fix: remove double delete

.env.example

@@ -123,17 +123,8 @@ INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET=
 INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
-INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_APP_CONFIGURATION_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET=
-
-INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_DEVOPS_CLIENT_SECRET=
+INF_APP_CONNECTION_AZURE_CLIENT_ID=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
 
 # datadog
 SHOULD_USE_DATADOG_TRACER=

.github/workflows/build-docker-image-to-prod.yml

@@ -0,0 +1,123 @@
+name: Release production images (frontend, backend)
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
+      - "!infisical/v*.*.*-postgres"
+
+jobs:
+  backend-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: backend
+          tags: infisical/infisical:test
+          platforms: linux/amd64,linux/arm64
+      - name: ⏻ Spawn backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      - name: 🧪 Test backend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-backend-test
+      - name: ⏻ Shut down backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: backend
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+
+  frontend-image:
+    name: Build frontend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build frontend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
+          context: frontend
+          tags: infisical/frontend:test
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+      - name: ⏻ Spawn frontend container
+        run: |
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+      - name: 🧪 Test frontend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-frontend-test
+      - name: ⏻ Shut down frontend container
+        run: |
+          docker stop infisical-frontend-test
+      - name: 🏗️ Build frontend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: frontend
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            NEXT_INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/nightly-tag-generation.yml

@@ -1,82 +0,0 @@
-name: Generate Nightly Tag
-
-on:
-  schedule:
-    - cron: '0 0 * * *'  # Run daily at midnight UTC
-  workflow_dispatch:  # Allow manual triggering for testing
-
-permissions:
-  contents: write
-
-jobs:
-  create-nightly-tag:
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Fetch all history for tags
-          token: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-      
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-      
-      - name: Generate nightly tag
-        run: |
-          # Get the latest infisical production tag
-          LATEST_STABLE_TAG=$(git tag --list | grep "^v[0-9].*$" | grep -v "nightly" | sort -V | tail -n1)
-          
-          if [ -z "$LATEST_STABLE_TAG" ]; then
-            echo "No infisical production tags found, using v0.1.0"
-            LATEST_STABLE_TAG="v0.1.0"
-          fi
-          
-          echo "Latest production tag: $LATEST_STABLE_TAG"
-          
-          # Get current date in YYYYMMDD format
-          DATE=$(date +%Y%m%d)
-          
-          # Base nightly tag name
-          BASE_TAG="${LATEST_STABLE_TAG}-nightly-${DATE}"
-          
-          # Check if this exact tag already exists
-          if git tag --list | grep -q "^${BASE_TAG}$"; then
-            echo "Base tag ${BASE_TAG} already exists, finding next increment"
-            
-            # Find existing tags for this date and get the highest increment
-            EXISTING_TAGS=$(git tag --list | grep "^${BASE_TAG}" | grep -E '\.[0-9]+$' || true)
-            
-            if [ -z "$EXISTING_TAGS" ]; then
-              # No incremental tags exist, create .1
-              NIGHTLY_TAG="${BASE_TAG}.1"
-            else
-              # Find the highest increment
-              HIGHEST_INCREMENT=$(echo "$EXISTING_TAGS" | sed "s|^${BASE_TAG}\.||" | sort -n | tail -n1)
-              NEXT_INCREMENT=$((HIGHEST_INCREMENT + 1))
-              NIGHTLY_TAG="${BASE_TAG}.${NEXT_INCREMENT}"
-            fi
-          else
-            # Base tag doesn't exist, use it
-            NIGHTLY_TAG="$BASE_TAG"
-          fi
-          
-          echo "Generated nightly tag: $NIGHTLY_TAG"
-          echo "NIGHTLY_TAG=$NIGHTLY_TAG" >> $GITHUB_ENV
-          echo "LATEST_PRODUCTION_TAG=$LATEST_STABLE_TAG" >> $GITHUB_ENV
-
-          git tag "$NIGHTLY_TAG"
-          git push origin "$NIGHTLY_TAG"
-          echo "✅ Created and pushed nightly tag: $NIGHTLY_TAG"
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ env.NIGHTLY_TAG }}
-          name: ${{ env.NIGHTLY_TAG }}
-          draft: false
-          prerelease: true
-          generate_release_notes: true
-          make_latest: false

.github/workflows/release-standalone-docker-img-postgres-offical.yml

@@ -2,9 +2,7 @@ name: Release standalone docker image
 on:
     push:
         tags:
-            - "v*.*.*"
-            - "v*.*.*-nightly-*"
-            - "v*.*.*-nightly-*.*"
+            - "infisical/v*.*.*-postgres"
 
 jobs:
     infisical-tests:
@@ -19,7 +17,7 @@ jobs:
         steps:
             - name: Extract version from tag
               id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
             - name: ☁️ Checkout source
               uses: actions/checkout@v3
               with:
@@ -55,7 +53,7 @@ jobs:
                   push: true
                   context: .
                   tags: |
-                      infisical/infisical:latest
+                      infisical/infisical:latest-postgres
                       infisical/infisical:${{ steps.commit.outputs.short }}
                       infisical/infisical:${{ steps.extract_version.outputs.version }}
                   platforms: linux/amd64,linux/arm64
@@ -71,7 +69,7 @@ jobs:
         steps:
             - name: Extract version from tag
               id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME}"
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
             - name: ☁️ Checkout source
               uses: actions/checkout@v3
               with:
@@ -107,7 +105,7 @@ jobs:
                   push: true
                   context: .
                   tags: |
-                      infisical/infisical-fips:latest
+                      infisical/infisical-fips:latest-postgres
                       infisical/infisical-fips:${{ steps.commit.outputs.short }}
                       infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
                   platforms: linux/amd64,linux/arm64

.github/workflows/release_build_infisical_cli.yml

@@ -0,0 +1,153 @@
+name: Build and release CLI
+
+on:
+  workflow_dispatch:
+
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  cli-integration-tests:
+    name: Run tests before deployment
+    uses: ./.github/workflows/run-cli-tests.yml
+    secrets:
+      CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+      CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+      CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+      CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+      CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+      CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+      CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+      CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+  npm-release:
+    runs-on: ubuntu-latest
+    env:
+      working-directory: ./npm
+    needs:
+      - cli-integration-tests
+      - goreleaser
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        run: |
+          VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+          echo "Version extracted: $VERSION"
+          echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Print version
+        run: echo ${{ env.CLI_VERSION }}
+
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: ./npm/package-lock.json
+      - name: Install dependencies
+        working-directory: ${{ env.working-directory }}
+        run: npm install --ignore-scripts
+
+      - name: Set NPM version
+        working-directory: ${{ env.working-directory }}
+        run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+      - name: Setup NPM
+        working-directory: ${{ env.working-directory }}
+        run: |
+          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+          echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Pack NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm pack
+
+      - name: Publish NPM
+        working-directory: ${{ env.working-directory }}
+        run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  goreleaser:
+    runs-on: ubuntu-latest-8-cores
+    needs: [cli-integration-tests]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: Setup for libssl1.0-dev
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          sudo apt update
+          sudo apt-get install -y libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: v1.26.2-pro
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
+        with:
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Install deb-s3
+        run: gem install deb-s3
+      - name: Configure GPG Key
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+      - name: Invalidate Cloudfront cache
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

.github/workflows/release_docker_k8_operator.yaml

@@ -44,7 +44,10 @@ jobs:
 
             - name: Generate Helm Chart
               working-directory: k8-operator
-              run: make helm VERSION=${{ steps.extract_version.outputs.version }}
+              run: make helm
+
+            - name: Update Helm Chart Version
+              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
 
             - name: Debug - Check file changes
               run: |

.github/workflows/run-backend-tests.yml

@@ -16,16 +16,6 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-
-
-      - name: Free up disk space
-        run: |
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf "/usr/local/share/boost"
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          docker system prune -af
-          
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - uses: KengoTODA/actions-setup-docker-compose@v1
@@ -44,8 +34,6 @@ jobs:
         working-directory: backend
       - name: Start postgres and redis
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Start Secret Rotation testing databases
-        run: docker compose -f docker-compose.e2e-dbs.yml up -d --wait --wait-timeout 300
       - name: Run unit test
         run: npm run test:unit
         working-directory: backend
@@ -53,9 +41,6 @@ jobs:
         run: npm run test:e2e
         working-directory: backend
         env:
-          E2E_TEST_ORACLE_DB_19_HOST: ${{ secrets.E2E_TEST_ORACLE_DB_19_HOST }}
-          E2E_TEST_ORACLE_DB_19_USERNAME: ${{ secrets.E2E_TEST_ORACLE_DB_19_USERNAME }}
-          E2E_TEST_ORACLE_DB_19_PASSWORD: ${{ secrets.E2E_TEST_ORACLE_DB_19_PASSWORD }}
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
           AUTH_SECRET: something-random

.github/workflows/run-cli-tests.yml

@@ -0,0 +1,55 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_dispatch:
+
+    workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+
+              run: go test -v -count=1 ./test

.goreleaser.yaml

@@ -0,0 +1,241 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+# before:
+#   hooks:
+#     # You may remove this if you don't use go modules.
+#     - cd cli && go mod tidy
+#     # you may remove this if you don't need go generate
+#     - cd cli && go generate ./...
+before:
+  hooks:
+    - ./cli/scripts/completions.sh
+    - ./cli/scripts/manpages.sh
+
+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
+builds:
+  - id: darwin-build
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    env:
+      - CGO_ENABLED=1
+      - CC=/home/runner/work/osxcross/target/bin/o64-clang
+      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
+    goos:
+      - darwin
+    ignore:
+      - goos: darwin
+        goarch: "386"
+    dir: ./cli
+
+  - id: all-other-builds
+    env:
+      - CGO_ENABLED=0
+    binary: infisical
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+    flags:
+      - -trimpath
+    goos:
+      - freebsd
+      - linux
+      - netbsd
+      - openbsd
+      - windows
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    goarm:
+      - "6"
+      - "7"
+    ignore:
+      - goos: windows
+        goarch: "386"
+      - goos: freebsd
+        goarch: "386"
+    dir: ./cli
+
+archives:
+  - format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*
+
+release:
+  replace_existing_draft: true
+  mode: "replace"
+
+checksum:
+  name_template: "checksums.txt"
+
+snapshot:
+  name_template: "{{ .Version }}-devel"
+
+# publishers:
+#   - name: fury.io
+#     ids:
+#       - infisical
+#     dir: "{{ dir .ArtifactPath }}"
+#     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
+
+brews:
+  - name: infisical
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+  - name: "infisical@{{.Version}}"
+    tap:
+      owner: Infisical
+      name: homebrew-get-cli
+    commit_author:
+      name: "Infisical"
+      email: ai@infisical.com
+    folder: Formula
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    install: |-
+      bin.install "infisical"
+      bash_completion.install "completions/infisical.bash" => "infisical"
+      zsh_completion.install "completions/infisical.zsh" => "_infisical"
+      fish_completion.install "completions/infisical.fish"
+      man1.install "manpages/infisical.1.gz"
+
+nfpms:
+  - id: infisical
+    package_name: infisical
+    builds:
+      - all-other-builds
+    vendor: Infisical, Inc
+    homepage: https://infisical.com/
+    maintainer: Infisical, Inc
+    description: The offical Infisical CLI
+    license: MIT
+    formats:
+      - rpm
+      - deb
+      - apk
+      - archlinux
+    bindir: /usr/bin
+    contents:
+      - src: ./completions/infisical.bash
+        dst: /etc/bash_completion.d/infisical
+      - src: ./completions/infisical.fish
+        dst: /usr/share/fish/vendor_completions.d/infisical.fish
+      - src: ./completions/infisical.zsh
+        dst: /usr/share/zsh/site-functions/_infisical
+      - src: ./manpages/infisical.1.gz
+        dst: /usr/share/man/man1/infisical.1.gz
+
+scoop:
+  bucket:
+    owner: Infisical
+    name: scoop-infisical
+  commit_author:
+    name: "Infisical"
+    email: ai@infisical.com
+  homepage: "https://infisical.com"
+  description: "The official Infisical CLI"
+  license: MIT
+
+winget:
+  - name: infisical
+    publisher: infisical
+    license: MIT
+    homepage: https://infisical.com
+    short_description: "The official Infisical CLI"
+    repository:
+      owner: infisical
+      name: winget-pkgs
+      branch: "infisical-{{.Version}}"
+      pull_request:
+        enabled: true
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
+
+aurs:
+  - name: infisical-bin
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    maintainers:
+      - Infisical, Inc <support@infisical.com>
+    license: MIT
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+    package: |-
+      # bin
+      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+      # license
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+      # completions
+      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+      # man pages
+      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+
+dockers:
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:latest-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+  - dockerfile: docker/alpine
+    goos: linux
+    goarch: amd64
+    use: buildx
+    ids:
+      - all-other-builds
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+      - "infisical/cli:latest-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+
+docker_manifests:
+  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates:
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+  - name_template: "infisical/cli:latest"
+    image_templates:
+      - "infisical/cli:latest-amd64"
+      - "infisical/cli:latest-arm64"

.infisicalignore

@@ -50,4 +50,3 @@ docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
 docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
 docs/integrations/app-connections/railway.mdx:generic-api-key:156
 .github/workflows/validate-db-schemas.yml:generic-api-key:21
-k8-operator/config/samples/universalAuthIdentitySecret.yaml:generic-api-key:8

Dockerfile.fips.standalone-infisical

@@ -34,8 +34,6 @@ ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
 
-ENV NODE_OPTIONS="--max-old-space-size=8192"
-
 # Build
 RUN npm run build
 
@@ -147,11 +145,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips \
-    && cd / \
-    && rm -rf /openssl-build \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && make install_fips
 
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
@@ -192,11 +186,12 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=8192 --force-fips"
+ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 # FIPS mode of operation:
 ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
 ENV FIPS_ENABLED=true
   
 
@@ -211,11 +206,6 @@ EXPOSE 443
 RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
     mv dist/main.mjs.tmp dist/main.mjs
 
-# The OpenSSL library is installed in different locations in different architectures (x86_64 and arm64).
-# This is a workaround to avoid errors when the library is not found.
-RUN ln -sf /usr/local/lib64/ossl-modules /usr/local/lib/ossl-modules || \
-    ln -sf /usr/local/lib/ossl-modules /usr/local/lib64/ossl-modules
-
 USER non-root-user
 
 CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -55,8 +55,6 @@ USER non-root-user
 ##
 FROM base AS backend-build
 
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
 WORKDIR /app
 
 # Install all required dependencies for build
@@ -86,8 +84,6 @@ RUN npm run build
 # Production stage
 FROM base AS backend-runner
 
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
 WORKDIR /app
 
 # Install all required dependencies for runtime
@@ -116,11 +112,6 @@ RUN mkdir frontend-build
 FROM base AS production
 
 RUN apt-get update && apt-get install -y \
-    build-essential \
-    autoconf \
-    automake \
-    libtool \
-    libssl-dev \
     ca-certificates \
     bash \
     curl \
@@ -180,7 +171,6 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true
 ENV STANDALONE_MODE true
 ENV NODE_OPTIONS="--max-old-space-size=1024"
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 
 WORKDIR /backend
 

README.md

@@ -149,8 +149,11 @@ Not sure where to get started? You can:
 
 - Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.
 
-## We are hiring!
+## Resources
 
-If you're reading this, there is a strong chance you like the products we created.
-
-You might also make a great addition to our team. We're growing fast and would love for you to [join us](https://infisical.com/careers).
+- [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
+- [Slack](https://infisical.com/slack) for discussion with the community and Infisical team.
+- [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
+- [Twitter](https://twitter.com/infisical) for fast news
+- [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
+- [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates

backend/Dockerfile.dev.fips

@@ -59,11 +59,7 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
     && cd openssl-3.1.2 \
     && ./Configure enable-fips \
     && make \
-    && make install_fips \
-    && cd / \
-    && rm -rf /openssl-build \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && make install_fips
 
 # ? App setup
 

backend/e2e-test/mocks/queue.ts

@@ -0,0 +1,33 @@
+import { TQueueServiceFactory } from "@app/queue";
+
+export const mockQueue = (): TQueueServiceFactory => {
+  const queues: Record<string, unknown> = {};
+  const workers: Record<string, unknown> = {};
+  const job: Record<string, unknown> = {};
+  const events: Record<string, unknown> = {};
+
+  return {
+    queue: async (name, jobData) => {
+      job[name] = jobData;
+    },
+    queuePg: async () => {},
+    schedulePg: async () => {},
+    initialize: async () => {},
+    shutdown: async () => undefined,
+    stopRepeatableJob: async () => true,
+    start: (name, jobFn) => {
+      queues[name] = jobFn;
+      workers[name] = jobFn;
+    },
+    startPg: async () => {},
+    listen: (name, event) => {
+      events[name] = event;
+    },
+    getRepeatableJobs: async () => [],
+    clearQueue: async () => {},
+    stopJobById: async () => {},
+    stopJobByIdPg: async () => {},
+    stopRepeatableJobByJobId: async () => true,
+    stopRepeatableJobByKey: async () => true
+  };
+};

