update health check

Merge pull request #2340 from Infisical/misc/added-timeout-for-hijacked-est-connection
misc: added timeout for est connection
2025-04-06 11:36:53 +00:00 · 2024-08-27 20:03:36 -04:00 · 2024-08-27 23:31:07 +08:00 · 2024-08-27 23:26:56 +08:00 · 2024-08-27 13:42:58 +08:00 · 2024-08-26 16:34:27 -04:00
1562 changed files with 94192 additions and 30923 deletions
--- a/.env.example
+++ b/.env.example
@ -63,3 +63,12 @@ CLIENT_SECRET_GITHUB_LOGIN=

 CLIENT_ID_GITLAB_LOGIN=
 CLIENT_SECRET_GITLAB_LOGIN=
+
+CAPTCHA_SECRET=
+
+NEXT_PUBLIC_CAPTCHA_SITE_KEY=
+
+PLAIN_API_KEY=
+PLAIN_WISH_LABEL_IDS=
+
+SSL_CLIENT_CERTIFICATE_HEADER_KEY=
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -0,0 +1,104 @@
+name: Build Binaries and Deploy
+
+on:
+    workflow_dispatch:
+        inputs:
+            version:
+                description: "Version number"
+                required: true
+                type: string
+
+defaults:
+    run:
+        working-directory: ./backend
+
+jobs:
+    build-and-deploy:
+        strategy:
+            matrix:
+                arch: [x64, arm64]
+                os: [linux, win]
+                include:
+                    - os: linux
+                      target: node20-linux
+                    - os: win
+                      target: node20-win
+        runs-on: ${{ (matrix.arch == 'arm64' && matrix.os == 'linux') && 'ubuntu24-arm64' || 'ubuntu-latest' }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v3
+
+            - name: Set up Node.js
+              uses: actions/setup-node@v3
+              with:
+                  node-version: 20
+
+            - name: Install pkg
+              run: npm install -g @yao-pkg/pkg
+
+            - name: Install dependencies (backend)
+              run: npm install
+
+            - name: Install dependencies (frontend)
+              run: npm install --prefix ../frontend
+
+            - name: Prerequisites for pkg
+              run: npm run binary:build
+
+            - name: Package into node binary
+              run: |
+                  if [ "${{ matrix.os }}" != "linux" ]; then
+                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }} .
+                  else
+                    pkg --no-bytecode --public-packages "*" --public --target ${{ matrix.target }}-${{ matrix.arch }} --output ./binary/infisical-core .
+                  fi
+
+            # Set up .deb package structure (Debian/Ubuntu only)
+            - name: Set up .deb package structure
+              if: matrix.os == 'linux'
+              run: |
+                  mkdir -p infisical-core/DEBIAN
+                  mkdir -p infisical-core/usr/local/bin
+                  cp ./binary/infisical-core infisical-core/usr/local/bin/
+                  chmod +x infisical-core/usr/local/bin/infisical-core
+
+            - name: Create control file
+              if: matrix.os == 'linux'
+              run: |
+                  cat <<EOF > infisical-core/DEBIAN/control
+                  Package: infisical-core
+                  Version: ${{ github.event.inputs.version }}
+                  Section: base
+                  Priority: optional
+                  Architecture: ${{ matrix.arch == 'x64' && 'amd64' || matrix.arch }}
+                  Maintainer: Infisical <daniel@infisical.com>
+                  Description: Infisical Core standalone executable (app.infisical.com)
+                  EOF
+
+            # Build .deb file (Debian/Ubunutu only)
+            - name: Build .deb package
+              if: matrix.os == 'linux'
+              run: |
+                  dpkg-deb --build infisical-core
+                  mv infisical-core.deb ./binary/infisical-core-${{matrix.arch}}.deb
+
+            - uses: actions/setup-python@v4
+              with:
+                  python-version: "3.x" # Specify the Python version you need
+            - name: Install Python dependencies
+              run: |
+                  python -m pip install --upgrade pip
+                  pip install --upgrade cloudsmith-cli
+
+            # Publish .deb file to Cloudsmith (Debian/Ubuntu only)
+            - name: Publish to Cloudsmith (Debian/Ubuntu)
+              if: matrix.os == 'linux'
+              working-directory: ./backend
+              run: cloudsmith push deb --republish --no-wait-for-sync --api-key=${{ secrets.CLOUDSMITH_API_KEY }} infisical/infisical-core/any-distro/any-version ./binary/infisical-core-${{ matrix.arch }}.deb
+
+            # Publish .exe file to Cloudsmith (Windows only)
+            - name: Publish to Cloudsmith (Windows)
+              if: matrix.os == 'win'
+              working-directory: ./backend
+              run: cloudsmith push raw infisical/infisical-core ./binary/infisical-core-${{ matrix.os }}-${{ matrix.arch }}.exe --republish --no-wait-for-sync --version ${{ github.event.inputs.version }} --api-key ${{ secrets.CLOUDSMITH_API_KEY }}
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -50,6 +50,13 @@ jobs:
    environment:
      name: Gamma
    steps:
+      - uses: twingate/github-action@v1
+        with:
+          # The Twingate Service Key used to connect Twingate to the proper service
+          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+          #
+          # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Node.js environment
@ -74,21 +81,21 @@ jobs:
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-gamma-stage
+          cluster: infisical-gamma-stage
          wait-for-service-stability: true

  production-postgres-deployment:
@ -98,6 +105,13 @@ jobs:
    environment:
      name: Production
    steps:
+      - uses: twingate/github-action@v1
+        with:
+        # The Twingate Service Key used to connect Twingate to the proper service
+        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+        #
+        # Required
+          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup Node.js environment
@ -122,19 +136,19 @@ jobs:
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
          wait-for-service-stability: true
--- a/.github/workflows/check-api-for-breaking-changes.yml
+++ b/.github/workflows/check-api-for-breaking-changes.yml
@ -22,24 +22,25 @@ jobs:
      # uncomment this when testing locally using nektos/act
      - uses: KengoTODA/actions-setup-docker-compose@v1
        if: ${{ env.ACT }}
-        name: Install `docker-compose` for local simulations
+        name: Install `docker compose` for local simulations
        with:
          version: "2.14.2"
      - name: 📦Build the latest image
        run: docker build --tag infisical-api .
        working-directory: backend
      - name: Start postgres and redis
-        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
      - name: Start the server
        run: |
            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
+            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
        env:
          REDIS_URL: redis://172.17.0.1:6379
          DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
          JWT_AUTH_SECRET: something-random
+          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21.5'
@ -71,6 +72,6 @@ jobs:
        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
      - name: cleanup
        run: |
-          docker-compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down
          docker stop infisical-api
-          docker remove infisical-api
+          docker remove infisical-api
--- a/.github/workflows/check-migration-file-edited.yml
+++ b/.github/workflows/check-migration-file-edited.yml
@ -0,0 +1,25 @@
+name: Check migration file edited
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - 'backend/src/db/migrations/**'
+
+jobs:
+  rename:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check any migration files are modified, renamed or duplicated.
+        run: |
+          git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^M\|^R\|^C' || true | cut -f2 | xargs -r -n1 basename > edited_files.txt
+          if [ -s edited_files.txt ]; then
+            echo "Exiting migration files cannot be modified."
+            cat edited_files.txt
+            exit 1
+          fi
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@ -22,6 +22,9 @@ jobs:
            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

    goreleaser:
        runs-on: ubuntu-20.04
@ -56,7 +59,7 @@ jobs:
            - uses: goreleaser/goreleaser-action@v4
              with:
                  distribution: goreleaser-pro
-                  version: latest
+                  version: v1.26.2-pro
                  args: release --clean
              env:
                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
--- a/.github/workflows/run-backend-tests.yml
+++ b/.github/workflows/run-backend-tests.yml
@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v3
      - uses: KengoTODA/actions-setup-docker-compose@v1
        if: ${{ env.ACT }}
-        name: Install `docker-compose` for local simulations
+        name: Install `docker compose` for local simulations
        with:
          version: "2.14.2"
      - name: 🔧 Setup Node 20
@ -33,7 +33,7 @@ jobs:
        run: npm install
        working-directory: backend
      - name: Start postgres and redis
-        run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
+        run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
      - name: Start integration test
        run: npm run test:e2e
        working-directory: backend
@ -44,4 +44,4 @@ jobs:
          ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
      - name: cleanup
        run: |
-          docker-compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down
--- a/.github/workflows/run-cli-tests.yml
+++ b/.github/workflows/run-cli-tests.yml
@ -20,7 +20,12 @@ on:
                required: true
            CLI_TESTS_ENV_SLUG:
                required: true
-
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
 jobs:
    test:
        defaults:
@ -43,5 +48,8 @@ jobs:
                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

              run: go test -v -count=1 ./test
--- a/.github/workflows/update-be-new-migration-latest-timestamp.yml
+++ b/.github/workflows/update-be-new-migration-latest-timestamp.yml
@ -1,59 +0,0 @@
-name: Rename Migrations
-
-on:
-  pull_request:
-    types: [closed]
-    paths:
-      - 'backend/src/db/migrations/**'
-
-jobs:
-  rename:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.merged == true
-
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Get list of newly added files in migration folder
-        run: |
-          git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^A' | cut -f2 | xargs -n1 basename > added_files.txt
-          if [ ! -s added_files.txt ]; then
-            echo "No new files added. Skipping"
-            echo "SKIP_RENAME=true" >> $GITHUB_ENV
-          fi
-
-      - name: Script to rename migrations
-        if: env.SKIP_RENAME != 'true'
-        run: python .github/resources/rename_migration_files.py
-
-      - name: Commit and push changes
-        if: env.SKIP_RENAME != 'true'
-        run: |
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-          git add ./backend/src/db/migrations
-          rm added_files.txt
-          git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
-
-      - name: Get PR details
-        id: pr_details
-        run: |
-          PR_NUMBER=${{ github.event.pull_request.number }}
-          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
-          
-          echo "PR Number: $PR_NUMBER"
-          echo "PR Merger: $PR_MERGER"
-          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
-
-      - name: Create Pull Request
-        if: env.SKIP_RENAME != 'true'
-        uses: peter-evans/create-pull-request@v6
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
-          title: 'GH Action: rename new migration file timestamp'
-          branch-suffix: timestamp
-          reviewers: ${{ steps.pr_details.outputs.pr_merger }}
--- a/.gitignore
+++ b/.gitignore
@ -69,3 +69,4 @@ frontend-build
 *.tgz
 cli/infisical-merge
 cli/test/infisical-merge
+/backend/binary
--- a/.infisicalignore
+++ b/.infisicalignore
@ -5,3 +5,4 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/M
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
+docs/mint.json:generic-api-key:651
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -1,7 +1,7 @@
 ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
-ARG SAML_ORG_SLUG=saml-org-slug-default
+ARG CAPTCHA_SITE_KEY=captcha-site-key

 FROM  node:20-alpine AS base

@ -36,8 +36,8 @@ ARG INTERCOM_ID
 ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 ARG INFISICAL_PLATFORM_VERSION
 ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
-ARG SAML_ORG_SLUG
-ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG 
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 

 # Build
 RUN npm run build
@ -55,6 +55,7 @@ VOLUME /app/.next/cache/images
 COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public
 RUN chown non-root-user:nodejs ./public/data
+
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static

@ -93,9 +94,18 @@ RUN mkdir frontend-build

 # Production stage
 FROM base AS production
+RUN apk add --upgrade --no-cache ca-certificates
 RUN addgroup --system --gid 1001 nodejs \
  && adduser --system --uid 1001 non-root-user

+# Give non-root-user permission to update SSL certs
+RUN chown -R non-root-user /etc/ssl/certs
+RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
+RUN chmod -R u+rwx /etc/ssl/certs
+RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
+RUN chown non-root-user /usr/sbin/update-ca-certificates
+RUN chmod u+rx /usr/sbin/update-ca-certificates
+
 ## set pre baked keys
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
@ -103,9 +113,9 @@ ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
 ARG INTERCOM_ID=intercom-id
 ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
-ARG SAML_ORG_SLUG
-ENV NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG \
-  BAKED_NEXT_PUBLIC_SAML_ORG_SLUG=$SAML_ORG_SLUG
+ARG CAPTCHA_SITE_KEY
+ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
+  BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

 WORKDIR / 

--- a/13
+++ b/13
@ -15,3 +15,16 @@ up-prod:

 down:
 	docker compose -f docker-compose.dev.yml down
+
+reviewable-ui:
+	cd frontend && \
+	npm run lint:fix && \
+	npm run type:check
+
+reviewable-api:
+	cd backend && \
+	npm run lint:fix && \
+	npm run type:check
+
+reviewable: reviewable-ui reviewable-api
+
--- a/README.md
+++ b/README.md
@ -48,25 +48,26 @@

 ## Introduction

-**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their secrets like API keys, database credentials, and configurations.
+**[Infisical](https://infisical.com)** is the open source secret management platform that teams use to centralize their application configuration and secrets like API keys and database credentials as well as manage their internal PKI.

-We're on a mission to make secret management more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.
+We're on a mission to make security tooling more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.

 ## Features

- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.). 
- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand. 
- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD. 
- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical. 
- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more. 
+- **[User-friendly dashboard](https://infisical.com/docs/documentation/platform/project)** to manage secrets across projects and environments (e.g. development, production, etc.).
+- **[Client SDKs](https://infisical.com/docs/sdks/overview)** to fetch secrets for your apps and infrastructure on demand.
+- **[Infisical CLI](https://infisical.com/docs/cli/overview)** to fetch and inject secrets into any framework in local development and CI/CD.
+- **[Infisical API](https://infisical.com/docs/api-reference/overview/introduction)** to perform CRUD operation on secrets, users, projects, and any other resource in Infisical.
+- **[Native integrations](https://infisical.com/docs/integrations/overview)** with platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Infisical Kubernetes operator](https://infisical.com/docs/documentation/getting-started/kubernetes)** to managed secrets in k8s, automatically reload deployments, and more.
- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic. 
+- **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)** to inject secrets into your applications without modifying any code logic.
 - **[Self-hosting and on-prem](https://infisical.com/docs/self-hosting/overview)** to get complete control over your data.
- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state. 
- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project. 
- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities. 
+- **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)** to version every secret and project state.
+- **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project.
+- **[Role-based Access Controls](https://infisical.com/docs/documentation/platform/role-based-access-controls)** to create permission sets on any resource in Infisica and assign those to user or machine identities.
 - **[Simple on-premise deployments](https://infisical.com/docs/self-hosting/overview)** to AWS, Digital Ocean, and more.
- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git. 
+- **[Internal PKI](https://infisical.com/docs/documentation/platform/pki/private-ca)** to create Private CA hierarchies and start issuing and managing X.509 digital certificates.
+- **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)** to prevent secrets from leaking to git.

 And much more.

@ -74,9 +75,9 @@ And much more.

 Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/introduction)

-| Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). |  <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+| Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                          |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |

 ### Run Infisical locally

@ -85,13 +86,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
 Linux/macOS:

 ```console
-git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker compose -f docker-compose.prod.yml up
 ```

 Windows Command Prompt:

 ```console
-git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.prod.yml up
+git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up
 ```

 Create an account at `http://localhost:80`
--- a/backend/babel.config.json
+++ b/backend/babel.config.json
@ -0,0 +1,4 @@
+{
+  "presets": ["@babel/preset-env", "@babel/preset-react"],
+  "plugins": ["@babel/plugin-syntax-import-attributes", "babel-plugin-transform-import-meta"]
+}
--- a/backend/e2e-test/mocks/keystore.ts
+++ b/backend/e2e-test/mocks/keystore.ts
@ -1,4 +1,5 @@
 import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { Lock } from "@app/lib/red-lock";

