
    ),
    AUDIT_LOGS_DB_ROOT_CERT: zpStr(
      z.string().describe("Postgres database base64-encoded CA cert for Audit logs").optional()
    ),
    MAX_LEASE_LIMIT: z.coerce.number().default(10000),
    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
@@ -111,9 +117,16 @@ const envSchema = z
    // gcp secret manager
    CLIENT_ID_GCP_SECRET_MANAGER: zpStr(z.string().optional()),
    CLIENT_SECRET_GCP_SECRET_MANAGER: zpStr(z.string().optional()),
-    // github
+    // github oauth
    CLIENT_ID_GITHUB: zpStr(z.string().optional()),
    CLIENT_SECRET_GITHUB: zpStr(z.string().optional()),
    // github app
    CLIENT_ID_GITHUB_APP: zpStr(z.string().optional()),
    CLIENT_SECRET_GITHUB_APP: zpStr(z.string().optional()),
    CLIENT_PRIVATE_KEY_GITHUB_APP: zpStr(z.string().optional()),
    CLIENT_APP_ID_GITHUB_APP: z.coerce.number().optional(),
    CLIENT_SLUG_GITHUB_APP: zpStr(z.string().optional()),
    // azure
    CLIENT_ID_AZURE: zpStr(z.string().optional()),
    CLIENT_SECRET_AZURE: zpStr(z.string().optional()),
@@ -129,6 +142,7 @@ const envSchema = z
    SECRET_SCANNING_WEBHOOK_SECRET: zpStr(z.string().optional()),
    SECRET_SCANNING_GIT_APP_ID: zpStr(z.string().optional()),
    SECRET_SCANNING_PRIVATE_KEY: zpStr(z.string().optional()),
    SECRET_SCANNING_ORG_WHITELIST: zpStr(z.string().optional()),
    // LICENSE
    LICENSE_SERVER_URL: zpStr(z.string().optional().default("https://portal.infisical.com")),
    LICENSE_SERVER_KEY: zpStr(z.string().optional()),
@@ -164,7 +178,8 @@ const envSchema = z
      Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
      Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
      Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
-    samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG
+    samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
    SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
  }));
 let envCfg: Readonly<z.infer<typeof envSchema>>;
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@@ -23,6 +23,18 @@ export class InternalServerError extends Error {
  }
 }
 export class GatewayTimeoutError extends Error {
  name: string;
  error: unknown;
  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
    super(message || "Timeout error");
    this.name = name || "GatewayTimeoutError";
    this.error = error;
  }
 }
 export class UnauthorizedError extends Error {
  name: string;
@@ -40,9 +52,9 @@ export class ForbiddenRequestError extends Error {
  error: unknown;
-  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown } = {}) {
    super(message ?? "You are not allowed to access this resource");
-    this.name = name || "ForbideenError";
+    this.name = name || "ForbiddenError";
    this.error = error;
  }
 }
@@ -59,6 +71,13 @@ export class BadRequestError extends Error {
  }
 }
 export class RateLimitError extends Error {
  constructor({ message }: { message?: string }) {
    super(message || "Rate limit exceeded");
    this.name = "RateLimitExceeded";
  }
 }
 export class NotFoundError extends Error {
  name: string;
--- a/Show More
+++ b/Show More
`@@ -1 +1,2 @@`
	`DB_CONNECTION_URI=`	`DB_CONNECTION_URI=`
		`AUDIT_LOGS_DB_CONNECTION_URI=`
`@@ -1,2 +1,2 @@`
	`export type { TDbClient } from "./instance";`	`export type { TDbClient } from "./instance";`
	`export { initDbConnection } from "./instance";`	`export { initAuditLogDbConnection, initDbConnection } from "./instance";`