backend/e2e-test/routes/v3/secret-rotations.spec.ts

@@ -1,726 +0,0 @@
-/* eslint-disable no-promise-executor-return */
-/* eslint-disable no-await-in-loop */
-import knex from "knex";
-import { v4 as uuidv4 } from "uuid";
-
-import { seedData1 } from "@app/db/seed-data";
-
-enum SecretRotationType {
-  OracleDb = "oracledb",
-  MySQL = "mysql",
-  Postgres = "postgres"
-}
-
-type TGenericSqlCredentials = {
-  host: string;
-  port: number;
-  username: string;
-  password: string;
-  database: string;
-};
-
-type TSecretMapping = {
-  username: string;
-  password: string;
-};
-
-type TDatabaseUserCredentials = {
-  username: string;
-};
-
-const formatSqlUsername = (username: string) => `${username}_${uuidv4().slice(0, 8).replace(/-/g, "").toUpperCase()}`;
-
-const getSecretValue = async (secretKey: string) => {
-  const passwordSecret = await testServer.inject({
-    url: `/api/v3/secrets/raw/${secretKey}`,
-    method: "GET",
-    query: {
-      workspaceId: seedData1.projectV3.id,
-      environment: seedData1.environment.slug
-    },
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    }
-  });
-
-  expect(passwordSecret.statusCode).toBe(200);
-  expect(passwordSecret.json().secret).toBeDefined();
-
-  const passwordSecretJson = JSON.parse(passwordSecret.payload);
-
-  return passwordSecretJson.secret.secretValue as string;
-};
-
-const deleteSecretRotation = async (id: string, type: SecretRotationType) => {
-  const res = await testServer.inject({
-    method: "DELETE",
-    query: {
-      deleteSecrets: "true",
-      revokeGeneratedCredentials: "true"
-    },
-    url: `/api/v2/secret-rotations/${type}-credentials/${id}`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-};
-
-const deleteAppConnection = async (id: string, type: SecretRotationType) => {
-  const res = await testServer.inject({
-    method: "DELETE",
-    url: `/api/v1/app-connections/${type}/${id}`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-};
-
-const createOracleDBAppConnection = async (credentials: TGenericSqlCredentials) => {
-  const createOracleDBAppConnectionReqBody = {
-    credentials: {
-      database: credentials.database,
-      host: credentials.host,
-      username: credentials.username,
-      password: credentials.password,
-      port: credentials.port,
-      sslEnabled: true,
-      sslRejectUnauthorized: true
-    },
-    name: `oracle-db-${uuidv4()}`,
-    description: "Test OracleDB App Connection",
-    gatewayId: null,
-    isPlatformManagedCredentials: false,
-    method: "username-and-password"
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/app-connections/oracledb`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createOracleDBAppConnectionReqBody
-  });
-
-  const json = JSON.parse(res.payload);
-
-  expect(res.statusCode).toBe(200);
-  expect(json.appConnection).toBeDefined();
-
-  return json.appConnection.id as string;
-};
-
-const createMySQLAppConnection = async (credentials: TGenericSqlCredentials) => {
-  const createMySQLAppConnectionReqBody = {
-    name: `mysql-test-${uuidv4()}`,
-    description: "test-mysql",
-    gatewayId: null,
-    method: "username-and-password",
-    credentials: {
-      host: credentials.host,
-      port: credentials.port,
-      database: credentials.database,
-      username: credentials.username,
-      password: credentials.password,
-      sslEnabled: false,
-      sslRejectUnauthorized: true
-    }
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/app-connections/mysql`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createMySQLAppConnectionReqBody
-  });
-
-  const json = JSON.parse(res.payload);
-
-  expect(res.statusCode).toBe(200);
-  expect(json.appConnection).toBeDefined();
-
-  return json.appConnection.id as string;
-};
-
-const createPostgresAppConnection = async (credentials: TGenericSqlCredentials) => {
-  const createPostgresAppConnectionReqBody = {
-    credentials: {
-      host: credentials.host,
-      port: credentials.port,
-      database: credentials.database,
-      username: credentials.username,
-      password: credentials.password,
-      sslEnabled: false,
-      sslRejectUnauthorized: true
-    },
-    name: `postgres-test-${uuidv4()}`,
-    description: "test-postgres",
-    gatewayId: null,
-    method: "username-and-password"
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/app-connections/postgres`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createPostgresAppConnectionReqBody
-  });
-
-  const json = JSON.parse(res.payload);
-
-  expect(res.statusCode).toBe(200);
-  expect(json.appConnection).toBeDefined();
-
-  return json.appConnection.id as string;
-};
-
-const createOracleInfisicalUsers = async (
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[]
-) => {
-  const client = knex({
-    client: "oracledb",
-    connection: {
-      database: credentials.database,
-      port: credentials.port,
-      host: credentials.host,
-      user: credentials.username,
-      password: credentials.password,
-      connectionTimeoutMillis: 10000,
-      ssl: {
-        // @ts-expect-error - this is a valid property for the ssl object
-        sslServerDNMatch: true
-      }
-    }
-  });
-
-  for await (const { username } of userCredentials) {
-    // check if user exists, and if it does, don't create it
-    const existingUser = await client.raw(`SELECT * FROM all_users WHERE username = '${username}'`);
-
-    if (!existingUser.length) {
-      await client.raw(`CREATE USER ${username} IDENTIFIED BY "temporary_password"`);
-    }
-    await client.raw(`GRANT ALL PRIVILEGES TO ${username} WITH ADMIN OPTION`);
-  }
-
-  await client.destroy();
-};
-
-const createMySQLInfisicalUsers = async (
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[]
-) => {
-  const client = knex({
-    client: "mysql2",
-    connection: {
-      database: credentials.database,
-      port: credentials.port,
-      host: credentials.host,
-      user: credentials.username,
-      password: credentials.password,
-      connectionTimeoutMillis: 10000
-    }
-  });
-
-  // Fix: Ensure root has GRANT OPTION privileges
-  try {
-    await client.raw("GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;");
-    await client.raw("FLUSH PRIVILEGES;");
-  } catch (error) {
-    // Ignore if already has privileges
-  }
-
-  for await (const { username } of userCredentials) {
-    // check if user exists, and if it does, dont create it
-
-    const existingUser = await client.raw(`SELECT * FROM mysql.user WHERE user = '${username}'`);
-
-    if (!existingUser[0].length) {
-      await client.raw(`CREATE USER '${username}'@'%' IDENTIFIED BY 'temporary_password';`);
-    }
-
-    await client.raw(`GRANT ALL PRIVILEGES ON \`${credentials.database}\`.* TO '${username}'@'%';`);
-    await client.raw("FLUSH PRIVILEGES;");
-  }
-
-  await client.destroy();
-};
-
-const createPostgresInfisicalUsers = async (
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[]
-) => {
-  const client = knex({
-    client: "pg",
-    connection: {
-      database: credentials.database,
-      port: credentials.port,
-      host: credentials.host,
-      user: credentials.username,
-      password: credentials.password,
-      connectionTimeoutMillis: 10000
-    }
-  });
-
-  for await (const { username } of userCredentials) {
-    // check if user exists, and if it does, don't create it
-    const existingUser = await client.raw("SELECT * FROM pg_catalog.pg_user WHERE usename = ?", [username]);
-
-    if (!existingUser.rows.length) {
-      await client.raw(`CREATE USER "${username}" WITH PASSWORD 'temporary_password'`);
-    }
-
-    await client.raw("GRANT ALL PRIVILEGES ON DATABASE ?? TO ??", [credentials.database, username]);
-  }
-
-  await client.destroy();
-};
-
-const createOracleDBSecretRotation = async (
-  appConnectionId: string,
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[],
-  secretMapping: TSecretMapping
-) => {
-  const now = new Date();
-  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
-
-  await createOracleInfisicalUsers(credentials, userCredentials);
-
-  const createOracleDBSecretRotationReqBody = {
-    parameters: userCredentials.reduce(
-      (acc, user, index) => {
-        acc[`username${index + 1}`] = user.username;
-        return acc;
-      },
-      {} as Record<string, string>
-    ),
-    secretsMapping: {
-      username: secretMapping.username,
-      password: secretMapping.password
-    },
-    name: `test-oracle-${uuidv4()}`,
-    description: "Test OracleDB Secret Rotation",
-    secretPath: "/",
-    isAutoRotationEnabled: true,
-    rotationInterval: 5, // 5 seconds for testing
-    rotateAtUtc: {
-      hours: rotationTime.getUTCHours(),
-      minutes: rotationTime.getUTCMinutes()
-    },
-    connectionId: appConnectionId,
-    environment: seedData1.environment.slug,
-    projectId: seedData1.projectV3.id
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v2/secret-rotations/oracledb-credentials`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createOracleDBSecretRotationReqBody
-  });
-
-  expect(res.statusCode).toBe(200);
-  expect(res.json().secretRotation).toBeDefined();
-
-  return res;
-};
-
-const createMySQLSecretRotation = async (
-  appConnectionId: string,
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[],
-  secretMapping: TSecretMapping
-) => {
-  const now = new Date();
-  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
-
-  await createMySQLInfisicalUsers(credentials, userCredentials);
-
-  const createMySQLSecretRotationReqBody = {
-    parameters: userCredentials.reduce(
-      (acc, user, index) => {
-        acc[`username${index + 1}`] = user.username;
-        return acc;
-      },
-      {} as Record<string, string>
-    ),
-    secretsMapping: {
-      username: secretMapping.username,
-      password: secretMapping.password
-    },
-    name: `test-mysql-rotation-${uuidv4()}`,
-    description: "Test MySQL Secret Rotation",
-    secretPath: "/",
-    isAutoRotationEnabled: true,
-    rotationInterval: 5,
-    rotateAtUtc: {
-      hours: rotationTime.getUTCHours(),
-      minutes: rotationTime.getUTCMinutes()
-    },
-    connectionId: appConnectionId,
-    environment: seedData1.environment.slug,
-    projectId: seedData1.projectV3.id
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v2/secret-rotations/mysql-credentials`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createMySQLSecretRotationReqBody
-  });
-
-  expect(res.statusCode).toBe(200);
-  expect(res.json().secretRotation).toBeDefined();
-
-  return res;
-};
-
-const createPostgresSecretRotation = async (
-  appConnectionId: string,
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[],
-  secretMapping: TSecretMapping
-) => {
-  const now = new Date();
-  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
-
-  await createPostgresInfisicalUsers(credentials, userCredentials);
-
-  const createPostgresSecretRotationReqBody = {
-    parameters: userCredentials.reduce(
-      (acc, user, index) => {
-        acc[`username${index + 1}`] = user.username;
-        return acc;
-      },
-      {} as Record<string, string>
-    ),
-    secretsMapping: {
-      username: secretMapping.username,
-      password: secretMapping.password
-    },
-    name: `test-postgres-rotation-${uuidv4()}`,
-    description: "Test Postgres Secret Rotation",
-    secretPath: "/",
-    isAutoRotationEnabled: true,
-    rotationInterval: 5,
-    rotateAtUtc: {
-      hours: rotationTime.getUTCHours(),
-      minutes: rotationTime.getUTCMinutes()
-    },
-    connectionId: appConnectionId,
-    environment: seedData1.environment.slug,
-    projectId: seedData1.projectV3.id
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v2/secret-rotations/postgres-credentials`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createPostgresSecretRotationReqBody
-  });
-
-  expect(res.statusCode).toBe(200);
-  expect(res.json().secretRotation).toBeDefined();
-
-  return res;
-};
-
-describe("Secret Rotations", async () => {
-  const testCases = [
-    {
-      type: SecretRotationType.MySQL,
-      name: "MySQL (8.4.6) Secret Rotation",
-      dbCredentials: {
-        database: "mysql-test",
-        host: "127.0.0.1",
-        username: "root",
-        password: "mysql-test",
-        port: 3306
-      },
-      secretMapping: {
-        username: formatSqlUsername("MYSQL_USERNAME"),
-        password: formatSqlUsername("MYSQL_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("MYSQL_USER_1")
-        },
-        {
-          username: formatSqlUsername("MYSQL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.MySQL,
-      name: "MySQL (8.0.29) Secret Rotation",
-      dbCredentials: {
-        database: "mysql-test",
-        host: "127.0.0.1",
-        username: "root",
-        password: "mysql-test",
-        port: 3307
-      },
-      secretMapping: {
-        username: formatSqlUsername("MYSQL_USERNAME"),
-        password: formatSqlUsername("MYSQL_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("MYSQL_USER_1")
-        },
-        {
-          username: formatSqlUsername("MYSQL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.MySQL,
-      name: "MySQL (5.7.31) Secret Rotation",
-      dbCredentials: {
-        database: "mysql-test",
-        host: "127.0.0.1",
-        username: "root",
-        password: "mysql-test",
-        port: 3308
-      },
-      secretMapping: {
-        username: formatSqlUsername("MYSQL_USERNAME"),
-        password: formatSqlUsername("MYSQL_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("MYSQL_USER_1")
-        },
-        {
-          username: formatSqlUsername("MYSQL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.OracleDb,
-      name: "OracleDB (23.8) Secret Rotation",
-      dbCredentials: {
-        database: "FREEPDB1",
-        host: "127.0.0.1",
-        username: "system",
-        password: "pdb-password",
-        port: 1521
-      },
-      secretMapping: {
-        username: formatSqlUsername("ORACLEDB_USERNAME"),
-        password: formatSqlUsername("ORACLEDB_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.OracleDb,
-      name: "OracleDB (19.3) Secret Rotation",
-      skippable: true,
-      dbCredentials: {
-        password: process.env.E2E_TEST_ORACLE_DB_19_PASSWORD!,
-        host: process.env.E2E_TEST_ORACLE_DB_19_HOST!,
-        username: process.env.E2E_TEST_ORACLE_DB_19_USERNAME!,
-        port: 1521,
-        database: "ORCLPDB1"
-      },
-      secretMapping: {
-        username: formatSqlUsername("ORACLEDB_USERNAME"),
-        password: formatSqlUsername("ORACLEDB_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.Postgres,
-      name: "Postgres (17) Secret Rotation",
-      dbCredentials: {
-        database: "postgres-test",
-        host: "127.0.0.1",
-        username: "postgres-test",
-        password: "postgres-test",
-        port: 5433
-      },
-      secretMapping: {
-        username: formatSqlUsername("POSTGRES_USERNAME"),
-        password: formatSqlUsername("POSTGRES_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.Postgres,
-      name: "Postgres (16) Secret Rotation",
-      dbCredentials: {
-        database: "postgres-test",
-        host: "127.0.0.1",
-        username: "postgres-test",
-        password: "postgres-test",
-        port: 5434
-      },
-      secretMapping: {
-        username: formatSqlUsername("POSTGRES_USERNAME"),
-        password: formatSqlUsername("POSTGRES_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.Postgres,
-      name: "Postgres (10.12) Secret Rotation",
-      dbCredentials: {
-        database: "postgres-test",
-        host: "127.0.0.1",
-        username: "postgres-test",
-        password: "postgres-test",
-        port: 5435
-      },
-      secretMapping: {
-        username: formatSqlUsername("POSTGRES_USERNAME"),
-        password: formatSqlUsername("POSTGRES_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    }
-  ] as {
-    skippable?: boolean;
-    type: SecretRotationType;
-    name: string;
-    dbCredentials: TGenericSqlCredentials;
-    secretMapping: TSecretMapping;
-    userCredentials: TDatabaseUserCredentials[];
-  }[];
-
-  const createAppConnectionMap = {
-    [SecretRotationType.OracleDb]: createOracleDBAppConnection,
-    [SecretRotationType.MySQL]: createMySQLAppConnection,
-    [SecretRotationType.Postgres]: createPostgresAppConnection
-  };
-
-  const createRotationMap = {
-    [SecretRotationType.OracleDb]: createOracleDBSecretRotation,
-    [SecretRotationType.MySQL]: createMySQLSecretRotation,
-    [SecretRotationType.Postgres]: createPostgresSecretRotation
-  };
-
-  const appConnectionIds: { id: string; type: SecretRotationType }[] = [];
-  const secretRotationIds: { id: string; type: SecretRotationType }[] = [];
-
-  afterAll(async () => {
-    for (const { id, type } of secretRotationIds) {
-      await deleteSecretRotation(id, type);
-    }
-
-    for (const { id, type } of appConnectionIds) {
-      await deleteAppConnection(id, type);
-    }
-  });
-
-  testCases.forEach(({ skippable, dbCredentials, secretMapping, userCredentials, type, name }) => {
-    const shouldSkip = () => {
-      if (skippable) {
-        if (type === SecretRotationType.OracleDb) {
-          if (!process.env.E2E_TEST_ORACLE_DB_19_HOST) {
-            return true;
-          }
-        }
-      }
-
-      return false;
-    };
-
-    if (shouldSkip()) {
-      test.skip(`Skipping Secret Rotation for ${type} (${name}) because E2E_TEST_ORACLE_DB_19_HOST is not set`);
-    } else {
-      test.concurrent(
-        `Create secret rotation for ${name}`,
-        async () => {
-          const appConnectionId = await createAppConnectionMap[type](dbCredentials);
-
-          if (appConnectionId) {
-            appConnectionIds.push({ id: appConnectionId, type });
-          }
-
-          const res = await createRotationMap[type](appConnectionId, dbCredentials, userCredentials, secretMapping);
-
-          const resJson = JSON.parse(res.payload);
-
-          if (resJson.secretRotation) {
-            secretRotationIds.push({ id: resJson.secretRotation.id, type });
-          }
-
-          const startSecretValue = await getSecretValue(secretMapping.password);
-          expect(startSecretValue).toBeDefined();
-
-          let attempts = 0;
-          while (attempts < 60) {
-            const currentSecretValue = await getSecretValue(secretMapping.password);
-
-            if (currentSecretValue !== startSecretValue) {
-              break;
-            }
-
-            attempts += 1;
-            await new Promise((resolve) => setTimeout(resolve, 2_500));
-          }
-
-          if (attempts >= 60) {
-            throw new Error("Secret rotation failed to rotate after 60 attempts");
-          }
-
-          const finalSecretValue = await getSecretValue(secretMapping.password);
-          expect(finalSecretValue).not.toBe(startSecretValue);
-        },
-        {
-          timeout: 300_000
-        }
-      );
-    }
-  });
-});

backend/e2e-test/vitest-environment-knex.ts

@@ -18,7 +18,6 @@ import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
-import { bootstrapCheck } from "@app/server/boot-strap-check";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -64,8 +63,6 @@ export default {
       const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
       const keyStore = keyStoreFactory(envCfg);
 
-      await queue.initialize();
-
       const hsmModule = initializeHsmModule(envCfg);
       hsmModule.initialize();
 
@@ -81,13 +78,9 @@ export default {
         envConfig: envCfg
       });
 
-      await bootstrapCheck({ db });
-
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type
-      globalThis.testQueue = queue;
-      // @ts-expect-error type
       globalThis.testSuperAdminDAL = superAdminDAL;
       // @ts-expect-error type
       globalThis.jwtAuthToken = crypto.jwt().sign(
@@ -112,8 +105,6 @@ export default {
     // custom setup
     return {
       async teardown() {
-        // @ts-expect-error type
-        await globalThis.testQueue.shutdown();
         // @ts-expect-error type
         await globalThis.testServer.close();
         // @ts-expect-error type
@@ -121,9 +112,7 @@ export default {
         // @ts-expect-error type
         delete globalThis.testSuperAdminDAL;
         // @ts-expect-error type
-        delete globalThis.jwtAuthToken;
-        // @ts-expect-error type
-        delete globalThis.testQueue;
+        delete globalThis.jwtToken;
         // called after all tests with this env have been run
         await db.migrate.rollback(
           {

backend/package-lock.json

@@ -33,12 +33,11 @@
         "@gitbeaker/rest": "^42.5.0",
         "@google-cloud/kms": "^4.5.0",
         "@infisical/quic": "^1.0.8",
-        "@node-saml/passport-saml": "^5.1.0",
+        "@node-saml/passport-saml": "^5.0.1",
         "@octokit/auth-app": "^7.1.1",
         "@octokit/core": "^5.2.1",
         "@octokit/plugin-paginate-graphql": "^4.0.1",
         "@octokit/plugin-retry": "^5.0.5",
-        "@octokit/request": "8.4.1",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
         "@octopusdeploy/api-client": "^3.4.1",
@@ -62,7 +61,7 @@
         "ajv": "^8.12.0",
         "argon2": "^0.31.2",
         "aws-sdk": "^2.1553.0",
-        "axios": "^1.11.0",
+        "axios": "^1.6.7",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
         "botbuilder": "^4.23.2",
@@ -9574,20 +9573,20 @@
       }
     },
     "node_modules/@node-saml/node-saml": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.1.0.tgz",
-      "integrity": "sha512-t3cJnZ4aC7HhPZ6MGylGZULvUtBOZ6FzuUndaHGXjmIZHXnLfC/7L8a57O9Q9V7AxJGKAiRM5zu2wNm9EsvQpw==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/node-saml/-/node-saml-5.0.1.tgz",
+      "integrity": "sha512-YQzFPEC+CnsfO9AFYnwfYZKIzOLx3kITaC1HrjHVLTo6hxcQhc+LgHODOMvW4VCV95Gwrz1MshRUWCPzkDqmnA==",
       "license": "MIT",
       "dependencies": {
         "@types/debug": "^4.1.12",
-        "@types/qs": "^6.9.18",
+        "@types/qs": "^6.9.11",
         "@types/xml-encryption": "^1.2.4",
         "@types/xml2js": "^0.4.14",
         "@xmldom/is-dom-node": "^1.0.1",
         "@xmldom/xmldom": "^0.8.10",
-        "debug": "^4.4.0",
-        "xml-crypto": "^6.1.2",
-        "xml-encryption": "^3.1.0",
+        "debug": "^4.3.4",
+        "xml-crypto": "^6.0.1",
+        "xml-encryption": "^3.0.2",
         "xml2js": "^0.6.2",
         "xmlbuilder": "^15.1.1",
         "xpath": "^0.0.34"
@@ -9597,9 +9596,9 @@
       }
     },
     "node_modules/@node-saml/node-saml/node_modules/debug": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
-      "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
+      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
       "license": "MIT",
       "dependencies": {
         "ms": "^2.1.3"
@@ -9636,14 +9635,14 @@
       }
     },
     "node_modules/@node-saml/passport-saml": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.1.0.tgz",
-      "integrity": "sha512-pBm+iFjv9eihcgeJuSUs4c0AuX1QEFdHwP8w1iaWCfDzXdeWZxUBU5HT2bY2S4dvNutcy+A9hYsH7ZLBGtgwDg==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@node-saml/passport-saml/-/passport-saml-5.0.1.tgz",
+      "integrity": "sha512-fMztg3zfSnjLEgxvpl6HaDMNeh0xeQX4QHiF9e2Lsie2dc4qFE37XYbQZhVmn8XJ2awPpSWLQ736UskYgGU8lQ==",
       "license": "MIT",
       "dependencies": {
-        "@node-saml/node-saml": "^5.1.0",
-        "@types/express": "^4.17.23",
-        "@types/passport": "^1.0.17",
+        "@node-saml/node-saml": "^5.0.1",
+        "@types/express": "^4.17.21",
+        "@types/passport": "^1.0.16",
         "@types/passport-strategy": "^0.2.38",
         "passport": "^0.7.0",
         "passport-strategy": "^1.0.0"
@@ -9778,6 +9777,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-app/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-app/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9824,6 +9835,11 @@
         "node": "14 || >=16.14"
       }
     },
+    "node_modules/@octokit/auth-app/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-app": {
       "version": "8.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-8.1.1.tgz",
@@ -9839,6 +9855,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9877,6 +9905,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/auth-oauth-app/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-device": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-7.1.1.tgz",
@@ -9891,6 +9924,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9929,6 +9974,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/auth-oauth-device/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-oauth-user": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-5.1.1.tgz",
@@ -9944,6 +9994,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -9982,6 +10044,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/auth-oauth-user/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/auth-token": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
@@ -10035,38 +10102,32 @@
         "@octokit/openapi-types": "^24.2.0"
       }
     },
-    "node_modules/@octokit/core/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/@octokit/endpoint": {
-      "version": "10.1.4",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.4.tgz",
-      "integrity": "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA==",
+      "version": "9.0.6",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^14.0.0",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
         "node": ">= 18"
       }
     },
     "node_modules/@octokit/endpoint/node_modules/@octokit/openapi-types": {
-      "version": "25.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-25.1.0.tgz",
-      "integrity": "sha512-idsIggNXUKkk0+BExUn1dQ92sfysJrje03Q0bv0e+KPLrvyqZF8MnBpFz8UNfYDwB3Ie7Z0TByjWfzxt7vseaA==",
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
       "license": "MIT"
     },
     "node_modules/@octokit/endpoint/node_modules/@octokit/types": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-14.1.0.tgz",
-      "integrity": "sha512-1y6DgTy8Jomcpu33N+p5w58l6xyt55Ar2I91RPiIA0xCJBXyUAhXCcmZaDWSANiha7R9a6qJJ2CRomGPZ6f46g==",
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^25.1.0"
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
     "node_modules/@octokit/graphql": {
@@ -10098,12 +10159,6 @@
         "@octokit/openapi-types": "^24.2.0"
       }
     },
-    "node_modules/@octokit/graphql/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/@octokit/oauth-authorization-url": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/@octokit/oauth-authorization-url/-/oauth-authorization-url-7.1.1.tgz",
@@ -10126,6 +10181,18 @@
         "node": ">= 18"
       }
     },
+    "node_modules/@octokit/oauth-methods/node_modules/@octokit/endpoint": {
+      "version": "10.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-10.1.1.tgz",
+      "integrity": "sha512-JYjh5rMOwXMJyUpj028cu0Gbp7qe/ihxfJMLc8VZBMMqSwLgOxDI1911gV4Enl1QSavAQNJcwmwBF9M0VvLh6Q==",
+      "dependencies": {
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^7.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/@octokit/oauth-methods/node_modules/@octokit/openapi-types": {
       "version": "22.2.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
@@ -10164,6 +10231,11 @@
         "@octokit/openapi-types": "^22.2.0"
       }
     },
+    "node_modules/@octokit/oauth-methods/node_modules/universal-user-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.2.tgz",
+      "integrity": "sha512-0JCqzSKnStlRRQfCdowvqy3cy0Dvtlb8xecj/H8JFZuCze4rwjPZQOgvFvn0Ws/usCHQFGpyr+pB9adaGwXn4Q=="
+    },
     "node_modules/@octokit/openapi-types": {
       "version": "19.1.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.1.0.tgz",
@@ -10304,54 +10376,31 @@
       }
     },
     "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
-      "license": "MIT"
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
     },
     "node_modules/@octokit/request-error/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
       "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
-      }
-    },
-    "node_modules/@octokit/request/node_modules/@octokit/endpoint": {
-      "version": "9.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
-      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^13.1.0",
-        "universal-user-agent": "^6.0.0"
-      },
-      "engines": {
-        "node": ">= 18"
+        "@octokit/openapi-types": "^22.2.0"
       }
     },
     "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
-      "version": "24.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
-      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
-      "license": "MIT"
+      "version": "22.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.2.0.tgz",
+      "integrity": "sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg=="
     },
     "node_modules/@octokit/request/node_modules/@octokit/types": {
-      "version": "13.10.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
-      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
-      "license": "MIT",
+      "version": "13.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.6.1.tgz",
+      "integrity": "sha512-PHZE9Z+kWXb23Ndik8MKPirBPziOc0D2/3KH1P+6jK5nGWe96kadZuE4jev2/Jq7FvIfTlT2Ltg8Fv2x1v0a5g==",
       "dependencies": {
-        "@octokit/openapi-types": "^24.2.0"
+        "@octokit/openapi-types": "^22.2.0"
       }
     },
-    "node_modules/@octokit/request/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/@octokit/rest": {
       "version": "20.0.2",
       "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-20.0.2.tgz",
@@ -13301,10 +13350,9 @@
       "license": "MIT"
     },
     "node_modules/@types/express": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.23.tgz",
-      "integrity": "sha512-Crp6WY9aTYP3qPi2wGDo9iUe/rceX01UMhnF1jmwDcKCFM6cx7YhGP/Mpr3y9AASpfHixIG0E6azCcL5OcDHsQ==",
-      "license": "MIT",
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.21.tgz",
+      "integrity": "sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==",
       "dependencies": {
         "@types/body-parser": "*",
         "@types/express-serve-static-core": "^4.17.33",
@@ -13474,10 +13522,9 @@
       }
     },
     "node_modules/@types/passport": {
-      "version": "1.0.17",
-      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.17.tgz",
-      "integrity": "sha512-aciLyx+wDwT2t2/kJGJR2AEeBz0nJU4WuRX04Wu9Dqc5lSUtwu0WERPHYsLhF9PtseiAMPBGNUOtFjxZ56prsg==",
-      "license": "MIT",
+      "version": "1.0.16",
+      "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.16.tgz",
+      "integrity": "sha512-FD0qD5hbPWQzaM0wHUnJ/T0BBCJBxCeemtnCwc/ThhTg3x9jfrAcRUmj5Dopza+MfFS9acTe3wk7rcVnRIp/0A==",
       "dependencies": {
         "@types/express": "*"
       }
@@ -13652,16 +13699,14 @@
       }
     },
     "node_modules/@types/request/node_modules/form-data": {
-      "version": "2.5.5",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.5.tgz",
-      "integrity": "sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==",
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.2.tgz",
+      "integrity": "sha512-GgwY0PS7DbXqajuGf4OYlsrIu3zgxD6Vvql43IBhm6MahqA5SK/7mwhtNj2AdH2z35YR34ujJ7BN+3fFC3jP5Q==",
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
-        "combined-stream": "^1.0.8",
-        "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
-        "mime-types": "^2.1.35",
+        "combined-stream": "^1.0.6",
+        "mime-types": "^2.1.12",
         "safe-buffer": "^5.2.1"
       },
       "engines": {
@@ -15185,13 +15230,13 @@
       }
     },
     "node_modules/axios": {
-      "version": "1.11.0",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.11.0.tgz",
-      "integrity": "sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==",
+      "version": "1.7.9",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
+      "integrity": "sha512-LhLcE7Hbiryz8oMDdDptSrWowmB4Bl6RCt6sIJKpRB4XtVf0iEgewX3au/pJqm+Py1kCASkb/FFKjxQaLtxJvw==",
       "license": "MIT",
       "dependencies": {
         "follow-redirects": "^1.15.6",
-        "form-data": "^4.0.4",
+        "form-data": "^4.0.0",
         "proxy-from-env": "^1.1.0"
       }
     },
@@ -18239,8 +18284,7 @@
     "node_modules/fast-content-type-parse": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-1.1.0.tgz",
-      "integrity": "sha512-fBHHqSTFLVnR61C+gltJuE5GkVQMV0S2nqUO8TJ+5Z3qAKG8vAx4FKai1s5jq/inV1+sREynIWSuQ6HgoSXpDQ==",
-      "license": "MIT"
+      "integrity": "sha512-fBHHqSTFLVnR61C+gltJuE5GkVQMV0S2nqUO8TJ+5Z3qAKG8vAx4FKai1s5jq/inV1+sREynIWSuQ6HgoSXpDQ=="
     },
     "node_modules/fast-copy": {
       "version": "3.0.1",
@@ -18717,15 +18761,13 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
-      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
-      "license": "MIT",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz",
+      "integrity": "sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
         "mime-types": "^2.1.12"
       },
       "engines": {
@@ -24728,12 +24770,6 @@
         "jsonwebtoken": "^9.0.2"
       }
     },
-    "node_modules/octokit-auth-probot/node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
-      "license": "ISC"
-    },
     "node_modules/odbc": {
       "version": "2.4.9",
       "resolved": "https://registry.npmjs.org/odbc/-/odbc-2.4.9.tgz",
@@ -30663,10 +30699,9 @@
       "integrity": "sha512-G5o6f95b5BggDGuUfKDApKaCgNYy2x7OdHY0zSMF081O0EJobw+1130VONhrA7ezGSV2FNOGyM+KQpQZAr9bIQ=="
     },
     "node_modules/universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
-      "license": "ISC"
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ=="
     },
     "node_modules/universalify": {
       "version": "2.0.1",
@@ -31913,9 +31948,9 @@
       "license": "MIT"
     },
     "node_modules/xml-crypto": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.1.2.tgz",
-      "integrity": "sha512-leBOVQdVi8FvPJrMYoum7Ici9qyxfE4kVi+AkpUoYCSXaQF4IlBm1cneTK9oAxR61LpYxTx7lNcsnBIeRpGW2w==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-6.0.1.tgz",
+      "integrity": "sha512-v05aU7NS03z4jlZ0iZGRFeZsuKO1UfEbbYiaeRMiATBFs6Jq9+wqKquEMTn4UTrYZ9iGD8yz3KT4L9o2iF682w==",
       "license": "MIT",
       "dependencies": {
         "@xmldom/is-dom-node": "^1.0.1",