 export const mockKeyStore = (): TKeyStoreFactory => {
  const store: Record<string, string | number | Buffer> = {};
@ -25,6 +26,12 @@ export const mockKeyStore = (): TKeyStoreFactory => {
    },
    incrementBy: async () => {
      return 1;
-    }
+    },
+    acquireLock: () => {
+      return Promise.resolve({
+        release: () => {}
+      }) as Promise<Lock>;
+    },
+    waitTillReady: async () => {}
  };
 };
--- a/backend/e2e-test/routes/v3/secrets-v2.spec.ts
+++ b/backend/e2e-test/routes/v3/secrets-v2.spec.ts
@ -0,0 +1,576 @@
+import { SecretType } from "@app/db/schemas";
+import { seedData1 } from "@app/db/seed-data";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+type TRawSecret = {
+  secretKey: string;
+  secretValue: string;
+  secretComment?: string;
+  version: number;
+};
+const createSecret = async (dto: { path: string; key: string; value: string; comment: string; type?: SecretType }) => {
+  const createSecretReqBody = {
+    workspaceId: seedData1.projectV3.id,
+    environment: seedData1.environment.slug,
+    type: dto.type || SecretType.Shared,
+    secretPath: dto.path,
+    secretKey: dto.key,
+    secretValue: dto.value,
+    secretComment: dto.comment
+  };
+  const createSecRes = await testServer.inject({
+    method: "POST",
+    url: `/api/v3/secrets/raw/${dto.key}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: createSecretReqBody
+  });
+  expect(createSecRes.statusCode).toBe(200);
+  const createdSecretPayload = JSON.parse(createSecRes.payload);
+  expect(createdSecretPayload).toHaveProperty("secret");
+  return createdSecretPayload.secret as TRawSecret;
+};
+
+const deleteSecret = async (dto: { path: string; key: string }) => {
+  const deleteSecRes = await testServer.inject({
+    method: "DELETE",
+    url: `/api/v3/secrets/raw/${dto.key}`,
+    headers: {
+      authorization: `Bearer ${jwtAuthToken}`
+    },
+    body: {
+      workspaceId: seedData1.projectV3.id,
+      environment: seedData1.environment.slug,
+      secretPath: dto.path
+    }
+  });
+  expect(deleteSecRes.statusCode).toBe(200);
+  const updatedSecretPayload = JSON.parse(deleteSecRes.payload);
+  expect(updatedSecretPayload).toHaveProperty("secret");
+  return updatedSecretPayload.secret as TRawSecret;
+};
+
+describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }])(
+  "Secret V2 Architecture - $auth mode",
+  async ({ auth }) => {
+    let folderId = "";
+    let authToken = "";
+    const secretTestCases = [
+      {
+        path: "/",
+        secret: {
+          key: "SEC1",
+          value: "something-secret",
+          comment: "some comment"
+        }
+      },
+      {
+        path: "/nested1/nested2/folder",
+        secret: {
+          key: "NESTED-SEC1",
+          value: "something-secret",
+          comment: "some comment"
+        }
+      },
+      {
+        path: "/",
+        secret: {
+          key: "secret-key-2",
+          value: `-----BEGIN PRIVATE KEY-----
+        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCa6eeFk+cMVqFn
+        hoVQDYgn2Ptp5Azysr2UPq6P73pCL9BzUtOXKZROqDyGehzzfg3wE2KdYU1Jk5Uq
+        fP0ZOWDIlM2SaVCSI3FW32o5+ZiggjpqcVdLFc/PS0S/ZdSmpPd8h11iO2brtIAI
+        ugTW8fcKlGSNUwx9aFmE7A6JnTRliTxB1l6QaC+YAwTK39VgeVH2gDSWC407aS15
+        QobAkaBKKmFkzB5D7i2ZJwt+uXJV/rbLmyDmtnw0lubciGn7NX9wbYef180fisqT
+        aPNAz0nPKk0fFH2Wd5MZixNGbrrpDA+FCYvI5doThZyT2hpj08qWP07oXXCAqw46
+        IEupNSILAgMBAAECggEBAIJb5KzeaiZS3B3O8G4OBQ5rJB3WfyLYUHnoSWLsBbie
+        nc392/ovThLmtZAAQE6SO85Tsb93+t64Z2TKqv1H8G658UeMgfWIB78v4CcLJ2mi
+        TN/3opqXrzjkQOTDHzBgT7al/mpETHZ6fOdbCemK0fVALGFUioUZg4M8VXtuI4Jw
+        q28jAyoRKrCrzda4BeQ553NZ4G5RvwhX3O2I8B8upTbt5hLcisBKy8MPLYY5LUFj
+        YKAP+raf6QLliP6KYHuVxUlgzxjLTxVG41etcyqqZF+foyiKBO3PU3n8oh++tgQP
+        ExOxiR0JSkBG5b+oOBD0zxcvo3/SjBHn0dJOZCSU2SkCgYEAyCe676XnNyBZMRD7
+        6trsaoiCWBpA6M8H44+x3w4cQFtqV38RyLy60D+iMKjIaLqeBbnay61VMzo24Bz3
+        EuF2n4+9k/MetLJ0NCw8HmN5k0WSMD2BFsJWG8glVbzaqzehP4tIclwDTYc1jQVt
+        IoV2/iL7HGT+x2daUwbU5kN5hK0CgYEAxiLB+fmjxJW7VY4SHDLqPdpIW0q/kv4K
+        d/yZBrCX799vjmFb9vLh7PkQUfJhMJ/ttJOd7EtT3xh4mfkBeLfHwVU0d/ahbmSH
+        UJu/E9ZGxAW3PP0kxHZtPrLKQwBnfq8AxBauIhR3rPSorQTIOKtwz1jMlHFSUpuL
+        3KeK2YfDYJcCgYEAkQnJOlNcAuRb/WQzSHIvktssqK8NjiZHryy3Vc0hx7j2jES2
+        HGI2dSVHYD9OSiXA0KFm3OTTsnViwm/60iGzFdjRJV6tR39xGUVcoyCuPnvRfUd0
+        PYvBXgxgkYpyYlPDcwp5CvWGJy3tLi1acgOIwIuUr3S38sL//t4adGk8q1kCgYB8
+        Jbs1Tl53BvrimKpwUNbE+sjrquJu0A7vL68SqgQJoQ7dP9PH4Ff/i+/V6PFM7mib
+        BQOm02wyFbs7fvKVGVJoqWK+6CIucX732x7W5yRgHtS5ukQXdbzt1Ek3wkEW98Cb
+        HTruz7RNAt/NyXlLSODeit1lBbx3Vk9EaxZtRsv88QKBgGn7JwXgez9NOyobsNIo
+        QVO80rpUeenSjuFi+R0VmbLKe/wgAQbYJ0xTAsQ0btqViMzB27D6mJyC+KUIwWNX
+        MN8a+m46v4kqvZkKL2c4gmDibyURNe/vCtCHFuanJS/1mo2tr4XDyEeiuK52eTd9
+        omQDpP86RX/hIIQ+JyLSaWYa
+        -----END PRIVATE KEY-----`,
+          comment:
+            "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation"
+        }
+      },
+      {
+        path: "/nested1/nested2/folder",
+        secret: {
+          key: "secret-key-3",
+          value: `-----BEGIN PRIVATE KEY-----
+        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCa6eeFk+cMVqFn
+        hoVQDYgn2Ptp5Azysr2UPq6P73pCL9BzUtOXKZROqDyGehzzfg3wE2KdYU1Jk5Uq
+        fP0ZOWDIlM2SaVCSI3FW32o5+ZiggjpqcVdLFc/PS0S/ZdSmpPd8h11iO2brtIAI
+        ugTW8fcKlGSNUwx9aFmE7A6JnTRliTxB1l6QaC+YAwTK39VgeVH2gDSWC407aS15
+        QobAkaBKKmFkzB5D7i2ZJwt+uXJV/rbLmyDmtnw0lubciGn7NX9wbYef180fisqT
+        aPNAz0nPKk0fFH2Wd5MZixNGbrrpDA+FCYvI5doThZyT2hpj08qWP07oXXCAqw46
+        IEupNSILAgMBAAECggEBAIJb5KzeaiZS3B3O8G4OBQ5rJB3WfyLYUHnoSWLsBbie
+        nc392/ovThLmtZAAQE6SO85Tsb93+t64Z2TKqv1H8G658UeMgfWIB78v4CcLJ2mi
+        TN/3opqXrzjkQOTDHzBgT7al/mpETHZ6fOdbCemK0fVALGFUioUZg4M8VXtuI4Jw
+        q28jAyoRKrCrzda4BeQ553NZ4G5RvwhX3O2I8B8upTbt5hLcisBKy8MPLYY5LUFj
+        YKAP+raf6QLliP6KYHuVxUlgzxjLTxVG41etcyqqZF+foyiKBO3PU3n8oh++tgQP
+        ExOxiR0JSkBG5b+oOBD0zxcvo3/SjBHn0dJOZCSU2SkCgYEAyCe676XnNyBZMRD7
+        6trsaoiCWBpA6M8H44+x3w4cQFtqV38RyLy60D+iMKjIaLqeBbnay61VMzo24Bz3
+        EuF2n4+9k/MetLJ0NCw8HmN5k0WSMD2BFsJWG8glVbzaqzehP4tIclwDTYc1jQVt
+        IoV2/iL7HGT+x2daUwbU5kN5hK0CgYEAxiLB+fmjxJW7VY4SHDLqPdpIW0q/kv4K
+        d/yZBrCX799vjmFb9vLh7PkQUfJhMJ/ttJOd7EtT3xh4mfkBeLfHwVU0d/ahbmSH
+        UJu/E9ZGxAW3PP0kxHZtPrLKQwBnfq8AxBauIhR3rPSorQTIOKtwz1jMlHFSUpuL
+        3KeK2YfDYJcCgYEAkQnJOlNcAuRb/WQzSHIvktssqK8NjiZHryy3Vc0hx7j2jES2
+        HGI2dSVHYD9OSiXA0KFm3OTTsnViwm/60iGzFdjRJV6tR39xGUVcoyCuPnvRfUd0
+        PYvBXgxgkYpyYlPDcwp5CvWGJy3tLi1acgOIwIuUr3S38sL//t4adGk8q1kCgYB8
+        Jbs1Tl53BvrimKpwUNbE+sjrquJu0A7vL68SqgQJoQ7dP9PH4Ff/i+/V6PFM7mib
+        BQOm02wyFbs7fvKVGVJoqWK+6CIucX732x7W5yRgHtS5ukQXdbzt1Ek3wkEW98Cb
+        HTruz7RNAt/NyXlLSODeit1lBbx3Vk9EaxZtRsv88QKBgGn7JwXgez9NOyobsNIo
+        QVO80rpUeenSjuFi+R0VmbLKe/wgAQbYJ0xTAsQ0btqViMzB27D6mJyC+KUIwWNX
+        MN8a+m46v4kqvZkKL2c4gmDibyURNe/vCtCHFuanJS/1mo2tr4XDyEeiuK52eTd9
+        omQDpP86RX/hIIQ+JyLSaWYa
+        -----END PRIVATE KEY-----`,
+          comment:
+            "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation"
+        }
+      },
+      {
+        path: "/nested1/nested2/folder",
+        secret: {
+          key: "secret-key-3",
+          value:
+            "TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdC4gU2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXhlcmNpdGF0aW9uCg==",
+          comment: ""
+        }
+      }
+    ];
+
+    beforeAll(async () => {
+      if (auth === AuthMode.JWT) {
+        authToken = jwtAuthToken;
+      } else if (auth === AuthMode.IDENTITY_ACCESS_TOKEN) {
+        const identityLogin = await testServer.inject({
+          method: "POST",
+          url: "/api/v1/auth/universal-auth/login",
+          body: {
+            clientSecret: seedData1.machineIdentity.clientCredentials.secret,
+            clientId: seedData1.machineIdentity.clientCredentials.id
+          }
+        });
+        expect(identityLogin.statusCode).toBe(200);
+        authToken = identityLogin.json().accessToken;
+      }
+      // create a deep folder
+      const folderCreate = await testServer.inject({
+        method: "POST",
+        url: `/api/v1/folders`,
+        headers: {
+          authorization: `Bearer ${jwtAuthToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          name: "folder",
+          path: "/nested1/nested2"
+        }
+      });
+      expect(folderCreate.statusCode).toBe(200);
+      folderId = folderCreate.json().folder.id;
+    });
+
+    afterAll(async () => {
+      const deleteFolder = await testServer.inject({
+        method: "DELETE",
+        url: `/api/v1/folders/${folderId}`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          path: "/nested1/nested2"
+        }
+      });
+      expect(deleteFolder.statusCode).toBe(200);
+    });
+
+    const getSecrets = async (environment: string, secretPath = "/") => {
+      const res = await testServer.inject({
+        method: "GET",
+        url: `/api/v3/secrets/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        query: {
+          secretPath,
+          environment,
+          workspaceId: seedData1.projectV3.id
+        }
+      });
+      const secrets: TRawSecret[] = JSON.parse(res.payload).secrets || [];
+      return secrets;
+    };
+
+    test.each(secretTestCases)("Create secret in path $path", async ({ secret, path }) => {
+      const createdSecret = await createSecret({ path, ...secret });
+      expect(createdSecret.secretKey).toEqual(secret.key);
+      expect(createdSecret.secretValue).toEqual(secret.value);
+      expect(createdSecret.secretComment || "").toEqual(secret.comment);
+      expect(createdSecret.version).toEqual(1);
+
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            secretKey: secret.key,
+            secretValue: secret.value,
+            type: SecretType.Shared
+          })
+        ])
+      );
+      await deleteSecret({ path, key: secret.key });
+    });
+
+    test.each(secretTestCases)("Get secret by name in path $path", async ({ secret, path }) => {
+      await createSecret({ path, ...secret });
+
+      const getSecByNameRes = await testServer.inject({
+        method: "GET",
+        url: `/api/v3/secrets/raw/${secret.key}`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        query: {
+          secretPath: path,
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug
+        }
+      });
+      expect(getSecByNameRes.statusCode).toBe(200);
+      const getSecretByNamePayload = JSON.parse(getSecByNameRes.payload);
+      expect(getSecretByNamePayload).toHaveProperty("secret");
+      const decryptedSecret = getSecretByNamePayload.secret as TRawSecret;
+      expect(decryptedSecret.secretKey).toEqual(secret.key);
+      expect(decryptedSecret.secretValue).toEqual(secret.value);
+      expect(decryptedSecret.secretComment || "").toEqual(secret.comment);
+
+      await deleteSecret({ path, key: secret.key });
+    });
+
+    if (auth === AuthMode.JWT) {
+      test.each(secretTestCases)(
+        "Creating personal secret without shared throw error in path $path",
+        async ({ secret }) => {
+          const createSecretReqBody = {
+            workspaceId: seedData1.projectV3.id,
+            environment: seedData1.environment.slug,
+            type: SecretType.Personal,
+            secretKey: secret.key,
+            secretValue: secret.value,
+            secretComment: secret.comment
+          };
+          const createSecRes = await testServer.inject({
+            method: "POST",
+            url: `/api/v3/secrets/raw/SEC2`,
+            headers: {
+              authorization: `Bearer ${authToken}`
+            },
+            body: createSecretReqBody
+          });
+          const payload = JSON.parse(createSecRes.payload);
+          expect(createSecRes.statusCode).toBe(400);
+          expect(payload.error).toEqual("BadRequest");
+        }
+      );
+
+      test.each(secretTestCases)("Creating personal secret in path $path", async ({ secret, path }) => {
+        await createSecret({ path, ...secret });
+
+        const createSecretReqBody = {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          type: SecretType.Personal,
+          secretPath: path,
+          secretKey: secret.key,
+          secretValue: "personal-value",
+          secretComment: secret.comment
+        };
+        const createSecRes = await testServer.inject({
+          method: "POST",
+          url: `/api/v3/secrets/raw/${secret.key}`,
+          headers: {
+            authorization: `Bearer ${authToken}`
+          },
+          body: createSecretReqBody
+        });
+        expect(createSecRes.statusCode).toBe(200);
+
+        // list secrets should contain personal one and shared one
+        const secrets = await getSecrets(seedData1.environment.slug, path);
+        expect(secrets).toEqual(
+          expect.arrayContaining([
+            expect.objectContaining({
+              secretKey: secret.key,
+              secretValue: secret.value,
+              type: SecretType.Shared
+            }),
+            expect.objectContaining({
+              secretKey: secret.key,
+              secretValue: "personal-value",
+              type: SecretType.Personal
+            })
+          ])
+        );
+
+        await deleteSecret({ path, key: secret.key });
+      });
+
+      test.each(secretTestCases)(
+        "Deleting personal one should not delete shared secret in path $path",
+        async ({ secret, path }) => {
+          await createSecret({ path, ...secret }); // shared one
+          await createSecret({ path, ...secret, type: SecretType.Personal });
+
+          // shared secret deletion should delete personal ones also
+          const secrets = await getSecrets(seedData1.environment.slug, path);
+          expect(secrets).toEqual(
+            expect.arrayContaining([
+              expect.objectContaining({
+                secretKey: secret.key,
+                type: SecretType.Shared
+              }),
+              expect.not.objectContaining({
+                secretKey: secret.key,
+                type: SecretType.Personal
+              })
+            ])
+          );
+          await deleteSecret({ path, key: secret.key });
+        }
+      );
+    }
+
+    test.each(secretTestCases)("Update secret in path $path", async ({ path, secret }) => {
+      await createSecret({ path, ...secret });
+      const updateSecretReqBody = {
+        workspaceId: seedData1.projectV3.id,
+        environment: seedData1.environment.slug,
+        type: SecretType.Shared,
+        secretPath: path,
+        secretKey: secret.key,
+        secretValue: "new-value",
+        secretComment: secret.comment
+      };
+      const updateSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/raw/${secret.key}`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: updateSecretReqBody
+      });
+      expect(updateSecRes.statusCode).toBe(200);
+      const updatedSecretPayload = JSON.parse(updateSecRes.payload);
+      expect(updatedSecretPayload).toHaveProperty("secret");
+      const decryptedSecret = updatedSecretPayload.secret;
+      expect(decryptedSecret.secretKey).toEqual(secret.key);
+      expect(decryptedSecret.secretValue).toEqual("new-value");
+      expect(decryptedSecret.secretComment || "").toEqual(secret.comment);
+
+      // list secret should have updated value
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            secretKey: secret.key,
+            secretValue: "new-value",
+            type: SecretType.Shared
+          })
+        ])
+      );
+
+      await deleteSecret({ path, key: secret.key });
+    });
+
+    test.each(secretTestCases)("Delete secret in path $path", async ({ secret, path }) => {
+      await createSecret({ path, ...secret });
+      const deletedSecret = await deleteSecret({ path, key: secret.key });
+      expect(deletedSecret.secretKey).toEqual(secret.key);
+
+      // shared secret deletion should delete personal ones also
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.not.arrayContaining([
+          expect.objectContaining({
+            secretKey: secret.key,
+            type: SecretType.Shared
+          }),
+          expect.objectContaining({
+            secretKey: secret.key,
+            type: SecretType.Personal
+          })
+        ])
+      );
+    });
+
+    test.each(secretTestCases)("Bulk create secrets in path $path", async ({ secret, path }) => {
+      const createSharedSecRes = await testServer.inject({
+        method: "POST",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          secretPath: path,
+          secrets: Array.from(Array(5)).map((_e, i) => ({
+            secretKey: `BULK-${secret.key}-${i + 1}`,
+            secretValue: secret.value,
+            secretComment: secret.comment
+          }))
+        }
+      });
+      expect(createSharedSecRes.statusCode).toBe(200);
+      const createSharedSecPayload = JSON.parse(createSharedSecRes.payload);
+      expect(createSharedSecPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining(
+          Array.from(Array(5)).map((_e, i) =>
+            expect.objectContaining({
+              secretKey: `BULK-${secret.key}-${i + 1}`,
+              secretValue: secret.value,
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+
+      await Promise.all(
+        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
+      );
+    });
+
+    test.each(secretTestCases)("Bulk create fail on existing secret in path $path", async ({ secret, path }) => {
+      await createSecret({ ...secret, key: `BULK-${secret.key}-1`, path });
+
+      const createSharedSecRes = await testServer.inject({
+        method: "POST",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          secretPath: path,
+          secrets: Array.from(Array(5)).map((_e, i) => ({
+            secretKey: `BULK-${secret.key}-${i + 1}`,
+            secretValue: secret.value,
+            secretComment: secret.comment
+          }))
+        }
+      });
+      expect(createSharedSecRes.statusCode).toBe(400);
+
+      await deleteSecret({ path, key: `BULK-${secret.key}-1` });
+    });
+
+    test.each(secretTestCases)("Bulk update secrets in path $path", async ({ secret, path }) => {
+      await Promise.all(
+        Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))
+      );
+
+      const updateSharedSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          secretPath: path,
+          secrets: Array.from(Array(5)).map((_e, i) => ({
+            secretKey: `BULK-${secret.key}-${i + 1}`,
+            secretValue: "update-value",
+            secretComment: secret.comment
+          }))
+        }
+      });
+      expect(updateSharedSecRes.statusCode).toBe(200);
+      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
+      expect(updateSharedSecPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining(
+          Array.from(Array(5)).map((_e, i) =>
+            expect.objectContaining({
+              secretKey: `BULK-${secret.key}-${i + 1}`,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      await Promise.all(
+        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
+      );
+    });
+
+    test.each(secretTestCases)("Bulk delete secrets in path $path", async ({ secret, path }) => {
+      await Promise.all(
+        Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))
+      );
+
+      const deletedSharedSecRes = await testServer.inject({
+        method: "DELETE",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          secretPath: path,
+          secrets: Array.from(Array(5)).map((_e, i) => ({
+            secretKey: `BULK-${secret.key}-${i + 1}`
+          }))
+        }
+      });
+
+      expect(deletedSharedSecRes.statusCode).toBe(200);
+      const deletedSecretPayload = JSON.parse(deletedSharedSecRes.payload);
+      expect(deletedSecretPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.not.arrayContaining(
+          Array.from(Array(5)).map((_e, i) =>
+            expect.objectContaining({
+              secretKey: `BULK-${secret.value}-${i + 1}`,
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+    });
+  }
+);
--- a/backend/e2e-test/vitest-environment-knex.ts
+++ b/backend/e2e-test/vitest-environment-knex.ts
@ -3,7 +3,6 @@ import "ts-node/register";

 import dotenv from "dotenv";
 import jwt from "jsonwebtoken";
-import knex from "knex";
 import path from "path";

 import { seedData1 } from "@app/db/seed-data";
@ -15,6 +14,7 @@ import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { mockQueue } from "./mocks/queue";
 import { mockSmtpServer } from "./mocks/smtp";
 import { mockKeyStore } from "./mocks/keystore";
+import { initDbConnection } from "@app/db";

 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@ -23,23 +23,21 @@ export default {
  async setup() {
    const logger = await initLogger();
    const cfg = initEnvConfig(logger);
-    const db = knex({
-      client: "pg",
-      connection: cfg.DB_CONNECTION_URI,
-      migrations: {
-        directory: path.join(__dirname, "../src/db/migrations"),
-        extension: "ts",
-        tableName: "infisical_migrations"
-      },
-      seeds: {
-        directory: path.join(__dirname, "../src/db/seeds"),
-        extension: "ts"
-      }
+    const db = initDbConnection({
+      dbConnectionUri: cfg.DB_CONNECTION_URI,
+      dbRootCert: cfg.DB_ROOT_CERT
    });

    try {
-      await db.migrate.latest();
-      await db.seed.run();
+      await db.migrate.latest({
+        directory: path.join(__dirname, "../src/db/migrations"),
+        extension: "ts",
+        tableName: "infisical_migrations"
+      });
+      await db.seed.run({
+        directory: path.join(__dirname, "../src/db/seeds"),
+        extension: "ts"
+      });
      const smtp = mockSmtpServer();
      const queue = mockQueue();
      const keyStore = mockKeyStore();
@ -74,7 +72,14 @@ export default {
        // @ts-expect-error type
        delete globalThis.jwtToken;
        // called after all tests with this env have been run
-        await db.migrate.rollback({}, true);
+        await db.migrate.rollback(
+          {
+            directory: path.join(__dirname, "../src/db/migrations"),
+            extension: "ts",
+            tableName: "infisical_migrations"
+          },
+          true
+        );
        await db.destroy();
      }
    };
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -3,17 +3,45 @@
  "version": "1.0.0",
  "description": "",
  "main": "./dist/main.mjs",
+  "bin": "dist/main.js",
+  "pkg": {
+    "scripts": [
+      "dist/**/*.js",
+      "../frontend/node_modules/next/**/*.js",
+      "../frontend/.next/*/**/*.js",
+      "../frontend/node_modules/next/dist/server/**/*.js",
+      "../frontend/node_modules/@fortawesome/fontawesome-svg-core/**/*.js"
+    ],
+    "assets": [
+      "dist/**",
+      "!dist/**/*.js",
+      "node_modules/**",
+      "../frontend/node_modules/**",
+      "../frontend/.next/**",
+      "!../frontend/node_modules/next/dist/server/**/*.js",
+      "../frontend/node_modules/@fortawesome/fontawesome-svg-core/**/*",
+      "../frontend/public/**"
+    ],
+    "outputPath": "binary"
+  },
  "scripts": {
+    "binary:build": "npm run binary:clean && npm run build:frontend && npm run build && npm run binary:babel-frontend && npm run binary:babel-backend && npm run binary:rename-imports",
+    "binary:package": "pkg --no-bytecode --public-packages \"*\" --public --target host .",
+    "binary:babel-backend": " babel ./dist -d ./dist",
+    "binary:babel-frontend": "babel --copy-files ../frontend/.next/server -d ../frontend/.next/server",
+    "binary:clean": "rm -rf ./dist && rm -rf ./binary",
+    "binary:rename-imports": "ts-node ./scripts/rename-mjs.ts",
    "test": "echo \"Error: no test specified\" && exit 1",
    "dev": "tsx watch --clear-screen=false ./src/main.ts  | pino-pretty --colorize --colorizeObjects --singleLine",
    "dev:docker": "nodemon",
-    "build": "tsup",
-    "start": "node dist/main.mjs",
+    "build": "tsup --sourcemap",
+    "build:frontend": "npm run build --prefix ../frontend",
+    "start": "node --enable-source-maps dist/main.mjs",
    "type:check": "tsc --noEmit",
    "lint:fix": "eslint --fix --ext js,ts ./src",
    "lint": "eslint 'src/**/*.ts'",
-    "test:e2e": "vitest run -c vitest.e2e.config.ts",
-    "test:e2e-watch": "vitest -c vitest.e2e.config.ts",
+    "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
+    "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
    "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
    "generate:component": "tsx ./scripts/create-backend-file.ts",
    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
@ -31,6 +59,11 @@
  "author": "",
  "license": "ISC",
  "devDependencies": {
+    "@babel/cli": "^7.18.10",
+    "@babel/core": "^7.18.10",
+    "@babel/plugin-syntax-import-attributes": "^7.24.7",
+    "@babel/preset-env": "^7.18.10",
+    "@babel/preset-react": "^7.24.7",
    "@types/bcrypt": "^5.0.2",
    "@types/jmespath": "^0.15.2",
    "@types/jsonwebtoken": "^9.0.5",
@ -45,9 +78,12 @@
    "@types/picomatch": "^2.3.3",
    "@types/prompt-sync": "^4.2.3",
    "@types/resolve": "^1.20.6",
+    "@types/safe-regex": "^1.1.6",
    "@types/uuid": "^9.0.7",
    "@typescript-eslint/eslint-plugin": "^6.20.0",
    "@typescript-eslint/parser": "^6.20.0",
+    "@yao-pkg/pkg": "^5.12.0",
+    "babel-plugin-transform-import-meta": "^2.2.1",
    "eslint": "^8.56.0",
    "eslint-config-airbnb-base": "^15.0.0",
    "eslint-config-airbnb-typescript": "^17.1.0",
@ -60,7 +96,7 @@
    "pino-pretty": "^10.2.3",
    "prompt-sync": "^4.2.0",
    "rimraf": "^5.0.5",
-    "ts-node": "^10.9.1",
+    "ts-node": "^10.9.2",
    "tsc-alias": "^1.8.8",
    "tsconfig-paths": "^4.2.0",
    "tsup": "^8.0.1",
@ -71,7 +107,9 @@
  },
  "dependencies": {
    "@aws-sdk/client-iam": "^3.525.0",
+    "@aws-sdk/client-kms": "^3.609.0",
    "@aws-sdk/client-secrets-manager": "^3.504.0",
+    "@aws-sdk/client-sts": "^3.600.0",
    "@casl/ability": "^6.5.0",
    "@fastify/cookie": "^9.3.1",
    "@fastify/cors": "^8.5.0",
@ -84,10 +122,14 @@
    "@fastify/swagger": "^8.14.0",
    "@fastify/swagger-ui": "^2.1.0",
    "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/plugin-retry": "^5.0.5",
    "@octokit/rest": "^20.0.2",
    "@octokit/webhooks-types": "^7.3.1",
+    "@peculiar/asn1-schema": "^2.3.8",
+    "@peculiar/x509": "^1.12.1",
    "@serdnam/pino-cloudwatch-transport": "^1.0.4",
-    "@sindresorhus/slugify": "^2.2.1",
+    "@sindresorhus/slugify": "1.1.0",
+    "@team-plain/typescript-sdk": "^4.6.1",
    "@ucast/mongo2js": "^1.3.4",
    "ajv": "^8.12.0",
    "argon2": "^0.31.2",
@ -95,24 +137,30 @@
    "axios": "^1.6.7",
    "axios-retry": "^4.0.0",
    "bcrypt": "^5.1.1",
-    "bullmq": "^5.3.3",
+    "bullmq": "^5.4.2",
    "cassandra-driver": "^4.7.2",
+    "connect-redis": "^7.1.1",
+    "cron": "^3.1.7",
    "dotenv": "^16.4.1",
    "fastify": "^4.26.0",
    "fastify-plugin": "^4.5.1",
+    "google-auth-library": "^9.9.0",
+    "googleapis": "^137.1.0",
    "handlebars": "^4.7.8",
    "ioredis": "^5.3.2",
    "jmespath": "^0.16.0",
    "jsonwebtoken": "^9.0.2",
    "jsrp": "^0.2.4",
+    "jwks-rsa": "^3.1.0",
    "knex": "^3.0.1",
    "ldapjs": "^3.0.7",
    "libsodium-wrappers": "^0.7.13",
    "lodash.isequal": "^4.5.0",
    "ms": "^2.1.3",
-    "mysql2": "^3.9.7",
-    "nanoid": "^5.0.4",
+    "mysql2": "^3.9.8",
+    "nanoid": "^3.3.4",
    "nodemailer": "^6.9.9",
+    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
    "oracledb": "^6.4.0",
    "passport-github": "^1.1.0",
@ -123,9 +171,12 @@
    "pg-query-stream": "^4.5.3",
    "picomatch": "^3.0.1",
    "pino": "^8.16.2",
+    "pkijs": "^3.2.4",
    "posthog-node": "^3.6.2",
    "probot": "^13.0.0",
+    "safe-regex": "^2.1.1",
    "smee-client": "^2.0.0",
+    "tedious": "^18.2.1",
    "tweetnacl": "^1.0.3",
    "tweetnacl-util": "^0.15.1",
    "uuid": "^9.0.1",
--- a/backend/scripts/create-backend-file.ts
+++ b/backend/scripts/create-backend-file.ts
@ -7,14 +7,33 @@ const prompt = promptSync({
  sigint: true
 });

+type ComponentType = 1 | 2 | 3;
+
 console.log(`
 Component List
 --------------
+0. Exit
 1. Service component
 2. DAL component
 3. Router component
 `);
-const componentType = parseInt(prompt("Select a component: "), 10);
+
+function getComponentType(): ComponentType {
+  while (true) {
+    const input = prompt("Select a component (0-3): ");
+    const componentType = parseInt(input, 10);
+
+    if (componentType === 0) {
+      console.log("Exiting the program. Goodbye!");
+      process.exit(0);
+    } else if (componentType === 1 || componentType === 2 || componentType === 3) {
+      return componentType;
+    } else {
+      console.log("Invalid input. Please enter 0, 1, 2, or 3.");
+    }
+  }
+}
+const componentType = getComponentType();

 if (componentType === 1) {
  const componentName = prompt("Enter service name: ");
--- a/backend/scripts/create-migration.ts
+++ b/backend/scripts/create-migration.ts
@ -2,13 +2,14 @@
 import { execSync } from "child_process";
 import path from "path";
 import promptSync from "prompt-sync";
+import slugify from "@sindresorhus/slugify"

 const prompt = promptSync({ sigint: true });

 const migrationName = prompt("Enter name for migration: ");

 // Remove spaces from migration name and replace with hyphens
-const formattedMigrationName = migrationName.replace(/\s+/g, "-");
+const formattedMigrationName = slugify(migrationName);

 execSync(
  `npx knex migrate:make --knexfile ${path.join(__dirname, "../src/db/knexfile.ts")} -x ts ${formattedMigrationName}`,
--- a/backend/scripts/generate-schema-types.ts
+++ b/backend/scripts/generate-schema-types.ts
@ -35,6 +35,8 @@ const getZodPrimitiveType = (type: string) => {
      return "z.coerce.number()";
    case "text":
      return "z.string()";
+    case "bytea":
+      return "zodBuffer";
    default:
      throw new Error(`Invalid type: ${type}`);
  }
@ -96,10 +98,15 @@ const main = async () => {
    const columnNames = Object.keys(columns);

    let schema = "";
+    const zodImportSet = new Set<string>();
    for (let colNum = 0; colNum < columnNames.length; colNum++) {
      const columnName = columnNames[colNum];
      const colInfo = columns[columnName];
      let ztype = getZodPrimitiveType(colInfo.type);
+      if (["zodBuffer"].includes(ztype)) {
+        zodImportSet.add(ztype);
+      }
+
      // don't put optional on id
      if (colInfo.defaultValue && columnName !== "id") {
        const { defaultValue } = colInfo;
@ -121,6 +128,8 @@ const main = async () => {
      .split("_")
      .reduce((prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`, "");

+    const zodImports = Array.from(zodImportSet);
+
    // the insert and update are changed to zod input type to use default cases
    writeFileSync(
      path.join(__dirname, "../src/db/schemas", `${dashcase}.ts`),
@ -131,6 +140,8 @@ const main = async () => {

 import { z } from "zod";

+${zodImports.length ? `import { ${zodImports.join(",")} } from \"@app/lib/zod\";` : ""}
+
 import { TImmutableDBKeys } from "./models";

 export const ${pascalCase}Schema = z.object({${schema}});
--- a/backend/scripts/rename-mjs.ts
+++ b/backend/scripts/rename-mjs.ts
@ -0,0 +1,27 @@
+/* eslint-disable @typescript-eslint/no-shadow */
+import fs from "node:fs";
+import path from "node:path";
+
+function replaceMjsOccurrences(directory: string) {
+  fs.readdir(directory, (err, files) => {
+    if (err) throw err;
+    files.forEach((file) => {
+      const filePath = path.join(directory, file);
+      if (fs.statSync(filePath).isDirectory()) {
+        replaceMjsOccurrences(filePath);
+      } else {
+        fs.readFile(filePath, "utf8", (err, data) => {
+          if (err) throw err;
+          const result = data.replace(/\.mjs/g, ".js");
+          fs.writeFile(filePath, result, "utf8", (err) => {
+            if (err) throw err;
+            // eslint-disable-next-line no-console
+            console.log(`Updated: ${filePath}`);
+          });
+        });
+      }
+    });
+  });
+}
+
+replaceMjsOccurrences("dist");
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@ -6,14 +6,19 @@ import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-ap
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
+import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
+import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
+import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@ -29,16 +34,28 @@ import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
+import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
+import { TCertificateEstServiceFactory } from "@app/services/certificate-est/certificate-est-service";
+import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
+import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
+import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
+import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
+import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
+import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
+import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@ -49,12 +66,15 @@ import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
 import { TSecretImportServiceFactory } from "@app/services/secret-import/secret-import-service";
+import { TSecretReplicationServiceFactory } from "@app/services/secret-replication/secret-replication-service";
+import { TSecretSharingServiceFactory } from "@app/services/secret-sharing/secret-sharing-service";
 import { TSecretTagServiceFactory } from "@app/services/secret-tag/secret-tag-service";
 import { TServiceTokenServiceFactory } from "@app/services/service-token/service-token-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
+import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";

 declare module "fastify" {
@ -74,6 +94,7 @@ declare module "fastify" {
      id: string;
      orgId: string;
    };
+    rateLimits: RateLimitConfiguration;
    // passport data
    passportUser: {
      isUserCompleted: string;
@ -93,17 +114,20 @@ declare module "fastify" {
      permission: TPermissionServiceFactory;
      org: TOrgServiceFactory;
      orgRole: TOrgRoleServiceFactory;
+      oidc: TOidcConfigServiceFactory;
      superAdmin: TSuperAdminServiceFactory;
      user: TUserServiceFactory;
      group: TGroupServiceFactory;
      groupProject: TGroupProjectServiceFactory;
      apiKey: TApiKeyServiceFactory;
+      pkiAlert: TPkiAlertServiceFactory;
      project: TProjectServiceFactory;
      projectMembership: TProjectMembershipServiceFactory;
      projectEnv: TProjectEnvServiceFactory;
      projectKey: TProjectKeyServiceFactory;
      projectRole: TProjectRoleServiceFactory;
      secret: TSecretServiceFactory;
+      secretReplication: TSecretReplicationServiceFactory;
      secretTag: TSecretTagServiceFactory;
      secretImport: TSecretImportServiceFactory;
      projectBot: TProjectBotServiceFactory;
@ -115,8 +139,13 @@ declare module "fastify" {
      identity: TIdentityServiceFactory;
      identityAccessToken: TIdentityAccessTokenServiceFactory;
      identityProject: TIdentityProjectServiceFactory;
+      identityTokenAuth: TIdentityTokenAuthServiceFactory;
      identityUa: TIdentityUaServiceFactory;
+      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
+      identityGcpAuth: TIdentityGcpAuthServiceFactory;
      identityAwsAuth: TIdentityAwsAuthServiceFactory;
+      identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOidcAuth: TIdentityOidcAuthServiceFactory;
      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
      secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@ -128,6 +157,12 @@ declare module "fastify" {
      ldap: TLdapConfigServiceFactory;
      auditLog: TAuditLogServiceFactory;
      auditLogStream: TAuditLogStreamServiceFactory;
+      certificate: TCertificateServiceFactory;
+      certificateTemplate: TCertificateTemplateServiceFactory;
+      certificateAuthority: TCertificateAuthorityServiceFactory;
+      certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
+      certificateEst: TCertificateEstServiceFactory;
+      pkiCollection: TPkiCollectionServiceFactory;
      secretScanning: TSecretScanningServiceFactory;
      license: TLicenseServiceFactory;
      trustedIp: TTrustedIpServiceFactory;
@ -137,6 +172,11 @@ declare module "fastify" {
      dynamicSecretLease: TDynamicSecretLeaseServiceFactory;
      projectUserAdditionalPrivilege: TProjectUserAdditionalPrivilegeServiceFactory;
      identityProjectAdditionalPrivilege: TIdentityProjectAdditionalPrivilegeServiceFactory;
+      secretSharing: TSecretSharingServiceFactory;
+      rateLimit: TRateLimitServiceFactory;
+      userEngagement: TUserEngagementServiceFactory;
+      externalKms: TExternalKmsServiceFactory;
+      orgAdmin: TOrgAdminServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@ -1,4 +1,4 @@
-import { Knex } from "knex";
+import { Knex as KnexOriginal } from "knex";

 import {
  TableName,
@ -32,12 +32,42 @@ import {
  TBackupPrivateKey,
  TBackupPrivateKeyInsert,
  TBackupPrivateKeyUpdate,
+  TCertificateAuthorities,
+  TCertificateAuthoritiesInsert,
+  TCertificateAuthoritiesUpdate,
+  TCertificateAuthorityCerts,
+  TCertificateAuthorityCertsInsert,
+  TCertificateAuthorityCertsUpdate,
+  TCertificateAuthorityCrl,
+  TCertificateAuthorityCrlInsert,
+  TCertificateAuthorityCrlUpdate,
+  TCertificateAuthoritySecret,
+  TCertificateAuthoritySecretInsert,
+  TCertificateAuthoritySecretUpdate,
+  TCertificateBodies,
+  TCertificateBodiesInsert,
+  TCertificateBodiesUpdate,
+  TCertificates,
+  TCertificateSecrets,
+  TCertificateSecretsInsert,
+  TCertificateSecretsUpdate,
+  TCertificatesInsert,
+  TCertificatesUpdate,
+  TCertificateTemplateEstConfigs,
+  TCertificateTemplateEstConfigsInsert,
+  TCertificateTemplateEstConfigsUpdate,
+  TCertificateTemplates,
+  TCertificateTemplatesInsert,
+  TCertificateTemplatesUpdate,
  TDynamicSecretLeases,
  TDynamicSecretLeasesInsert,
  TDynamicSecretLeasesUpdate,
  TDynamicSecrets,
  TDynamicSecretsInsert,
  TDynamicSecretsUpdate,
+  TExternalKms,
+  TExternalKmsInsert,
+  TExternalKmsUpdate,
  TGitAppInstallSessions,
  TGitAppInstallSessionsInsert,
  TGitAppInstallSessionsUpdate,
@ -62,6 +92,18 @@ import {
  TIdentityAwsAuths,
  TIdentityAwsAuthsInsert,
  TIdentityAwsAuthsUpdate,
+  TIdentityAzureAuths,
+  TIdentityAzureAuthsInsert,
+  TIdentityAzureAuthsUpdate,
+  TIdentityGcpAuths,
+  TIdentityGcpAuthsInsert,
+  TIdentityGcpAuthsUpdate,
+  TIdentityKubernetesAuths,
+  TIdentityKubernetesAuthsInsert,
+  TIdentityKubernetesAuthsUpdate,
+  TIdentityOidcAuths,
+  TIdentityOidcAuthsInsert,
+  TIdentityOidcAuthsUpdate,
  TIdentityOrgMemberships,
  TIdentityOrgMembershipsInsert,
  TIdentityOrgMembershipsUpdate,
@ -74,6 +116,9 @@ import {
  TIdentityProjectMemberships,
  TIdentityProjectMembershipsInsert,
  TIdentityProjectMembershipsUpdate,
+  TIdentityTokenAuths,
+  TIdentityTokenAuthsInsert,
+  TIdentityTokenAuthsUpdate,
  TIdentityUaClientSecrets,
  TIdentityUaClientSecretsInsert,
  TIdentityUaClientSecretsUpdate,
@ -89,12 +134,27 @@ import {
  TIntegrations,
  TIntegrationsInsert,
  TIntegrationsUpdate,
+  TInternalKms,
+  TInternalKmsInsert,
+  TInternalKmsUpdate,
+  TKmsKeys,
+  TKmsKeysInsert,
+  TKmsKeysUpdate,
+  TKmsKeyVersions,
+  TKmsKeyVersionsInsert,
+  TKmsKeyVersionsUpdate,
+  TKmsRootConfig,
+  TKmsRootConfigInsert,
+  TKmsRootConfigUpdate,
  TLdapConfigs,
  TLdapConfigsInsert,
  TLdapConfigsUpdate,
  TLdapGroupMaps,
  TLdapGroupMapsInsert,
  TLdapGroupMapsUpdate,
+  TOidcConfigs,
+  TOidcConfigsInsert,
+  TOidcConfigsUpdate,
  TOrganizations,
  TOrganizationsInsert,
  TOrganizationsUpdate,
@ -107,6 +167,15 @@ import {
  TOrgRoles,
  TOrgRolesInsert,
  TOrgRolesUpdate,
+  TPkiAlerts,
+  TPkiAlertsInsert,
+  TPkiAlertsUpdate,
+  TPkiCollectionItems,
+  TPkiCollectionItemsInsert,
+  TPkiCollectionItemsUpdate,
+  TPkiCollections,
+  TPkiCollectionsInsert,
+  TPkiCollectionsUpdate,
  TProjectBots,
  TProjectBotsInsert,
  TProjectBotsUpdate,
@ -131,6 +200,9 @@ import {
  TProjectUserMembershipRoles,
  TProjectUserMembershipRolesInsert,
  TProjectUserMembershipRolesUpdate,
+  TRateLimit,
+  TRateLimitInsert,
+  TRateLimitUpdate,
  TSamlConfigs,
  TSamlConfigsInsert,
  TSamlConfigsUpdate,
@ -147,6 +219,9 @@ import {
  TSecretApprovalRequestSecretTags,
  TSecretApprovalRequestSecretTagsInsert,
  TSecretApprovalRequestSecretTagsUpdate,
+  TSecretApprovalRequestSecretTagsV2,
+  TSecretApprovalRequestSecretTagsV2Insert,
+  TSecretApprovalRequestSecretTagsV2Update,
  TSecretApprovalRequestsInsert,
  TSecretApprovalRequestsReviewers,
  TSecretApprovalRequestsReviewersInsert,
@ -154,6 +229,9 @@ import {
  TSecretApprovalRequestsSecrets,
  TSecretApprovalRequestsSecretsInsert,
  TSecretApprovalRequestsSecretsUpdate,
+  TSecretApprovalRequestsSecretsV2,
+  TSecretApprovalRequestsSecretsV2Insert,
+  TSecretApprovalRequestsSecretsV2Update,
  TSecretApprovalRequestsUpdate,
  TSecretBlindIndexes,
  TSecretBlindIndexesInsert,
@ -167,9 +245,18 @@ import {
  TSecretImports,
  TSecretImportsInsert,
  TSecretImportsUpdate,
+  TSecretReferences,
+  TSecretReferencesInsert,
+  TSecretReferencesUpdate,
+  TSecretReferencesV2,
+  TSecretReferencesV2Insert,
+  TSecretReferencesV2Update,
  TSecretRotationOutputs,
  TSecretRotationOutputsInsert,
  TSecretRotationOutputsUpdate,
+  TSecretRotationOutputV2,
+  TSecretRotationOutputV2Insert,
+  TSecretRotationOutputV2Update,
  TSecretRotations,
  TSecretRotationsInsert,
  TSecretRotationsUpdate,
@ -177,6 +264,9 @@ import {
  TSecretScanningGitRisks,
  TSecretScanningGitRisksInsert,
  TSecretScanningGitRisksUpdate,
+  TSecretSharing,
+  TSecretSharingInsert,
+  TSecretSharingUpdate,
  TSecretsInsert,
  TSecretSnapshotFolders,
  TSecretSnapshotFoldersInsert,
@ -185,6 +275,9 @@ import {
  TSecretSnapshotSecrets,
  TSecretSnapshotSecretsInsert,
  TSecretSnapshotSecretsUpdate,
+  TSecretSnapshotSecretsV2,
+  TSecretSnapshotSecretsV2Insert,
+  TSecretSnapshotSecretsV2Update,
  TSecretSnapshotsInsert,
  TSecretSnapshotsUpdate,
  TSecretsUpdate,
@ -200,6 +293,9 @@ import {
  TSecretVersionTagJunction,
  TSecretVersionTagJunctionInsert,
  TSecretVersionTagJunctionUpdate,
+  TSecretVersionV2TagJunction,
+  TSecretVersionV2TagJunctionInsert,
+  TSecretVersionV2TagJunctionUpdate,
  TServiceTokens,
  TServiceTokensInsert,
  TServiceTokensUpdate,
@ -228,257 +324,457 @@ import {
  TWebhooksInsert,
  TWebhooksUpdate
 } from "@app/db/schemas";
+import {
+  TSecretV2TagJunction,
+  TSecretV2TagJunctionInsert,
+  TSecretV2TagJunctionUpdate
+} from "@app/db/schemas/secret-v2-tag-junction";
+import {
+  TSecretVersionsV2,
+  TSecretVersionsV2Insert,
+  TSecretVersionsV2Update
+} from "@app/db/schemas/secret-versions-v2";
+import { TSecretsV2, TSecretsV2Insert, TSecretsV2Update } from "@app/db/schemas/secrets-v2";
+
+declare module "knex" {
+  namespace Knex {
+    interface QueryInterface {
+      primaryNode(): KnexOriginal;
+      replicaNode(): KnexOriginal;
+    }
+  }
+}