backend/package.json

@@ -153,12 +153,11 @@
     "@gitbeaker/rest": "^42.5.0",
     "@google-cloud/kms": "^4.5.0",
     "@infisical/quic": "^1.0.8",
-    "@node-saml/passport-saml": "^5.1.0",
+    "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/core": "^5.2.1",
     "@octokit/plugin-paginate-graphql": "^4.0.1",
     "@octokit/plugin-retry": "^5.0.5",
-    "@octokit/request": "8.4.1",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
@@ -182,7 +181,7 @@
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",
-    "axios": "^1.11.0",
+    "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
     "botbuilder": "^4.23.2",

backend/scripts/generate-schema-types.ts

@@ -99,7 +99,6 @@ const main = async () => {
     (el) =>
       !el.tableName.includes("_migrations") &&
       !el.tableName.includes("audit_logs_") &&
-      !el.tableName.includes("active_locks") &&
       el.tableName !== "intermediate_audit_logs"
   );
 

backend/src/@types/fastify.d.ts

@@ -12,13 +12,10 @@ import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certifi
 import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/certificate-est-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-types";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-types";
-import { TEventBusService } from "@app/ee/services/event/event-bus-service";
-import { TServerSentEventsService } from "@app/ee/services/event/event-sse-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGithubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
-import { TIdentityAuthTemplateServiceFactory } from "@app/ee/services/identity-auth-template";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
 import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
@@ -96,7 +93,6 @@ import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env
 import { TProjectKeyServiceFactory } from "@app/services/project-key/project-key-service";
 import { TProjectMembershipServiceFactory } from "@app/services/project-membership/project-membership-service";
 import { TProjectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { TReminderServiceFactory } from "@app/services/reminder/reminder-types";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretBlindIndexServiceFactory } from "@app/services/secret-blind-index/secret-blind-index-service";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
@@ -129,15 +125,6 @@ declare module "@fastify/request-context" {
         namespace: string;
         name: string;
       };
-      aws?: {
-        accountId: string;
-        arn: string;
-        userId: string;
-        partition: string;
-        service: string;
-        resourceType: string;
-        resourceName: string;
-      };
     };
     identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
     assumedPrivilegeDetails?: { requesterId: string; actorId: string; actorType: ActorType; projectId: string };
@@ -298,10 +285,6 @@ declare module "fastify" {
       secretScanningV2: TSecretScanningV2ServiceFactory;
       internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
       pkiTemplate: TPkiTemplatesServiceFactory;
-      reminder: TReminderServiceFactory;
-      bus: TEventBusService;
-      sse: TServerSentEventsService;
-      identityAuthTemplate: TIdentityAuthTemplateServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -489,16 +489,6 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import {
-  TAccessApprovalPoliciesEnvironments,
-  TAccessApprovalPoliciesEnvironmentsInsert,
-  TAccessApprovalPoliciesEnvironmentsUpdate
-} from "@app/db/schemas/access-approval-policies-environments";
-import {
-  TIdentityAuthTemplates,
-  TIdentityAuthTemplatesInsert,
-  TIdentityAuthTemplatesUpdate
-} from "@app/db/schemas/identity-auth-templates";
 import {
   TIdentityLdapAuths,
   TIdentityLdapAuthsInsert,
@@ -514,17 +504,6 @@ import {
   TProjectMicrosoftTeamsConfigsInsert,
   TProjectMicrosoftTeamsConfigsUpdate
 } from "@app/db/schemas/project-microsoft-teams-configs";
-import { TReminders, TRemindersInsert, TRemindersUpdate } from "@app/db/schemas/reminders";
-import {
-  TRemindersRecipients,
-  TRemindersRecipientsInsert,
-  TRemindersRecipientsUpdate
-} from "@app/db/schemas/reminders-recipients";
-import {
-  TSecretApprovalPoliciesEnvironments,
-  TSecretApprovalPoliciesEnvironmentsInsert,
-  TSecretApprovalPoliciesEnvironmentsUpdate
-} from "@app/db/schemas/secret-approval-policies-environments";
 import {
   TSecretReminderRecipients,
   TSecretReminderRecipientsInsert,
@@ -883,11 +862,6 @@ declare module "knex/types/tables" {
       TIdentityProjectAdditionalPrivilegeInsert,
       TIdentityProjectAdditionalPrivilegeUpdate
     >;
-    [TableName.IdentityAuthTemplate]: KnexOriginal.CompositeTableType<
-      TIdentityAuthTemplates,
-      TIdentityAuthTemplatesInsert,
-      TIdentityAuthTemplatesUpdate
-    >;
 
     [TableName.AccessApprovalPolicy]: KnexOriginal.CompositeTableType<
       TAccessApprovalPolicies,
@@ -907,12 +881,6 @@ declare module "knex/types/tables" {
       TAccessApprovalPoliciesBypassersUpdate
     >;
 
-    [TableName.AccessApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
-      TAccessApprovalPoliciesEnvironments,
-      TAccessApprovalPoliciesEnvironmentsInsert,
-      TAccessApprovalPoliciesEnvironmentsUpdate
-    >;
-
     [TableName.AccessApprovalRequest]: KnexOriginal.CompositeTableType<
       TAccessApprovalRequests,
       TAccessApprovalRequestsInsert,
@@ -961,11 +929,6 @@ declare module "knex/types/tables" {
       TSecretApprovalRequestSecretTagsInsert,
       TSecretApprovalRequestSecretTagsUpdate
     >;
-    [TableName.SecretApprovalPolicyEnvironment]: KnexOriginal.CompositeTableType<
-      TSecretApprovalPoliciesEnvironments,
-      TSecretApprovalPoliciesEnvironmentsInsert,
-      TSecretApprovalPoliciesEnvironmentsUpdate
-    >;
     [TableName.SecretRotation]: KnexOriginal.CompositeTableType<
       TSecretRotations,
       TSecretRotationsInsert,
@@ -1248,11 +1211,5 @@ declare module "knex/types/tables" {
       TSecretScanningConfigsInsert,
       TSecretScanningConfigsUpdate
     >;
-    [TableName.Reminder]: KnexOriginal.CompositeTableType<TReminders, TRemindersInsert, TRemindersUpdate>;
-    [TableName.ReminderRecipient]: KnexOriginal.CompositeTableType<
-      TRemindersRecipients,
-      TRemindersRecipientsInsert,
-      TRemindersRecipientsUpdate
-    >;
   }
 }

backend/src/db/migrations/20250701202824_add-reminder-table.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.Reminder))) {
-    await knex.schema.createTable(TableName.Reminder, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("secretId").nullable();
-      t.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      t.string("message", 1024).nullable();
-      t.integer("repeatDays").checkPositive().nullable();
-      t.timestamp("nextReminderDate").notNullable();
-      t.timestamps(true, true, true);
-      t.unique("secretId");
-    });
-  }
-
-  if (!(await knex.schema.hasTable(TableName.ReminderRecipient))) {
-    await knex.schema.createTable(TableName.ReminderRecipient, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("reminderId").notNullable();
-      t.foreign("reminderId").references("id").inTable(TableName.Reminder).onDelete("CASCADE");
-      t.uuid("userId").notNullable();
-      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-      t.index("reminderId");
-      t.index("userId");
-      t.unique(["reminderId", "userId"]);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.Reminder);
-  await createOnUpdateTrigger(knex, TableName.ReminderRecipient);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.Reminder);
-  await dropOnUpdateTrigger(knex, TableName.ReminderRecipient);
-  await knex.schema.dropTableIfExists(TableName.ReminderRecipient);
-  await knex.schema.dropTableIfExists(TableName.Reminder);
-}

backend/src/db/migrations/20250717195959_gatewayid-for-app-conn.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.AppConnection, "gatewayId"))) {
-    await knex.schema.alterTable(TableName.AppConnection, (t) => {
-      t.uuid("gatewayId").nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AppConnection, "gatewayId")) {
-    await knex.schema.alterTable(TableName.AppConnection, (t) => {
-      t.dropColumn("gatewayId");
-    });
-  }
-}

backend/src/db/migrations/20250718133527_project-unify-revert.ts

@@ -1,432 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-import { v4 as uuidV4 } from "uuid";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { ProjectType, TableName } from "../schemas";
-
-/* eslint-disable no-await-in-loop,@typescript-eslint/ban-ts-comment */
-
-// Single query to get all projects that need any kind of kickout
-const getProjectsNeedingKickouts = async (
-  knex: Knex
-): Promise<
-  Array<{
-    id: string;
-    defaultProduct: string;
-    needsSecretManager: boolean;
-    needsCertManager: boolean;
-    needsSecretScanning: boolean;
-    needsKms: boolean;
-    needsSsh: boolean;
-  }>
-> => {
-  const result = await knex.raw(
-    `
-SELECT DISTINCT
-  p.id,
-  p."defaultProduct",
-  
-  -- Use CASE with direct joins instead of EXISTS subqueries
-  CASE WHEN p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL THEN true ELSE false END AS "needsSecretManager",
-  CASE WHEN p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL THEN true ELSE false END AS "needsCertManager", 
-  CASE WHEN p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL THEN true ELSE false END AS "needsSecretScanning",
-  CASE WHEN p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL THEN true ELSE false END AS "needsKms",
-  CASE WHEN p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL THEN true ELSE false END AS "needsSsh"
-
-FROM projects p
-LEFT JOIN (
-  SELECT DISTINCT e."projectId", 1 as secret_exists
-  FROM secrets_v2 s
-  JOIN secret_folders sf ON sf.id = s."folderId"
-  JOIN project_environments e ON e.id = sf."envId"
-) s ON s."projectId" = p.id AND p."defaultProduct" != 'secret-manager'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as ca_exists
-  FROM certificate_authorities
-) ca ON ca."projectId" = p.id AND p."defaultProduct" != 'cert-manager'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as ssds_exists
-  FROM secret_scanning_data_sources
-) ssds ON ssds."projectId" = p.id AND p."defaultProduct" != 'secret-scanning'
-
-LEFT JOIN (
-  SELECT DISTINCT "projectId", 1 as kms_exists
-  FROM kms_keys
-  WHERE "isReserved" = false
-) kk ON kk."projectId" = p.id AND p."defaultProduct" != 'kms'
-
-LEFT JOIN (
-  SELECT DISTINCT sca."projectId", 1 as ssh_exists
-  FROM ssh_certificates sc
-  JOIN ssh_certificate_authorities sca ON sca.id = sc."sshCaId"
-) sc ON sc."projectId" = p.id AND p."defaultProduct" != 'ssh'
-
-WHERE p."defaultProduct" IS NOT NULL
-  AND (
-    (p."defaultProduct" != 'secret-manager' AND s.secret_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'cert-manager' AND ca.ca_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'secret-scanning' AND ssds.ssds_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'kms' AND kk.kms_exists IS NOT NULL) OR
-    (p."defaultProduct" != 'ssh' AND sc.ssh_exists IS NOT NULL)
-  )
-    `
-  );
-
-  return result.rows;
-};
-
-const newProject = async (knex: Knex, projectId: string, projectType: ProjectType) => {
-  const newProjectId = uuidV4();
-  const project = await knex(TableName.Project).where("id", projectId).first();
-  await knex(TableName.Project).insert({
-    ...project,
-    type: projectType,
-    defaultProduct: null,
-    // @ts-ignore id is required
-    id: newProjectId,
-    slug: slugify(`${project?.name}-${alphaNumericNanoId(8)}`)
-  });
-
-  const customRoleMapping: Record<string, string> = {};
-  const projectCustomRoles = await knex(TableName.ProjectRoles).where("projectId", projectId);
-  if (projectCustomRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectRoles,
-      projectCustomRoles.map((el) => {
-        const id = uuidV4();
-        customRoleMapping[el.id] = id;
-        return {
-          ...el,
-          id,
-          projectId: newProjectId,
-          permissions: el.permissions ? JSON.stringify(el.permissions) : el.permissions
-        };
-      })
-    );
-  }
-  const groupMembershipMapping: Record<string, string> = {};
-  const groupMemberships = await knex(TableName.GroupProjectMembership).where("projectId", projectId);
-  if (groupMemberships.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembership,
-      groupMemberships.map((el) => {
-        const id = uuidV4();
-        groupMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const groupMembershipRoles = await knex(TableName.GroupProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    groupMemberships.map((el) => el.id)
-  );
-  if (groupMembershipRoles.length) {
-    await knex.batchInsert(
-      TableName.GroupProjectMembershipRole,
-      groupMembershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = groupMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const identityProjectMembershipMapping: Record<string, string> = {};
-  const identities = await knex(TableName.IdentityProjectMembership).where("projectId", projectId);
-  if (identities.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembership,
-      identities.map((el) => {
-        const id = uuidV4();
-        identityProjectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const identitiesRoles = await knex(TableName.IdentityProjectMembershipRole).whereIn(
-    "projectMembershipId",
-    identities.map((el) => el.id)
-  );
-  if (identitiesRoles.length) {
-    await knex.batchInsert(
-      TableName.IdentityProjectMembershipRole,
-      identitiesRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = identityProjectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const projectMembershipMapping: Record<string, string> = {};
-  const projectUserMembers = await knex(TableName.ProjectMembership).where("projectId", projectId);
-  if (projectUserMembers.length) {
-    await knex.batchInsert(
-      TableName.ProjectMembership,
-      projectUserMembers.map((el) => {
-        const id = uuidV4();
-        projectMembershipMapping[el.id] = id;
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-  const membershipRoles = await knex(TableName.ProjectUserMembershipRole).whereIn(
-    "projectMembershipId",
-    projectUserMembers.map((el) => el.id)
-  );
-  if (membershipRoles.length) {
-    await knex.batchInsert(
-      TableName.ProjectUserMembershipRole,
-      membershipRoles.map((el) => {
-        const id = uuidV4();
-        const projectMembershipId = projectMembershipMapping[el.projectMembershipId];
-        const customRoleId = el.customRoleId ? customRoleMapping[el.customRoleId] : el.customRoleId;
-        return { ...el, id, projectMembershipId, customRoleId };
-      })
-    );
-  }
-
-  const kmsKeys = await knex(TableName.KmsKey).where("projectId", projectId).andWhere("isReserved", true);
-  if (kmsKeys.length) {
-    await knex.batchInsert(
-      TableName.KmsKey,
-      kmsKeys.map((el) => {
-        const id = uuidV4();
-        const slug = slugify(alphaNumericNanoId(8).toLowerCase());
-        return { ...el, id, slug, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectBot = await knex(TableName.ProjectBot).where("projectId", projectId).first();
-  if (projectBot) {
-    const newProjectBot = { ...projectBot, id: uuidV4(), projectId: newProjectId };
-    await knex(TableName.ProjectBot).insert(newProjectBot);
-  }
-
-  const projectKeys = await knex(TableName.ProjectKeys).where("projectId", projectId);
-  if (projectKeys.length) {
-    await knex.batchInsert(
-      TableName.ProjectKeys,
-      projectKeys.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectGateways = await knex(TableName.ProjectGateway).where("projectId", projectId);
-  if (projectGateways.length) {
-    await knex.batchInsert(
-      TableName.ProjectGateway,
-      projectGateways.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectSlackConfigs = await knex(TableName.ProjectSlackConfigs).where("projectId", projectId);
-  if (projectSlackConfigs.length) {
-    await knex.batchInsert(
-      TableName.ProjectSlackConfigs,
-      projectSlackConfigs.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const projectMicrosoftTeamsConfigs = await knex(TableName.ProjectMicrosoftTeamsConfigs).where("projectId", projectId);
-  if (projectMicrosoftTeamsConfigs.length) {
-    await knex.batchInsert(
-      TableName.ProjectMicrosoftTeamsConfigs,
-      projectMicrosoftTeamsConfigs.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  const trustedIps = await knex(TableName.TrustedIps).where("projectId", projectId);
-  if (trustedIps.length) {
-    await knex.batchInsert(
-      TableName.TrustedIps,
-      trustedIps.map((el) => {
-        const id = uuidV4();
-        return { ...el, id, projectId: newProjectId };
-      })
-    );
-  }
-
-  return newProjectId;
-};
-
-const kickOutSecretManagerProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretManager);
-  await knex(TableName.IntegrationAuth).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.Environment).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretBlindIndex).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretSync).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretTag).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretReminderRecipients).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.ServiceToken).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutCertManagerProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.CertificateManager);
-  await knex(TableName.CertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.Certificate).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiSubscriber).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiCollection).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.PkiAlert).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutSecretScanningProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SecretScanning);
-  await knex(TableName.SecretScanningConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretScanningDataSource).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SecretScanningFinding).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutKmsProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.KMS);
-  await knex(TableName.KmsKey)
-    .where("projectId", oldProjectId)
-    .andWhere("isReserved", false)
-    .update("projectId", newProjectId);
-  await knex(TableName.KmipClient).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const kickOutSshProject = async (knex: Knex, oldProjectId: string) => {
-  const newProjectId = await newProject(knex, oldProjectId, ProjectType.SSH);
-  await knex(TableName.SshHost).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.ProjectSshConfig).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SshCertificateAuthority).where("projectId", oldProjectId).update("projectId", newProjectId);
-  await knex(TableName.SshHostGroup).where("projectId", oldProjectId).update("projectId", newProjectId);
-};
-
-const BATCH_SIZE = 1000;
-const MIGRATION_TIMEOUT = 30 * 60 * 1000; // 30 minutes
-
-export async function up(knex: Knex): Promise<void> {
-  const result = await knex.raw("SHOW statement_timeout");
-  const originalTimeout = result.rows[0].statement_timeout;
-
-  try {
-    await knex.raw(`SET statement_timeout = ${MIGRATION_TIMEOUT}`);
-
-    const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-    if (hasTemplateTypeColumn) {
-      await knex(TableName.ProjectTemplates).whereNull("type").update({
-        type: ProjectType.SecretManager
-      });
-      await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-        t.string("type").notNullable().defaultTo(ProjectType.SecretManager).alter();
-      });
-    }
-
-    const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-    const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-    if (hasTypeColumn && hasDefaultTypeColumn) {
-      await knex(TableName.Project).update({
-        // eslint-disable-next-line
-        // @ts-ignore this is because this field is created later
-        type: knex.raw(`"defaultProduct"`)
-      });
-
-      await knex.schema.alterTable(TableName.Project, (t) => {
-        t.string("type").notNullable().alter();
-        t.string("defaultProduct").nullable().alter();
-      });
-
-      // Get all projects that need kickouts in a single query
-      const projectsNeedingKickouts = await getProjectsNeedingKickouts(knex);
-
-      // Process projects in batches to avoid overwhelming the database
-      for (let i = 0; i < projectsNeedingKickouts.length; i += projectsNeedingKickouts.length) {
-        const batch = projectsNeedingKickouts.slice(i, i + BATCH_SIZE);
-        const processedIds: string[] = [];
-
-        for (const project of batch) {
-          const kickoutPromises: Promise<void>[] = [];
-
-          // Only add kickouts that are actually needed (flags are pre-computed)
-          if (project.needsSecretManager) {
-            kickoutPromises.push(kickOutSecretManagerProject(knex, project.id));
-          }
-          if (project.needsCertManager) {
-            kickoutPromises.push(kickOutCertManagerProject(knex, project.id));
-          }
-          if (project.needsKms) {
-            kickoutPromises.push(kickOutKmsProject(knex, project.id));
-          }
-          if (project.needsSsh) {
-            kickoutPromises.push(kickOutSshProject(knex, project.id));
-          }
-          if (project.needsSecretScanning) {
-            kickoutPromises.push(kickOutSecretScanningProject(knex, project.id));
-          }
-
-          // Execute all kickouts in parallel and handle any failures gracefully
-          if (kickoutPromises.length > 0) {
-            const results = await Promise.allSettled(kickoutPromises);
-
-            // Log any failures for debugging
-            results.forEach((res) => {
-              if (res.status === "rejected") {
-                throw new Error(`Migration failed for project ${project.id}: ${res.reason}`);
-              }
-            });
-          }
-
-          processedIds.push(project.id);
-        }
-
-        // Clear defaultProduct for the processed batch
-        if (processedIds.length > 0) {
-          await knex(TableName.Project).whereIn("id", processedIds).update("defaultProduct", null);
-        }
-      }
-    }
-  } finally {
-    await knex.raw(`SET statement_timeout = '${originalTimeout}'`);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
-  const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
-  if (hasTypeColumn && hasDefaultTypeColumn) {
-    await knex(TableName.Project).update({
-      // eslint-disable-next-line
-      // @ts-ignore this is because this field is created later
-      defaultProduct: knex.raw(`
-    CASE 
-      WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager' 
-      ELSE "type" 
-    END
-  `)
-    });
-
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.string("type").nullable().alter();
-      t.string("defaultProduct").notNullable().alter();
-    });
-  }
-
-  const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
-  if (hasTemplateTypeColumn) {
-    await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-      t.string("type").nullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250721101756_bump-aws-arn-field-size.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.string("allowedPrincipalArns", 4096).notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
-  if (hasColumn) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.string("allowedPrincipalArns", 2048).notNullable().alter();
-    });
-  }
-}