 declare module "knex/types/tables" {
  interface Tables {
-    [TableName.Users]: Knex.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
-    [TableName.Groups]: Knex.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
-    [TableName.UserGroupMembership]: Knex.CompositeTableType<
+    [TableName.Users]: KnexOriginal.CompositeTableType<TUsers, TUsersInsert, TUsersUpdate>;
+    [TableName.Groups]: KnexOriginal.CompositeTableType<TGroups, TGroupsInsert, TGroupsUpdate>;
+    [TableName.CertificateAuthority]: KnexOriginal.CompositeTableType<
+      TCertificateAuthorities,
+      TCertificateAuthoritiesInsert,
+      TCertificateAuthoritiesUpdate
+    >;
+    [TableName.CertificateAuthorityCert]: KnexOriginal.CompositeTableType<
+      TCertificateAuthorityCerts,
+      TCertificateAuthorityCertsInsert,
+      TCertificateAuthorityCertsUpdate
+    >;
+    [TableName.CertificateAuthoritySecret]: KnexOriginal.CompositeTableType<
+      TCertificateAuthoritySecret,
+      TCertificateAuthoritySecretInsert,
+      TCertificateAuthoritySecretUpdate
+    >;
+    [TableName.CertificateAuthorityCrl]: KnexOriginal.CompositeTableType<
+      TCertificateAuthorityCrl,
+      TCertificateAuthorityCrlInsert,
+      TCertificateAuthorityCrlUpdate
+    >;
+    [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
+    [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
+      TCertificateTemplates,
+      TCertificateTemplatesInsert,
+      TCertificateTemplatesUpdate
+    >;
+    [TableName.CertificateTemplateEstConfig]: KnexOriginal.CompositeTableType<
+      TCertificateTemplateEstConfigs,
+      TCertificateTemplateEstConfigsInsert,
+      TCertificateTemplateEstConfigsUpdate
+    >;
+    [TableName.CertificateBody]: KnexOriginal.CompositeTableType<
+      TCertificateBodies,
+      TCertificateBodiesInsert,
+      TCertificateBodiesUpdate
+    >;
+    [TableName.CertificateSecret]: KnexOriginal.CompositeTableType<
+      TCertificateSecrets,
+      TCertificateSecretsInsert,
+      TCertificateSecretsUpdate
+    >;
+    [TableName.PkiAlert]: KnexOriginal.CompositeTableType<TPkiAlerts, TPkiAlertsInsert, TPkiAlertsUpdate>;
+    [TableName.PkiCollection]: KnexOriginal.CompositeTableType<
+      TPkiCollections,
+      TPkiCollectionsInsert,
+      TPkiCollectionsUpdate
+    >;
+    [TableName.PkiCollectionItem]: KnexOriginal.CompositeTableType<
+      TPkiCollectionItems,
+      TPkiCollectionItemsInsert,
+      TPkiCollectionItemsUpdate
+    >;
+    [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
      TUserGroupMembership,
      TUserGroupMembershipInsert,
      TUserGroupMembershipUpdate
    >;
-    [TableName.GroupProjectMembership]: Knex.CompositeTableType<
+    [TableName.GroupProjectMembership]: KnexOriginal.CompositeTableType<
      TGroupProjectMemberships,
      TGroupProjectMembershipsInsert,
      TGroupProjectMembershipsUpdate
    >;
-    [TableName.GroupProjectMembershipRole]: Knex.CompositeTableType<
+    [TableName.GroupProjectMembershipRole]: KnexOriginal.CompositeTableType<
      TGroupProjectMembershipRoles,
      TGroupProjectMembershipRolesInsert,
      TGroupProjectMembershipRolesUpdate
    >;
-    [TableName.UserAliases]: Knex.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
-    [TableName.UserEncryptionKey]: Knex.CompositeTableType<
+    [TableName.UserAliases]: KnexOriginal.CompositeTableType<TUserAliases, TUserAliasesInsert, TUserAliasesUpdate>;
+    [TableName.UserEncryptionKey]: KnexOriginal.CompositeTableType<
      TUserEncryptionKeys,
      TUserEncryptionKeysInsert,
      TUserEncryptionKeysUpdate
    >;
-    [TableName.AuthTokens]: Knex.CompositeTableType<TAuthTokens, TAuthTokensInsert, TAuthTokensUpdate>;
-    [TableName.AuthTokenSession]: Knex.CompositeTableType<
+    [TableName.AuthTokens]: KnexOriginal.CompositeTableType<TAuthTokens, TAuthTokensInsert, TAuthTokensUpdate>;
+    [TableName.AuthTokenSession]: KnexOriginal.CompositeTableType<
      TAuthTokenSessions,
      TAuthTokenSessionsInsert,
      TAuthTokenSessionsUpdate
    >;
-    [TableName.BackupPrivateKey]: Knex.CompositeTableType<
+    [TableName.BackupPrivateKey]: KnexOriginal.CompositeTableType<
      TBackupPrivateKey,
      TBackupPrivateKeyInsert,
      TBackupPrivateKeyUpdate
    >;
-    [TableName.Organization]: Knex.CompositeTableType<TOrganizations, TOrganizationsInsert, TOrganizationsUpdate>;
-    [TableName.OrgMembership]: Knex.CompositeTableType<TOrgMemberships, TOrgMembershipsInsert, TOrgMembershipsUpdate>;
-    [TableName.OrgRoles]: Knex.CompositeTableType<TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate>;
-    [TableName.IncidentContact]: Knex.CompositeTableType<
+    [TableName.Organization]: KnexOriginal.CompositeTableType<
+      TOrganizations,
+      TOrganizationsInsert,
+      TOrganizationsUpdate
+    >;
+    [TableName.OrgMembership]: KnexOriginal.CompositeTableType<
+      TOrgMemberships,
+      TOrgMembershipsInsert,
+      TOrgMembershipsUpdate
+    >;
+    [TableName.OrgRoles]: KnexOriginal.CompositeTableType<TOrgRoles, TOrgRolesInsert, TOrgRolesUpdate>;
+    [TableName.IncidentContact]: KnexOriginal.CompositeTableType<
      TIncidentContacts,
      TIncidentContactsInsert,
      TIncidentContactsUpdate
    >;
-    [TableName.UserAction]: Knex.CompositeTableType<TUserActions, TUserActionsInsert, TUserActionsUpdate>;
-    [TableName.SuperAdmin]: Knex.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
-    [TableName.ApiKey]: Knex.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
-    [TableName.Project]: Knex.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
-    [TableName.ProjectMembership]: Knex.CompositeTableType<
+    [TableName.UserAction]: KnexOriginal.CompositeTableType<TUserActions, TUserActionsInsert, TUserActionsUpdate>;
+    [TableName.SuperAdmin]: KnexOriginal.CompositeTableType<TSuperAdmin, TSuperAdminInsert, TSuperAdminUpdate>;
+    [TableName.ApiKey]: KnexOriginal.CompositeTableType<TApiKeys, TApiKeysInsert, TApiKeysUpdate>;
+    [TableName.Project]: KnexOriginal.CompositeTableType<TProjects, TProjectsInsert, TProjectsUpdate>;
+    [TableName.ProjectMembership]: KnexOriginal.CompositeTableType<
      TProjectMemberships,
      TProjectMembershipsInsert,
      TProjectMembershipsUpdate
    >;
-    [TableName.Environment]: Knex.CompositeTableType<
+    [TableName.Environment]: KnexOriginal.CompositeTableType<
      TProjectEnvironments,
      TProjectEnvironmentsInsert,
      TProjectEnvironmentsUpdate
    >;
-    [TableName.ProjectBot]: Knex.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
-    [TableName.ProjectUserMembershipRole]: Knex.CompositeTableType<
+    [TableName.ProjectBot]: KnexOriginal.CompositeTableType<TProjectBots, TProjectBotsInsert, TProjectBotsUpdate>;
+    [TableName.ProjectUserMembershipRole]: KnexOriginal.CompositeTableType<
      TProjectUserMembershipRoles,
      TProjectUserMembershipRolesInsert,
      TProjectUserMembershipRolesUpdate
    >;
-    [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
-    [TableName.ProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
+    [TableName.ProjectRoles]: KnexOriginal.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
+    [TableName.ProjectUserAdditionalPrivilege]: KnexOriginal.CompositeTableType<
      TProjectUserAdditionalPrivilege,
      TProjectUserAdditionalPrivilegeInsert,
      TProjectUserAdditionalPrivilegeUpdate
    >;
-    [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
-    [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
-    [TableName.SecretBlindIndex]: Knex.CompositeTableType<
+    [TableName.ProjectKeys]: KnexOriginal.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
+    [TableName.Secret]: KnexOriginal.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
+    [TableName.SecretReference]: KnexOriginal.CompositeTableType<
+      TSecretReferences,
+      TSecretReferencesInsert,
+      TSecretReferencesUpdate
+    >;
+    [TableName.SecretBlindIndex]: KnexOriginal.CompositeTableType<
      TSecretBlindIndexes,
      TSecretBlindIndexesInsert,
      TSecretBlindIndexesUpdate
    >;
-    [TableName.SecretVersion]: Knex.CompositeTableType<TSecretVersions, TSecretVersionsInsert, TSecretVersionsUpdate>;
-    [TableName.SecretFolder]: Knex.CompositeTableType<TSecretFolders, TSecretFoldersInsert, TSecretFoldersUpdate>;
-    [TableName.SecretFolderVersion]: Knex.CompositeTableType<
+    [TableName.SecretVersion]: KnexOriginal.CompositeTableType<
+      TSecretVersions,
+      TSecretVersionsInsert,
+      TSecretVersionsUpdate
+    >;
+    [TableName.SecretFolder]: KnexOriginal.CompositeTableType<
+      TSecretFolders,
+      TSecretFoldersInsert,
+      TSecretFoldersUpdate
+    >;
+    [TableName.SecretFolderVersion]: KnexOriginal.CompositeTableType<
      TSecretFolderVersions,
      TSecretFolderVersionsInsert,
      TSecretFolderVersionsUpdate
    >;
-    [TableName.SecretTag]: Knex.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
-    [TableName.SecretImport]: Knex.CompositeTableType<TSecretImports, TSecretImportsInsert, TSecretImportsUpdate>;
-    [TableName.Integration]: Knex.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
-    [TableName.Webhook]: Knex.CompositeTableType<TWebhooks, TWebhooksInsert, TWebhooksUpdate>;
-    [TableName.ServiceToken]: Knex.CompositeTableType<TServiceTokens, TServiceTokensInsert, TServiceTokensUpdate>;
-    [TableName.IntegrationAuth]: Knex.CompositeTableType<
+    [TableName.SecretSharing]: KnexOriginal.CompositeTableType<
+      TSecretSharing,
+      TSecretSharingInsert,
+      TSecretSharingUpdate
+    >;
+    [TableName.RateLimit]: KnexOriginal.CompositeTableType<TRateLimit, TRateLimitInsert, TRateLimitUpdate>;
+    [TableName.SecretTag]: KnexOriginal.CompositeTableType<TSecretTags, TSecretTagsInsert, TSecretTagsUpdate>;
+    [TableName.SecretImport]: KnexOriginal.CompositeTableType<
+      TSecretImports,
+      TSecretImportsInsert,
+      TSecretImportsUpdate
+    >;
+    [TableName.Integration]: KnexOriginal.CompositeTableType<TIntegrations, TIntegrationsInsert, TIntegrationsUpdate>;
+    [TableName.Webhook]: KnexOriginal.CompositeTableType<TWebhooks, TWebhooksInsert, TWebhooksUpdate>;
+    [TableName.ServiceToken]: KnexOriginal.CompositeTableType<
+      TServiceTokens,
+      TServiceTokensInsert,
+      TServiceTokensUpdate
+    >;
+    [TableName.IntegrationAuth]: KnexOriginal.CompositeTableType<
      TIntegrationAuths,
      TIntegrationAuthsInsert,
      TIntegrationAuthsUpdate
    >;
-    [TableName.Identity]: Knex.CompositeTableType<TIdentities, TIdentitiesInsert, TIdentitiesUpdate>;
-    [TableName.IdentityUniversalAuth]: Knex.CompositeTableType<
+    [TableName.Identity]: KnexOriginal.CompositeTableType<TIdentities, TIdentitiesInsert, TIdentitiesUpdate>;
+    [TableName.IdentityTokenAuth]: KnexOriginal.CompositeTableType<
+      TIdentityTokenAuths,
+      TIdentityTokenAuthsInsert,
+      TIdentityTokenAuthsUpdate
+    >;
+    [TableName.IdentityUniversalAuth]: KnexOriginal.CompositeTableType<
      TIdentityUniversalAuths,
      TIdentityUniversalAuthsInsert,
      TIdentityUniversalAuthsUpdate
    >;
-    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
+    [TableName.IdentityKubernetesAuth]: KnexOriginal.CompositeTableType<
+      TIdentityKubernetesAuths,
+      TIdentityKubernetesAuthsInsert,
+      TIdentityKubernetesAuthsUpdate
+    >;
+    [TableName.IdentityGcpAuth]: KnexOriginal.CompositeTableType<
+      TIdentityGcpAuths,
+      TIdentityGcpAuthsInsert,
+      TIdentityGcpAuthsUpdate
+    >;
+    [TableName.IdentityAwsAuth]: KnexOriginal.CompositeTableType<
      TIdentityAwsAuths,
      TIdentityAwsAuthsInsert,
      TIdentityAwsAuthsUpdate
    >;
-    [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
+    [TableName.IdentityAzureAuth]: KnexOriginal.CompositeTableType<
+      TIdentityAzureAuths,
+      TIdentityAzureAuthsInsert,
+      TIdentityAzureAuthsUpdate
+    >;
+    [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
+      TIdentityOidcAuths,
+      TIdentityOidcAuthsInsert,
+      TIdentityOidcAuthsUpdate
+    >;
+    [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
      TIdentityUaClientSecrets,
      TIdentityUaClientSecretsInsert,
      TIdentityUaClientSecretsUpdate
    >;
-    [TableName.IdentityAccessToken]: Knex.CompositeTableType<
+    [TableName.IdentityAccessToken]: KnexOriginal.CompositeTableType<
      TIdentityAccessTokens,
      TIdentityAccessTokensInsert,
      TIdentityAccessTokensUpdate
    >;
-    [TableName.IdentityOrgMembership]: Knex.CompositeTableType<
+    [TableName.IdentityOrgMembership]: KnexOriginal.CompositeTableType<
      TIdentityOrgMemberships,
      TIdentityOrgMembershipsInsert,
      TIdentityOrgMembershipsUpdate
    >;
-    [TableName.IdentityProjectMembership]: Knex.CompositeTableType<
+    [TableName.IdentityProjectMembership]: KnexOriginal.CompositeTableType<
      TIdentityProjectMemberships,
      TIdentityProjectMembershipsInsert,
      TIdentityProjectMembershipsUpdate
    >;
-    [TableName.IdentityProjectMembershipRole]: Knex.CompositeTableType<
+    [TableName.IdentityProjectMembershipRole]: KnexOriginal.CompositeTableType<
      TIdentityProjectMembershipRole,
      TIdentityProjectMembershipRoleInsert,
      TIdentityProjectMembershipRoleUpdate
    >;
-    [TableName.IdentityProjectAdditionalPrivilege]: Knex.CompositeTableType<
+    [TableName.IdentityProjectAdditionalPrivilege]: KnexOriginal.CompositeTableType<
      TIdentityProjectAdditionalPrivilege,
      TIdentityProjectAdditionalPrivilegeInsert,
      TIdentityProjectAdditionalPrivilegeUpdate
    >;

-    [TableName.AccessApprovalPolicy]: Knex.CompositeTableType<
+    [TableName.AccessApprovalPolicy]: KnexOriginal.CompositeTableType<
      TAccessApprovalPolicies,
      TAccessApprovalPoliciesInsert,
      TAccessApprovalPoliciesUpdate
    >;

-    [TableName.AccessApprovalPolicyApprover]: Knex.CompositeTableType<
+    [TableName.AccessApprovalPolicyApprover]: KnexOriginal.CompositeTableType<
      TAccessApprovalPoliciesApprovers,
      TAccessApprovalPoliciesApproversInsert,
      TAccessApprovalPoliciesApproversUpdate
    >;

-    [TableName.AccessApprovalRequest]: Knex.CompositeTableType<
+    [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
      TAccessApprovalRequests,
      TAccessApprovalRequestsInsert,
      TAccessApprovalRequestsUpdate
    >;

-    [TableName.AccessApprovalRequestReviewer]: Knex.CompositeTableType<
+    [TableName.AccessApprovalRequestReviewer]: KnexOriginal.CompositeTableType<
      TAccessApprovalRequestsReviewers,
      TAccessApprovalRequestsReviewersInsert,
      TAccessApprovalRequestsReviewersUpdate
    >;

-    [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
-    [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
+    [TableName.ScimToken]: KnexOriginal.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
+    [TableName.SecretApprovalPolicy]: KnexOriginal.CompositeTableType<
      TSecretApprovalPolicies,
      TSecretApprovalPoliciesInsert,
      TSecretApprovalPoliciesUpdate
    >;
-    [TableName.SecretApprovalPolicyApprover]: Knex.CompositeTableType<
+    [TableName.SecretApprovalPolicyApprover]: KnexOriginal.CompositeTableType<
      TSecretApprovalPoliciesApprovers,
      TSecretApprovalPoliciesApproversInsert,
      TSecretApprovalPoliciesApproversUpdate
    >;
-    [TableName.SecretApprovalRequest]: Knex.CompositeTableType<
+    [TableName.SecretApprovalRequest]: KnexOriginal.CompositeTableType<
      TSecretApprovalRequests,
      TSecretApprovalRequestsInsert,
      TSecretApprovalRequestsUpdate
    >;
-    [TableName.SecretApprovalRequestReviewer]: Knex.CompositeTableType<
+    [TableName.SecretApprovalRequestReviewer]: KnexOriginal.CompositeTableType<
      TSecretApprovalRequestsReviewers,
      TSecretApprovalRequestsReviewersInsert,
      TSecretApprovalRequestsReviewersUpdate
    >;
-    [TableName.SecretApprovalRequestSecret]: Knex.CompositeTableType<
+    [TableName.SecretApprovalRequestSecret]: KnexOriginal.CompositeTableType<
      TSecretApprovalRequestsSecrets,
      TSecretApprovalRequestsSecretsInsert,
      TSecretApprovalRequestsSecretsUpdate
    >;
-    [TableName.SecretApprovalRequestSecretTag]: Knex.CompositeTableType<
+    [TableName.SecretApprovalRequestSecretTag]: KnexOriginal.CompositeTableType<
      TSecretApprovalRequestSecretTags,
      TSecretApprovalRequestSecretTagsInsert,
      TSecretApprovalRequestSecretTagsUpdate
    >;
-    [TableName.SecretRotation]: Knex.CompositeTableType<
+    [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
      TSecretRotations,
      TSecretRotationsInsert,
      TSecretRotationsUpdate
    >;
-    [TableName.SecretRotationOutput]: Knex.CompositeTableType<
+    [TableName.SecretRotationOutput]: KnexOriginal.CompositeTableType<
      TSecretRotationOutputs,
      TSecretRotationOutputsInsert,
      TSecretRotationOutputsUpdate
    >;
-    [TableName.Snapshot]: Knex.CompositeTableType<TSecretSnapshots, TSecretSnapshotsInsert, TSecretSnapshotsUpdate>;
-    [TableName.SnapshotSecret]: Knex.CompositeTableType<
+    [TableName.Snapshot]: KnexOriginal.CompositeTableType<
+      TSecretSnapshots,
+      TSecretSnapshotsInsert,
+      TSecretSnapshotsUpdate
+    >;
+    [TableName.SnapshotSecret]: KnexOriginal.CompositeTableType<
      TSecretSnapshotSecrets,
      TSecretSnapshotSecretsInsert,
      TSecretSnapshotSecretsUpdate
    >;
-    [TableName.SnapshotFolder]: Knex.CompositeTableType<
+    [TableName.SnapshotFolder]: KnexOriginal.CompositeTableType<
      TSecretSnapshotFolders,
      TSecretSnapshotFoldersInsert,
      TSecretSnapshotFoldersUpdate
    >;
-    [TableName.DynamicSecret]: Knex.CompositeTableType<TDynamicSecrets, TDynamicSecretsInsert, TDynamicSecretsUpdate>;
-    [TableName.DynamicSecretLease]: Knex.CompositeTableType<
+    [TableName.DynamicSecret]: KnexOriginal.CompositeTableType<
+      TDynamicSecrets,
+      TDynamicSecretsInsert,
+      TDynamicSecretsUpdate
+    >;
+    [TableName.DynamicSecretLease]: KnexOriginal.CompositeTableType<
      TDynamicSecretLeases,
      TDynamicSecretLeasesInsert,
      TDynamicSecretLeasesUpdate
    >;
-    [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
-    [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
-    [TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
-    [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
-    [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
-    [TableName.AuditLogStream]: Knex.CompositeTableType<
+    [TableName.SamlConfig]: KnexOriginal.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
+    [TableName.OidcConfig]: KnexOriginal.CompositeTableType<TOidcConfigs, TOidcConfigsInsert, TOidcConfigsUpdate>;
+    [TableName.LdapConfig]: KnexOriginal.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
+    [TableName.LdapGroupMap]: KnexOriginal.CompositeTableType<
+      TLdapGroupMaps,
+      TLdapGroupMapsInsert,
+      TLdapGroupMapsUpdate
+    >;
+    [TableName.OrgBot]: KnexOriginal.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
+    [TableName.AuditLog]: KnexOriginal.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
+    [TableName.AuditLogStream]: KnexOriginal.CompositeTableType<
      TAuditLogStreams,
      TAuditLogStreamsInsert,
      TAuditLogStreamsUpdate
    >;
-    [TableName.GitAppInstallSession]: Knex.CompositeTableType<
+    [TableName.GitAppInstallSession]: KnexOriginal.CompositeTableType<
      TGitAppInstallSessions,
      TGitAppInstallSessionsInsert,
      TGitAppInstallSessionsUpdate
    >;
-    [TableName.GitAppOrg]: Knex.CompositeTableType<TGitAppOrg, TGitAppOrgInsert, TGitAppOrgUpdate>;
-    [TableName.SecretScanningGitRisk]: Knex.CompositeTableType<
+    [TableName.GitAppOrg]: KnexOriginal.CompositeTableType<TGitAppOrg, TGitAppOrgInsert, TGitAppOrgUpdate>;
+    [TableName.SecretScanningGitRisk]: KnexOriginal.CompositeTableType<
      TSecretScanningGitRisks,
      TSecretScanningGitRisksInsert,
      TSecretScanningGitRisksUpdate
    >;
-    [TableName.TrustedIps]: Knex.CompositeTableType<TTrustedIps, TTrustedIpsInsert, TTrustedIpsUpdate>;
+    [TableName.TrustedIps]: KnexOriginal.CompositeTableType<TTrustedIps, TTrustedIpsInsert, TTrustedIpsUpdate>;
+    [TableName.SecretV2]: KnexOriginal.CompositeTableType<TSecretsV2, TSecretsV2Insert, TSecretsV2Update>;
+    [TableName.SecretVersionV2]: KnexOriginal.CompositeTableType<
+      TSecretVersionsV2,
+      TSecretVersionsV2Insert,
+      TSecretVersionsV2Update
+    >;
+    [TableName.SecretReferenceV2]: KnexOriginal.CompositeTableType<
+      TSecretReferencesV2,
+      TSecretReferencesV2Insert,
+      TSecretReferencesV2Update
+    >;
    // Junction tables
-    [TableName.JnSecretTag]: Knex.CompositeTableType<
+    [TableName.SecretV2JnTag]: KnexOriginal.CompositeTableType<
+      TSecretV2TagJunction,
+      TSecretV2TagJunctionInsert,
+      TSecretV2TagJunctionUpdate
+    >;
+    [TableName.JnSecretTag]: KnexOriginal.CompositeTableType<
      TSecretTagJunction,
      TSecretTagJunctionInsert,
      TSecretTagJunctionUpdate
    >;
-    [TableName.SecretVersionTag]: Knex.CompositeTableType<
+    [TableName.SecretVersionTag]: KnexOriginal.CompositeTableType<
      TSecretVersionTagJunction,
      TSecretVersionTagJunctionInsert,
      TSecretVersionTagJunctionUpdate
    >;
+    [TableName.SecretVersionV2Tag]: KnexOriginal.CompositeTableType<
+      TSecretVersionV2TagJunction,
+      TSecretVersionV2TagJunctionInsert,
+      TSecretVersionV2TagJunctionUpdate
+    >;
+    [TableName.SnapshotSecretV2]: KnexOriginal.CompositeTableType<
+      TSecretSnapshotSecretsV2,
+      TSecretSnapshotSecretsV2Insert,
+      TSecretSnapshotSecretsV2Update
+    >;
+    [TableName.SecretApprovalRequestSecretV2]: KnexOriginal.CompositeTableType<
+      TSecretApprovalRequestsSecretsV2,
+      TSecretApprovalRequestsSecretsV2Insert,
+      TSecretApprovalRequestsSecretsV2Update
+    >;
+    [TableName.SecretApprovalRequestSecretTagV2]: KnexOriginal.CompositeTableType<
+      TSecretApprovalRequestSecretTagsV2,
+      TSecretApprovalRequestSecretTagsV2Insert,
+      TSecretApprovalRequestSecretTagsV2Update
+    >;
+    [TableName.SecretRotationOutputV2]: KnexOriginal.CompositeTableType<
+      TSecretRotationOutputV2,
+      TSecretRotationOutputV2Insert,
+      TSecretRotationOutputV2Update
+    >;
+    // KMS service
+    [TableName.KmsServerRootConfig]: KnexOriginal.CompositeTableType<
+      TKmsRootConfig,
+      TKmsRootConfigInsert,
+      TKmsRootConfigUpdate
+    >;
+    [TableName.InternalKms]: KnexOriginal.CompositeTableType<TInternalKms, TInternalKmsInsert, TInternalKmsUpdate>;
+    [TableName.ExternalKms]: KnexOriginal.CompositeTableType<TExternalKms, TExternalKmsInsert, TExternalKmsUpdate>;
+    [TableName.KmsKey]: KnexOriginal.CompositeTableType<TKmsKeys, TKmsKeysInsert, TKmsKeysUpdate>;
+    [TableName.KmsKeyVersion]: KnexOriginal.CompositeTableType<
+      TKmsKeyVersions,
+      TKmsKeyVersionsInsert,
+      TKmsKeyVersionsUpdate
+    >;
  }
 }
--- a/backend/src/db/instance.ts
+++ b/backend/src/db/instance.ts
@ -1,8 +1,38 @@
-import knex from "knex";
+import knex, { Knex } from "knex";

 export type TDbClient = ReturnType<typeof initDbConnection>;
-export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnectionUri: string; dbRootCert?: string }) => {
-  const db = knex({
+export const initDbConnection = ({
+  dbConnectionUri,
+  dbRootCert,
+  readReplicas = []
+}: {
+  dbConnectionUri: string;
+  dbRootCert?: string;
+  readReplicas?: {
+    dbConnectionUri: string;
+    dbRootCert?: string;
+  }[];
+}) => {
+  // akhilmhdh: the default Knex is knex.Knex<any, any[]>. but when assigned with knex({<config>}) the value is knex.Knex<any, unknown[]>
+  // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[]
+  // eslint-disable-next-line
+  let db: Knex<any, unknown[]>;
+  // eslint-disable-next-line
+  let readReplicaDbs: Knex<any, unknown[]>[];
+  // @ts-expect-error the querybuilder type is expected but our intension is to return  a knex instance
+  knex.QueryBuilder.extend("primaryNode", () => {
+    return db;
+  });
+
+  // @ts-expect-error the querybuilder type is expected but our intension is to return  a knex instance
+  knex.QueryBuilder.extend("replicaNode", () => {
+    if (!readReplicaDbs.length) return db;
+
+    const selectedReplica = readReplicaDbs[Math.floor(Math.random() * readReplicaDbs.length)];
+    return selectedReplica;
+  });
+
+  db = knex({
    client: "pg",
    connection: {
      connectionString: dbConnectionUri,
@ -22,5 +52,21 @@ export const initDbConnection = ({ dbConnectionUri, dbRootCert }: { dbConnection
    }
  });

+  readReplicaDbs = readReplicas.map((el) => {
+    const replicaDbCertificate = el.dbRootCert || dbRootCert;
+    return knex({
+      client: "pg",
+      connection: {
+        connectionString: el.dbConnectionUri,
+        ssl: replicaDbCertificate
+          ? {
+              rejectUnauthorized: true,
+              ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii")
+            }
+          : false
+      }
+    });
+  });
+
  return db;
 };
--- a/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
+++ b/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
--- a/backend/src/db/migrations/20240514041650_identity-gcp-auth.ts
+++ b/backend/src/db/migrations/20240514041650_identity-gcp-auth.ts
@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
+    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+      t.string("allowedServiceAccounts").notNullable();
+      t.string("allowedProjects").notNullable();
+      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
+}
--- a/backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts
+++ b/backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
+    await knex.schema.createTable(TableName.SecretReference, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("environment").notNullable();
+      t.string("secretPath").notNullable();
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretReference);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretReference);
+  await dropOnUpdateTrigger(knex, TableName.SecretReference);
+}
--- a/backend/src/db/migrations/20240518142614_kubernetes-auth.ts
+++ b/backend/src/db/migrations/20240518142614_kubernetes-auth.ts
@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
+    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("kubernetesHost").notNullable();
+      t.text("encryptedCaCert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.text("encryptedTokenReviewerJwt").notNullable();
+      t.string("tokenReviewerJwtIV").notNullable();
+      t.string("tokenReviewerJwtTag").notNullable();
+      t.string("allowedNamespaces").notNullable();
+      t.string("allowedNames").notNullable();
+      t.string("allowedAudience").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
+}
--- a/backend/src/db/migrations/20240520064127_add-integration-sync-status.ts
+++ b/backend/src/db/migrations/20240520064127_add-integration-sync-status.ts
@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
+  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
+  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
+
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    if (!hasIsSyncedColumn) {
+      t.boolean("isSynced").nullable();
+    }
+
+    if (!hasSyncMessageColumn) {
+      t.text("syncMessage").nullable();
+    }
+
+    if (!hasLastSyncJobId) {
+      t.string("lastSyncJobId").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
+  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
+  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
+
+  await knex.schema.alterTable(TableName.Integration, (t) => {
+    if (hasIsSyncedColumn) {
+      t.dropColumn("isSynced");
+    }
+
+    if (hasSyncMessageColumn) {
+      t.dropColumn("syncMessage");
+    }
+
+    if (hasLastSyncJobId) {
+      t.dropColumn("lastSyncJobId");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts
+++ b/backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts
@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.index("projectId");
+      if (doesOrgIdExist) t.index("orgId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
+  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesProjectIdExist) t.dropIndex("projectId");
+      if (doesOrgIdExist) t.dropIndex("orgId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts
+++ b/backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts
@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
+
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522204414_index-secret-version-envId.ts
+++ b/backend/src/db/migrations/20240522204414_index-secret-version-envId.ts
@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.index("envId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
+
+  if (await knex.schema.hasTable(TableName.SecretVersion)) {
+    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
+      if (doesEnvIdExist) t.dropIndex("envId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts
+++ b/backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts
+++ b/backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.index("snapshotId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
+  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
+    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
+      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts
+++ b/backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
+  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
+
+  if (await knex.schema.hasTable(TableName.Secret)) {
+    await knex.schema.alterTable(TableName.Secret, (t) => {
+      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
+    });
+  }
+}
--- a/backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts
+++ b/backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts
@ -0,0 +1,22 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.index("expiresAt");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
+
+  if (await knex.schema.hasTable(TableName.AuditLog)) {
+    await knex.schema.alterTable(TableName.AuditLog, (t) => {
+      if (doesExpireAtExist) t.dropIndex("expiresAt");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240527073740_identity-azure-auth.ts
+++ b/backend/src/db/migrations/20240527073740_identity-azure-auth.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
+    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("tenantId").notNullable();
+      t.string("resource").notNullable();
+      t.string("allowedServicePrincipalIds").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
+}
--- a/backend/src/db/migrations/20240528153905_add-user-account-mfa-locking.ts
+++ b/backend/src/db/migrations/20240528153905_add-user-account-mfa-locking.ts
@ -0,0 +1,43 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasConsecutiveFailedMfaAttempts = await knex.schema.hasColumn(TableName.Users, "consecutiveFailedMfaAttempts");
+  const hasIsLocked = await knex.schema.hasColumn(TableName.Users, "isLocked");
+  const hasTemporaryLockDateEnd = await knex.schema.hasColumn(TableName.Users, "temporaryLockDateEnd");
+
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (!hasConsecutiveFailedMfaAttempts) {
+      t.integer("consecutiveFailedMfaAttempts").defaultTo(0);
+    }
+
+    if (!hasIsLocked) {
+      t.boolean("isLocked").defaultTo(false);
+    }
+
+    if (!hasTemporaryLockDateEnd) {
+      t.dateTime("temporaryLockDateEnd").nullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasConsecutiveFailedMfaAttempts = await knex.schema.hasColumn(TableName.Users, "consecutiveFailedMfaAttempts");
+  const hasIsLocked = await knex.schema.hasColumn(TableName.Users, "isLocked");
+  const hasTemporaryLockDateEnd = await knex.schema.hasColumn(TableName.Users, "temporaryLockDateEnd");
+
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (hasConsecutiveFailedMfaAttempts) {
+      t.dropColumn("consecutiveFailedMfaAttempts");
+    }
+
+    if (hasIsLocked) {
+      t.dropColumn("isLocked");
+    }
+
+    if (hasTemporaryLockDateEnd) {
+      t.dropColumn("temporaryLockDateEnd");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240528190137_secret_sharing.ts
+++ b/backend/src/db/migrations/20240528190137_secret_sharing.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretSharing))) {
+    await knex.schema.createTable(TableName.SecretSharing, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.text("encryptedValue").notNullable();
+      t.text("iv").notNullable();
+      t.text("tag").notNullable();
+      t.text("hashedHex").notNullable();
+      t.timestamp("expiresAt").notNullable();
+      t.uuid("userId").notNullable();
+      t.uuid("orgId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretSharing);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretSharing);
+}
--- a/backend/src/db/migrations/20240529060752_snap-shot-secret-index-secretversionid.ts
+++ b/backend/src/db/migrations/20240529060752_snap-shot-secret-index-secretversionid.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSecretVersionIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "secretVersionId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSecretVersionIdExist) t.index("secretVersionId");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSecretVersionIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "secretVersionId");
+  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
+    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
+      if (doesSecretVersionIdExist) t.dropIndex("secretVersionId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240529203152_secret_sharing.ts
+++ b/backend/src/db/migrations/20240529203152_secret_sharing.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretSharing))) {
+    await knex.schema.createTable(TableName.SecretSharing, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.text("encryptedValue").notNullable();
+      t.text("iv").notNullable();
+      t.text("tag").notNullable();
+      t.text("hashedHex").notNullable();
+      t.timestamp("expiresAt").notNullable();
+      t.uuid("userId").notNullable();
+      t.uuid("orgId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretSharing);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretSharing);
+}
--- a/backend/src/db/migrations/20240530044702_universal-text-in-secret-sharing.ts
+++ b/backend/src/db/migrations/20240530044702_universal-text-in-secret-sharing.ts
@ -0,0 +1,33 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasExpiresAfterViewsColumn = await knex.schema.hasColumn(TableName.SecretSharing, "expiresAfterViews");
+  const hasSecretNameColumn = await knex.schema.hasColumn(TableName.SecretSharing, "name");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+    if (!hasExpiresAfterViewsColumn) {
+      t.integer("expiresAfterViews");
+    }
+
+    if (hasSecretNameColumn) {
+      t.dropColumn("name");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasExpiresAfterViewsColumn = await knex.schema.hasColumn(TableName.SecretSharing, "expiresAfterViews");
+  const hasSecretNameColumn = await knex.schema.hasColumn(TableName.SecretSharing, "name");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+    if (hasExpiresAfterViewsColumn) {
+      t.dropColumn("expiresAfterViews");
+    }
+
+    if (!hasSecretNameColumn) {
+      t.string("name").notNullable();
+    }
+  });
+}
--- a/backend/src/db/migrations/20240531220007_secret-replication.ts
+++ b/backend/src/db/migrations/20240531220007_secret-replication.ts
@ -0,0 +1,85 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSecretImportIsReplicationExist = await knex.schema.hasColumn(TableName.SecretImport, "isReplication");
+  const doesSecretImportIsReplicationSuccessExist = await knex.schema.hasColumn(
+    TableName.SecretImport,
+    "isReplicationSuccess"
+  );
+  const doesSecretImportReplicationStatusExist = await knex.schema.hasColumn(
+    TableName.SecretImport,
+    "replicationStatus"
+  );
+  const doesSecretImportLastReplicatedExist = await knex.schema.hasColumn(TableName.SecretImport, "lastReplicated");
+  const doesSecretImportIsReservedExist = await knex.schema.hasColumn(TableName.SecretImport, "isReserved");
+
+  if (await knex.schema.hasTable(TableName.SecretImport)) {
+    await knex.schema.alterTable(TableName.SecretImport, (t) => {
+      if (!doesSecretImportIsReplicationExist) t.boolean("isReplication").defaultTo(false);
+      if (!doesSecretImportIsReplicationSuccessExist) t.boolean("isReplicationSuccess").nullable();
+      if (!doesSecretImportReplicationStatusExist) t.text("replicationStatus").nullable();
+      if (!doesSecretImportLastReplicatedExist) t.datetime("lastReplicated").nullable();
+      if (!doesSecretImportIsReservedExist) t.boolean("isReserved").defaultTo(false);
+    });
+  }
+
+  const doesSecretFolderReservedExist = await knex.schema.hasColumn(TableName.SecretFolder, "isReserved");
+  if (await knex.schema.hasTable(TableName.SecretFolder)) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      if (!doesSecretFolderReservedExist) t.boolean("isReserved").defaultTo(false);
+    });
+  }
+
+  const doesSecretApprovalRequestIsReplicatedExist = await knex.schema.hasColumn(
+    TableName.SecretApprovalRequest,
+    "isReplicated"
+  );
+  if (await knex.schema.hasTable(TableName.SecretApprovalRequest)) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
+      if (!doesSecretApprovalRequestIsReplicatedExist) t.boolean("isReplicated");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesSecretImportIsReplicationExist = await knex.schema.hasColumn(TableName.SecretImport, "isReplication");
+  const doesSecretImportIsReplicationSuccessExist = await knex.schema.hasColumn(
+    TableName.SecretImport,
+    "isReplicationSuccess"
+  );
+  const doesSecretImportReplicationStatusExist = await knex.schema.hasColumn(
+    TableName.SecretImport,
+    "replicationStatus"
+  );
+  const doesSecretImportLastReplicatedExist = await knex.schema.hasColumn(TableName.SecretImport, "lastReplicated");
+  const doesSecretImportIsReservedExist = await knex.schema.hasColumn(TableName.SecretImport, "isReserved");
+
+  if (await knex.schema.hasTable(TableName.SecretImport)) {
+    await knex.schema.alterTable(TableName.SecretImport, (t) => {
+      if (doesSecretImportIsReplicationExist) t.dropColumn("isReplication");
+      if (doesSecretImportIsReplicationSuccessExist) t.dropColumn("isReplicationSuccess");
+      if (doesSecretImportReplicationStatusExist) t.dropColumn("replicationStatus");
+      if (doesSecretImportLastReplicatedExist) t.dropColumn("lastReplicated");
+      if (doesSecretImportIsReservedExist) t.dropColumn("isReserved");
+    });
+  }
+
+  const doesSecretFolderReservedExist = await knex.schema.hasColumn(TableName.SecretFolder, "isReserved");
+  if (await knex.schema.hasTable(TableName.SecretFolder)) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      if (doesSecretFolderReservedExist) t.dropColumn("isReserved");
+    });
+  }
+
+  const doesSecretApprovalRequestIsReplicatedExist = await knex.schema.hasColumn(
+    TableName.SecretApprovalRequest,
+    "isReplicated"
+  );
+  if (await knex.schema.hasTable(TableName.SecretApprovalRequest)) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
+      if (doesSecretApprovalRequestIsReplicatedExist) t.dropColumn("isReplicated");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240603075514_kms.ts
+++ b/backend/src/db/migrations/20240603075514_kms.ts
@ -0,0 +1,56 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.KmsServerRootConfig))) {
+    await knex.schema.createTable(TableName.KmsServerRootConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.binary("encryptedRootKey").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.KmsServerRootConfig);
+
+  if (!(await knex.schema.hasTable(TableName.KmsKey))) {
+    await knex.schema.createTable(TableName.KmsKey, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.binary("encryptedKey").notNullable();
+      t.string("encryptionAlgorithm").notNullable();
+      t.integer("version").defaultTo(1).notNullable();
+      t.string("description");
+      t.boolean("isDisabled").defaultTo(false);
+      t.boolean("isReserved").defaultTo(true);
+      t.string("projectId");
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.KmsKey);
+
+  if (!(await knex.schema.hasTable(TableName.KmsKeyVersion))) {
+    await knex.schema.createTable(TableName.KmsKeyVersion, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.binary("encryptedKey").notNullable();
+      t.integer("version").notNullable();
+      t.uuid("kmsKeyId").notNullable();
+      t.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.KmsKeyVersion);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.KmsServerRootConfig);
+  await dropOnUpdateTrigger(knex, TableName.KmsServerRootConfig);
+
+  await knex.schema.dropTableIfExists(TableName.KmsKeyVersion);
+  await dropOnUpdateTrigger(knex, TableName.KmsKeyVersion);
+
+  await knex.schema.dropTableIfExists(TableName.KmsKey);
+  await dropOnUpdateTrigger(knex, TableName.KmsKey);
+}
--- a/backend/src/db/migrations/20240609133400_private-key-handoff.ts
+++ b/backend/src/db/migrations/20240609133400_private-key-handoff.ts
@ -0,0 +1,61 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesPasswordFieldExist = await knex.schema.hasColumn(TableName.UserEncryptionKey, "hashedPassword");
+  const doesPrivateKeyFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKey"
+  );
+  const doesPrivateKeyIVFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyIV"
+  );
+  const doesPrivateKeyTagFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyTag"
+  );
+  const doesPrivateKeyEncodingFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyEncoding"
+  );
+  if (await knex.schema.hasTable(TableName.UserEncryptionKey)) {
+    await knex.schema.alterTable(TableName.UserEncryptionKey, (t) => {
+      if (!doesPasswordFieldExist) t.string("hashedPassword");
+      if (!doesPrivateKeyFieldExist) t.text("serverEncryptedPrivateKey");
+      if (!doesPrivateKeyIVFieldExist) t.text("serverEncryptedPrivateKeyIV");
+      if (!doesPrivateKeyTagFieldExist) t.text("serverEncryptedPrivateKeyTag");
+      if (!doesPrivateKeyEncodingFieldExist) t.text("serverEncryptedPrivateKeyEncoding");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesPasswordFieldExist = await knex.schema.hasColumn(TableName.UserEncryptionKey, "hashedPassword");
+  const doesPrivateKeyFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKey"
+  );
+  const doesPrivateKeyIVFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyIV"
+  );
+  const doesPrivateKeyTagFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyTag"
+  );
+  const doesPrivateKeyEncodingFieldExist = await knex.schema.hasColumn(
+    TableName.UserEncryptionKey,
+    "serverEncryptedPrivateKeyEncoding"
+  );
+  if (await knex.schema.hasTable(TableName.UserEncryptionKey)) {
+    await knex.schema.alterTable(TableName.UserEncryptionKey, (t) => {
+      if (doesPasswordFieldExist) t.dropColumn("hashedPassword");
+      if (doesPrivateKeyFieldExist) t.dropColumn("serverEncryptedPrivateKey");
+      if (doesPrivateKeyIVFieldExist) t.dropColumn("serverEncryptedPrivateKeyIV");
+      if (doesPrivateKeyTagFieldExist) t.dropColumn("serverEncryptedPrivateKeyTag");
+      if (doesPrivateKeyEncodingFieldExist) t.dropColumn("serverEncryptedPrivateKeyEncoding");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240610181521_add-consecutive-failed-password-attempts-user.ts
+++ b/backend/src/db/migrations/20240610181521_add-consecutive-failed-password-attempts-user.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasConsecutiveFailedPasswordAttempts = await knex.schema.hasColumn(
+    TableName.Users,
+    "consecutiveFailedPasswordAttempts"
+  );
+
+  await knex.schema.alterTable(TableName.Users, (tb) => {
+    if (!hasConsecutiveFailedPasswordAttempts) {
+      tb.integer("consecutiveFailedPasswordAttempts").defaultTo(0);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasConsecutiveFailedPasswordAttempts = await knex.schema.hasColumn(
+    TableName.Users,
+    "consecutiveFailedPasswordAttempts"
+  );
+
+  await knex.schema.alterTable(TableName.Users, (tb) => {
+    if (hasConsecutiveFailedPasswordAttempts) {
+      tb.dropColumn("consecutiveFailedPasswordAttempts");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240612200518_add-pit-version-limit.ts
+++ b/backend/src/db/migrations/20240612200518_add-pit-version-limit.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasPitVersionLimitColumn = await knex.schema.hasColumn(TableName.Project, "pitVersionLimit");
+  await knex.schema.alterTable(TableName.Project, (tb) => {
+    if (!hasPitVersionLimitColumn) {
+      tb.integer("pitVersionLimit").notNullable().defaultTo(10);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasPitVersionLimitColumn = await knex.schema.hasColumn(TableName.Project, "pitVersionLimit");
+  await knex.schema.alterTable(TableName.Project, (tb) => {
+    if (hasPitVersionLimitColumn) {
+      tb.dropColumn("pitVersionLimit");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240614010847_custom-rate-limits-for-self-hosting.ts
+++ b/backend/src/db/migrations/20240614010847_custom-rate-limits-for-self-hosting.ts
@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.RateLimit))) {
+    await knex.schema.createTable(TableName.RateLimit, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("readRateLimit").defaultTo(600).notNullable();
+      t.integer("writeRateLimit").defaultTo(200).notNullable();
+      t.integer("secretsRateLimit").defaultTo(60).notNullable();
+      t.integer("authRateLimit").defaultTo(60).notNullable();
+      t.integer("inviteUserRateLimit").defaultTo(30).notNullable();
+      t.integer("mfaRateLimit").defaultTo(20).notNullable();
+      t.integer("creationLimit").defaultTo(30).notNullable();
+      t.integer("publicEndpointLimit").defaultTo(30).notNullable();
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.RateLimit);
+
+    // create init rate limit entry with defaults
+    await knex(TableName.RateLimit).insert({});
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.RateLimit);
+  await dropOnUpdateTrigger(knex, TableName.RateLimit);
+}
--- a/backend/src/db/migrations/20240614115952_tag-machine-identity.ts
+++ b/backend/src/db/migrations/20240614115952_tag-machine-identity.ts
@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { ActorType } from "@app/services/auth/auth-type";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCreatedByActorType = await knex.schema.hasColumn(TableName.SecretTag, "createdByActorType");
+  await knex.schema.alterTable(TableName.SecretTag, (tb) => {
+    if (!hasCreatedByActorType) {
+      tb.string("createdByActorType").notNullable().defaultTo(ActorType.USER);
+      tb.dropForeign("createdBy");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCreatedByActorType = await knex.schema.hasColumn(TableName.SecretTag, "createdByActorType");
+  await knex.schema.alterTable(TableName.SecretTag, (tb) => {
+    if (hasCreatedByActorType) {
+      tb.dropColumn("createdByActorType");
+      tb.foreign("createdBy").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240614154212_certificate-mgmt.ts
+++ b/backend/src/db/migrations/20240614154212_certificate-mgmt.ts
@ -0,0 +1,137 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Project)) {
+    const doesProjectCertificateKeyIdExist = await knex.schema.hasColumn(TableName.Project, "kmsCertificateKeyId");
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      if (!doesProjectCertificateKeyIdExist) {
+        t.uuid("kmsCertificateKeyId").nullable();
+        t.foreign("kmsCertificateKeyId").references("id").inTable(TableName.KmsKey);
+      }
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.CertificateAuthority))) {
+    await knex.schema.createTable(TableName.CertificateAuthority, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("parentCaId").nullable();
+      t.foreign("parentCaId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("type").notNullable(); // root / intermediate
+      t.string("status").notNullable(); // active / pending-certificate
+      t.string("friendlyName").notNullable();
+      t.string("organization").notNullable();
+      t.string("ou").notNullable();
+      t.string("country").notNullable();
+      t.string("province").notNullable();
+      t.string("locality").notNullable();
+      t.string("commonName").notNullable();
+      t.string("dn").notNullable();
+      t.string("serialNumber").nullable().unique();
+      t.integer("maxPathLength").nullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("notBefore").nullable();
+      t.datetime("notAfter").nullable();
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.CertificateAuthorityCert))) {
+    // table to keep track of certificates belonging to CA
+    await knex.schema.createTable(TableName.CertificateAuthorityCert, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("caId").notNullable().unique();
+      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("encryptedCertificate").notNullable();
+      t.binary("encryptedCertificateChain").notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.CertificateAuthoritySecret))) {
+    await knex.schema.createTable(TableName.CertificateAuthoritySecret, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("caId").notNullable().unique();
+      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("encryptedPrivateKey").notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.CertificateAuthorityCrl))) {
+    await knex.schema.createTable(TableName.CertificateAuthorityCrl, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("caId").notNullable().unique();
+      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.binary("encryptedCrl").notNullable();
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.Certificate))) {
+    await knex.schema.createTable(TableName.Certificate, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("caId").notNullable();
+      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.string("status").notNullable(); // active / pending-certificate
+      t.string("serialNumber").notNullable().unique();
+      t.string("friendlyName").notNullable();
+      t.string("commonName").notNullable();
+      t.datetime("notBefore").notNullable();
+      t.datetime("notAfter").notNullable();
+      t.datetime("revokedAt").nullable();
+      t.integer("revocationReason").nullable(); // integer based on crl reason in RFC 5280
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.CertificateBody))) {
+    await knex.schema.createTable(TableName.CertificateBody, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("certId").notNullable().unique();
+      t.foreign("certId").references("id").inTable(TableName.Certificate).onDelete("CASCADE");
+      t.binary("encryptedCertificate").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.CertificateAuthority);
+  await createOnUpdateTrigger(knex, TableName.CertificateAuthorityCert);
+  await createOnUpdateTrigger(knex, TableName.CertificateAuthoritySecret);
+  await createOnUpdateTrigger(knex, TableName.Certificate);
+  await createOnUpdateTrigger(knex, TableName.CertificateBody);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // project
+  if (await knex.schema.hasTable(TableName.Project)) {
+    const doesProjectCertificateKeyIdExist = await knex.schema.hasColumn(TableName.Project, "kmsCertificateKeyId");
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      if (doesProjectCertificateKeyIdExist) t.dropColumn("kmsCertificateKeyId");
+    });
+  }
+
+  // certificates
+  await knex.schema.dropTableIfExists(TableName.CertificateBody);
+  await dropOnUpdateTrigger(knex, TableName.CertificateBody);
+
+  await knex.schema.dropTableIfExists(TableName.Certificate);
+  await dropOnUpdateTrigger(knex, TableName.Certificate);
+
+  // certificate authorities
+  await knex.schema.dropTableIfExists(TableName.CertificateAuthoritySecret);
+  await dropOnUpdateTrigger(knex, TableName.CertificateAuthoritySecret);
+
+  await knex.schema.dropTableIfExists(TableName.CertificateAuthorityCrl);
+  await dropOnUpdateTrigger(knex, TableName.CertificateAuthorityCrl);
+
+  await knex.schema.dropTableIfExists(TableName.CertificateAuthorityCert);
+  await dropOnUpdateTrigger(knex, TableName.CertificateAuthorityCert);
+
+  await knex.schema.dropTableIfExists(TableName.CertificateAuthority);
+  await dropOnUpdateTrigger(knex, TableName.CertificateAuthority);
+}
--- a/backend/src/db/migrations/20240614184133_make-secret-sharing-public.ts
+++ b/backend/src/db/migrations/20240614184133_make-secret-sharing-public.ts
@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasOrgIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "orgId");
+  const hasUserIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "userId");
+
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+      if (hasOrgIdColumn) t.uuid("orgId").nullable().alter();
+      if (hasUserIdColumn) t.uuid("userId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasOrgIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "orgId");
+  const hasUserIdColumn = await knex.schema.hasColumn(TableName.SecretSharing, "userId");
+
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+      if (hasOrgIdColumn) t.uuid("orgId").notNullable().alter();
+      if (hasUserIdColumn) t.uuid("userId").notNullable().alter();
+    });
+  }
+}
--- a/backend/src/db/migrations/20240624161942_add-oidc-auth.ts
+++ b/backend/src/db/migrations/20240624161942_add-oidc-auth.ts
@ -0,0 +1,49 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.OidcConfig))) {
+    await knex.schema.createTable(TableName.OidcConfig, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("discoveryURL");
+      tb.string("issuer");
+      tb.string("authorizationEndpoint");
+      tb.string("jwksUri");
+      tb.string("tokenEndpoint");
+      tb.string("userinfoEndpoint");
+      tb.text("encryptedClientId").notNullable();
+      tb.string("configurationType").notNullable();
+      tb.string("clientIdIV").notNullable();
+      tb.string("clientIdTag").notNullable();
+      tb.text("encryptedClientSecret").notNullable();
+      tb.string("clientSecretIV").notNullable();
+      tb.string("clientSecretTag").notNullable();
+      tb.string("allowedEmailDomains").nullable();
+      tb.boolean("isActive").notNullable();
+      tb.timestamps(true, true, true);
+      tb.uuid("orgId").notNullable().unique();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails"))) {
+      await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
+        tb.boolean("trustOidcEmails").defaultTo(false);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.OidcConfig);
+
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustOidcEmails")) {
+      await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+        t.dropColumn("trustOidcEmails");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts
+++ b/backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts
@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const DEFAULT_AUTH_ORG_ID_FIELD = "defaultAuthOrgId";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (!hasDefaultOrgColumn) {
+      t.uuid(DEFAULT_AUTH_ORG_ID_FIELD).nullable();
+      t.foreign(DEFAULT_AUTH_ORG_ID_FIELD).references("id").inTable(TableName.Organization).onDelete("SET NULL");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasDefaultOrgColumn) {
+      t.dropForeign([DEFAULT_AUTH_ORG_ID_FIELD]);
+      t.dropColumn(DEFAULT_AUTH_ORG_ID_FIELD);
+    }
+  });
+}
--- a/backend/src/db/migrations/20240624221840_certificate-alt-names.ts
+++ b/backend/src/db/migrations/20240624221840_certificate-alt-names.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasAltNamesColumn = await knex.schema.hasColumn(TableName.Certificate, "altNames");
+    if (!hasAltNamesColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("altNames").defaultTo("");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "altNames")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropColumn("altNames");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240626111536_integration-auth-aws-assume-role.ts
+++ b/backend/src/db/migrations/20240626111536_integration-auth-aws-assume-role.ts
@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAwsAssumeRoleCipherText = await knex.schema.hasColumn(