backend/src/db/migrations/20250722152841_add-policies-environments-table.ts

@@ -1,96 +0,0 @@
-import { Knex } from "knex";
-
-import { selectAllTableCols } from "@app/lib/knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyEnvironment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment);
-      t.timestamps(true, true, true);
-      t.unique(["policyId", "envId"]);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
-
-    const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
-      .select(selectAllTableCols(TableName.AccessApprovalPolicy))
-      .whereNotNull(`${TableName.AccessApprovalPolicy}.envId`);
-
-    const accessApprovalPolicies = existingAccessApprovalPolicies.map(async (policy) => {
-      await knex(TableName.AccessApprovalPolicyEnvironment).insert({
-        policyId: policy.id,
-        envId: policy.envId
-      });
-    });
-
-    await Promise.all(accessApprovalPolicies);
-  }
-  if (!(await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment))) {
-    await knex.schema.createTable(TableName.SecretApprovalPolicyEnvironment, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.SecretApprovalPolicy).onDelete("CASCADE");
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment);
-      t.timestamps(true, true, true);
-      t.unique(["policyId", "envId"]);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
-
-    const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
-      .select(selectAllTableCols(TableName.SecretApprovalPolicy))
-      .whereNotNull(`${TableName.SecretApprovalPolicy}.envId`);
-
-    const secretApprovalPolicies = existingSecretApprovalPolicies.map(async (policy) => {
-      await knex(TableName.SecretApprovalPolicyEnvironment).insert({
-        policyId: policy.id,
-        envId: policy.envId
-      });
-    });
-
-    await Promise.all(secretApprovalPolicies);
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
-  });
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-
-    // Add the new foreign key constraint with ON DELETE SET NULL
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("SET NULL");
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.AccessApprovalPolicyEnvironment)) {
-    await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyEnvironment);
-    await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyEnvironment);
-  }
-  if (await knex.schema.hasTable(TableName.SecretApprovalPolicyEnvironment)) {
-    await knex.schema.dropTableIfExists(TableName.SecretApprovalPolicyEnvironment);
-    await dropOnUpdateTrigger(knex, TableName.SecretApprovalPolicyEnvironment);
-  }
-
-  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-  });
-
-  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
-    t.dropForeign(["envId"]);
-    t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-  });
-}

backend/src/db/migrations/20250723220500_remove-srp.ts

@@ -1,18 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.UserEncryptionKey, (table) => {
-    table.text("encryptedPrivateKey").nullable().alter();
-    table.text("publicKey").nullable().alter();
-    table.text("iv").nullable().alter();
-    table.text("tag").nullable().alter();
-    table.text("salt").nullable().alter();
-    table.text("verifier").nullable().alter();
-  });
-}
-
-export async function down(): Promise<void> {
-  // do nothing for now to avoid breaking down migrations
-}

backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts

@@ -1,112 +0,0 @@
-/* eslint-disable no-await-in-loop */
-import { Knex } from "knex";
-
-import { chunkArray } from "@app/lib/fn";
-import { initLogger, logger } from "@app/lib/logger";
-
-import { TableName } from "../schemas";
-import { TReminders, TRemindersInsert } from "../schemas/reminders";
-
-export async function up(knex: Knex): Promise<void> {
-  logger.info("Initializing secret reminders migration");
-  const hasReminderTable = await knex.schema.hasTable(TableName.Reminder);
-
-  if (hasReminderTable) {
-    const secretsWithLatestVersions = await knex(TableName.SecretV2)
-      .whereNotNull(`${TableName.SecretV2}.reminderRepeatDays`)
-      .whereRaw(`"${TableName.SecretV2}"."reminderRepeatDays" > 0`)
-      .innerJoin(TableName.SecretVersionV2, (qb) => {
-        void qb
-          .on(`${TableName.SecretVersionV2}.secretId`, "=", `${TableName.SecretV2}.id`)
-          .andOn(`${TableName.SecretVersionV2}.reminderRepeatDays`, "=", `${TableName.SecretV2}.reminderRepeatDays`);
-      })
-      .whereIn([`${TableName.SecretVersionV2}.secretId`, `${TableName.SecretVersionV2}.version`], (qb) => {
-        void qb
-          .select(["v2.secretId", knex.raw("MIN(v2.version) as version")])
-          .from(`${TableName.SecretVersionV2} as v2`)
-          .innerJoin(`${TableName.SecretV2} as s2`, "v2.secretId", "s2.id")
-          .whereRaw(`v2."reminderRepeatDays" = s2."reminderRepeatDays"`)
-          .whereNotNull("v2.reminderRepeatDays")
-          .whereRaw(`v2."reminderRepeatDays" > 0`)
-          .groupBy("v2.secretId");
-      })
-      // Add LEFT JOIN with Reminder table to check for existing reminders
-      .leftJoin(TableName.Reminder, `${TableName.Reminder}.secretId`, `${TableName.SecretV2}.id`)
-      // Only include secrets that don't already have reminders
-      .whereNull(`${TableName.Reminder}.secretId`)
-      .select(
-        knex.ref("id").withSchema(TableName.SecretV2).as("secretId"),
-        knex.ref("reminderRepeatDays").withSchema(TableName.SecretV2).as("reminderRepeatDays"),
-        knex.ref("reminderNote").withSchema(TableName.SecretV2).as("reminderNote"),
-        knex.ref("createdAt").withSchema(TableName.SecretVersionV2).as("createdAt")
-      );
-
-    logger.info(`Found ${secretsWithLatestVersions.length} reminders to migrate`);
-
-    const reminderInserts: TRemindersInsert[] = [];
-    if (secretsWithLatestVersions.length > 0) {
-      secretsWithLatestVersions.forEach((secret) => {
-        if (!secret.reminderRepeatDays) return;
-
-        const now = new Date();
-        const createdAt = new Date(secret.createdAt);
-        let nextReminderDate = new Date(createdAt);
-        nextReminderDate.setDate(nextReminderDate.getDate() + secret.reminderRepeatDays);
-
-        // If the next reminder date is in the past, calculate the proper next occurrence
-        if (nextReminderDate < now) {
-          const daysSinceCreation = Math.floor((now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24));
-          const daysIntoCurrentCycle = daysSinceCreation % secret.reminderRepeatDays;
-          const daysUntilNextReminder = secret.reminderRepeatDays - daysIntoCurrentCycle;
-
-          nextReminderDate = new Date(now);
-          nextReminderDate.setDate(now.getDate() + daysUntilNextReminder);
-        }
-
-        reminderInserts.push({
-          secretId: secret.secretId,
-          message: secret.reminderNote,
-          repeatDays: secret.reminderRepeatDays,
-          nextReminderDate
-        });
-      });
-
-      const commitBatches = chunkArray(reminderInserts, 2000);
-      for (const commitBatch of commitBatches) {
-        const insertedReminders = (await knex
-          .batchInsert(TableName.Reminder, commitBatch)
-          .returning("*")) as TReminders[];
-
-        const insertedReminderSecretIds = insertedReminders.map((reminder) => reminder.secretId).filter(Boolean);
-
-        const recipients = await knex(TableName.SecretReminderRecipients)
-          .whereRaw(`??.?? IN (${insertedReminderSecretIds.map(() => "?").join(",")})`, [
-            TableName.SecretReminderRecipients,
-            "secretId",
-            ...insertedReminderSecretIds
-          ])
-          .select(
-            knex.ref("userId").withSchema(TableName.SecretReminderRecipients).as("userId"),
-            knex.ref("secretId").withSchema(TableName.SecretReminderRecipients).as("secretId")
-          );
-        const reminderRecipients = recipients.map((recipient) => ({
-          reminderId: insertedReminders.find((reminder) => reminder.secretId === recipient.secretId)?.id,
-          userId: recipient.userId
-        }));
-
-        const filteredRecipients = reminderRecipients.filter((recipient) => Boolean(recipient.reminderId));
-        await knex.batchInsert(TableName.ReminderRecipient, filteredRecipients);
-      }
-      logger.info(`Successfully migrated ${reminderInserts.length} secret reminders`);
-    }
-
-    logger.info("Secret reminders migration completed");
-  } else {
-    logger.warn("Reminder table does not exist, skipping migration");
-  }
-}
-
-export async function down(): Promise<void> {
-  initLogger();
-  logger.info("Rollback not implemented for secret reminders fix migration");
-}

backend/src/db/migrations/20250725171821_add-secret-detection-ignore-values.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues"))) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.specificType("secretDetectionIgnoreValues", "text[]");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Project, "secretDetectionIgnoreValues")) {
-    await knex.schema.alterTable(TableName.Project, (t) => {
-      t.dropColumn("secretDetectionIgnoreValues");
-    });
-  }
-}

backend/src/db/migrations/20250730162101_add-start-from-reminder.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Reminder, "fromDate"))) {
-    await knex.schema.alterTable(TableName.Reminder, (t) => {
-      t.timestamp("fromDate", { useTz: true }).nullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Reminder, "fromDate")) {
-    await knex.schema.alterTable(TableName.Reminder, (t) => {
-      t.dropColumn("fromDate");
-    });
-  }
-}

backend/src/db/migrations/20250801170240_add-identity-auth-template.ts

@@ -1,36 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAuthTemplate))) {
-    await knex.schema.createTable(TableName.IdentityAuthTemplate, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.binary("templateFields").notNullable();
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.string("name", 64).notNullable();
-      t.string("authMethod").notNullable();
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.IdentityAuthTemplate);
-  }
-  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "templateId"))) {
-    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
-      t.uuid("templateId").nullable();
-      t.foreign("templateId").references("id").inTable(TableName.IdentityAuthTemplate).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "templateId")) {
-    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
-      t.dropForeign(["templateId"]);
-      t.dropColumn("templateId");
-    });
-  }
-  await knex.schema.dropTableIfExists(TableName.IdentityAuthTemplate);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAuthTemplate);
-}

backend/src/db/migrations/20250805151349_last-logged-auth-method.ts

@@ -1,65 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
-  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
-    TableName.IdentityOrgMembership,
-    "lastLoginAuthMethod"
-  );
-  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
-  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
-  if (!lastUserLoggedInAuthMethod || !lastUserLoggedInTime) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      if (!lastUserLoggedInAuthMethod) {
-        t.string("lastLoginAuthMethod").nullable();
-      }
-      if (!lastUserLoggedInTime) {
-        t.datetime("lastLoginTime").nullable();
-      }
-    });
-  }
-
-  if (!lastIdentityLoggedInAuthMethod || !lastIdentityLoggedInTime) {
-    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
-      if (!lastIdentityLoggedInAuthMethod) {
-        t.string("lastLoginAuthMethod").nullable();
-      }
-      if (!lastIdentityLoggedInTime) {
-        t.datetime("lastLoginTime").nullable();
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const lastUserLoggedInAuthMethod = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginAuthMethod");
-  const lastIdentityLoggedInAuthMethod = await knex.schema.hasColumn(
-    TableName.IdentityOrgMembership,
-    "lastLoginAuthMethod"
-  );
-  const lastUserLoggedInTime = await knex.schema.hasColumn(TableName.OrgMembership, "lastLoginTime");
-  const lastIdentityLoggedInTime = await knex.schema.hasColumn(TableName.IdentityOrgMembership, "lastLoginTime");
-  if (lastUserLoggedInAuthMethod || lastUserLoggedInTime) {
-    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
-      if (lastUserLoggedInAuthMethod) {
-        t.dropColumn("lastLoginAuthMethod");
-      }
-      if (lastUserLoggedInTime) {
-        t.dropColumn("lastLoginTime");
-      }
-    });
-  }
-
-  if (lastIdentityLoggedInAuthMethod || lastIdentityLoggedInTime) {
-    await knex.schema.alterTable(TableName.IdentityOrgMembership, (t) => {
-      if (lastIdentityLoggedInAuthMethod) {
-        t.dropColumn("lastLoginAuthMethod");
-      }
-      if (lastIdentityLoggedInTime) {
-        t.dropColumn("lastLoginTime");
-      }
-    });
-  }
-}

backend/src/db/migrations/20250808021941_access-policy-max-time-period.ts

@@ -1,19 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas/models";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod"))) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.string("maxTimePeriod").nullable(); // Ex: 1h - Null is permanent
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "maxTimePeriod")) {
-    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
-      t.dropColumn("maxTimePeriod");
-    });
-  }
-}

backend/src/db/migrations/20250813020335_access-request-edit-cols.ts

@@ -1,38 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
-  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
-
-  if (!hasEditNoteCol || !hasEditedByUserId) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      if (!hasEditedByUserId) {
-        t.uuid("editedByUserId").nullable();
-        t.foreign("editedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-      }
-
-      if (!hasEditNoteCol) {
-        t.string("editNote").nullable();
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEditNoteCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editNote");
-  const hasEditedByUserId = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "editedByUserId");
-
-  if (hasEditNoteCol || hasEditedByUserId) {
-    await knex.schema.alterTable(TableName.AccessApprovalRequest, (t) => {
-      if (hasEditedByUserId) {
-        t.dropColumn("editedByUserId");
-      }
-
-      if (hasEditNoteCol) {
-        t.dropColumn("editNote");
-      }
-    });
-  }
-}

backend/src/db/migrations/utils/env-config.ts

@@ -53,7 +53,7 @@ export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory
 
   let envCfg = Object.freeze(parsedEnv.data);
 
-  const fipsEnabled = await crypto.initialize(superAdminDAL, envCfg);
+  const fipsEnabled = await crypto.initialize(superAdminDAL);
 
   // Fix for 128-bit entropy encryption key expansion issue:
   // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.

backend/src/db/schemas/access-approval-policies-environments.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesEnvironmentsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesEnvironments = z.infer<typeof AccessApprovalPoliciesEnvironmentsSchema>;
-export type TAccessApprovalPoliciesEnvironmentsInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesEnvironmentsUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-policies.ts

@@ -17,8 +17,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
   deletedAt: z.date().nullable().optional(),
-  allowedSelfApprovals: z.boolean().default(true),
-  maxTimePeriod: z.string().nullable().optional()
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/access-approval-requests.ts

@@ -20,9 +20,7 @@ export const AccessApprovalRequestsSchema = z.object({
   requestedByUserId: z.string().uuid(),
   note: z.string().nullable().optional(),
   privilegeDeletedAt: z.date().nullable().optional(),
-  status: z.string().default("pending"),
-  editedByUserId: z.string().uuid().nullable().optional(),
-  editNote: z.string().nullable().optional()
+  status: z.string().default("pending")
 });
 
 export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;

backend/src/db/schemas/app-connections.ts

@@ -20,8 +20,7 @@ export const AppConnectionsSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional()
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/db/schemas/identity-auth-templates.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAuthTemplatesSchema = z.object({
-  id: z.string().uuid(),
-  templateFields: zodBuffer,
-  orgId: z.string().uuid(),
-  name: z.string(),
-  authMethod: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TIdentityAuthTemplates = z.infer<typeof IdentityAuthTemplatesSchema>;
-export type TIdentityAuthTemplatesInsert = Omit<z.input<typeof IdentityAuthTemplatesSchema>, TImmutableDBKeys>;
-export type TIdentityAuthTemplatesUpdate = Partial<Omit<z.input<typeof IdentityAuthTemplatesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -25,8 +25,7 @@ export const IdentityLdapAuthsSchema = z.object({
   allowedFields: z.unknown().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  accessTokenPeriod: z.coerce.number().default(0),
-  templateId: z.string().uuid().nullable().optional()
+  accessTokenPeriod: z.coerce.number().default(0)
 });
 
 export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;

backend/src/db/schemas/identity-org-memberships.ts

@@ -14,9 +14,7 @@ export const IdentityOrgMembershipsSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  lastLoginAuthMethod: z.string().nullable().optional(),
-  lastLoginTime: z.date().nullable().optional()
+  identityId: z.string().uuid()
 });
 
 export type TIdentityOrgMemberships = z.infer<typeof IdentityOrgMembershipsSchema>;

backend/src/db/schemas/models.ts

@@ -91,7 +91,6 @@ export enum TableName {
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
-  IdentityAuthTemplate = "identity_auth_templates",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
   ResourceMetadata = "resource_metadata",
@@ -101,7 +100,6 @@ export enum TableName {
   AccessApprovalPolicyBypasser = "access_approval_policies_bypassers",
   AccessApprovalRequest = "access_approval_requests",
   AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
-  AccessApprovalPolicyEnvironment = "access_approval_policies_environments",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalPolicyBypasser = "secret_approval_policies_bypassers",
@@ -109,7 +107,6 @@ export enum TableName {
   SecretApprovalRequestReviewer = "secret_approval_requests_reviewers",
   SecretApprovalRequestSecret = "secret_approval_requests_secrets",
   SecretApprovalRequestSecretTag = "secret_approval_request_secret_tags",
-  SecretApprovalPolicyEnvironment = "secret_approval_policies_environments",
   SecretRotation = "secret_rotations",
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
@@ -163,7 +160,7 @@ export enum TableName {
   SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings",
   MicrosoftTeamsIntegrations = "microsoft_teams_integrations",
   ProjectMicrosoftTeamsConfigs = "project_microsoft_teams_configs",
-  SecretReminderRecipients = "secret_reminder_recipients", // TODO(Carlos): Remove this in the future after migrating to the new reminder recipients table
+  SecretReminderRecipients = "secret_reminder_recipients",
   GithubOrgSyncConfig = "github_org_sync_configs",
   FolderCommit = "folder_commits",
   FolderCommitChanges = "folder_commit_changes",
@@ -175,10 +172,7 @@ export enum TableName {
   SecretScanningResource = "secret_scanning_resources",
   SecretScanningScan = "secret_scanning_scans",
   SecretScanningFinding = "secret_scanning_findings",
-  SecretScanningConfig = "secret_scanning_configs",
-  // reminders
-  Reminder = "reminders",
-  ReminderRecipient = "reminders_recipients"
+  SecretScanningConfig = "secret_scanning_configs"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt" | "commitId";
@@ -273,16 +267,6 @@ export enum ProjectType {
   SecretScanning = "secret-scanning"
 }
 
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  SecretScanning = ProjectType.SecretScanning,
-  // project operations that happen on all types
-  Any = "any"
-}
-
 export enum SortDirection {
   ASC = "asc",
   DESC = "desc"

backend/src/db/schemas/org-memberships.ts

@@ -19,9 +19,7 @@ export const OrgMembershipsSchema = z.object({
   roleId: z.string().uuid().nullable().optional(),
   projectFavorites: z.string().array().nullable().optional(),
   isActive: z.boolean().default(true),
-  lastInvitedAt: z.date().nullable().optional(),
-  lastLoginAuthMethod: z.string().nullable().optional(),
-  lastLoginTime: z.date().nullable().optional()
+  lastInvitedAt: z.date().nullable().optional()
 });
 
 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;

backend/src/db/schemas/project-templates.ts

@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  type: z.string().default("secret-manager")
+  type: z.string().nullable().optional()
 });
 
 export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;

backend/src/db/schemas/projects.ts

@@ -25,13 +25,12 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string(),
+  type: z.string().nullable().optional(),
   enforceCapitalization: z.boolean().default(false),
   hasDeleteProtection: z.boolean().default(false).nullable().optional(),
   secretSharing: z.boolean().default(true),
   showSnapshotsLegacy: z.boolean().default(false),
-  defaultProduct: z.string().nullable().optional(),
-  secretDetectionIgnoreValues: z.string().array().nullable().optional()
+  defaultProduct: z.string().default("secret-manager")
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/reminders-recipients.ts

@@ -1,20 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const RemindersRecipientsSchema = z.object({
-  id: z.string().uuid(),
-  reminderId: z.string().uuid(),
-  userId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TRemindersRecipients = z.infer<typeof RemindersRecipientsSchema>;
-export type TRemindersRecipientsInsert = Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>;
-export type TRemindersRecipientsUpdate = Partial<Omit<z.input<typeof RemindersRecipientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/reminders.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const RemindersSchema = z.object({
-  id: z.string().uuid(),
-  secretId: z.string().uuid().nullable().optional(),
-  message: z.string().nullable().optional(),
-  repeatDays: z.number().nullable().optional(),
-  nextReminderDate: z.date(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  fromDate: z.date().nullable().optional()
-});
-
-export type TReminders = z.infer<typeof RemindersSchema>;
-export type TRemindersInsert = Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>;
-export type TRemindersUpdate = Partial<Omit<z.input<typeof RemindersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-policies-environments.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretApprovalPoliciesEnvironmentsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  envId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretApprovalPoliciesEnvironments = z.infer<typeof SecretApprovalPoliciesEnvironmentsSchema>;
-export type TSecretApprovalPoliciesEnvironmentsInsert = Omit<
-  z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>,
-  TImmutableDBKeys
->;
-export type TSecretApprovalPoliciesEnvironmentsUpdate = Partial<
-  Omit<z.input<typeof SecretApprovalPoliciesEnvironmentsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/user-encryption-keys.ts

@@ -15,12 +15,12 @@ export const UserEncryptionKeysSchema = z.object({
   protectedKey: z.string().nullable().optional(),
   protectedKeyIV: z.string().nullable().optional(),
   protectedKeyTag: z.string().nullable().optional(),
-  publicKey: z.string().nullable().optional(),
-  encryptedPrivateKey: z.string().nullable().optional(),
-  iv: z.string().nullable().optional(),
-  tag: z.string().nullable().optional(),
-  salt: z.string().nullable().optional(),
-  verifier: z.string().nullable().optional(),
+  publicKey: z.string(),
+  encryptedPrivateKey: z.string(),
+  iv: z.string(),
+  tag: z.string(),
+  salt: z.string(),
+  verifier: z.string(),
   userId: z.string().uuid(),
   hashedPassword: z.string().nullable().optional(),
   serverEncryptedPrivateKey: z.string().nullable().optional(),

backend/src/db/seed-data.ts

@@ -115,10 +115,6 @@ export const generateUserSrpKeys = async (password: string) => {
 };
 
 export const getUserPrivateKey = async (password: string, user: TUserEncryptionKeys) => {
-  if (!user.encryptedPrivateKey || !user.iv || !user.tag || !user.salt) {
-    throw new Error("User encrypted private key not found");
-  }
-
   const derivedKey = await argon2.hash(password, {
     salt: Buffer.from(user.salt),
     memoryCost: 65536,

backend/src/db/seeds/1-user.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
-import { initEnvConfig } from "@app/lib/config/env";
-import { initLogger, logger } from "@app/lib/logger";
+import { crypto } from "@app/lib/crypto";
+import { initLogger } from "@app/lib/logger";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { AuthMethod } from "../../services/auth/auth-type";
@@ -17,7 +17,7 @@ export async function seed(knex: Knex): Promise<void> {
   initLogger();
 
   const superAdminDAL = superAdminDALFactory(knex);
-  await initEnvConfig(superAdminDAL, logger);
+  await crypto.initialize(superAdminDAL);
 
   await knex(TableName.SuperAdmin).insert([
     // eslint-disable-next-line
@@ -25,7 +25,6 @@ export async function seed(knex: Knex): Promise<void> {
     { id: "00000000-0000-0000-0000-000000000000", initialized: true, allowSignUp: true }
   ]);
   // Inserts seed entries
-
   const [user] = await knex(TableName.Users)
     .insert([
       {

backend/src/db/seeds/3-project.ts

@@ -1,28 +1,9 @@
 import { Knex } from "knex";
 
-import { initEnvConfig } from "@app/lib/config/env";
 import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
-import { generateUserSrpKeys } from "@app/lib/crypto/srp";
-import { initLogger, logger } from "@app/lib/logger";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { AuthMethod } from "@app/services/auth/auth-type";
-import { assignWorkspaceKeysToMembers, createProjectKey } from "@app/services/project/project-fns";
-import { projectKeyDALFactory } from "@app/services/project-key/project-key-dal";
-import { projectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
-import { userDALFactory } from "@app/services/user/user-dal";
 
-import {
-  OrgMembershipRole,
-  OrgMembershipStatus,
-  ProjectMembershipRole,
-  ProjectType,
-  SecretEncryptionAlgo,
-  SecretKeyEncoding,
-  TableName
-} from "../schemas";
-import { seedData1 } from "../seed-data";
+import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
+import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
 
 export const DEFAULT_PROJECT_ENVS = [
   { name: "Development", slug: "dev" },
@@ -30,159 +11,12 @@ export const DEFAULT_PROJECT_ENVS = [
   { name: "Production", slug: "prod" }
 ];
 
-const createUserWithGhostUser = async (
-  orgId: string,
-  projectId: string,
-  userId: string,
-  userOrgMembershipId: string,
-  knex: Knex
-) => {
-  const projectKeyDAL = projectKeyDALFactory(knex);
-  const userDAL = userDALFactory(knex);
-  const projectMembershipDAL = projectMembershipDALFactory(knex);
-  const projectUserMembershipRoleDAL = projectUserMembershipRoleDALFactory(knex);
-
-  const email = `sudo-${alphaNumericNanoId(16)}-${orgId}@infisical.com`; // We add a nanoid because the email is unique. And we have to create a new ghost user each time, so we can have access to the private key.
-
-  const password = crypto.randomBytes(128).toString("hex");
-
-  const [ghostUser] = await knex(TableName.Users)
-    .insert({
-      isGhost: true,
-      authMethods: [AuthMethod.EMAIL],
-      username: email,
-      email,
-      isAccepted: true
-    })
-    .returning("*");
-
-  const encKeys = await generateUserSrpKeys(email, password);
-
-  await knex(TableName.UserEncryptionKey)
-    .insert({ userId: ghostUser.id, encryptionVersion: 2, publicKey: encKeys.publicKey })
-    .onConflict("userId")
-    .merge();
-
-  await knex(TableName.OrgMembership)
-    .insert({
-      orgId,
-      userId: ghostUser.id,
-      role: OrgMembershipRole.Admin,
-      status: OrgMembershipStatus.Accepted,
-      isActive: true
-    })
-    .returning("*");
-
-  const [projectMembership] = await knex(TableName.ProjectMembership)
-    .insert({
-      userId: ghostUser.id,
-      projectId
-    })
-    .returning("*");
-
-  await knex(TableName.ProjectUserMembershipRole).insert({
-    projectMembershipId: projectMembership.id,
-    role: ProjectMembershipRole.Admin
-  });
-
-  const { key: encryptedProjectKey, iv: encryptedProjectKeyIv } = createProjectKey({
-    publicKey: encKeys.publicKey,
-    privateKey: encKeys.plainPrivateKey
-  });
-
-  await knex(TableName.ProjectKeys).insert({
-    projectId,
-    receiverId: ghostUser.id,
-    encryptedKey: encryptedProjectKey,
-    nonce: encryptedProjectKeyIv,
-    senderId: ghostUser.id
-  });
-
-  const { iv, tag, ciphertext, encoding, algorithm } = crypto
-    .encryption()
-    .symmetric()
-    .encryptWithRootEncryptionKey(encKeys.plainPrivateKey);
-
-  await knex(TableName.ProjectBot).insert({
-    name: "Infisical Bot (Ghost)",
-    projectId,
-    tag,
-    iv,
-    encryptedProjectKey,
-    encryptedProjectKeyNonce: encryptedProjectKeyIv,
-    encryptedPrivateKey: ciphertext,
-    isActive: true,
-    publicKey: encKeys.publicKey,
-    senderId: ghostUser.id,
-    algorithm,
-    keyEncoding: encoding
-  });
-
-  const latestKey = await projectKeyDAL.findLatestProjectKey(ghostUser.id, projectId, knex);
-
-  if (!latestKey) {
-    throw new Error("Latest key not found for user");
-  }
-
-  const user = await userDAL.findUserEncKeyByUserId(userId, knex);
-
-  if (!user || !user.publicKey) {
-    throw new Error("User not found");
-  }
-
-  const [projectAdmin] = assignWorkspaceKeysToMembers({
-    decryptKey: latestKey,
-    userPrivateKey: encKeys.plainPrivateKey,
-    members: [
-      {
-        userPublicKey: user.publicKey,
-        orgMembershipId: userOrgMembershipId
-      }
-    ]
-  });
-
-  // Create a membership for the user
-  const userProjectMembership = await projectMembershipDAL.create(
-    {
-      projectId,
-      userId: user.id
-    },
-    knex
-  );
-  await projectUserMembershipRoleDAL.create(
-    { projectMembershipId: userProjectMembership.id, role: ProjectMembershipRole.Admin },
-    knex
-  );
-
-  // Create a project key for the user
-  await projectKeyDAL.create(
-    {
-      encryptedKey: projectAdmin.workspaceEncryptedKey,
-      nonce: projectAdmin.workspaceEncryptedNonce,
-      senderId: ghostUser.id,
-      receiverId: user.id,
-      projectId
-    },
-    knex
-  );
-
-  return {
-    user: ghostUser,
-    keys: encKeys
-  };
-};
-
 export async function seed(knex: Knex): Promise<void> {
   // Deletes ALL existing entries
   await knex(TableName.Project).del();
   await knex(TableName.Environment).del();
   await knex(TableName.SecretFolder).del();
 
-  initLogger();
-
-  const superAdminDAL = superAdminDALFactory(knex);
-  await initEnvConfig(superAdminDAL, logger);
-
   const [project] = await knex(TableName.Project)
     .insert({
       name: seedData1.project.name,
@@ -195,24 +29,29 @@ export async function seed(knex: Knex): Promise<void> {
     })
     .returning("*");
 
-  const userOrgMembership = await knex(TableName.OrgMembership)
-    .where({
-      orgId: seedData1.organization.id,
+  const projectMembership = await knex(TableName.ProjectMembership)
+    .insert({
+      projectId: project.id,
       userId: seedData1.id
     })
-    .first();
+    .returning("*");
+  await knex(TableName.ProjectUserMembershipRole).insert({
+    role: ProjectMembershipRole.Admin,
+    projectMembershipId: projectMembership[0].id
+  });
 
-  if (!userOrgMembership) {
-    throw new Error("User org membership not found");
-  }
   const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();
   if (!user) throw new Error("User not found");
 
-  if (!user.publicKey) {
-    throw new Error("User public key not found");
-  }
-
-  await createUserWithGhostUser(seedData1.organization.id, project.id, seedData1.id, userOrgMembership.id, knex);
+  const userPrivateKey = await getUserPrivateKey(seedData1.password, user);
+  const projectKey = buildUserProjectKey(userPrivateKey, user.publicKey);
+  await knex(TableName.ProjectKeys).insert({
+    projectId: project.id,
+    nonce: projectKey.nonce,
+    encryptedKey: projectKey.ciphertext,
+    receiverId: seedData1.id,
+    senderId: seedData1.id
+  });
 
   // create default environments and default folders
   const envs = await knex(TableName.Environment)

backend/src/db/seeds/5-machine-identity.ts

@@ -1,9 +1,6 @@
 import { Knex } from "knex";
 
-import { initEnvConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { initLogger, logger } from "@app/lib/logger";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";
@@ -13,11 +10,6 @@ export async function seed(knex: Knex): Promise<void> {
   await knex(TableName.Identity).del();
   await knex(TableName.IdentityOrgMembership).del();
 
-  initLogger();
-
-  const superAdminDAL = superAdminDALFactory(knex);
-  await initEnvConfig(superAdminDAL, logger);
-
   // Inserts seed entries
   await knex(TableName.Identity).insert([
     {

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -3,32 +3,12 @@ import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { ms } from "@app/lib/ms";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
-const maxTimePeriodSchema = z
-  .string()
-  .trim()
-  .nullish()
-  .transform((val, ctx) => {
-    if (val === undefined) return undefined;
-    if (!val || val === "permanent") return null;
-    const parsedMs = ms(val);
-
-    if (typeof parsedMs !== "number" || parsedMs <= 0) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
-      });
-      return z.NEVER;
-    }
-    return val;
-  });
-
 export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/",
@@ -37,67 +17,52 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .min(1, { message: "Secret path cannot be empty" })
-            .transform(removeTrailingSlash),
-          environment: z.string().optional(),
-          environments: z.string().array().optional(),
-          approvers: z
-            .discriminatedUnion("type", [
-              z.object({
-                type: z.literal(ApproverType.Group),
-                id: z.string(),
-                sequence: z.number().int().default(1)
-              }),
-              z.object({
-                type: z.literal(ApproverType.User),
-                id: z.string().optional(),
-                username: z.string().optional(),
-                sequence: z.number().int().default(1)
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 approvers")
-            .min(1, { message: "At least one approver should be provided" })
-            .refine(
-              // @ts-expect-error this is ok
-              (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
-              "Must provide either username or id"
-            ),
-          bypassers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(BypasserType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 bypassers")
-            .optional(),
-          approvalsRequired: z
-            .object({
-              numberOfApprovals: z.number().int(),
-              stepNumber: z.number().int()
+      body: z.object({
+        projectSlug: z.string().trim(),
+        name: z.string().optional(),
+        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
+        environment: z.string(),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({
+              type: z.literal(ApproverType.Group),
+              id: z.string(),
+              sequence: z.number().int().default(1)
+            }),
+            z.object({
+              type: z.literal(ApproverType.User),
+              id: z.string().optional(),
+              username: z.string().optional(),
+              sequence: z.number().int().default(1)
             })
-            .array()
-            .optional(),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true),
-          maxTimePeriod: maxTimePeriodSchema
-        })
-        .refine(
-          (val) => Boolean(val.environment) || Boolean(val.environments),
-          "Must provide either environment or environments"
-        ),
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 approvers")
+          .min(1, { message: "At least one approver should be provided" })
+          .refine(
+            // @ts-expect-error this is ok
+            (el) => el.every((i) => Boolean(i?.id) || Boolean(i?.username)),
+            "Must provide either username or id"
+          ),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
+        approvalsRequired: z
+          .object({
+            numberOfApprovals: z.number().int(),
+            stepNumber: z.number().int()
+          })
+          .array()
+          .optional(),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -113,8 +78,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name:
-          req.body.name ?? `${req.body.environment || req.body.environments?.join("-").substring(0, 250)}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -145,8 +109,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
                 .array()
                 .nullable()
                 .optional(),
-              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array(),
-              maxTimePeriod: z.string().nullable().optional()
+              bypassers: z.object({ type: z.nativeEnum(BypasserType), id: z.string().nullable().optional() }).array()
             })
             .array()
             .nullable()
@@ -248,15 +211,13 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).optional(),
         enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
         allowedSelfApprovals: z.boolean().default(true),
-        environments: z.array(z.string()).optional(),
         approvalsRequired: z
           .object({
             numberOfApprovals: z.number().int(),
             stepNumber: z.number().int()
           })
           .array()
-          .optional(),
-        maxTimePeriod: maxTimePeriodSchema
+          .optional()
       }),
       response: {
         200: z.object({
@@ -337,8 +298,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
               })
               .array()
               .nullable()
-              .optional(),
-            maxTimePeriod: z.string().nullable().optional()
+              .optional()
           })
         })
       }

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
-import { ms } from "@app/lib/ms";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -27,23 +26,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
       body: z.object({
         permissions: z.any().array(),
         isTemporary: z.boolean(),
-        temporaryRange: z
-          .string()
-          .optional()
-          .transform((val, ctx) => {
-            if (!val || val === "permanent") return undefined;
-
-            const parsedMs = ms(val);
-
-            if (typeof parsedMs !== "number" || parsedMs <= 0) {
-              ctx.addIssue({
-                code: z.ZodIssueCode.custom,
-                message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
-              });
-              return z.NEVER;
-            }
-            return val;
-          }),
+        temporaryRange: z.string().optional(),
         note: z.string().max(255).optional()
       }),
       querystring: z.object({
@@ -145,8 +128,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               envId: z.string(),
               enforcementLevel: z.string(),
               deletedAt: z.date().nullish(),
-              allowedSelfApprovals: z.boolean(),
-              maxTimePeriod: z.string().nullable().optional()
+              allowedSelfApprovals: z.boolean()
             }),
             reviewers: z
               .object({
@@ -207,47 +189,4 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
       return { review };
     }
   });
-
-  server.route({
-    url: "/:requestId",
-    method: "PATCH",
-    schema: {
-      params: z.object({
-        requestId: z.string().trim()
-      }),
-      body: z.object({
-        temporaryRange: z.string().transform((val, ctx) => {
-          const parsedMs = ms(val);
-
-          if (typeof parsedMs !== "number" || parsedMs <= 0) {
-            ctx.addIssue({
-              code: z.ZodIssueCode.custom,
-              message: "Invalid time period format or value. Must be a positive duration (e.g., '1h', '30m', '2d')."
-            });
-            return z.NEVER;
-          }
-          return val;
-        }),
-        editNote: z.string().max(255)
-      }),
-      response: {
-        200: z.object({
-          approval: AccessApprovalRequestsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { request } = await server.services.accessApprovalRequest.updateAccessApprovalRequest({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        temporaryRange: req.body.temporaryRange,
-        editNote: req.body.editNote,
-        requestId: req.params.requestId
-      });
-      return { approval: request };
-    }
-  });
 };

backend/src/ee/routes/v1/identity-template-router.ts

@@ -1,391 +0,0 @@
-import { z } from "zod";
-
-import { IdentityAuthTemplatesSchema } from "@app/db/schemas/identity-auth-templates";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import {
-  IdentityAuthTemplateMethod,
-  TEMPLATE_SUCCESS_MESSAGES,
-  TEMPLATE_VALIDATION_MESSAGES
-} from "@app/ee/services/identity-auth-template/identity-auth-template-enums";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const ldapTemplateFieldsSchema = z.object({
-  url: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.URL_REQUIRED),
-  bindDN: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.BIND_DN_REQUIRED),
-  bindPass: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.BIND_PASSWORD_REQUIRED),
-  searchBase: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.LDAP.SEARCH_BASE_REQUIRED),
-  ldapCaCertificate: z.string().trim().optional()
-});
-
-export const registerIdentityTemplateRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Create identity auth template",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        name: z
-          .string()
-          .trim()
-          .min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_REQUIRED)
-          .max(64, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_MAX_LENGTH),
-        authMethod: z.nativeEnum(IdentityAuthTemplateMethod),
-        templateFields: ldapTemplateFieldsSchema
-      }),
-      response: {
-        200: IdentityAuthTemplatesSchema.extend({
-          templateFields: z.record(z.string(), z.unknown())
-        })
-      }
-    },
-    handler: async (req) => {
-      const template = await server.services.identityAuthTemplate.createTemplate({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        name: req.body.name,
-        authMethod: req.body.authMethod,
-        templateFields: req.body.templateFields
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_CREATE,
-          metadata: {
-            templateId: template.id,
-            name: template.name
-          }
-        }
-      });
-
-      return template;
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:templateId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Update identity auth template",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        templateId: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_ID_REQUIRED)
-      }),
-      body: z.object({
-        name: z
-          .string()
-          .trim()
-          .min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_REQUIRED)
-          .max(64, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_NAME_MAX_LENGTH)
-          .optional(),
-        templateFields: ldapTemplateFieldsSchema.partial().optional()
-      }),
-      response: {
-        200: IdentityAuthTemplatesSchema.extend({
-          templateFields: z.record(z.string(), z.unknown())
-        })
-      }
-    },
-    handler: async (req) => {
-      const template = await server.services.identityAuthTemplate.updateTemplate({
-        templateId: req.params.templateId,
-        name: req.body.name,
-        templateFields: req.body.templateFields,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_UPDATE,
-          metadata: {
-            templateId: template.id,
-            name: template.name
-          }
-        }
-      });
-
-      return template;
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:templateId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Delete identity auth template",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        templateId: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_ID_REQUIRED)
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    handler: async (req) => {
-      const template = await server.services.identityAuthTemplate.deleteTemplate({
-        templateId: req.params.templateId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_DELETE,
-          metadata: {
-            templateId: template.id,
-            name: template.name
-          }
-        }
-      });
-
-      return { message: TEMPLATE_SUCCESS_MESSAGES.DELETED };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:templateId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Get identity auth template by ID",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        templateId: z.string().min(1, TEMPLATE_VALIDATION_MESSAGES.TEMPLATE_ID_REQUIRED)
-      }),
-      response: {
-        200: IdentityAuthTemplatesSchema.extend({
-          templateFields: ldapTemplateFieldsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const template = await server.services.identityAuthTemplate.getTemplate({
-        templateId: req.params.templateId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return template;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/search",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "List identity auth templates",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      querystring: z.object({
-        limit: z.coerce.number().positive().max(100).default(5).optional(),
-        offset: z.coerce.number().min(0).default(0).optional(),
-        search: z.string().optional()
-      }),
-      response: {
-        200: z.object({
-          templates: IdentityAuthTemplatesSchema.extend({
-            templateFields: ldapTemplateFieldsSchema
-          }).array(),
-          totalCount: z.number()
-        })
-      }
-    },
-    handler: async (req) => {
-      const { templates, totalCount } = await server.services.identityAuthTemplate.listTemplates({
-        limit: req.query.limit,
-        offset: req.query.offset,
-        search: req.query.search,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return { templates, totalCount };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Get identity auth templates by authentication method",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      querystring: z.object({
-        authMethod: z.nativeEnum(IdentityAuthTemplateMethod)
-      }),
-      response: {
-        200: IdentityAuthTemplatesSchema.extend({
-          templateFields: ldapTemplateFieldsSchema
-        }).array()
-      }
-    },
-    handler: async (req) => {
-      const templates = await server.services.identityAuthTemplate.getTemplatesByAuthMethod({
-        authMethod: req.query.authMethod,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return templates;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:templateId/usage",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Get template usage by template ID",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        templateId: z.string()
-      }),
-      response: {
-        200: z
-          .object({
-            identityId: z.string(),
-            identityName: z.string()
-          })
-          .array()
-      }
-    },
-    handler: async (req) => {
-      const templates = await server.services.identityAuthTemplate.findTemplateUsages({
-        templateId: req.params.templateId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return templates;
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/:templateId/delete-usage",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      hide: false,
-      description: "Unlink identity auth template usage",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        templateId: z.string()
-      }),
-      body: z.object({
-        identityIds: z.string().array()
-      }),
-      response: {
-        200: z
-          .object({
-            authId: z.string(),
-            identityId: z.string(),
-            identityName: z.string()
-          })
-          .array()
-      }
-    },
-    handler: async (req) => {
-      const templates = await server.services.identityAuthTemplate.unlinkTemplateUsage({
-        templateId: req.params.templateId,
-        identityIds: req.body.identityIds,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      return templates;
-    }
-  });
-};

backend/src/ee/routes/v1/index.ts

@@ -13,7 +13,6 @@ import { registerGatewayRouter } from "./gateway-router";
 import { registerGithubOrgSyncRouter } from "./github-org-sync-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
-import { registerIdentityTemplateRouter } from "./identity-template-router";
 import { registerKmipRouter } from "./kmip-router";
 import { registerKmipSpecRouter } from "./kmip-spec-router";
 import { registerLdapRouter } from "./ldap-router";
@@ -126,7 +125,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerExternalKmsRouter, {
     prefix: "/external-kms"
   });
-  await server.register(registerIdentityTemplateRouter, { prefix: "/identity-templates" });
 
   await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
 

backend/src/ee/routes/v1/ldap-router.ts

@@ -379,17 +379,14 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
 
   server.route({
     method: "POST",
-    url: "/config/test-connection",
+    url: "/config/:configId/test-connection",
     config: {
       rateLimit: readLimit
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
-      body: z.object({
-        url: z.string().trim(),
-        bindDN: z.string().trim(),
-        bindPass: z.string().trim(),
-        caCert: z.string().trim()
+      params: z.object({
+        configId: z.string().trim()
       }),
       response: {
         200: z.boolean()
@@ -402,9 +399,8 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         orgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        ...req.body
+        ldapConfigId: req.params.configId
       });
-
       return result;
     }
   });

backend/src/ee/routes/v1/pit-router.ts

@@ -3,14 +3,11 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { isValidFolderName } from "@app/lib/validator";
-import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
-import { SecretNameSchema } from "@app/server/lib/schemas";
+import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const commitHistoryItemSchema = z.object({
   id: z.string(),
@@ -416,166 +413,4 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
       return result;
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/batch/commit",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      hide: true,
-      description: "Commit changes",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        message: z
-          .string()
-          .trim()
-          .min(1)
-          .max(255)
-          .refine((message) => message.trim() !== "", {
-            message: "Commit message cannot be empty"
-          }),
-        changes: z.object({
-          secrets: z.object({
-            create: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema,
-                  secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
-                  secretComment: z.string().trim().optional().default(""),
-                  skipMultilineEncoding: z.boolean().optional(),
-                  metadata: z.record(z.string()).optional(),
-                  secretMetadata: ResourceMetadataSchema.optional(),
-                  tagIds: z.string().array().optional()
-                })
-              )
-              .optional(),
-            update: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema,
-                  newSecretName: SecretNameSchema.optional(),
-                  secretValue: z
-                    .string()
-                    .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
-                    .optional(),
-                  secretComment: z.string().trim().optional().default(""),
-                  skipMultilineEncoding: z.boolean().optional(),
-                  metadata: z.record(z.string()).optional(),
-                  secretMetadata: ResourceMetadataSchema.optional(),
-                  tagIds: z.string().array().optional()
-                })
-              )
-              .optional(),
-            delete: z
-              .array(
-                z.object({
-                  secretKey: SecretNameSchema
-                })
-              )
-              .optional()
-          }),
-          folders: z.object({
-            create: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  description: z.string().optional()
-                })
-              )
-              .optional(),
-            update: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  description: z.string().nullable().optional(),
-                  id: z.string()
-                })
-              )
-              .optional(),
-            delete: z
-              .array(
-                z.object({
-                  folderName: z
-                    .string()
-                    .trim()
-                    .refine((name) => isValidFolderName(name), {
-                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-                    }),
-                  id: z.string()
-                })
-              )
-              .optional()
-          })
-        })
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const result = await server.services.pit.processNewCommitRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        projectId: req.body.projectId,
-        environment: req.body.environment,
-        secretPath: req.body.secretPath,
-        message: req.body.message,
-        changes: {
-          secrets: req.body.changes.secrets,
-          folders: req.body.changes.folders
-        }
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: req.body.projectId,
-        event: {
-          type: EventType.PIT_PROCESS_NEW_COMMIT_RAW,
-          metadata: {
-            commitId: result.commitId,
-            approvalId: result.approvalId,
-            projectId: req.body.projectId,
-            environment: req.body.environment,
-            secretPath: req.body.secretPath,
-            message: req.body.message
-          }
-        }
-      });
-
-      for await (const event of result.secretMutationEvents) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          orgId: req.permission.orgId,
-          projectId: req.body.projectId,
-          event
-        });
-      }
-
-      return { message: "success" };
-    }
-  });
 };

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
+import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
 import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
@@ -104,9 +104,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
       hide: false,
       tags: [ApiDocsTags.ProjectTemplates],
       description: "List project templates for the current organization.",
-      querystring: z.object({
-        type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
-      }),
       response: {
         200: z.object({
           projectTemplates: SanitizedProjectTemplateSchema.array()
@@ -115,10 +112,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(
-        req.permission,
-        req.query.type
-      );
+      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
 
       const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
 
@@ -197,7 +191,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
           .describe(ProjectTemplates.CREATE.name),
         description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
         roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
-        type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
         environments: ProjectTemplateEnvironmentsSchema.describe(ProjectTemplates.CREATE.environments).optional()
       }),
       response: {