+    TableName.IntegrationAuth,
+    "awsAssumeIamRoleArnCipherText"
+  );
+  const hasAwsAssumeRoleIV = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnIV");
+  const hasAwsAssumeRoleTag = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnTag");
+  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
+    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
+      if (!hasAwsAssumeRoleCipherText) t.text("awsAssumeIamRoleArnCipherText");
+      if (!hasAwsAssumeRoleIV) t.text("awsAssumeIamRoleArnIV");
+      if (!hasAwsAssumeRoleTag) t.text("awsAssumeIamRoleArnTag");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAwsAssumeRoleCipherText = await knex.schema.hasColumn(
+    TableName.IntegrationAuth,
+    "awsAssumeIamRoleArnCipherText"
+  );
+  const hasAwsAssumeRoleIV = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnIV");
+  const hasAwsAssumeRoleTag = await knex.schema.hasColumn(TableName.IntegrationAuth, "awsAssumeIamRoleArnTag");
+  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
+    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
+      if (hasAwsAssumeRoleCipherText) t.dropColumn("awsAssumeIamRoleArnCipherText");
+      if (hasAwsAssumeRoleIV) t.dropColumn("awsAssumeIamRoleArnIV");
+      if (hasAwsAssumeRoleTag) t.dropColumn("awsAssumeIamRoleArnTag");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240626115035_admin-login-method-config.ts
+++ b/backend/src/db/migrations/20240626115035_admin-login-method-config.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "enabledLoginMethods"))) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (tb) => {
+      tb.specificType("enabledLoginMethods", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "enabledLoginMethods")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("enabledLoginMethods");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240626171758_add-ldap-unique-user-attribute.ts
+++ b/backend/src/db/migrations/20240626171758_add-ldap-unique-user-attribute.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute"))) {
+    await knex.schema.alterTable(TableName.LdapConfig, (tb) => {
+      tb.string("uniqueUserAttribute").notNullable().defaultTo("");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.LdapConfig, "uniqueUserAttribute")) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      t.dropColumn("uniqueUserAttribute");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240626171943_configurable-audit-log-retention.ts
+++ b/backend/src/db/migrations/20240626171943_configurable-audit-log-retention.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays"))) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.integer("auditLogsRetentionDays").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Project, "auditLogsRetentionDays")) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("auditLogsRetentionDays");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240627173239_add-oidc-updated-at-trigger.ts
+++ b/backend/src/db/migrations/20240627173239_add-oidc-updated-at-trigger.ts
@ -0,0 +1,12 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  await createOnUpdateTrigger(knex, TableName.OidcConfig);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.OidcConfig);
+}
--- a/backend/src/db/migrations/20240701143900_member-project-favorite.ts
+++ b/backend/src/db/migrations/20240701143900_member-project-favorite.ts
@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.OrgMembership, "projectFavorites"))) {
+    await knex.schema.alterTable(TableName.OrgMembership, (tb) => {
+      tb.specificType("projectFavorites", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OrgMembership, "projectFavorites")) {
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.dropColumn("projectFavorites");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240702055253_add-encrypted-webhook-url.ts
+++ b/backend/src/db/migrations/20240702055253_add-encrypted-webhook-url.ts
@ -0,0 +1,53 @@
+import { Knex } from "knex";
+
+import { WebhookType } from "@app/services/webhook/webhook-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasUrlCipherText = await knex.schema.hasColumn(TableName.Webhook, "urlCipherText");
+  const hasUrlIV = await knex.schema.hasColumn(TableName.Webhook, "urlIV");
+  const hasUrlTag = await knex.schema.hasColumn(TableName.Webhook, "urlTag");
+  const hasType = await knex.schema.hasColumn(TableName.Webhook, "type");
+
+  if (await knex.schema.hasTable(TableName.Webhook)) {
+    await knex.schema.alterTable(TableName.Webhook, (tb) => {
+      if (!hasUrlCipherText) {
+        tb.text("urlCipherText");
+      }
+      if (!hasUrlIV) {
+        tb.string("urlIV");
+      }
+      if (!hasUrlTag) {
+        tb.string("urlTag");
+      }
+      if (!hasType) {
+        tb.string("type").defaultTo(WebhookType.GENERAL);
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasUrlCipherText = await knex.schema.hasColumn(TableName.Webhook, "urlCipherText");
+  const hasUrlIV = await knex.schema.hasColumn(TableName.Webhook, "urlIV");
+  const hasUrlTag = await knex.schema.hasColumn(TableName.Webhook, "urlTag");
+  const hasType = await knex.schema.hasColumn(TableName.Webhook, "type");
+
+  if (await knex.schema.hasTable(TableName.Webhook)) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (hasUrlCipherText) {
+        t.dropColumn("urlCipherText");
+      }
+      if (hasUrlIV) {
+        t.dropColumn("urlIV");
+      }
+      if (hasUrlTag) {
+        t.dropColumn("urlTag");
+      }
+      if (hasType) {
+        t.dropColumn("type");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20240702131735_secret-approval-groups.ts
+++ b/backend/src/db/migrations/20240702131735_secret-approval-groups.ts
@ -0,0 +1,188 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // migrate secret approval policy approvers to user id
+  const hasApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+  const hasApproverId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverId");
+  if (!hasApproverUserId) {
+    // add the new fields
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
+      // if (hasApproverId) tb.setNullable("approverId");
+      tb.uuid("approverUserId");
+      tb.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+
+    // convert project membership id => user id
+    await knex(TableName.SecretApprovalPolicyApprover).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      approverUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.SecretApprovalPolicyApprover}.approverId`]))
+    });
+    // drop the old field
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
+      if (hasApproverId) tb.dropColumn("approverId");
+      tb.uuid("approverUserId").notNullable().alter();
+    });
+  }
+
+  // migrate secret approval request committer and statusChangeBy to user id
+  const hasSecretApprovalRequestTable = await knex.schema.hasTable(TableName.SecretApprovalRequest);
+  const hasCommitterUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
+  const hasCommitterId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerId");
+  const hasStatusChangeBy = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeBy");
+  const hasStatusChangedByUserId = await knex.schema.hasColumn(
+    TableName.SecretApprovalRequest,
+    "statusChangedByUserId"
+  );
+  if (hasSecretApprovalRequestTable) {
+    // new fields
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      // if (hasCommitterId) tb.setNullable("committerId");
+      if (!hasCommitterUserId) {
+        tb.uuid("committerUserId");
+        tb.foreign("committerUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+      }
+      if (!hasStatusChangedByUserId) {
+        tb.uuid("statusChangedByUserId");
+        tb.foreign("statusChangedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+      }
+    });
+
+    // copy the assigned project membership => user id to new fields
+    await knex(TableName.SecretApprovalRequest).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      committerUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.SecretApprovalRequest}.committerId`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      statusChangedByUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.SecretApprovalRequest}.statusChangeBy`]))
+    });
+    // drop old fields
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      if (hasStatusChangeBy) tb.dropColumn("statusChangeBy");
+      if (hasCommitterId) tb.dropColumn("committerId");
+      tb.uuid("committerUserId").notNullable().alter();
+    });
+  }
+
+  // migrate secret approval request reviewer to user id
+  const hasMemberId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "member");
+  const hasReviewerUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "reviewerUserId");
+  if (!hasReviewerUserId) {
+    // new fields
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
+      // if (hasMemberId) tb.setNullable("member");
+      tb.uuid("reviewerUserId");
+      tb.foreign("reviewerUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+    // copy project membership => user id to new fields
+    await knex(TableName.SecretApprovalRequestReviewer).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      reviewerUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.SecretApprovalRequestReviewer}.member`]))
+    });
+    // drop table
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
+      if (hasMemberId) tb.dropColumn("member");
+      tb.uuid("reviewerUserId").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+  const hasApproverId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverId");
+  if (hasApproverUserId) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
+      if (!hasApproverId) {
+        tb.uuid("approverId");
+        tb.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      }
+    });
+
+    if (!hasApproverId) {
+      await knex(TableName.SecretApprovalPolicyApprover).update({
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        approverId: knex(TableName.ProjectMembership)
+          .select("id")
+          .where("userId", knex.raw("??", [`${TableName.SecretApprovalPolicyApprover}.approverUserId`]))
+      });
+      await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (tb) => {
+        tb.dropColumn("approverUserId");
+        tb.uuid("approverId").notNullable().alter();
+      });
+    }
+  }
+
+  const hasSecretApprovalRequestTable = await knex.schema.hasTable(TableName.SecretApprovalRequest);
+  const hasCommitterUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
+  const hasCommitterId = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerId");
+  const hasStatusChangeBy = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeBy");
+  const hasStatusChangedByUser = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangedByUserId");
+  if (hasSecretApprovalRequestTable) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      // if (hasCommitterId) tb.uuid("committerId").notNullable().alter();
+      if (!hasCommitterId) {
+        tb.uuid("committerId");
+        tb.foreign("committerId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      }
+      if (!hasStatusChangeBy) {
+        tb.uuid("statusChangeBy");
+        tb.foreign("statusChangeBy").references("id").inTable(TableName.ProjectMembership).onDelete("SET NULL");
+      }
+    });
+
+    await knex(TableName.SecretApprovalRequest).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      committerId: knex(TableName.ProjectMembership)
+        .select("id")
+        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.committerUserId`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      statusChangeBy: knex(TableName.ProjectMembership)
+        .select("id")
+        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.statusChangedByUserId`]))
+    });
+
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      if (hasCommitterUserId) tb.dropColumn("committerUserId");
+      if (hasStatusChangedByUser) tb.dropColumn("statusChangedByUserId");
+      if (hasCommitterId) tb.uuid("committerId").notNullable().alter();
+    });
+  }
+
+  const hasMemberId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "member");
+  const hasReviewerUserId = await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "reviewerUserId");
+  if (hasReviewerUserId) {
+    if (!hasMemberId) {
+      await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
+        // if (hasMemberId) tb.uuid("member").notNullable().alter();
+        tb.uuid("member");
+        tb.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      });
+    }
+    await knex(TableName.SecretApprovalRequestReviewer).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      member: knex(TableName.ProjectMembership)
+        .select("id")
+        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequestReviewer}.reviewerUserId`]))
+    });
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (tb) => {
+      tb.uuid("member").notNullable().alter();
+      tb.dropColumn("reviewerUserId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240702175124_identity-token-auth.ts
+++ b/backend/src/db/migrations/20240702175124_identity-token-auth.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.createTable(TableName.IdentityTokenAuth, (t) => {
+    t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+    t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+    t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+    t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+    t.jsonb("accessTokenTrustedIps").notNullable();
+    t.timestamps(true, true, true);
+    t.uuid("identityId").notNullable().unique();
+    t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+  });
+
+  await createOnUpdateTrigger(knex, TableName.IdentityTokenAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityTokenAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityTokenAuth);
+}
--- a/backend/src/db/migrations/20240704161322_identity-access-token-name.ts
+++ b/backend/src/db/migrations/20240704161322_identity-access-token-name.ts
@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityAccessToken)) {
+    const hasNameColumn = await knex.schema.hasColumn(TableName.IdentityAccessToken, "name");
+    if (!hasNameColumn) {
+      await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+        t.string("name").nullable();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityAccessToken)) {
+    if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "name")) {
+      await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+        t.dropColumn("name");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240708100026_external-kms.ts
+++ b/backend/src/db/migrations/20240708100026_external-kms.ts
@ -0,0 +1,256 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+const createInternalKmsTableAndBackfillData = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+
+  // building the internal kms table by filling from old kms table
+  if (doesOldKmsKeyTableExist && !doesInternalKmsTableExist) {
+    await knex.schema.createTable(TableName.InternalKms, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.binary("encryptedKey").notNullable();
+      tb.string("encryptionAlgorithm").notNullable();
+      tb.integer("version").defaultTo(1).notNullable();
+      tb.uuid("kmsKeyId").unique().notNullable();
+      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+
+    // copy the old kms and backfill
+    const oldKmsKey = await knex(TableName.KmsKey).select("version", "encryptedKey", "encryptionAlgorithm", "id");
+    if (oldKmsKey.length) {
+      await knex(TableName.InternalKms).insert(
+        oldKmsKey.map((el) => ({
+          encryptionAlgorithm: el.encryptionAlgorithm,
+          encryptedKey: el.encryptedKey,
+          kmsKeyId: el.id,
+          version: el.version
+        }))
+      );
+    }
+  }
+};
+
+const renameKmsKeyVersionTableAsInternalKmsKeyVersion = async (knex: Knex) => {
+  const doesOldKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
+  const doesNewKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
+
+  if (doesOldKmsKeyVersionTableExist && !doesNewKmsKeyVersionTableExist) {
+    // because we haven't started using versioning for kms thus no data exist
+    await knex.schema.renameTable(TableName.KmsKeyVersion, TableName.InternalKmsKeyVersion);
+    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "kmsKeyId");
+    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "internalKmsId");
+
+    await knex.schema.alterTable(TableName.InternalKmsKeyVersion, (tb) => {
+      if (hasKmsKeyIdColumn) tb.dropColumn("kmsKeyId");
+      if (!hasInternalKmsIdColumn) {
+        tb.uuid("internalKmsId").notNullable();
+        tb.foreign("internalKmsId").references("id").inTable(TableName.InternalKms).onDelete("CASCADE");
+      }
+    });
+  }
+};
+
+const createExternalKmsKeyTable = async (knex: Knex) => {
+  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
+  if (!doesExternalKmsServiceExist) {
+    await knex.schema.createTable(TableName.ExternalKms, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("provider").notNullable();
+      tb.binary("encryptedProviderInputs").notNullable();
+      tb.string("status");
+      tb.string("statusDetails");
+      tb.uuid("kmsKeyId").unique().notNullable();
+      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+  }
+};
+
+const removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+
+  // building the internal kms table by filling from old kms table
+  if (doesOldKmsKeyTableExist) {
+    const hasSlugColumn = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
+    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
+    const hasTimestamps = await knex.schema.hasColumn(TableName.KmsKey, "createdAt");
+    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (!hasSlugColumn) tb.string("slug", 32);
+      if (hasEncryptedKeyColumn) tb.dropColumn("encryptedKey");
+      if (hasEncryptionAlgorithmColumn) tb.dropColumn("encryptionAlgorithm");
+      if (hasVersionColumn) tb.dropColumn("version");
+      if (!hasTimestamps) tb.timestamps(true, true, true);
+    });
+
+    // backfill all org id in kms key because its gonna be changed to non nullable
+    if (hasProjectId && hasOrgId) {
+      await knex(TableName.KmsKey)
+        .whereNull("orgId")
+        .update({
+          // eslint-disable-next-line
+          // @ts-ignore because generate schema happens after this
+          orgId: knex(TableName.Project)
+            .select("orgId")
+            .where("id", knex.raw("??", [`${TableName.KmsKey}.projectId`]))
+        });
+    }
+
+    // backfill slugs in kms
+    const missingSlugs = await knex(TableName.KmsKey).whereNull("slug").select("id");
+    if (missingSlugs.length) {
+      await knex(TableName.KmsKey)
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        .insert(missingSlugs.map(({ id }) => ({ id, slug: slugify(alphaNumericNanoId(8).toLowerCase()) })))
+        .onConflict("id")
+        .merge();
+    }
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (hasOrgId) tb.uuid("orgId").notNullable().alter();
+      tb.string("slug", 32).notNullable().alter();
+      if (hasProjectId) tb.dropColumn("projectId");
+      if (hasOrgId) tb.unique(["orgId", "slug"]);
+    });
+  }
+};
+
+/*
+ * The goal for this migration is split the existing kms key into three table
+ * the kms-key table would be a container table that contains
+ * the internal kms key table and external kms table
+ */
+export async function up(knex: Knex): Promise<void> {
+  await createInternalKmsTableAndBackfillData(knex);
+  await renameKmsKeyVersionTableAsInternalKmsKeyVersion(knex);
+  await removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData(knex);
+  await createExternalKmsKeyTable(knex);
+
+  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
+  if (!doesOrgKmsKeyExist) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.uuid("kmsDefaultKeyId").nullable();
+      tb.foreign("kmsDefaultKeyId").references("id").inTable(TableName.KmsKey);
+    });
+  }
+
+  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
+  if (!doesProjectKmsSecretManagerKeyExist) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.uuid("kmsSecretManagerKeyId").nullable();
+      tb.foreign("kmsSecretManagerKeyId").references("id").inTable(TableName.KmsKey);
+    });
+  }
+}
+
+const renameInternalKmsKeyVersionBackToKmsKeyVersion = async (knex: Knex) => {
+  const doesInternalKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
+  const doesKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
+  if (doesInternalKmsKeyVersionTableExist && !doesKmsKeyVersionTableExist) {
+    // because we haven't started using versioning for kms thus no data exist
+    await knex.schema.renameTable(TableName.InternalKmsKeyVersion, TableName.KmsKeyVersion);
+    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "internalKmsId");
+    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "kmsKeyId");
+
+    await knex.schema.alterTable(TableName.KmsKeyVersion, (tb) => {
+      if (hasInternalKmsIdColumn) tb.dropColumn("internalKmsId");
+      if (!hasKmsKeyIdColumn) {
+        tb.uuid("kmsKeyId").notNullable();
+        tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+      }
+    });
+  }
+};
+
+const bringBackKmsKeyFields = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesOldKmsKeyTableExist && doesInternalKmsTableExist) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
+    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
+    const hasNullableOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (!hasEncryptedKeyColumn) tb.binary("encryptedKey");
+      if (!hasEncryptionAlgorithmColumn) tb.string("encryptionAlgorithm");
+      if (!hasVersionColumn) tb.integer("version").defaultTo(1);
+      if (hasNullableOrgId) tb.uuid("orgId").nullable().alter();
+      if (!hasProjectIdColumn) {
+        tb.string("projectId");
+        tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      }
+      if (hasSlug) tb.dropColumn("slug");
+    });
+  }
+};
+
+const backfillKmsKeyFromInternalKmsTable = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesInternalKmsTableExist && doesOldKmsKeyTableExist) {
+    // backfill kms key with internal kms data
+    await knex(TableName.KmsKey).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      encryptedKey: knex(TableName.InternalKms)
+        .select("encryptedKey")
+        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      encryptionAlgorithm: knex(TableName.InternalKms)
+        .select("encryptionAlgorithm")
+        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      projectId: knex(TableName.Project)
+        .select("id")
+        .where("kmsCertificateKeyId", knex.raw("??", [`${TableName.KmsKey}.id`]))
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
+  if (doesOrgKmsKeyExist) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.dropColumn("kmsDefaultKeyId");
+    });
+  }
+
+  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
+  if (doesProjectKmsSecretManagerKeyExist) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.dropColumn("kmsSecretManagerKeyId");
+    });
+  }
+
+  await renameInternalKmsKeyVersionBackToKmsKeyVersion(knex);
+  await bringBackKmsKeyFields(knex);
+  await backfillKmsKeyFromInternalKmsTable(knex);
+
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  if (doesOldKmsKeyTableExist) {
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      tb.binary("encryptedKey").notNullable().alter();
+      tb.string("encryptionAlgorithm").notNullable().alter();
+    });
+  }
+
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesInternalKmsTableExist) await knex.schema.dropTable(TableName.InternalKms);
+
+  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
+  if (doesExternalKmsServiceExist) await knex.schema.dropTable(TableName.ExternalKms);
+}
--- a/backend/src/db/migrations/20240710045107_identity-oidc-auth.ts
+++ b/backend/src/db/migrations/20240710045107_identity-oidc-auth.ts
@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityOidcAuth))) {
+    await knex.schema.createTable(TableName.IdentityOidcAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("oidcDiscoveryUrl").notNullable();
+      t.text("encryptedCaCert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.string("boundIssuer").notNullable();
+      t.string("boundAudiences").notNullable();
+      t.jsonb("boundClaims").notNullable();
+      t.string("boundSubject");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.IdentityOidcAuth);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityOidcAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityOidcAuth);
+}
--- a/backend/src/db/migrations/20240715113110_org-membership-active-status.ts
+++ b/backend/src/db/migrations/20240715113110_org-membership-active-status.ts
@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.OrgMembership)) {
+    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.boolean("isActive").notNullable().defaultTo(true);
+      if (doesUserIdExist && doesOrgIdExist) t.index(["userId", "orgId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.OrgMembership)) {
+    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.dropColumn("isActive");
+      if (doesUserIdExist && doesOrgIdExist) t.dropIndex(["userId", "orgId"]);
+    });
+  }
+}
--- a/backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts
+++ b/backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { EnforcementLevel } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
+      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
+      table.dropColumn("enforcementLevel");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts
+++ b/backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { EnforcementLevel } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
+      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
+  if (hasColumn) {
+    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
+      table.dropColumn("enforcementLevel");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts
+++ b/backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts
@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { SecretSharingAccessType } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretSharing, (table) => {
+      table.string("accessType").notNullable().defaultTo(SecretSharingAccessType.Anyone);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretSharing, (table) => {
+      table.dropColumn("accessType");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts
+++ b/backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
+      table.string("bypassReason").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
+      table.dropColumn("bypassReason");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240724101056_access-request-groups.ts
+++ b/backend/src/db/migrations/20240724101056_access-request-groups.ts
@ -0,0 +1,294 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // ---------- ACCESS APPROVAL POLICY APPROVER ------------
+  const hasApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasApproverId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverId");
+
+  if (!hasApproverUserId) {
+    // add the new fields
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
+      // if (hasApproverId) tb.setNullable("approverId");
+      tb.uuid("approverUserId");
+      tb.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+
+    // convert project membership id => user id
+    await knex(TableName.AccessApprovalPolicyApprover).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      approverUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.AccessApprovalPolicyApprover}.approverId`]))
+    });
+    // drop the old field
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
+      if (hasApproverId) tb.dropColumn("approverId");
+      tb.uuid("approverUserId").notNullable().alter();
+    });
+  }
+
+  // ---------- ACCESS APPROVAL REQUEST ------------
+  const hasAccessApprovalRequestTable = await knex.schema.hasTable(TableName.AccessApprovalRequest);
+  const hasRequestedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+  const hasRequestedBy = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedBy");
+
+  if (hasAccessApprovalRequestTable) {
+    // new fields
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      if (!hasRequestedByUserId) {
+        tb.uuid("requestedByUserId");
+        tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+      }
+    });
+
+    // copy the assigned project membership => user id to new fields
+    await knex(TableName.AccessApprovalRequest).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      requestedByUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.AccessApprovalRequest}.requestedBy`]))
+    });
+    // drop old fields
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      if (hasRequestedBy) {
+        // DROP AT A LATER TIME
+        // tb.dropColumn("requestedBy");
+
+        // ADD ALLOW NULLABLE FOR NOW
+        tb.uuid("requestedBy").nullable().alter();
+      }
+      tb.uuid("requestedByUserId").notNullable().alter();
+    });
+  }
+
+  // ---------- ACCESS APPROVAL REQUEST REVIEWER ------------
+  const hasMemberId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "member");
+  const hasReviewerUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "reviewerUserId");
+  if (!hasReviewerUserId) {
+    // new fields
+    await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
+      // if (hasMemberId) tb.setNullable("member");
+      tb.uuid("reviewerUserId");
+      tb.foreign("reviewerUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+    // copy project membership => user id to new fields
+    await knex(TableName.AccessApprovalRequestReviewer).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      reviewerUserId: knex(TableName.ProjectMembership)
+        .select("userId")
+        .where("id", knex.raw("??", [`${TableName.AccessApprovalRequestReviewer}.member`]))
+    });
+    // drop table
+    await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
+      if (hasMemberId) {
+        // DROP AT A LATER TIME
+        // tb.dropColumn("member");
+
+        // ADD ALLOW NULLABLE FOR NOW
+        tb.uuid("member").nullable().alter();
+      }
+      tb.uuid("reviewerUserId").notNullable().alter();
+    });
+  }
+
+  // ---------- PROJECT USER ADDITIONAL PRIVILEGE ------------
+  const projectUserAdditionalPrivilegeHasProjectMembershipId = await knex.schema.hasColumn(
+    TableName.ProjectUserAdditionalPrivilege,
+    "projectMembershipId"
+  );
+
+  const projectUserAdditionalPrivilegeHasUserId = await knex.schema.hasColumn(
+    TableName.ProjectUserAdditionalPrivilege,
+    "userId"
+  );
+
+  if (!projectUserAdditionalPrivilegeHasUserId) {
+    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
+      tb.uuid("userId");
+      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+
+      tb.string("projectId");
+      tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+    });
+
+    await knex(TableName.ProjectUserAdditionalPrivilege)
+      .update({
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        userId: knex(TableName.ProjectMembership)
+          .select("userId")
+          .where("id", knex.raw("??", [`${TableName.ProjectUserAdditionalPrivilege}.projectMembershipId`])),
+
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        projectId: knex(TableName.ProjectMembership)
+          .select("projectId")
+          .where("id", knex.raw("??", [`${TableName.ProjectUserAdditionalPrivilege}.projectMembershipId`]))
+      })
+      .whereNotNull("projectMembershipId");
+
+    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
+      tb.uuid("userId").notNullable().alter();
+      tb.string("projectId").notNullable().alter();
+    });
+  }
+
+  if (projectUserAdditionalPrivilegeHasProjectMembershipId) {
+    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
+      // DROP AT A LATER TIME
+      // tb.dropColumn("projectMembershipId");
+
+      // ADD ALLOW NULLABLE FOR NOW
+      tb.uuid("projectMembershipId").nullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // We remove project user additional privileges first, because it may delete records in the database where the project membership is not found.
+  // The project membership won't be found on records created by group members. In those cades we just delete the record and continue.
+  // When the additionl privilege record is deleted, it will cascade delete the access request created by the group member.
+
+  // ---------- PROJECT USER ADDITIONAL PRIVILEGE ------------
+  const hasUserId = await knex.schema.hasColumn(TableName.ProjectUserAdditionalPrivilege, "userId");
+  const hasProjectMembershipId = await knex.schema.hasColumn(
+    TableName.ProjectUserAdditionalPrivilege,
+    "projectMembershipId"
+  );
+
+  // If it doesn't have the userId field, then the up migration has not run
+  if (!hasUserId) {
+    return;
+  }
+
+  await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
+    if (!hasProjectMembershipId) {
+      tb.uuid("projectMembershipId");
+      tb.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+    }
+  });
+
+  if (!hasProjectMembershipId) {
+    // First, update records where a matching project membership exists
+    await knex(TableName.ProjectUserAdditionalPrivilege).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      projectMembershipId: knex(TableName.ProjectMembership)
+        .select("id")
+        .where("userId", knex.raw("??", [`${TableName.ProjectUserAdditionalPrivilege}.userId`]))
+    });
+
+    await knex(TableName.AccessApprovalRequest).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      projectMembershipId: knex(TableName.ProjectMembership)
+        .select("id")
+        .where("userId", knex.raw("??", [`${TableName.SecretApprovalRequest}.userId`]))
+    });
+
+    await knex.schema.alterTable(TableName.ProjectUserAdditionalPrivilege, (tb) => {
+      tb.dropColumn("userId");
+      tb.dropColumn("projectId");
+
+      tb.uuid("projectMembershipId").notNullable().alter();
+    });
+  }
+
+  // Then, delete records where no matching project membership was found
+  await knex(TableName.ProjectUserAdditionalPrivilege).whereNull("projectMembershipId").delete();
+  await knex(TableName.AccessApprovalRequest).whereNull("requestedBy").delete();
+
+  // ---------- ACCESS APPROVAL POLICY APPROVER ------------
+  const hasApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasApproverId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverId");
+
+  if (hasApproverUserId) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
+      if (!hasApproverId) {
+        tb.uuid("approverId");
+        tb.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+      }
+    });
+
+    if (!hasApproverId) {
+      await knex(TableName.AccessApprovalPolicyApprover).update({
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        approverId: knex(TableName.ProjectMembership)
+          .select("id")
+          .where("userId", knex.raw("??", [`${TableName.AccessApprovalPolicyApprover}.approverUserId`]))
+      });
+      await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (tb) => {
+        tb.dropColumn("approverUserId");
+
+        tb.uuid("approverId").notNullable().alter();
+      });
+    }
+
+    // ---------- ACCESS APPROVAL REQUEST ------------
+    const hasAccessApprovalRequestTable = await knex.schema.hasTable(TableName.AccessApprovalRequest);
+    const hasRequestedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+    const hasRequestedBy = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedBy");
+
+    if (hasAccessApprovalRequestTable) {
+      await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+        if (!hasRequestedBy) {
+          tb.uuid("requestedBy");
+          tb.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+        }
+      });
+
+      // Try to find a project membership based on the AccessApprovalRequest.requestedByUserId and AccessApprovalRequest.policyId(reference to AccessApprovalRequestPolicy).envId(reference to Environment).projectId(reference to Project)
+      // If a project membership is found, set the AccessApprovalRequest.requestedBy to the project membership id
+      // If a project membership is not found, remove the AccessApprovalRequest record
+
+      await knex(TableName.AccessApprovalRequest).update({
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        requestedBy: knex(TableName.ProjectMembership)
+          .select("id")
+          .where("userId", knex.raw("??", [`${TableName.AccessApprovalRequest}.requestedByUserId`]))
+      });
+
+      // Then, delete records where no matching project membership was found
+      await knex(TableName.AccessApprovalRequest).whereNull("requestedBy").delete();
+
+      await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+        if (hasRequestedByUserId) {
+          tb.dropColumn("requestedByUserId");
+        }
+        if (hasRequestedBy) tb.uuid("requestedBy").notNullable().alter();
+      });
+    }
+
+    // ---------- ACCESS APPROVAL REQUEST REVIEWER ------------
+    const hasMemberId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "member");
+    const hasReviewerUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequestReviewer, "reviewerUserId");
+
+    if (hasReviewerUserId) {
+      if (!hasMemberId) {
+        await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
+          tb.uuid("member");
+          tb.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
+        });
+      }
+      await knex(TableName.AccessApprovalRequestReviewer).update({
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        member: knex(TableName.ProjectMembership)
+          .select("id")
+          .where("userId", knex.raw("??", [`${TableName.AccessApprovalRequestReviewer}.reviewerUserId`]))
+      });
+      await knex.schema.alterTable(TableName.AccessApprovalRequestReviewer, (tb) => {
+        tb.dropColumn("reviewerUserId");
+
+        tb.uuid("member").notNullable().alter();
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240728010334_secret-sharing-name.ts
+++ b/backend/src/db/migrations/20240728010334_secret-sharing-name.ts
@ -0,0 +1,39 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
+    if (!doesNameExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.string("name").nullable();
+      });
+    }
+
+    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
+    if (!doesLastViewedAtExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.timestamp("lastViewedAt").nullable();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const doesNameExist = await knex.schema.hasColumn(TableName.SecretSharing, "name");
+    if (doesNameExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("name");
+      });
+    }
+
+    const doesLastViewedAtExist = await knex.schema.hasColumn(TableName.SecretSharing, "lastViewedAt");
+    if (doesLastViewedAtExist) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("lastViewedAt");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240730181830_add-org-kms-data-key.ts
+++ b/backend/src/db/migrations/20240730181830_add-org-kms-data-key.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmsDataKeyCol = await knex.schema.hasColumn(TableName.Organization, "kmsEncryptedDataKey");
+  await knex.schema.alterTable(TableName.Organization, (tb) => {
+    if (!hasKmsDataKeyCol) {
+      tb.binary("kmsEncryptedDataKey");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmsDataKeyCol = await knex.schema.hasColumn(TableName.Organization, "kmsEncryptedDataKey");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (hasKmsDataKeyCol) {
+      t.dropColumn("kmsEncryptedDataKey");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240730181840_add-project-data-key.ts
+++ b/backend/src/db/migrations/20240730181840_add-project-data-key.ts
@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmsSecretManagerEncryptedDataKey = await knex.schema.hasColumn(
+    TableName.Project,
+    "kmsSecretManagerEncryptedDataKey"
+  );
+
+  await knex.schema.alterTable(TableName.Project, (tb) => {
+    if (!hasKmsSecretManagerEncryptedDataKey) {
+      tb.binary("kmsSecretManagerEncryptedDataKey");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmsSecretManagerEncryptedDataKey = await knex.schema.hasColumn(
+    TableName.Project,
+    "kmsSecretManagerEncryptedDataKey"
+  );
+
+  await knex.schema.alterTable(TableName.Project, (t) => {
+    if (hasKmsSecretManagerEncryptedDataKey) {
+      t.dropColumn("kmsSecretManagerEncryptedDataKey");
+    }
+  });
+}
--- a/backend/src/db/migrations/20240730181850_secret-v2.ts
+++ b/backend/src/db/migrations/20240730181850_secret-v2.ts
@ -0,0 +1,181 @@
+/* eslint-disable @typescript-eslint/ban-ts-comment */
+import { Knex } from "knex";
+
+import { SecretType, TableName } from "../schemas";
+import { createJunctionTable, createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesSecretV2TableExist = await knex.schema.hasTable(TableName.SecretV2);
+  if (!doesSecretV2TableExist) {
+    await knex.schema.createTable(TableName.SecretV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("version").defaultTo(1).notNullable();
+      t.string("type").notNullable().defaultTo(SecretType.Shared);
+      t.string("key", 500).notNullable();
+      t.binary("encryptedValue");
+      t.binary("encryptedComment");
+      t.string("reminderNote");
+      t.integer("reminderRepeatDays");
+      t.boolean("skipMultilineEncoding").defaultTo(false);
+      t.jsonb("metadata");
+      t.uuid("userId");
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.uuid("folderId").notNullable();
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+      t.index(["folderId", "userId"]);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.SecretV2);
+
+  // many to many relation between tags
+  await createJunctionTable(knex, TableName.SecretV2JnTag, TableName.SecretV2, TableName.SecretTag);
+
+  const doesSecretV2VersionTableExist = await knex.schema.hasTable(TableName.SecretVersionV2);
+  if (!doesSecretV2VersionTableExist) {
+    await knex.schema.createTable(TableName.SecretVersionV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("version").defaultTo(1).notNullable();
+      t.string("type").notNullable().defaultTo(SecretType.Shared);
+      t.string("key", 500).notNullable();
+      t.binary("encryptedValue");
+      t.binary("encryptedComment");
+      t.string("reminderNote");
+      t.integer("reminderRepeatDays");
+      t.boolean("skipMultilineEncoding").defaultTo(false);
+      t.jsonb("metadata");
+      // to avoid orphan rows
+      t.uuid("envId");
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      t.uuid("secretId").notNullable();
+      t.uuid("folderId").notNullable();
+      t.uuid("userId");
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+  await createOnUpdateTrigger(knex, TableName.SecretVersionV2);
+
+  if (!(await knex.schema.hasTable(TableName.SecretReferenceV2))) {
+    await knex.schema.createTable(TableName.SecretReferenceV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("environment").notNullable();
+      t.string("secretPath").notNullable();
+      t.string("secretKey", 500).notNullable();
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+    });
+  }
+
+  await createJunctionTable(knex, TableName.SecretVersionV2Tag, TableName.SecretVersionV2, TableName.SecretTag);
+
+  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestSecretV2))) {
+    await knex.schema.createTable(TableName.SecretApprovalRequestSecretV2, (t) => {
+      // everything related  to secret
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.integer("version").defaultTo(1);
+      t.string("key", 500).notNullable();
+      t.binary("encryptedValue");
+      t.binary("encryptedComment");
+      t.string("reminderNote");
+      t.integer("reminderRepeatDays");
+      t.boolean("skipMultilineEncoding").defaultTo(false);
+      t.jsonb("metadata");
+      t.timestamps(true, true, true);
+      // commit details
+      t.uuid("requestId").notNullable();
+      t.foreign("requestId").references("id").inTable(TableName.SecretApprovalRequest).onDelete("CASCADE");
+      t.string("op").notNullable();
+      t.uuid("secretId");
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("SET NULL");
+      t.uuid("secretVersion");
+      t.foreign("secretVersion").references("id").inTable(TableName.SecretVersionV2).onDelete("SET NULL");
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretApprovalRequestSecretTagV2))) {
+    await knex.schema.createTable(TableName.SecretApprovalRequestSecretTagV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.SecretApprovalRequestSecretV2).onDelete("CASCADE");
+      t.uuid("tagId").notNullable();
+      t.foreign("tagId").references("id").inTable(TableName.SecretTag).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SnapshotSecretV2))) {
+    await knex.schema.createTable(TableName.SnapshotSecretV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("envId").index().notNullable();
+      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
+      // not a relation kept like that to keep it when rolled back
+      t.uuid("secretVersionId").index().notNullable();
+      t.foreign("secretVersionId").references("id").inTable(TableName.SecretVersionV2).onDelete("CASCADE");
+      t.uuid("snapshotId").index().notNullable();
+      t.foreign("snapshotId").references("id").inTable(TableName.Snapshot).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
+    const hasEncryptedAccess = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccess");
+    const hasEncryptedAccessId = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccessId");
+    const hasEncryptedRefresh = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedRefresh");
+    const hasEncryptedAwsIamAssumRole = await knex.schema.hasColumn(
+      TableName.IntegrationAuth,
+      "encryptedAwsAssumeIamRoleArn"
+    );
+    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
+      if (!hasEncryptedAccess) t.binary("encryptedAccess");
+      if (!hasEncryptedAccessId) t.binary("encryptedAccessId");
+      if (!hasEncryptedRefresh) t.binary("encryptedRefresh");
+      if (!hasEncryptedAwsIamAssumRole) t.binary("encryptedAwsAssumeIamRoleArn");
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretRotationOutputV2))) {
+    await knex.schema.createTable(TableName.SecretRotationOutputV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("key").notNullable();
+      t.uuid("secretId").notNullable();
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
+      t.uuid("rotationId").notNullable();
+      t.foreign("rotationId").references("id").inTable(TableName.SecretRotation).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SnapshotSecretV2);
+  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestSecretTagV2);
+  await knex.schema.dropTableIfExists(TableName.SecretApprovalRequestSecretV2);
+
+  await knex.schema.dropTableIfExists(TableName.SecretV2JnTag);
+  await knex.schema.dropTableIfExists(TableName.SecretReferenceV2);
+
+  await knex.schema.dropTableIfExists(TableName.SecretRotationOutputV2);
+
+  await dropOnUpdateTrigger(knex, TableName.SecretVersionV2);
+  await knex.schema.dropTableIfExists(TableName.SecretVersionV2Tag);
+  await knex.schema.dropTableIfExists(TableName.SecretVersionV2);
+
+  await dropOnUpdateTrigger(knex, TableName.SecretV2);
+  await knex.schema.dropTableIfExists(TableName.SecretV2);
+
+  if (await knex.schema.hasTable(TableName.IntegrationAuth)) {
+    const hasEncryptedAccess = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccess");
+    const hasEncryptedAccessId = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedAccessId");
+    const hasEncryptedRefresh = await knex.schema.hasColumn(TableName.IntegrationAuth, "encryptedRefresh");
+    const hasEncryptedAwsIamAssumRole = await knex.schema.hasColumn(
+      TableName.IntegrationAuth,
+      "encryptedAwsAssumeIamRoleArn"
+    );
+    await knex.schema.alterTable(TableName.IntegrationAuth, (t) => {
+      if (hasEncryptedAccess) t.dropColumn("encryptedAccess");
+      if (hasEncryptedAccessId) t.dropColumn("encryptedAccessId");
+      if (hasEncryptedRefresh) t.dropColumn("encryptedRefresh");
+      if (hasEncryptedAwsIamAssumRole) t.dropColumn("encryptedAwsAssumeIamRoleArn");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240802181855_ca-cert-version.ts
+++ b/backend/src/db/migrations/20240802181855_ca-cert-version.ts
@ -0,0 +1,117 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
+    const hasActiveCaCertIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthority, "activeCaCertId");
+    if (!hasActiveCaCertIdColumn) {
+      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+        t.uuid("activeCaCertId").nullable();
+        t.foreign("activeCaCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+      });
+
+      await knex.raw(`
+        UPDATE "${TableName.CertificateAuthority}" ca
+        SET "activeCaCertId" = cac.id
+        FROM "${TableName.CertificateAuthorityCert}" cac
+        WHERE ca.id = cac."caId"
+      `);
+    }
+  }
+
+  if (await knex.schema.hasTable(TableName.CertificateAuthorityCert)) {
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "version");
+    if (!hasVersionColumn) {
+      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
+        t.integer("version").nullable();
+        t.dropUnique(["caId"]);
+      });
+
+      await knex(TableName.CertificateAuthorityCert).update({ version: 1 }).whereNull("version");
+
+      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
+        t.integer("version").notNullable().alter();
+      });
+    }
+
+    const hasCaSecretIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "caSecretId");
+    if (!hasCaSecretIdColumn) {
+      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
+        t.uuid("caSecretId").nullable();
+        t.foreign("caSecretId").references("id").inTable(TableName.CertificateAuthoritySecret).onDelete("CASCADE");
+      });
+
+      await knex.raw(`
+        UPDATE "${TableName.CertificateAuthorityCert}" cert
+        SET "caSecretId" = (
+          SELECT sec.id
+          FROM "${TableName.CertificateAuthoritySecret}" sec
+          WHERE sec."caId" = cert."caId"
+        )
+      `);
+
+      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
+        t.uuid("caSecretId").notNullable().alter();
+      });
+    }
+  }
+
+  if (await knex.schema.hasTable(TableName.CertificateAuthoritySecret)) {
+    await knex.schema.alterTable(TableName.CertificateAuthoritySecret, (t) => {
+      t.dropUnique(["caId"]);
+    });
+  }
+
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caCertId").nullable();
+      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+    });
+
+    await knex.raw(`
+        UPDATE "${TableName.Certificate}" cert
+        SET "caCertId" = (
+          SELECT caCert.id
+          FROM "${TableName.CertificateAuthorityCert}" caCert
+          WHERE caCert."caId" = cert."caId"
+        )
+      `);
+
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caCertId").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
+    if (await knex.schema.hasColumn(TableName.CertificateAuthority, "activeCaCertId")) {
+      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
+        t.dropColumn("activeCaCertId");
+      });
+    }
+  }
+
+  if (await knex.schema.hasTable(TableName.CertificateAuthorityCert)) {
+    if (await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "version")) {
+      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
+        t.dropColumn("version");
+      });
+    }
+
+    if (await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "caSecretId")) {
+      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
+        t.dropColumn("caSecretId");
+      });
+    }
+  }
+
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "caCertId")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropColumn("caCertId");
+      });
+    }
+  }
+}
--- a/backend/src/db/migrations/20240806113425_remove-creation-limit-rate-limit.ts
+++ b/backend/src/db/migrations/20240806113425_remove-creation-limit-rate-limit.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
+  await knex.schema.alterTable(TableName.RateLimit, (t) => {
+    if (hasCreationLimitCol) {
+      t.dropColumn("creationLimit");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
+  await knex.schema.alterTable(TableName.RateLimit, (t) => {
+    if (!hasCreationLimitCol) {
+      t.integer("creationLimit").defaultTo(30).notNullable();
+    }
+  });
+}
--- a/backend/src/db/migrations/20240806185442_drop-tag-name.ts
+++ b/backend/src/db/migrations/20240806185442_drop-tag-name.ts
@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasNameField = await knex.schema.hasColumn(TableName.SecretTag, "name");
+  if (hasNameField) {
+    await knex.schema.alterTable(TableName.SecretTag, (t) => {
+      t.dropColumn("name");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasNameField = await knex.schema.hasColumn(TableName.SecretTag, "name");
+  if (!hasNameField) {
+    await knex.schema.alterTable(TableName.SecretTag, (t) => {
+      t.string("name");
+    });
+  }
+}
--- a/backend/src/db/migrations/20240818024923_cert-alerting.ts
+++ b/backend/src/db/migrations/20240818024923_cert-alerting.ts
@ -0,0 +1,62 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.PkiCollection))) {
+    await knex.schema.createTable(TableName.PkiCollection, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.string("name").notNullable();
+      t.string("description").notNullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.PkiCollection);
+
+  if (!(await knex.schema.hasTable(TableName.PkiCollectionItem))) {
+    await knex.schema.createTable(TableName.PkiCollectionItem, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.uuid("pkiCollectionId").notNullable();
+      t.foreign("pkiCollectionId").references("id").inTable(TableName.PkiCollection).onDelete("CASCADE");
+      t.uuid("caId").nullable();
+      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      t.uuid("certId").nullable();
+      t.foreign("certId").references("id").inTable(TableName.Certificate).onDelete("CASCADE");
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.PkiCollectionItem);
+
+  if (!(await knex.schema.hasTable(TableName.PkiAlert))) {
+    await knex.schema.createTable(TableName.PkiAlert, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.timestamps(true, true, true);
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      t.uuid("pkiCollectionId").notNullable();
+      t.foreign("pkiCollectionId").references("id").inTable(TableName.PkiCollection).onDelete("CASCADE");
+      t.string("name").notNullable();
+      t.integer("alertBeforeDays").notNullable();
+      t.string("recipientEmails").notNullable();
+      t.unique(["name", "projectId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.PkiAlert);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.PkiAlert);
+  await dropOnUpdateTrigger(knex, TableName.PkiAlert);
+
+  await knex.schema.dropTableIfExists(TableName.PkiCollectionItem);
+  await dropOnUpdateTrigger(knex, TableName.PkiCollectionItem);
+
+  await knex.schema.dropTableIfExists(TableName.PkiCollection);
+  await dropOnUpdateTrigger(knex, TableName.PkiCollection);
+}
--- a/backend/src/db/migrations/20240818184238_add-certificate-template.ts
+++ b/backend/src/db/migrations/20240818184238_add-certificate-template.ts
@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCertificateTemplateTable = await knex.schema.hasTable(TableName.CertificateTemplate);
+  if (!hasCertificateTemplateTable) {
+    await knex.schema.createTable(TableName.CertificateTemplate, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.uuid("caId").notNullable();
+      tb.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
+      tb.uuid("pkiCollectionId");
+      tb.foreign("pkiCollectionId").references("id").inTable(TableName.PkiCollection).onDelete("SET NULL");
+      tb.string("name").notNullable();
+      tb.string("commonName").notNullable();
+      tb.string("subjectAlternativeName").notNullable();
+      tb.string("ttl").notNullable();
+      tb.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.CertificateTemplate);
+  }
+
+  const doesCertificateTableHaveTemplateId = await knex.schema.hasColumn(
+    TableName.Certificate,
+    "certificateTemplateId"
+  );
+
+  if (!doesCertificateTableHaveTemplateId) {
+    await knex.schema.alterTable(TableName.Certificate, (tb) => {
+      tb.uuid("certificateTemplateId");
+      tb.foreign("certificateTemplateId").references("id").inTable(TableName.CertificateTemplate).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesCertificateTableHaveTemplateId = await knex.schema.hasColumn(
+    TableName.Certificate,
+    "certificateTemplateId"
+  );
+
+  if (doesCertificateTableHaveTemplateId) {
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.dropColumn("certificateTemplateId");
+    });
+  }
+
+  const hasCertificateTemplateTable = await knex.schema.hasTable(TableName.CertificateTemplate);
+  if (hasCertificateTemplateTable) {
+    await knex.schema.dropTable(TableName.CertificateTemplate);
+    await dropOnUpdateTrigger(knex, TableName.CertificateTemplate);
+  }
+}
--- a/backend/src/db/migrations/20240819092916_certificate-template-est-configuration.ts
+++ b/backend/src/db/migrations/20240819092916_certificate-template-est-configuration.ts
@ -0,0 +1,26 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasEstConfigTable = await knex.schema.hasTable(TableName.CertificateTemplateEstConfig);
+  if (!hasEstConfigTable) {
+    await knex.schema.createTable(TableName.CertificateTemplateEstConfig, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.uuid("certificateTemplateId").notNullable().unique();
+      tb.foreign("certificateTemplateId").references("id").inTable(TableName.CertificateTemplate).onDelete("CASCADE");
+      tb.binary("encryptedCaChain").notNullable();
+      tb.string("hashedPassphrase").notNullable();
+      tb.boolean("isEnabled").notNullable();
+      tb.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.CertificateTemplateEstConfig);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.CertificateTemplateEstConfig);
+  await dropOnUpdateTrigger(knex, TableName.CertificateTemplateEstConfig);
+}
--- a/backend/src/db/migrations/20240821212643_crl-ca-secret-binding.ts
+++ b/backend/src/db/migrations/20240821212643_crl-ca-secret-binding.ts
@ -0,0 +1,36 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.CertificateAuthorityCrl)) {
+    const hasCaSecretIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCrl, "caSecretId");
+    if (!hasCaSecretIdColumn) {
+      await knex.schema.alterTable(TableName.CertificateAuthorityCrl, (t) => {
+        t.uuid("caSecretId").nullable();
+        t.foreign("caSecretId").references("id").inTable(TableName.CertificateAuthoritySecret).onDelete("CASCADE");
+      });
+
+      await knex.raw(`
+        UPDATE "${TableName.CertificateAuthorityCrl}" crl
+        SET "caSecretId" = (
+          SELECT sec.id
+          FROM "${TableName.CertificateAuthoritySecret}" sec
+          WHERE sec."caId" = crl."caId"
+        )
+      `);
+
+      await knex.schema.alterTable(TableName.CertificateAuthorityCrl, (t) => {
+        t.uuid("caSecretId").notNullable().alter();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.CertificateAuthorityCrl)) {
+    await knex.schema.alterTable(TableName.CertificateAuthorityCrl, (t) => {
+      t.dropColumn("caSecretId");
+    });
+  }
+}
--- a/backend/src/db/migrations/utils/kms.ts
+++ b/backend/src/db/migrations/utils/kms.ts
@ -0,0 +1,105 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { randomSecureBytes } from "@app/lib/crypto";
+import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+const getInstanceRootKey = async (knex: Knex) => {
+  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
+  // if root key its base64 encoded
+  const isBase64 = !process.env.ENCRYPTION_KEY;
+  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
+  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
+
+  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
+  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
+  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+  if (kmsRootConfig) {
+    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
+    // set the flag so that other instancen nodes can start
+    return decryptedRootKey;
+  }
+
+  const newRootKey = randomSecureBytes(32);
+  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
+  await knex(TableName.KmsServerRootConfig).insert({
+    encryptedRootKey,
+    // eslint-disable-next-line
+    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
+    id: KMS_ROOT_CONFIG_UUID
+  });
+  return encryptedRootKey;
+};
+
+export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
+  const KMS_VERSION = "v01";
+  const KMS_VERSION_BLOB_LENGTH = 3;
+  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+  const project = await knex(TableName.Project).where({ id: projectId }).first();
+  if (!project) throw new Error("Missing project id");
+
+  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
+
+  let secretManagerKmsKey;
+  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
+  if (projectSecretManagerKmsId) {
+    const kmsDoc = await knex(TableName.KmsKey)
+      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
+      .first();
+    if (!kmsDoc) throw new Error("missing kms");
+    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
+  } else {
+    const [kmsDoc] = await knex(TableName.KmsKey)
+      .insert({
+        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
+        orgId: project.orgId,
+        isReserved: false
+      })
+      .returning("*");
+
+    secretManagerKmsKey = randomSecureBytes(32);
+    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
+    await knex(TableName.InternalKms).insert({
+      version: 1,
+      encryptedKey: encryptedKeyMaterial,
+      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+      kmsKeyId: kmsDoc.id
+    });
+  }
+
+  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
+  let dataKey: Buffer;
+  if (!encryptedSecretManagerDataKey) {
+    dataKey = randomSecureBytes();
+    // the below versioning we do it automatically in kms service
+    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
+    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+    await knex(TableName.Project)
+      .where({ id: projectId })
+      .update({
+        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
+      });
+  } else {
+    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
+  }
+
+  return {
+    encryptor: ({ plainText }: { plainText: Buffer }) => {
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
+
+      // Buffer#1 encrypted text + Buffer#2 version number
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
+      return { cipherTextBlob };
+    },
+    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
+      return decryptedBlob;
+    }
+  };
+};
--- a/backend/src/db/schemas/access-approval-policies-approvers.ts
+++ b/backend/src/db/schemas/access-approval-policies-approvers.ts
@ -9,10 +9,10 @@ import { TImmutableDBKeys } from "./models";