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -17,45 +17,34 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       rateLimit: writeLimit
     },
     schema: {
-      body: z
-        .object({
-          workspaceId: z.string(),
-          name: z.string().optional(),
-          environment: z.string().optional(),
-          environments: z.string().array().optional(),
-          secretPath: z
-            .string()
-            .min(1, { message: "Secret path cannot be empty" })
-            .transform((val) => removeTrailingSlash(val)),
-          approvers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(ApproverType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .min(1, { message: "At least one approver should be provided" })
-            .max(100, "Cannot have more than 100 approvers"),
-          bypassers: z
-            .discriminatedUnion("type", [
-              z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
-              z.object({
-                type: z.literal(BypasserType.User),
-                id: z.string().optional(),
-                username: z.string().optional()
-              })
-            ])
-            .array()
-            .max(100, "Cannot have more than 100 bypassers")
-            .optional(),
-          approvals: z.number().min(1).default(1),
-          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
-          allowedSelfApprovals: z.boolean().default(true)
-        })
-        .refine((data) => data.environment || data.environments, "At least one environment should be provided"),
+      body: z.object({
+        workspaceId: z.string(),
+        name: z.string().optional(),
+        environment: z.string(),
+        secretPath: z
+          .string()
+          .min(1, { message: "Secret path cannot be empty" })
+          .transform((val) => removeTrailingSlash(val)),
+        approvers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
+            z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .min(1, { message: "At least one approver should be provided" })
+          .max(100, "Cannot have more than 100 approvers"),
+        bypassers: z
+          .discriminatedUnion("type", [
+            z.object({ type: z.literal(BypasserType.Group), id: z.string() }),
+            z.object({ type: z.literal(BypasserType.User), id: z.string().optional(), username: z.string().optional() })
+          ])
+          .array()
+          .max(100, "Cannot have more than 100 bypassers")
+          .optional(),
+        approvals: z.number().min(1).default(1),
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
+      }),
       response: {
         200: z.object({
           approval: sapPubSchema
@@ -71,7 +60,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment || req.body.environments?.join(",")}-${nanoid(3)}`,
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
         enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
@@ -114,8 +103,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           .optional()
           .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
-        allowedSelfApprovals: z.boolean().default(true),
-        environments: z.array(z.string()).optional()
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -6,7 +6,6 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
-import { registerOktaClientSecretRotationRouter } from "./okta-client-secret-rotation-router";
 import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -23,6 +22,5 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
-  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
-  [SecretRotation.OktaClientSecret]: registerOktaClientSecretRotationRouter
+  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/okta-client-secret-rotation-router.ts

@@ -1,19 +0,0 @@
-import {
-  CreateOktaClientSecretRotationSchema,
-  OktaClientSecretRotationGeneratedCredentialsSchema,
-  OktaClientSecretRotationSchema,
-  UpdateOktaClientSecretRotationSchema
-} from "@app/ee/services/secret-rotation-v2/okta-client-secret";
-import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
-
-import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
-
-export const registerOktaClientSecretRotationRouter = async (server: FastifyZodProvider) =>
-  registerSecretRotationEndpoints({
-    type: SecretRotation.OktaClientSecret,
-    server,
-    responseSchema: OktaClientSecretRotationSchema,
-    createSchema: CreateOktaClientSecretRotationSchema,
-    updateSchema: UpdateOktaClientSecretRotationSchema,
-    generatedCredentialsSchema: OktaClientSecretRotationGeneratedCredentialsSchema
-  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-endpoints.ts

@@ -315,12 +315,10 @@ export const registerSecretRotationEndpoints = <
       querystring: z.object({
         deleteSecrets: z
           .enum(["true", "false"])
-          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).deleteSecrets),
         revokeGeneratedCredentials: z
           .enum(["true", "false"])
-          .optional()
           .transform((value) => value === "true")
           .describe(SecretRotations.DELETE(type).revokeGeneratedCredentials)
       }),

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -7,7 +7,6 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
-import { OktaClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -24,8 +23,7 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,
-  LdapPasswordRotationListItemSchema,
-  OktaClientSecretRotationListItemSchema
+  LdapPasswordRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router.ts

@@ -1,16 +0,0 @@
-import { registerSecretScanningEndpoints } from "@app/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-endpoints";
-import {
-  CreateGitLabDataSourceSchema,
-  GitLabDataSourceSchema,
-  UpdateGitLabDataSourceSchema
-} from "@app/ee/services/secret-scanning-v2/gitlab";
-import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
-
-export const registerGitLabSecretScanningRouter = async (server: FastifyZodProvider) =>
-  registerSecretScanningEndpoints({
-    type: SecretScanningDataSource.GitLab,
-    server,
-    responseSchema: GitLabDataSourceSchema,
-    createSchema: CreateGitLabDataSourceSchema,
-    updateSchema: UpdateGitLabDataSourceSchema
-  });

backend/src/ee/routes/v2/secret-scanning-v2-routers/index.ts

@@ -1,4 +1,3 @@
-import { registerGitLabSecretScanningRouter } from "@app/ee/routes/v2/secret-scanning-v2-routers/gitlab-secret-scanning-router";
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 
 import { registerBitbucketSecretScanningRouter } from "./bitbucket-secret-scanning-router";
@@ -11,6 +10,5 @@ export const SECRET_SCANNING_REGISTER_ROUTER_MAP: Record<
   (server: FastifyZodProvider) => Promise<void>
 > = {
   [SecretScanningDataSource.GitHub]: registerGitHubSecretScanningRouter,
-  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter,
-  [SecretScanningDataSource.GitLab]: registerGitLabSecretScanningRouter
+  [SecretScanningDataSource.Bitbucket]: registerBitbucketSecretScanningRouter
 };

backend/src/ee/routes/v2/secret-scanning-v2-routers/secret-scanning-v2-router.ts

@@ -4,7 +4,6 @@ import { SecretScanningConfigsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { BitbucketDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/bitbucket";
 import { GitHubDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/github";
-import { GitLabDataSourceListItemSchema } from "@app/ee/services/secret-scanning-v2/gitlab";
 import {
   SecretScanningFindingStatus,
   SecretScanningScanStatus
@@ -25,8 +24,7 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const SecretScanningDataSourceOptionsSchema = z.discriminatedUnion("type", [
   GitHubDataSourceListItemSchema,
-  BitbucketDataSourceListItemSchema,
-  GitLabDataSourceListItemSchema
+  BitbucketDataSourceListItemSchema
 ]);
 
 export const registerSecretScanningV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -26,7 +26,6 @@ export interface TAccessApprovalPolicyDALFactory
     >,
     customFilter?: {
       policyId?: string;
-      envId?: string;
     },
     tx?: Knex
   ) => Promise<
@@ -56,7 +55,11 @@ export interface TAccessApprovalPolicyDALFactory
       allowedSelfApprovals: boolean;
       secretPath: string;
       deletedAt?: Date | null | undefined;
-      maxTimePeriod?: string | null;
+      environment: {
+        id: string;
+        name: string;
+        slug: string;
+      };
       projectId: string;
       bypassers: (
         | {
@@ -69,11 +72,6 @@ export interface TAccessApprovalPolicyDALFactory
             type: BypasserType.Group;
           }
       )[];
-      environments: {
-        id: string;
-        name: string;
-        slug: string;
-      }[];
     }[]
   >;
   findById: (
@@ -97,12 +95,11 @@ export interface TAccessApprovalPolicyDALFactory
         allowedSelfApprovals: boolean;
         secretPath: string;
         deletedAt?: Date | null | undefined;
-        maxTimePeriod?: string | null;
-        environments: {
+        environment: {
           id: string;
           name: string;
           slug: string;
-        }[];
+        };
         projectId: string;
       }
     | undefined
@@ -143,30 +140,9 @@ export interface TAccessApprovalPolicyDALFactory
         allowedSelfApprovals: boolean;
         secretPath: string;
         deletedAt?: Date | null | undefined;
-        maxTimePeriod?: string | null;
       }
     | undefined
   >;
-  findPolicyByEnvIdAndSecretPath: (
-    { envIds, secretPath }: { envIds: string[]; secretPath: string },
-    tx?: Knex
-  ) => Promise<{
-    name: string;
-    id: string;
-    createdAt: Date;
-    updatedAt: Date;
-    approvals: number;
-    enforcementLevel: string;
-    allowedSelfApprovals: boolean;
-    secretPath: string;
-    deletedAt?: Date | null | undefined;
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
-    projectId: string;
-  }>;
 }
 
 export interface TAccessApprovalPolicyServiceFactory {
@@ -391,7 +367,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
     customFilter?: {
       policyId?: string;
-      envId?: string;
     }
   ) => {
     const result = await tx(TableName.AccessApprovalPolicy)
@@ -402,17 +377,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
         }
       })
-      .join(
-        TableName.AccessApprovalPolicyEnvironment,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
-      )
-      .join(TableName.Environment, `${TableName.AccessApprovalPolicyEnvironment}.envId`, `${TableName.Environment}.id`)
-      .where((qb) => {
-        if (customFilter?.envId) {
-          void qb.where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", customFilter.envId);
-        }
-      })
+      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .leftJoin(
         TableName.AccessApprovalPolicyApprover,
         `${TableName.AccessApprovalPolicy}.id`,
@@ -439,7 +404,7 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
       .select(tx.ref("bypasserGroupId").withSchema(TableName.AccessApprovalPolicyBypasser))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("environmentId"))
+      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
       .select(tx.ref("projectId").withSchema(TableName.Environment))
       .select(selectAllTableCols(TableName.AccessApprovalPolicy));
 
@@ -483,15 +448,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               sequence: approverSequence,
               approvalsRequired
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -514,6 +470,11 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
         data: docs,
         key: "id",
         parentMapper: (data) => ({
+          environment: {
+            id: data.envId,
+            name: data.envName,
+            slug: data.envSlug
+          },
           projectId: data.projectId,
           ...AccessApprovalPoliciesSchema.parse(data)
           // secretPath: data.secretPath || undefined,
@@ -556,15 +517,6 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
               id,
               type: BypasserType.Group as const
             })
-          },
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
           }
         ]
       });
@@ -593,20 +545,14 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
           // eslint-disable-next-line @typescript-eslint/no-misused-promises
           buildFindFilter(
             {
+              envId,
               secretPath
             },
             TableName.AccessApprovalPolicy
           )
         )
-        .join(
-          TableName.AccessApprovalPolicyEnvironment,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .where(`${TableName.AccessApprovalPolicyEnvironment}.envId`, "=", envId)
         .orderBy("deletedAt", "desc")
         .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
         .first();
 
       return result;
@@ -615,81 +561,5 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient): TAccessApprovalPo
     }
   };
 
-  const findPolicyByEnvIdAndSecretPath: TAccessApprovalPolicyDALFactory["findPolicyByEnvIdAndSecretPath"] = async (
-    { envIds, secretPath },
-    tx
-  ) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicy)
-        .join(
-          TableName.AccessApprovalPolicyEnvironment,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .join(
-          TableName.Environment,
-          `${TableName.AccessApprovalPolicyEnvironment}.envId`,
-          `${TableName.Environment}.id`
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              $in: {
-                envId: envIds
-              }
-            },
-            TableName.AccessApprovalPolicyEnvironment
-          )
-        )
-        .where(
-          // eslint-disable-next-line @typescript-eslint/no-misused-promises
-          buildFindFilter(
-            {
-              secretPath
-            },
-            TableName.AccessApprovalPolicy
-          )
-        )
-        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
-        .orderBy("deletedAt", "desc")
-        .orderByRaw(`"deletedAt" IS NULL`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicy))
-        .select(db.ref("name").withSchema(TableName.Environment).as("envName"))
-        .select(db.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-        .select(db.ref("id").withSchema(TableName.Environment).as("environmentId"))
-        .select(db.ref("projectId").withSchema(TableName.Environment));
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          projectId: data.projectId,
-          ...AccessApprovalPoliciesSchema.parse(data)
-        }),
-        childrenMapper: [
-          {
-            key: "environmentId",
-            label: "environments" as const,
-            mapper: ({ environmentId: id, envName, envSlug }) => ({
-              id,
-              name: envName,
-              slug: envSlug
-            })
-          }
-        ]
-      });
-      return formattedDocs?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findPolicyByEnvIdAndSecretPath" });
-    }
-  };
-
-  return {
-    ...accessApprovalPolicyOrm,
-    find,
-    findById,
-    softDeleteById,
-    findLastValidPolicy,
-    findPolicyByEnvIdAndSecretPath
-  };
+  return { ...accessApprovalPolicyOrm, find, findById, softDeleteById, findLastValidPolicy };
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-environment-dal.ts

@@ -1,32 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyEnvironmentDALFactory = ReturnType<typeof accessApprovalPolicyEnvironmentDALFactory>;
-
-export const accessApprovalPolicyEnvironmentDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyEnvironmentOrm = ormify(db, TableName.AccessApprovalPolicyEnvironment);
-
-  const findAvailablePoliciesByEnvId = async (envId: string, tx?: Knex) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.AccessApprovalPolicyEnvironment)
-        .join(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalPolicyEnvironment}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter({ envId }, TableName.AccessApprovalPolicyEnvironment))
-        .whereNull(`${TableName.AccessApprovalPolicy}.deletedAt`)
-        .select(selectAllTableCols(TableName.AccessApprovalPolicyEnvironment));
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "findAvailablePoliciesByEnvId" });
-    }
-  };
-
-  return { ...accessApprovalPolicyEnvironmentOrm, findAvailablePoliciesByEnvId };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -21,7 +20,6 @@ import {
   TAccessApprovalPolicyBypasserDALFactory
 } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { TAccessApprovalPolicyEnvironmentDALFactory } from "./access-approval-policy-environment-dal";
 import {
   ApproverType,
   BypasserType,
@@ -46,14 +44,12 @@ type TAccessApprovalPolicyServiceFactoryDep = {
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "delete">;
   accessApprovalRequestReviewerDAL: Pick<TAccessApprovalRequestReviewerDALFactory, "update" | "delete">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find">;
-  accessApprovalPolicyEnvironmentDAL: TAccessApprovalPolicyEnvironmentDALFactory;
 };
 
 export const accessApprovalPolicyServiceFactory = ({
   accessApprovalPolicyDAL,
   accessApprovalPolicyApproverDAL,
   accessApprovalPolicyBypasserDAL,
-  accessApprovalPolicyEnvironmentDAL,
   groupDAL,
   permissionService,
   projectEnvDAL,
@@ -66,22 +62,21 @@ export const accessApprovalPolicyServiceFactory = ({
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
   const $policyExists = async ({
     envId,
-    envIds,
     secretPath,
     policyId
   }: {
-    envId?: string;
-    envIds?: string[];
+    envId: string;
     secretPath: string;
     policyId?: string;
   }) => {
-    if (!envId && !envIds) {
-      throw new BadRequestError({ message: "Must provide either envId or envIds" });
-    }
-    const policy = await accessApprovalPolicyDAL.findPolicyByEnvIdAndSecretPath({
-      secretPath,
-      envIds: envId ? [envId] : (envIds as string[])
-    });
+    const policy = await accessApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
     return policyId ? policy && policy.id !== policyId : Boolean(policy);
   };
 
@@ -97,11 +92,9 @@ export const accessApprovalPolicyServiceFactory = ({
     bypassers,
     projectSlug,
     environment,
-    environments,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    maxTimePeriod
+    approvalsRequired
   }) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
@@ -123,31 +116,20 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
-    const mergedEnvs = (environment ? [environment] : environments) || [];
-    if (mergedEnvs.length === 0) {
-      throw new BadRequestError({ message: "Must provide either environment or environments" });
-    }
-    const envs = await projectEnvDAL.find({ $in: { slug: mergedEnvs }, projectId: project.id });
-    if (!envs.length || envs.length !== mergedEnvs.length) {
-      const notFoundEnvs = mergedEnvs.filter((env) => !envs.find((el) => el.slug === env));
-      throw new NotFoundError({ message: `One or more environments not found: ${notFoundEnvs.join(", ")}` });
-    }
+    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
+    if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
-    for (const env of envs) {
-      // eslint-disable-next-line no-await-in-loop
-      if (await $policyExists({ envId: env.id, secretPath })) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
     }
 
     let approverUserIds = userApprovers;
@@ -215,20 +197,15 @@ export const accessApprovalPolicyServiceFactory = ({
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
-          envId: envs[0].id,
+          envId: env.id,
           approvals,
           secretPath,
           name,
           enforcementLevel,
-          allowedSelfApprovals,
-          maxTimePeriod
+          allowedSelfApprovals
         },
         tx
       );
-      await accessApprovalPolicyEnvironmentDAL.insertMany(
-        envs.map((el) => ({ policyId: doc.id, envId: el.id })),
-        tx
-      );
 
       if (approverUserIds.length) {
         await accessApprovalPolicyApproverDAL.insertMany(
@@ -281,7 +258,7 @@ export const accessApprovalPolicyServiceFactory = ({
       return doc;
     });
 
-    return { ...accessApproval, environments: envs, projectId: project.id, environment: envs[0] };
+    return { ...accessApproval, environment: env, projectId: project.id };
   };
 
   const getAccessApprovalPolicyByProjectSlug: TAccessApprovalPolicyServiceFactory["getAccessApprovalPolicyByProjectSlug"] =
@@ -295,15 +272,11 @@ export const accessApprovalPolicyServiceFactory = ({
         actorId,
         projectId: project.id,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
       });
 
       const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
-      return accessApprovalPolicies.map((policy) => ({
-        ...policy,
-        environment: policy.environments[0]
-      }));
+      return accessApprovalPolicies;
     };
 
   const updateAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["updateAccessApprovalPolicy"] = async ({
@@ -319,9 +292,7 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    environments,
-    maxTimePeriod
+    approvalsRequired
   }: TUpdateAccessApprovalPolicy) => {
     const groupApprovers = approvers.filter((approver) => approver.type === ApproverType.Group);
 
@@ -349,27 +320,16 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    let envs = accessApprovalPolicy.environments;
     if (
-      environments &&
-      (environments.length !== envs.length || environments.some((env) => !envs.find((el) => el.slug === env)))
+      await $policyExists({
+        envId: accessApprovalPolicy.envId,
+        secretPath: secretPath || accessApprovalPolicy.secretPath,
+        policyId: accessApprovalPolicy.id
+      })
     ) {
-      envs = await projectEnvDAL.find({ $in: { slug: environments }, projectId: accessApprovalPolicy.projectId });
-    }
-
-    for (const env of envs) {
-      if (
-        // eslint-disable-next-line no-await-in-loop
-        await $policyExists({
-          envId: env.id,
-          secretPath: secretPath || accessApprovalPolicy.secretPath,
-          policyId: accessApprovalPolicy.id
-        })
-      ) {
-        throw new BadRequestError({
-          message: `A policy for secret path '${secretPath || accessApprovalPolicy.secretPath}' already exists in environment '${env.slug}'`
-        });
-      }
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
+      });
     }
 
     const { permission } = await permissionService.getProjectPermission({
@@ -377,8 +337,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
@@ -464,8 +423,7 @@ export const accessApprovalPolicyServiceFactory = ({
           secretPath,
           name,
           enforcementLevel,
-          allowedSelfApprovals,
-          maxTimePeriod
+          allowedSelfApprovals
         },
         tx
       );
@@ -526,14 +484,6 @@ export const accessApprovalPolicyServiceFactory = ({
         );
       }
 
-      if (environments) {
-        await accessApprovalPolicyEnvironmentDAL.delete({ policyId: doc.id }, tx);
-        await accessApprovalPolicyEnvironmentDAL.insertMany(
-          envs.map((env) => ({ policyId: doc.id, envId: env.id })),
-          tx
-        );
-      }
-
       await accessApprovalPolicyBypasserDAL.delete({ policyId: doc.id }, tx);
 
       if (bypasserUserIds.length) {
@@ -563,8 +513,7 @@ export const accessApprovalPolicyServiceFactory = ({
 
     return {
       ...updatedPolicy,
-      environments: accessApprovalPolicy.environments,
-      environment: accessApprovalPolicy.environments[0],
+      environment: accessApprovalPolicy.environment,
       projectId: accessApprovalPolicy.projectId
     };
   };
@@ -584,8 +533,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -615,10 +563,7 @@ export const accessApprovalPolicyServiceFactory = ({
       }
     });
 
-    return {
-      ...policy,
-      environment: policy.environments[0]
-    };
+    return policy;
   };
 
   const getAccessPolicyCountByEnvSlug: TAccessApprovalPolicyServiceFactory["getAccessPolicyCountByEnvSlug"] = async ({
@@ -638,8 +583,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -648,13 +592,11 @@ export const accessApprovalPolicyServiceFactory = ({
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
     if (!environment) throw new NotFoundError({ message: `Environment with slug '${envSlug}' not found` });
 
-    const policies = await accessApprovalPolicyDAL.find(
-      {
-        projectId: project.id,
-        deletedAt: null
-      },
-      { envId: environment.id }
-    );
+    const policies = await accessApprovalPolicyDAL.find({
+      envId: environment.id,
+      projectId: project.id,
+      deletedAt: null
+    });
     if (!policies) throw new NotFoundError({ message: `No policies found in environment with slug '${envSlug}'` });
 
     return { count: policies.length };
@@ -680,16 +622,12 @@ export const accessApprovalPolicyServiceFactory = ({
       actorId,
       projectId: policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
-    return {
-      ...policy,
-      environment: policy.environments[0]
-    };
+    return policy;
   };
 
   return {

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -26,8 +26,7 @@ export enum BypasserType {
 export type TCreateAccessApprovalPolicy = {
   approvals: number;
   secretPath: string;
-  environment?: string;
-  environments?: string[];
+  environment: string;
   approvers: (
     | { type: ApproverType.Group; id: string; sequence?: number }
     | { type: ApproverType.User; id?: string; username?: string; sequence?: number }
@@ -41,7 +40,6 @@ export type TCreateAccessApprovalPolicy = {
   enforcementLevel: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
-  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAccessApprovalPolicy = {
@@ -60,8 +58,6 @@ export type TUpdateAccessApprovalPolicy = {
   enforcementLevel?: EnforcementLevel;
   allowedSelfApprovals: boolean;
   approvalsRequired?: { numberOfApprovals: number; stepNumber: number }[];
-  environments?: string[];
-  maxTimePeriod?: string | null;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {
@@ -106,8 +102,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     environment,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    maxTimePeriod
+    approvalsRequired
   }: TCreateAccessApprovalPolicy) => Promise<{
     environment: {
       name: string;
@@ -118,15 +113,6 @@ export interface TAccessApprovalPolicyServiceFactory {
       slug: string;
       position: number;
     };
-    environments: {
-      name: string;
-      id: string;
-      createdAt: Date;
-      updatedAt: Date;
-      projectId: string;
-      slug: string;
-      position: number;
-    }[];
     projectId: string;
     name: string;
     id: string;
@@ -138,7 +124,6 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath: string;
     deletedAt?: Date | null | undefined;
-    maxTimePeriod?: string | null;
   }>;
   deleteAccessApprovalPolicy: ({
     policyId,
@@ -163,17 +148,11 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath: string;
     deletedAt?: Date | null | undefined;
-    maxTimePeriod?: string | null;
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
   }>;
   updateAccessApprovalPolicy: ({
@@ -189,20 +168,13 @@ export interface TAccessApprovalPolicyServiceFactory {
     approvals,
     enforcementLevel,
     allowedSelfApprovals,
-    approvalsRequired,
-    environments,
-    maxTimePeriod
+    approvalsRequired
   }: TUpdateAccessApprovalPolicy) => Promise<{
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
     name: string;
     id: string;
@@ -214,7 +186,6 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath?: string | null | undefined;
     deletedAt?: Date | null | undefined;
-    maxTimePeriod?: string | null;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
     actorId,
@@ -249,17 +220,11 @@ export interface TAccessApprovalPolicyServiceFactory {
       allowedSelfApprovals: boolean;
       secretPath: string;
       deletedAt?: Date | null | undefined;
-      maxTimePeriod?: string | null;
       environment: {
         id: string;
         name: string;
         slug: string;
       };
-      environments: {
-        id: string;
-        name: string;
-        slug: string;
-      }[];
       projectId: string;
       bypassers: (
         | {
@@ -306,17 +271,11 @@ export interface TAccessApprovalPolicyServiceFactory {
     allowedSelfApprovals: boolean;
     secretPath: string;
     deletedAt?: Date | null | undefined;
-    maxTimePeriod?: string | null;
     environment: {
       id: string;
       name: string;
       slug: string;
     };
-    environments: {
-      id: string;
-      name: string;
-      slug: string;
-    }[];
     projectId: string;
     bypassers: (
       | {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -63,10 +63,9 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
           enforcementLevel: string;
           allowedSelfApprovals: boolean;
           deletedAt: Date | null | undefined;
-          maxTimePeriod?: string | null;
         };
         projectId: string;
-        environments: string[];
+        environment: string;
         requestedByUser: {
           userId: string;
           email: string | null | undefined;
@@ -162,7 +161,6 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
         allowedSelfApprovals: boolean;
         envId: string;
         deletedAt: Date | null | undefined;
-        maxTimePeriod?: string | null;
       };
       projectId: string;
       environment: string;
@@ -299,8 +297,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
             db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
             db.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
             db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId"),
-            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
-            db.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
+            db.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
           )
           .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
           .select(db.ref("sequence").withSchema(TableName.AccessApprovalPolicyApprover).as("approverSequence"))
@@ -367,8 +364,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
               enforcementLevel: doc.policyEnforcementLevel,
               allowedSelfApprovals: doc.policyAllowedSelfApprovals,
               envId: doc.policyEnvId,
-              deletedAt: doc.policyDeletedAt,
-              maxTimePeriod: doc.policyMaxTimePeriod
+              deletedAt: doc.policyDeletedAt
             },
             requestedByUser: {
               userId: doc.requestedByUserId,
@@ -519,17 +515,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         `accessApprovalReviewerUser.id`
       )
 