 export const AccessApprovalPoliciesApproversSchema = z.object({
  id: z.string().uuid(),
-  approverId: z.string().uuid(),
  policyId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  approverUserId: z.string().uuid()
 });

 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
--- a/backend/src/db/schemas/access-approval-policies.ts
+++ b/backend/src/db/schemas/access-approval-policies.ts
@ -14,7 +14,8 @@ export const AccessApprovalPoliciesSchema = z.object({
  secretPath: z.string().nullable().optional(),
  envId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  enforcementLevel: z.string().default("hard")
 });

 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
--- a/backend/src/db/schemas/access-approval-requests-reviewers.ts
+++ b/backend/src/db/schemas/access-approval-requests-reviewers.ts
@ -9,11 +9,12 @@ import { TImmutableDBKeys } from "./models";

 export const AccessApprovalRequestsReviewersSchema = z.object({
  id: z.string().uuid(),
-  member: z.string().uuid(),
+  member: z.string().uuid().nullable().optional(),
  status: z.string(),
  requestId: z.string().uuid(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  reviewerUserId: z.string().uuid()
 });

 export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
--- a/backend/src/db/schemas/access-approval-requests.ts
+++ b/backend/src/db/schemas/access-approval-requests.ts
@ -11,12 +11,13 @@ export const AccessApprovalRequestsSchema = z.object({
  id: z.string().uuid(),
  policyId: z.string().uuid(),
  privilegeId: z.string().uuid().nullable().optional(),
-  requestedBy: z.string().uuid(),
+  requestedBy: z.string().uuid().nullable().optional(),
  isTemporary: z.boolean(),
  temporaryRange: z.string().nullable().optional(),
  permissions: z.unknown(),
  createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  requestedByUserId: z.string().uuid()
 });

 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
--- a/backend/src/db/schemas/certificate-authorities.ts
+++ b/backend/src/db/schemas/certificate-authorities.ts
@ -0,0 +1,38 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateAuthoritiesSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  parentCaId: z.string().uuid().nullable().optional(),
+  projectId: z.string(),
+  type: z.string(),
+  status: z.string(),
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional()
+});
+
+export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;
+export type TCertificateAuthoritiesInsert = Omit<z.input<typeof CertificateAuthoritiesSchema>, TImmutableDBKeys>;
+export type TCertificateAuthoritiesUpdate = Partial<
+  Omit<z.input<typeof CertificateAuthoritiesSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/certificate-authority-certs.ts
+++ b/backend/src/db/schemas/certificate-authority-certs.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateAuthorityCertsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  caId: z.string().uuid(),
+  encryptedCertificate: zodBuffer,
+  encryptedCertificateChain: zodBuffer,
+  version: z.number(),
+  caSecretId: z.string().uuid()
+});
+
+export type TCertificateAuthorityCerts = z.infer<typeof CertificateAuthorityCertsSchema>;
+export type TCertificateAuthorityCertsInsert = Omit<z.input<typeof CertificateAuthorityCertsSchema>, TImmutableDBKeys>;
+export type TCertificateAuthorityCertsUpdate = Partial<
+  Omit<z.input<typeof CertificateAuthorityCertsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/certificate-authority-crl.ts
+++ b/backend/src/db/schemas/certificate-authority-crl.ts
@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateAuthorityCrlSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  caId: z.string().uuid(),
+  encryptedCrl: zodBuffer,
+  caSecretId: z.string().uuid()
+});
+
+export type TCertificateAuthorityCrl = z.infer<typeof CertificateAuthorityCrlSchema>;
+export type TCertificateAuthorityCrlInsert = Omit<z.input<typeof CertificateAuthorityCrlSchema>, TImmutableDBKeys>;
+export type TCertificateAuthorityCrlUpdate = Partial<
+  Omit<z.input<typeof CertificateAuthorityCrlSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/certificate-authority-secret.ts
+++ b/backend/src/db/schemas/certificate-authority-secret.ts
@ -0,0 +1,27 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateAuthoritySecretSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  caId: z.string().uuid(),
+  encryptedPrivateKey: zodBuffer
+});
+
+export type TCertificateAuthoritySecret = z.infer<typeof CertificateAuthoritySecretSchema>;
+export type TCertificateAuthoritySecretInsert = Omit<
+  z.input<typeof CertificateAuthoritySecretSchema>,
+  TImmutableDBKeys
+>;
+export type TCertificateAuthoritySecretUpdate = Partial<
+  Omit<z.input<typeof CertificateAuthoritySecretSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/certificate-bodies.ts
+++ b/backend/src/db/schemas/certificate-bodies.ts
@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateBodiesSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  certId: z.string().uuid(),
+  encryptedCertificate: zodBuffer
+});
+
+export type TCertificateBodies = z.infer<typeof CertificateBodiesSchema>;
+export type TCertificateBodiesInsert = Omit<z.input<typeof CertificateBodiesSchema>, TImmutableDBKeys>;
+export type TCertificateBodiesUpdate = Partial<Omit<z.input<typeof CertificateBodiesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/certificate-secrets.ts
+++ b/backend/src/db/schemas/certificate-secrets.ts
@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateSecretsSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  certId: z.string().uuid(),
+  pk: z.string(),
+  sk: z.string()
+});
+
+export type TCertificateSecrets = z.infer<typeof CertificateSecretsSchema>;
+export type TCertificateSecretsInsert = Omit<z.input<typeof CertificateSecretsSchema>, TImmutableDBKeys>;
+export type TCertificateSecretsUpdate = Partial<Omit<z.input<typeof CertificateSecretsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/certificate-template-est-configs.ts
+++ b/backend/src/db/schemas/certificate-template-est-configs.ts
@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateTemplateEstConfigsSchema = z.object({
+  id: z.string().uuid(),
+  certificateTemplateId: z.string().uuid(),
+  encryptedCaChain: zodBuffer,
+  hashedPassphrase: z.string(),
+  isEnabled: z.boolean(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;
+export type TCertificateTemplateEstConfigsInsert = Omit<
+  z.input<typeof CertificateTemplateEstConfigsSchema>,
+  TImmutableDBKeys
+>;
+export type TCertificateTemplateEstConfigsUpdate = Partial<
+  Omit<z.input<typeof CertificateTemplateEstConfigsSchema>, TImmutableDBKeys>
+>;
--- a/backend/src/db/schemas/certificate-templates.ts
+++ b/backend/src/db/schemas/certificate-templates.ts
@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificateTemplatesSchema = z.object({
+  id: z.string().uuid(),
+  caId: z.string().uuid(),
+  pkiCollectionId: z.string().uuid().nullable().optional(),
+  name: z.string(),
+  commonName: z.string(),
+  subjectAlternativeName: z.string(),
+  ttl: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TCertificateTemplates = z.infer<typeof CertificateTemplatesSchema>;
+export type TCertificateTemplatesInsert = Omit<z.input<typeof CertificateTemplatesSchema>, TImmutableDBKeys>;
+export type TCertificateTemplatesUpdate = Partial<Omit<z.input<typeof CertificateTemplatesSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/certificates.ts
+++ b/backend/src/db/schemas/certificates.ts
@ -0,0 +1,30 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const CertificatesSchema = z.object({
+  id: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  caId: z.string().uuid(),
+  status: z.string(),
+  serialNumber: z.string(),
+  friendlyName: z.string(),
+  commonName: z.string(),
+  notBefore: z.date(),
+  notAfter: z.date(),
+  revokedAt: z.date().nullable().optional(),
+  revocationReason: z.number().nullable().optional(),
+  altNames: z.string().default("").nullable().optional(),
+  caCertId: z.string().uuid(),
+  certificateTemplateId: z.string().uuid().nullable().optional()
+});
+
+export type TCertificates = z.infer<typeof CertificatesSchema>;
+export type TCertificatesInsert = Omit<z.input<typeof CertificatesSchema>, TImmutableDBKeys>;
+export type TCertificatesUpdate = Partial<Omit<z.input<typeof CertificatesSchema>, TImmutableDBKeys>>;
--- a/Show More
+++ b/Show More