-      .leftJoin(
-        TableName.AccessApprovalPolicyEnvironment,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyEnvironment}.policyId`
-      )
-
-      .leftJoin(
-        TableName.Environment,
-        `${TableName.AccessApprovalPolicyEnvironment}.envId`,
-        `${TableName.Environment}.id`
-      )
+      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
       .select(selectAllTableCols(TableName.AccessApprovalRequest))
       .select(
         tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover),
@@ -578,8 +564,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
         tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("allowedSelfApprovals").withSchema(TableName.AccessApprovalPolicy).as("policyAllowedSelfApprovals"),
         tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt"),
-        tx.ref("maxTimePeriod").withSchema(TableName.AccessApprovalPolicy).as("policyMaxTimePeriod")
+        tx.ref("deletedAt").withSchema(TableName.AccessApprovalPolicy).as("policyDeletedAt")
       );
 
   const findById: TAccessApprovalRequestDALFactory["findById"] = async (id, tx) => {
@@ -600,8 +585,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
             secretPath: el.policySecretPath,
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals,
-            deletedAt: el.policyDeletedAt,
-            maxTimePeriod: el.policyMaxTimePeriod
+            deletedAt: el.policyDeletedAt
           },
           requestedByUser: {
             userId: el.requestedByUserId,
@@ -699,11 +683,6 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
               lastName,
               username
             })
-          },
-          {
-            key: "environment",
-            label: "environments" as const,
-            mapper: ({ environment }) => environment
           }
         ]
       });

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import msFn from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -54,7 +54,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
   accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find" | "findLastValidPolicy">;
   accessApprovalRequestReviewerDAL: Pick<
     TAccessApprovalRequestReviewerDALFactory,
-    "create" | "find" | "findOne" | "transaction" | "delete"
+    "create" | "find" | "findOne" | "transaction"
   >;
   groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
@@ -86,25 +86,6 @@ export const accessApprovalRequestServiceFactory = ({
   projectMicrosoftTeamsConfigDAL,
   projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep): TAccessApprovalRequestServiceFactory => {
-  const $getEnvironmentFromPermissions = (permissions: unknown): string | null => {
-    if (!Array.isArray(permissions) || permissions.length === 0) {
-      return null;
-    }
-
-    const firstPermission = permissions[0] as unknown[];
-    if (!Array.isArray(firstPermission) || firstPermission.length < 3) {
-      return null;
-    }
-
-    const metadata = firstPermission[2] as Record<string, unknown>;
-    if (typeof metadata === "object" && metadata !== null && "environment" in metadata) {
-      const env = metadata.environment;
-      return typeof env === "string" ? env : null;
-    }
-
-    return null;
-  };
-
   const createAccessApprovalRequest: TAccessApprovalRequestServiceFactory["createAccessApprovalRequest"] = async ({
     isTemporary,
     temporaryRange,
@@ -126,8 +107,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -156,15 +136,6 @@ export const accessApprovalRequestServiceFactory = ({
       throw new BadRequestError({ message: "The policy linked to this request has been deleted" });
     }
 
-    // Check if the requested time falls under policy.maxTimePeriod
-    if (policy.maxTimePeriod) {
-      if (!temporaryRange || ms(temporaryRange) > ms(policy.maxTimePeriod)) {
-        throw new BadRequestError({
-          message: `Requested access time range is limited to ${policy.maxTimePeriod} by policy`
-        });
-      }
-    }
-
     const approverIds: string[] = [];
     const approverGroupIds: string[] = [];
 
@@ -245,7 +216,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
+      const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
 
       await triggerWorkflowIntegrationNotification({
         input: {
@@ -301,155 +272,6 @@ export const accessApprovalRequestServiceFactory = ({
     return { request: approval };
   };
 
-  const updateAccessApprovalRequest: TAccessApprovalRequestServiceFactory["updateAccessApprovalRequest"] = async ({
-    temporaryRange,
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    editNote,
-    requestId
-  }) => {
-    const cfg = getConfig();
-
-    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) {
-      throw new NotFoundError({ message: `Access request with ID '${requestId}' not found` });
-    }
-
-    const { policy, requestedByUser } = accessApprovalRequest;
-    if (policy.deletedAt) {
-      throw new BadRequestError({
-        message: "The policy associated with this access request has been deleted."
-      });
-    }
-
-    const { membership, hasRole } = await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: accessApprovalRequest.projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
-
-    if (!membership) {
-      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
-    }
-
-    const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-
-    if (!hasRole(ProjectMembershipRole.Admin) && !isApprover) {
-      throw new ForbiddenRequestError({ message: "You are not authorized to modify this request" });
-    }
-
-    const project = await projectDAL.findById(accessApprovalRequest.projectId);
-
-    if (!project) {
-      throw new NotFoundError({
-        message: `The project associated with this access request was not found. [projectId=${accessApprovalRequest.projectId}]`
-      });
-    }
-
-    if (accessApprovalRequest.status !== ApprovalStatus.PENDING) {
-      throw new BadRequestError({ message: "The request has been closed" });
-    }
-
-    const editedByUser = await userDAL.findById(actorId);
-
-    if (!editedByUser) throw new NotFoundError({ message: "Editing user not found" });
-
-    if (accessApprovalRequest.isTemporary && accessApprovalRequest.temporaryRange) {
-      if (ms(temporaryRange) > ms(accessApprovalRequest.temporaryRange)) {
-        throw new BadRequestError({ message: "Updated access duration must be less than current access duration" });
-      }
-    }
-
-    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({
-      permissions: accessApprovalRequest.permissions
-    });
-
-    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
-      const approvalRequest = await accessApprovalRequestDAL.updateById(
-        requestId,
-        {
-          temporaryRange,
-          isTemporary: true,
-          editNote,
-          editedByUserId: actorId
-        },
-        tx
-      );
-
-      // reset review progress
-      await accessApprovalRequestReviewerDAL.delete(
-        {
-          requestId
-        },
-        tx
-      );
-
-      const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
-      const editorFullName = `${editedByUser.firstName} ${editedByUser.lastName}`;
-      const approvalUrl = `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`;
-
-      await triggerWorkflowIntegrationNotification({
-        input: {
-          notification: {
-            type: TriggerFeature.ACCESS_REQUEST_UPDATED,
-            payload: {
-              projectName: project.name,
-              requesterFullName,
-              isTemporary: true,
-              requesterEmail: requestedByUser.email as string,
-              secretPath,
-              environment: envSlug,
-              permissions: accessTypes,
-              approvalUrl,
-              editNote,
-              editorEmail: editedByUser.email as string,
-              editorFullName
-            }
-          },
-          projectId: project.id
-        },
-        dependencies: {
-          projectDAL,
-          projectSlackConfigDAL,
-          kmsService,
-          microsoftTeamsService,
-          projectMicrosoftTeamsConfigDAL
-        }
-      });
-
-      await smtpService.sendMail({
-        recipients: policy.approvers
-          .filter((approver) => Boolean(approver.email) && approver.userId !== editedByUser.id)
-          .map((approver) => approver.email!),
-        subjectLine: "Access Approval Request Updated",
-        substitutions: {
-          projectName: project.name,
-          requesterFullName,
-          requesterEmail: requestedByUser.email,
-          isTemporary: true,
-          expiresIn: msFn(ms(temporaryRange || ""), { long: true }),
-          secretPath,
-          environment: envSlug,
-          permissions: accessTypes,
-          approvalUrl,
-          editNote,
-          editorFullName,
-          editorEmail: editedByUser.email
-        },
-        template: SmtpTemplates.AccessApprovalRequestUpdated
-      });
-
-      return approvalRequest;
-    });
-
-    return { request: approval };
-  };
-
   const listApprovalRequests: TAccessApprovalRequestServiceFactory["listApprovalRequests"] = async ({
     projectSlug,
     authorUserId,
@@ -467,8 +289,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -485,15 +306,6 @@ export const accessApprovalRequestServiceFactory = ({
       requests = requests.filter((request) => request.environment === envSlug);
     }
 
-    requests = requests.map((request) => {
-      const permissionEnvironment = $getEnvironmentFromPermissions(request.permissions);
-
-      if (permissionEnvironment) {
-        request.environmentName = permissionEnvironment;
-      }
-      return request;
-    });
-
     return { requests };
   };
 
@@ -511,34 +323,19 @@ export const accessApprovalRequestServiceFactory = ({
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy, environments, permissions } = accessApprovalRequest;
+    const { policy, environment } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
 
-    const permissionEnvironment = $getEnvironmentFromPermissions(permissions);
-    if (
-      !permissionEnvironment ||
-      (!environments.includes(permissionEnvironment) && status === ApprovalStatus.APPROVED)
-    ) {
-      throw new BadRequestError({
-        message: `The original policy ${policy.name} is not attached to environment '${permissionEnvironment}'.`
-      });
-    }
-    const environment = await projectEnvDAL.findOne({
-      projectId: accessApprovalRequest.projectId,
-      slug: permissionEnvironment
-    });
-
     const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     if (!membership) {
@@ -753,8 +550,8 @@ export const accessApprovalRequestServiceFactory = ({
                   requesterEmail: actingUser.email,
                   bypassReason: bypassReason || "No reason provided",
                   secretPath: policy.secretPath || "/",
-                  environment: environment?.name || permissionEnvironment,
-                  approvalUrl: `${cfg.SITE_URL}/projects/secret-management/${project.id}/approval`,
+                  environment,
+                  approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
                   requestType: "access"
                 },
                 template: SmtpTemplates.AccessSecretRequestBypassed
@@ -785,8 +582,7 @@ export const accessApprovalRequestServiceFactory = ({
       actorId,
       projectId: project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -799,7 +595,6 @@ export const accessApprovalRequestServiceFactory = ({
 
   return {
     createAccessApprovalRequest,
-    updateAccessApprovalRequest,
     listApprovalRequests,
     reviewAccessRequest,
     getCount

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -30,12 +30,6 @@ export type TCreateAccessApprovalRequestDTO = {
   note?: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TUpdateAccessApprovalRequestDTO = {
-  requestId: string;
-  temporaryRange: string;
-  editNote: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TListApprovalRequestsDTO = {
   projectSlug: string;
   authorUserId?: string;
@@ -60,23 +54,6 @@ export interface TAccessApprovalRequestServiceFactory {
       privilegeDeletedAt?: Date | null | undefined;
     };
   }>;
-  updateAccessApprovalRequest: (arg: TUpdateAccessApprovalRequestDTO) => Promise<{
-    request: {
-      status: string;
-      id: string;
-      createdAt: Date;
-      updatedAt: Date;
-      policyId: string;
-      isTemporary: boolean;
-      requestedByUserId: string;
-      privilegeId?: string | null | undefined;
-      requestedBy?: string | null | undefined;
-      temporaryRange?: string | null | undefined;
-      permissions?: unknown;
-      note?: string | null | undefined;
-      privilegeDeletedAt?: Date | null | undefined;
-    };
-  }>;
   listApprovalRequests: (arg: TListApprovalRequestsDTO) => Promise<{
     requests: {
       policy: {
@@ -105,7 +82,6 @@ export interface TAccessApprovalRequestServiceFactory {
         allowedSelfApprovals: boolean;
         envId: string;
         deletedAt: Date | null | undefined;
-        maxTimePeriod?: string | null;
       };
       projectId: string;
       environment: string;

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -45,10 +45,7 @@ export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion(
 ]);
 
 export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, {
-    supportsPlatformManagedCredentials: true,
-    supportsGateways: true
-  })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
 );
 
 export const UpdateOracleDBConnectionSchema = z
@@ -57,12 +54,7 @@ export const UpdateOracleDBConnectionSchema = z
       AppConnections.UPDATE(AppConnection.OracleDB).credentials
     )
   })
-  .and(
-    GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, {
-      supportsPlatformManagedCredentials: true,
-      supportsGateways: true
-    })
-  );
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
 
 export const OracleDBConnectionListItemSchema = z.object({
   name: z.literal("OracleDB"),

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -38,8 +37,7 @@ export const assumePrivilegeServiceFactory = ({
       actorId: actorPermissionDetails.id,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
     });
 
     if (targetActorType === ActorType.USER) {
@@ -60,8 +58,7 @@ export const assumePrivilegeServiceFactory = ({
       actorId: targetActorId,
       projectId,
       actorAuthMethod: actorPermissionDetails.authMethod,
-      actorOrgId: actorPermissionDetails.orgId,
-      actionProjectType: ActionProjectType.Any
+      actorOrgId: actorPermissionDetails.orgId
     });
 
     const appCfg = getConfig();

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -1,10 +1,8 @@
 // weird commonjs-related error in the CI requires us to do the import like this
 import knex from "knex";
-import { v4 as uuidv4 } from "uuid";
 
 import { TDbClient } from "@app/db";
 import { TableName, TAuditLogs } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
 import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, TOrmify } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
@@ -152,70 +150,43 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
   // delete all audit log that have expired
   const pruneAuditLog: TAuditLogDALFactory["pruneAuditLog"] = async (tx) => {
-    const runPrune = async (dbClient: knex.Knex) => {
-      const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
-      const MAX_RETRY_ON_FAILURE = 3;
+    const AUDIT_LOG_PRUNE_BATCH_SIZE = 10000;
+    const MAX_RETRY_ON_FAILURE = 3;
 
-      const today = new Date();
-      let deletedAuditLogIds: { id: string }[] = [];
-      let numberOfRetryOnFailure = 0;
-      let isRetrying = false;
+    const today = new Date();
+    let deletedAuditLogIds: { id: string }[] = [];
+    let numberOfRetryOnFailure = 0;
+    let isRetrying = false;
 
-      logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
-      do {
-        try {
-          const findExpiredLogSubQuery = dbClient(TableName.AuditLog)
-            .where("expiresAt", "<", today)
-            .where("createdAt", "<", today) // to use audit log partition
-            .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
-            .select("id")
-            .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
+    logger.info(`${QueueName.DailyResourceCleanUp}: audit log started`);
+    do {
+      try {
+        const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
+          .where("expiresAt", "<", today)
+          .where("createdAt", "<", today) // to use audit log partition
+          .orderBy(`${TableName.AuditLog}.createdAt`, "desc")
+          .select("id")
+          .limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
 
-          // eslint-disable-next-line no-await-in-loop
-          deletedAuditLogIds = await dbClient(TableName.AuditLog)
-            .whereIn("id", findExpiredLogSubQuery)
-            .del()
-            .returning("id");
-          numberOfRetryOnFailure = 0; // reset
-        } catch (error) {
-          numberOfRetryOnFailure += 1;
-          logger.error(error, "Failed to delete audit log on pruning");
-        } finally {
-          // eslint-disable-next-line no-await-in-loop
-          await new Promise((resolve) => {
-            setTimeout(resolve, 10); // time to breathe for db
-          });
-        }
-        isRetrying = numberOfRetryOnFailure > 0;
-      } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
-      logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
-    };
-
-    if (tx) {
-      await runPrune(tx);
-    } else {
-      const QUERY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
-      await db.transaction(async (trx) => {
-        await trx.raw(`SET statement_timeout = ${QUERY_TIMEOUT_MS}`);
-        await runPrune(trx);
-      });
-    }
+        // eslint-disable-next-line no-await-in-loop
+        deletedAuditLogIds = await (tx || db)(TableName.AuditLog)
+          .whereIn("id", findExpiredLogSubQuery)
+          .del()
+          .returning("id");
+        numberOfRetryOnFailure = 0; // reset
+      } catch (error) {
+        numberOfRetryOnFailure += 1;
+        logger.error(error, "Failed to delete audit log on pruning");
+      } finally {
+        // eslint-disable-next-line no-await-in-loop
+        await new Promise((resolve) => {
+          setTimeout(resolve, 10); // time to breathe for db
+        });
+      }
+      isRetrying = numberOfRetryOnFailure > 0;
+    } while (deletedAuditLogIds.length > 0 || (isRetrying && numberOfRetryOnFailure < MAX_RETRY_ON_FAILURE));
+    logger.info(`${QueueName.DailyResourceCleanUp}: audit log completed`);
   };
 
-  const create: TAuditLogDALFactory["create"] = async (tx) => {
-    const config = getConfig();
-
-    if (config.DISABLE_AUDIT_LOG_STORAGE) {
-      return {
-        ...tx,
-        id: uuidv4(),
-        createdAt: new Date(),
-        updatedAt: new Date()
-      };
-    }
-
-    return auditLogOrm.create(tx);
-  };
-
-  return { ...auditLogOrm, create, pruneAuditLog, find };
+  return { ...auditLogOrm, pruneAuditLog, find };
 };

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,6 +1,7 @@
 import { AxiosError, RawAxiosRequestHeaders } from "axios";
 
 import { SecretKeyEncoding } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
@@ -37,15 +38,132 @@ export const auditLogQueueServiceFactory = async ({
   licenseService,
   auditLogStreamDAL
 }: TAuditLogQueueServiceFactoryDep): Promise<TAuditLogQueueServiceFactory> => {
+  const appCfg = getConfig();
+
   const pushToLog = async (data: TCreateAuditLogDTO) => {
-    await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
-      removeOnFail: {
-        count: 3
-      },
-      removeOnComplete: true
-    });
+    if (appCfg.USE_PG_QUEUE && appCfg.SHOULD_INIT_PG_QUEUE) {
+      await queueService.queuePg<QueueName.AuditLog>(QueueJobs.AuditLog, data, {
+        retryLimit: 10,
+        retryBackoff: true
+      });
+    } else {
+      await queueService.queue<QueueName.AuditLog>(QueueName.AuditLog, QueueJobs.AuditLog, data, {
+        removeOnFail: {
+          count: 3
+        },
+        removeOnComplete: true
+      });
+    }
   };
 
+  if (appCfg.SHOULD_INIT_PG_QUEUE) {
+    await queueService.startPg<QueueName.AuditLog>(
+      QueueJobs.AuditLog,
+      async ([job]) => {
+        const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
+        let { orgId } = job.data;
+        const MS_IN_DAY = 24 * 60 * 60 * 1000;
+        let project;
+
+        if (!orgId) {
+          // it will never be undefined for both org and project id
+          // TODO(akhilmhdh): use caching here in dal to avoid db calls
+          project = await projectDAL.findById(projectId as string);
+          orgId = project.orgId;
+        }
+
+        const plan = await licenseService.getPlan(orgId);
+        if (plan.auditLogsRetentionDays === 0) {
+          // skip inserting if audit log retention is 0 meaning its not supported
+          return;
+        }
+
+        // For project actions, set TTL to project-level audit log retention config
+        // This condition ensures that the plan's audit log retention days cannot be bypassed
+        const ttlInDays =
+          project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+            ? project.auditLogsRetentionDays
+            : plan.auditLogsRetentionDays;
+
+        const ttl = ttlInDays * MS_IN_DAY;
+
+        const auditLog = await auditLogDAL.create({
+          actor: actor.type,
+          actorMetadata: actor.metadata,
+          userAgent,
+          projectId,
+          projectName: project?.name,
+          ipAddress,
+          orgId,
+          eventType: event.type,
+          expiresAt: new Date(Date.now() + ttl),
+          eventMetadata: event.metadata,
+          userAgentType
+        });
+
+        const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
+        await Promise.allSettled(
+          logStreams.map(
+            async ({
+              url,
+              encryptedHeadersTag,
+              encryptedHeadersIV,
+              encryptedHeadersKeyEncoding,
+              encryptedHeadersCiphertext
+            }) => {
+              const streamHeaders =
+                encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
+                  ? (JSON.parse(
+                      crypto
+                        .encryption()
+                        .symmetric()
+                        .decryptWithRootEncryptionKey({
+                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                          iv: encryptedHeadersIV,
+                          tag: encryptedHeadersTag,
+                          ciphertext: encryptedHeadersCiphertext
+                        })
+                    ) as LogStreamHeaders[])
+                  : [];
+
+              const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
+
+              if (streamHeaders.length)
+                streamHeaders.forEach(({ key, value }) => {
+                  headers[key] = value;
+                });
+
+              try {
+                const response = await request.post(
+                  url,
+                  { ...providerSpecificPayload(url), ...auditLog },
+                  {
+                    headers,
+                    // request timeout
+                    timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                    // connection timeout
+                    signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+                  }
+                );
+                return response;
+              } catch (error) {
+                logger.error(
+                  `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+                );
+                return error;
+              }
+            }
+          )
+        );
+      },
+      {
+        batchSize: 1,
+        workerCount: 30,
+        pollingIntervalSeconds: 0.5
+      }
+    );
+  }
+
   queueService.start(QueueName.AuditLog, async (job) => {
     const { actor, event, ipAddress, projectId, userAgent, userAgentType } = job.data;
     let { orgId } = job.data;
@@ -60,87 +178,88 @@ export const auditLogQueueServiceFactory = async ({
     }
 
     const plan = await licenseService.getPlan(orgId);
-
-    // skip inserting if audit log retention is 0 meaning its not supported
-    if (plan.auditLogsRetentionDays !== 0) {
-      // For project actions, set TTL to project-level audit log retention config
-      // This condition ensures that the plan's audit log retention days cannot be bypassed
-      const ttlInDays =
-        project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
-          ? project.auditLogsRetentionDays
-          : plan.auditLogsRetentionDays;
-
-      const ttl = ttlInDays * MS_IN_DAY;
-
-      const auditLog = await auditLogDAL.create({
-        actor: actor.type,
-        actorMetadata: actor.metadata,
-        userAgent,
-        projectId,
-        projectName: project?.name,
-        ipAddress,
-        orgId,
-        eventType: event.type,
-        expiresAt: new Date(Date.now() + ttl),
-        eventMetadata: event.metadata,
-        userAgentType
-      });
-
-      const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
-      await Promise.allSettled(
-        logStreams.map(
-          async ({
-            url,
-            encryptedHeadersTag,
-            encryptedHeadersIV,
-            encryptedHeadersKeyEncoding,
-            encryptedHeadersCiphertext
-          }) => {
-            const streamHeaders =
-              encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
-                ? (JSON.parse(
-                    crypto
-                      .encryption()
-                      .symmetric()
-                      .decryptWithRootEncryptionKey({
-                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                        iv: encryptedHeadersIV,
-                        tag: encryptedHeadersTag,
-                        ciphertext: encryptedHeadersCiphertext
-                      })
-                  ) as LogStreamHeaders[])
-                : [];
-
-            const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-
-            if (streamHeaders.length)
-              streamHeaders.forEach(({ key, value }) => {
-                headers[key] = value;
-              });
-
-            try {
-              const response = await request.post(
-                url,
-                { ...providerSpecificPayload(url), ...auditLog },
-                {
-                  headers,
-                  // request timeout
-                  timeout: AUDIT_LOG_STREAM_TIMEOUT,
-                  // connection timeout
-                  signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-                }
-              );
-              return response;
-            } catch (error) {
-              logger.error(
-                `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
-              );
-              return error;
-            }
-          }
-        )
-      );
+    if (plan.auditLogsRetentionDays === 0) {
+      // skip inserting if audit log retention is 0 meaning its not supported
+      return;
     }
+
+    // For project actions, set TTL to project-level audit log retention config
+    // This condition ensures that the plan's audit log retention days cannot be bypassed
+    const ttlInDays =
+      project?.auditLogsRetentionDays && project.auditLogsRetentionDays < plan.auditLogsRetentionDays
+        ? project.auditLogsRetentionDays
+        : plan.auditLogsRetentionDays;
+
+    const ttl = ttlInDays * MS_IN_DAY;
+
+    const auditLog = await auditLogDAL.create({
+      actor: actor.type,
+      actorMetadata: actor.metadata,
+      userAgent,
+      projectId,
+      projectName: project?.name,
+      ipAddress,
+      orgId,
+      eventType: event.type,
+      expiresAt: new Date(Date.now() + ttl),
+      eventMetadata: event.metadata,
+      userAgentType
+    });
+
+    const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
+    await Promise.allSettled(
+      logStreams.map(
+        async ({
+          url,
+          encryptedHeadersTag,
+          encryptedHeadersIV,
+          encryptedHeadersKeyEncoding,
+          encryptedHeadersCiphertext
+        }) => {
+          const streamHeaders =
+            encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
+              ? (JSON.parse(
+                  crypto
+                    .encryption()
+                    .symmetric()
+                    .decryptWithRootEncryptionKey({
+                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                      iv: encryptedHeadersIV,
+                      tag: encryptedHeadersTag,
+                      ciphertext: encryptedHeadersCiphertext
+                    })
+                ) as LogStreamHeaders[])
+              : [];
+
+          const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
+
+          if (streamHeaders.length)
+            streamHeaders.forEach(({ key, value }) => {
+              headers[key] = value;
+            });
+
+          try {
+            const response = await request.post(
+              url,
+              { ...providerSpecificPayload(url), ...auditLog },
+              {
+                headers,
+                // request timeout
+                timeout: AUDIT_LOG_STREAM_TIMEOUT,
+                // connection timeout
+                signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
+              }
+            );
+            return response;
+          } catch (error) {
+            logger.error(
+              `Failed to stream audit log [url=${url}] for org [orgId=${orgId}] [error=${(error as AxiosError).message}]`
+            );
+            return error;
+          }
+        }
+      )
+    );
   });
 
   return {

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { requestContext } from "@fastify/request-context";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -38,8 +37,7 @@ export const auditLogServiceFactory = ({
         actorId,
         projectId: filter.projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
+        actorOrgId
       });
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -161,9 +161,6 @@ export enum EventType {
   CREATE_IDENTITY = "create-identity",
   UPDATE_IDENTITY = "update-identity",
   DELETE_IDENTITY = "delete-identity",
-  MACHINE_IDENTITY_AUTH_TEMPLATE_CREATE = "machine-identity-auth-template-create",
-  MACHINE_IDENTITY_AUTH_TEMPLATE_UPDATE = "machine-identity-auth-template-update",
-  MACHINE_IDENTITY_AUTH_TEMPLATE_DELETE = "machine-identity-auth-template-delete",
   LOGIN_IDENTITY_UNIVERSAL_AUTH = "login-identity-universal-auth",
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
@@ -452,7 +449,6 @@ export enum EventType {
   PIT_REVERT_COMMIT = "pit-revert-commit",
   PIT_GET_FOLDER_STATE = "pit-get-folder-state",
   PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
-  PIT_PROCESS_NEW_COMMIT_RAW = "pit-process-new-commit-raw",
   SECRET_SCANNING_DATA_SOURCE_LIST = "secret-scanning-data-source-list",
   SECRET_SCANNING_DATA_SOURCE_CREATE = "secret-scanning-data-source-create",
   SECRET_SCANNING_DATA_SOURCE_UPDATE = "secret-scanning-data-source-update",
@@ -471,11 +467,7 @@ export enum EventType {
 
   CREATE_PROJECT = "create-project",
   UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project",
-
-  CREATE_SECRET_REMINDER = "create-secret-reminder",
-  GET_SECRET_REMINDER = "get-secret-reminder",
-  DELETE_SECRET_REMINDER = "delete-secret-reminder"
+  DELETE_PROJECT = "delete-project"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -833,30 +825,6 @@ interface LoginIdentityUniversalAuthEvent {
   };
 }
 
-interface MachineIdentityAuthTemplateCreateEvent {
-  type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_CREATE;
-  metadata: {
-    templateId: string;
-    name: string;
-  };
-}
-
-interface MachineIdentityAuthTemplateUpdateEvent {
-  type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_UPDATE;
-  metadata: {
-    templateId: string;
-    name: string;
-  };
-}
-
-interface MachineIdentityAuthTemplateDeleteEvent {
-  type: EventType.MACHINE_IDENTITY_AUTH_TEMPLATE_DELETE;
-  metadata: {
-    templateId: string;
-    name: string;
-  };
-}
-
 interface AddIdentityUniversalAuthEvent {
   type: EventType.ADD_IDENTITY_UNIVERSAL_AUTH;
   metadata: {
@@ -1352,7 +1320,6 @@ interface AddIdentityLdapAuthEvent {
     accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
     allowedFields?: TAllowedFields[];
     url: string;
-    templateId?: string | null;
   };
 }
 
@@ -1366,7 +1333,6 @@ interface UpdateIdentityLdapAuthEvent {
     accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
     allowedFields?: TAllowedFields[];
     url?: string;
-    templateId?: string | null;
   };
 }
 
@@ -1580,9 +1546,8 @@ interface UpdateFolderEvent {
   metadata: {
     environment: string;
     folderId: string;
-    oldFolderName?: string;
+    oldFolderName: string;
     newFolderName: string;
-    newFolderDescription?: string;
     folderPath: string;
   };
 }
@@ -3257,18 +3222,6 @@ interface PitCompareFolderStatesEvent {
   };
 }
 
-interface PitProcessNewCommitRawEvent {
-  type: EventType.PIT_PROCESS_NEW_COMMIT_RAW;
-  metadata: {
-    projectId: string;
-    environment: string;
-    secretPath: string;
-    message: string;
-    approvalId?: string;
-    commitId?: string;
-  };
-}
-
 interface SecretScanningDataSourceListEvent {
   type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST;
   metadata: {
@@ -3359,31 +3312,6 @@ interface SecretScanningConfigUpdateEvent {
   };
 }
 
-interface SecretReminderCreateEvent {
-  type: EventType.CREATE_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-    message?: string | null;
-    repeatDays?: number | null;
-    nextReminderDate?: string | null;
-    recipients?: string[] | null;
-  };
-}
-
-interface SecretReminderGetEvent {
-  type: EventType.GET_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-  };
-}
-
-interface SecretReminderDeleteEvent {
-  type: EventType.DELETE_SECRET_REMINDER;
-  metadata: {
-    secretId: string;
-  };
-}
-
 interface SecretScanningConfigReadEvent {
   type: EventType.SECRET_SCANNING_CONFIG_GET;
   metadata?: Record<string, never>; // not needed, based off projectId
@@ -3468,9 +3396,6 @@ export type Event =
   | UpdateIdentityEvent
   | DeleteIdentityEvent
   | LoginIdentityUniversalAuthEvent
-  | MachineIdentityAuthTemplateCreateEvent
-  | MachineIdentityAuthTemplateUpdateEvent
-  | MachineIdentityAuthTemplateDeleteEvent
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
   | DeleteIdentityUniversalAuthEvent
@@ -3733,7 +3658,6 @@ export type Event =
   | PitRevertCommitEvent
   | PitCompareFolderStatesEvent
   | PitGetFolderStateEvent
-  | PitProcessNewCommitRawEvent
   | SecretScanningDataSourceListEvent
   | SecretScanningDataSourceGetEvent
   | SecretScanningDataSourceCreateEvent
@@ -3750,7 +3674,4 @@ export type Event =
   | OrgUpdateEvent
   | ProjectCreateEvent
   | ProjectUpdateEvent
-  | ProjectDeleteEvent
-  | SecretReminderCreateEvent
-  | SecretReminderGetEvent
-  | SecretReminderDeleteEvent;
+  | ProjectDeleteEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -78,8 +77,7 @@ export const certificateAuthorityCrlServiceFactory = ({
       actorId,
       projectId: ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import RE2 from "re2";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -85,8 +84,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -202,8 +200,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -300,8 +297,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
@@ -389,8 +385,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -437,8 +432,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -9,7 +9,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
   const appCfg = getConfig();
 
-  if (appCfg.isDevelopmentMode || appCfg.isTestMode) return [host];
+  if (appCfg.isDevelopmentMode) return [host];
 
   if (isGateway) return [host];
 

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import {
@@ -79,8 +78,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
@@ -209,8 +207,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -361,8 +358,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -427,8 +423,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -492,8 +487,7 @@ export const dynamicSecretServiceFactory = ({
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
+        actorOrgId
       });
 
       // verify user has access to each env in request
@@ -536,8 +530,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
@@ -585,8 +578,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
@@ -623,8 +615,7 @@ export const dynamicSecretServiceFactory = ({
       actorId: actor.id,
       projectId,
       actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId: actor.orgId
     });
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
@@ -668,8 +659,7 @@ export const dynamicSecretServiceFactory = ({
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
+      actorOrgId
     });
 
     const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -15,7 +15,6 @@ import { z } from "zod";
 import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
@@ -171,29 +170,14 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
   };
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    try {
-      await ElastiCacheUserManager(
-        {
-          accessKeyId: providerInputs.accessKeyId,
-          secretAccessKey: providerInputs.secretAccessKey
-        },
-        providerInputs.region
-      ).verifyCredentials(providerInputs.clusterName);
-      return true;
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [
-          providerInputs.accessKeyId,
-          providerInputs.secretAccessKey,
-          providerInputs.clusterName,
-          providerInputs.region
-        ]
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await ElastiCacheUserManager(
+      {
+        accessKeyId: providerInputs.accessKeyId,
+        secretAccessKey: providerInputs.secretAccessKey
+      },
+      providerInputs.region
+    ).verifyCredentials(providerInputs.clusterName);
+    return true;
   };
 
   const create = async (data: {
@@ -222,37 +206,21 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
 
     const parsedStatement = CreateElastiCacheUserSchema.parse(JSON.parse(creationStatement));
 
-    try {
-      await ElastiCacheUserManager(
-        {
-          accessKeyId: providerInputs.accessKeyId,
-          secretAccessKey: providerInputs.secretAccessKey
-        },
-        providerInputs.region
-      ).createUser(parsedStatement, providerInputs.clusterName);
+    await ElastiCacheUserManager(
+      {
+        accessKeyId: providerInputs.accessKeyId,
+        secretAccessKey: providerInputs.secretAccessKey
+      },
+      providerInputs.region
+    ).createUser(parsedStatement, providerInputs.clusterName);
 
-      return {
-        entityId: leaseUsername,
-        data: {
-          DB_USERNAME: leaseUsername,
-          DB_PASSWORD: leasePassword
-        }
-      };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [
-          leaseUsername,
-          leasePassword,
-          providerInputs.accessKeyId,
-          providerInputs.secretAccessKey,
-          providerInputs.clusterName
-        ]
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return {
+      entityId: leaseUsername,
+      data: {
+        DB_USERNAME: leaseUsername,
+        DB_PASSWORD: leasePassword
+      }
+    };
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
@@ -261,25 +229,15 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
     const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username: entityId });
     const parsedStatement = DeleteElasticCacheUserSchema.parse(JSON.parse(revokeStatement));
 
-    try {
-      await ElastiCacheUserManager(
-        {
-          accessKeyId: providerInputs.accessKeyId,
-          secretAccessKey: providerInputs.secretAccessKey
-        },
-        providerInputs.region
-      ).deleteUser(parsedStatement);
+    await ElastiCacheUserManager(
+      {
+        accessKeyId: providerInputs.accessKeyId,
+        secretAccessKey: providerInputs.secretAccessKey
+      },
+      providerInputs.region
+    ).deleteUser(parsedStatement);
 
-      return { entityId };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [entityId, providerInputs.accessKeyId, providerInputs.secretAccessKey, providerInputs.clusterName]
-      });
-      throw new BadRequestError({
-        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return { entityId };
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -23,7 +23,6 @@ import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { AwsIamAuthType, DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
@@ -119,39 +118,22 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown, { projectId }: { projectId: string }) => {
     const providerInputs = await validateProviderInputs(inputs);
-    try {
-      const client = await $getClient(providerInputs, projectId);
-      const isConnected = await client
-        .send(new GetUserCommand({}))
-        .then(() => true)
-        .catch((err) => {
-          const message = (err as Error)?.message;
-          if (
-            (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
-            // assume role will throw an error asking to provider username, but if so this has access in aws correctly
-            message.includes("Must specify userName when calling with non-User credentials")
-          ) {
-            return true;
-          }
-          throw err;
-        });
-      return isConnected;
-    } catch (err) {
-      const sensitiveTokens = [];
-      if (providerInputs.method === AwsIamAuthType.AccessKey) {
-        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
-      }
-      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
-        sensitiveTokens.push(providerInputs.roleArn);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: sensitiveTokens
+    const client = await $getClient(providerInputs, projectId);
+    const isConnected = await client
+      .send(new GetUserCommand({}))
+      .then(() => true)
+      .catch((err) => {
+        const message = (err as Error)?.message;
+        if (
+          (providerInputs.method === AwsIamAuthType.AssumeRole || providerInputs.method === AwsIamAuthType.IRSA) &&
+          // assume role will throw an error asking to provider username, but if so this has access in aws correctly
+          message.includes("Must specify userName when calling with non-User credentials")
+        ) {
+          return true;
+        }
+        throw err;
       });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return isConnected;
   };
 
   const create = async (data: {
@@ -180,81 +162,62 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       awsTags.push(...additionalTags);
     }
 
-    try {
-      const createUserRes = await client.send(
-        new CreateUserCommand({
-          Path: awsPath,
-          PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-          Tags: awsTags,
-          UserName: username
-        })
+    const createUserRes = await client.send(
+      new CreateUserCommand({
+        Path: awsPath,
+        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
+        Tags: awsTags,
+        UserName: username
+      })
+    );
+
+    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
+    if (userGroups) {
+      await Promise.all(
+        userGroups
+          .split(",")
+          .filter(Boolean)
+          .map((group) =>
+            client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
+          )
       );
-
-      if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
-      if (userGroups) {
-        await Promise.all(
-          userGroups
-            .split(",")
-            .filter(Boolean)
-            .map((group) =>
-              client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
-            )
-        );
-      }
-      if (policyArns) {
-        await Promise.all(
-          policyArns
-            .split(",")
-            .filter(Boolean)
-            .map((policyArn) =>
-              client.send(
-                new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn })
-              )
-            )
-        );
-      }
-      if (policyDocument) {
-        await client.send(
-          new PutUserPolicyCommand({
-            UserName: createUserRes.User.UserName,
-            PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
-            PolicyDocument: policyDocument
-          })
-        );
-      }
-
-      const createAccessKeyRes = await client.send(
-        new CreateAccessKeyCommand({
-          UserName: createUserRes.User.UserName
-        })
-      );
-      if (!createAccessKeyRes.AccessKey)
-        throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
-
-      return {
-        entityId: username,
-        data: {
-          ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
-          SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
-          USERNAME: username
-        }
-      };
-    } catch (err) {
-      const sensitiveTokens = [username];
-      if (providerInputs.method === AwsIamAuthType.AccessKey) {
-        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
-      }
-      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
-        sensitiveTokens.push(providerInputs.roleArn);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: sensitiveTokens
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
     }
+    if (policyArns) {
+      await Promise.all(
+        policyArns
+          .split(",")
+          .filter(Boolean)
+          .map((policyArn) =>
+            client.send(new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn }))
+          )
+      );
+    }
+    if (policyDocument) {
+      await client.send(
+        new PutUserPolicyCommand({
+          UserName: createUserRes.User.UserName,
+          PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
+          PolicyDocument: policyDocument
+        })
+      );
+    }
+
+    const createAccessKeyRes = await client.send(
+      new CreateAccessKeyCommand({
+        UserName: createUserRes.User.UserName
+      })
+    );
+    if (!createAccessKeyRes.AccessKey)
+      throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
+
+    return {
+      entityId: username,
+      data: {
+        ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
+        SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
+        USERNAME: username
+      }
+    };
   };
 
   const revoke = async (inputs: unknown, entityId: string, metadata: { projectId: string }) => {
@@ -315,25 +278,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       )
     );
 
-    try {
-      await client.send(new DeleteUserCommand({ UserName: username }));
-      return { entityId: username };
-    } catch (err) {
-      const sensitiveTokens = [username];
-      if (providerInputs.method === AwsIamAuthType.AccessKey) {
-        sensitiveTokens.push(providerInputs.accessKey, providerInputs.secretAccessKey);
-      }
-      if (providerInputs.method === AwsIamAuthType.AssumeRole) {
-        sensitiveTokens.push(providerInputs.roleArn);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: sensitiveTokens
-      });
-      throw new BadRequestError({
-        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await client.send(new DeleteUserCommand({ UserName: username }));
+    return { entityId: username };
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {

backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts

@@ -2,7 +2,6 @@ import axios from "axios";
 import { customAlphabet } from "nanoid";
 
 import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 
 import { AzureEntraIDSchema, TDynamicProviderFns } from "./models";
 
@@ -52,82 +51,45 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    try {
-      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-      return data.success;
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.clientSecret, providerInputs.applicationId, providerInputs.tenantId]
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    return data.success;
   };
 
   const create = async ({ inputs }: { inputs: unknown }) => {
     const providerInputs = await validateProviderInputs(inputs);
+    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    if (!data.success) {
+      throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
+    }
 
     const password = generatePassword();
-    try {
-      const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
-      if (!data.success) {
-        throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
-      }
 
-      const response = await axios.patch(
-        `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
-        {
-          passwordProfile: {
-            forceChangePasswordNextSignIn: false,
-            password
-          }
-        },
-        {
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${data.token}`
-          }
-        }
-      );
-      if (response.status !== 204) {
-        throw new BadRequestError({ message: "Failed to update password" });
-      }
-
-      return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [
-          providerInputs.clientSecret,
-          providerInputs.applicationId,
-          providerInputs.userId,
-          providerInputs.email,
+    const response = await axios.patch(
+      `${MSFT_GRAPH_API_URL}/users/${providerInputs.userId}`,
+      {
+        passwordProfile: {
+          forceChangePasswordNextSignIn: false,
           password
-        ]
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
+        }
+      },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${data.token}`
+        }
+      }
+    );
+    if (response.status !== 204) {
+      throw new BadRequestError({ message: "Failed to update password" });
     }
+
+    return { entityId: providerInputs.userId, data: { email: providerInputs.email, password } };
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    try {
-      // Creates a new password
-      await create({ inputs });
-      return { entityId };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.clientSecret, providerInputs.applicationId, entityId]
-      });
-      throw new BadRequestError({
-        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    // Creates a new password
+    await create({ inputs });
+    return { entityId };
   };
 
   const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -3,8 +3,6 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
@@ -73,24 +71,9 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    try {
-      const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
-      await client.shutdown();
-      return isConnected;
-    } catch (err) {
-      const tokens = [providerInputs.password, providerInputs.username];
-      if (providerInputs.keyspace) {
-        tokens.push(providerInputs.keyspace);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens
-      });
-      await client.shutdown();
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
+    await client.shutdown();
+    return isConnected;
   };
 
   const create = async (data: {
@@ -106,39 +89,23 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
     const { keyspace } = providerInputs;
+    const expiration = new Date(expireAt).toISOString();
 
-    try {
-      const expiration = new Date(expireAt).toISOString();
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password,
+      expiration,
+      keyspace
+    });
 
-      const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
-        username,
-        password,
-        expiration,
-        keyspace
-      });
-
-      const queries = creationStatement.toString().split(";").filter(Boolean);
-      for (const query of queries) {
-        // eslint-disable-next-line
-        await client.execute(query);
-      }
-      await client.shutdown();
-
-      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
-    } catch (err) {
-      const tokens = [username, password];
-      if (keyspace) {
-        tokens.push(keyspace);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens
-      });
-      await client.shutdown();
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
+    const queries = creationStatement.toString().split(";").filter(Boolean);
+    for (const query of queries) {
+      // eslint-disable-next-line
+      await client.execute(query);
     }
+    await client.shutdown();
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
@@ -148,29 +115,14 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     const username = entityId;
     const { keyspace } = providerInputs;
 
-    try {
-      const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
-      const queries = revokeStatement.toString().split(";").filter(Boolean);
-      for (const query of queries) {
-        // eslint-disable-next-line
-        await client.execute(query);
-      }
-      await client.shutdown();
-      return { entityId: username };
-    } catch (err) {
-      const tokens = [username];
-      if (keyspace) {
-        tokens.push(keyspace);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens
-      });
-      await client.shutdown();
-      throw new BadRequestError({
-        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-      });
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace });
+    const queries = revokeStatement.toString().split(";").filter(Boolean);
+    for (const query of queries) {
+      // eslint-disable-next-line
+      await client.execute(query);
     }
+    await client.shutdown();
+    return { entityId: username };
   };
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
@@ -178,36 +130,21 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     if (!providerInputs.renewStatement) return { entityId };
 
     const client = await $getClient(providerInputs);
+
+    const expiration = new Date(expireAt).toISOString();
     const { keyspace } = providerInputs;
 
-    try {
-      const expiration = new Date(expireAt).toISOString();
-
-      const renewStatement = handlebars.compile(providerInputs.renewStatement)({
-        username: entityId,
-        keyspace,
-        expiration
-      });
-      const queries = renewStatement.toString().split(";").filter(Boolean);
-      for await (const query of queries) {
-        await client.execute(query);
-      }
-      await client.shutdown();
-      return { entityId };
-    } catch (err) {
-      const tokens = [entityId];
-      if (keyspace) {
-        tokens.push(keyspace);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens
-      });
-      await client.shutdown();
-      throw new BadRequestError({
-        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
-      });
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+      username: entityId,
+      keyspace,
+      expiration
+    });
+    const queries = renewStatement.toString().split(";").filter(Boolean);
+    for await (const query of queries) {
+      await client.execute(query);
     }
+    await client.shutdown();
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/couchbase.ts

@@ -1,289 +0,0 @@
-import crypto from "node:crypto";
-
-import axios from "axios";
-import RE2 from "re2";
-
-import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator/validate-url";
-
-import { DynamicSecretCouchbaseSchema, PasswordRequirements, TDynamicProviderFns } from "./models";
-import { compileUsernameTemplate } from "./templateUtils";
-
-type TCreateCouchbaseUser = {
-  name: string;
-  password: string;
-  access: {
-    privileges: string[];
-    resources: {
-      buckets: {
-        name: string;
-        scopes?: {
-          name: string;
-          collections?: string[];
-        }[];
-      }[];
-    };
-  }[];
-};
-
-type CouchbaseUserResponse = {
-  id: string;
-  uuid?: string;
-};
-
-const sanitizeCouchbaseUsername = (username: string): string => {
-  // Couchbase username restrictions:
-  // - Cannot contain: ) ( > < , ; : " \ / ] [ ? = } {
-  // - Cannot begin with @ character
-
-  const forbiddenCharsPattern = new RE2('[\\)\\(><,;:"\\\\\\[\\]\\?=\\}\\{]', "g");
-  let sanitized = forbiddenCharsPattern.replace(username, "-");
-
-  const leadingAtPattern = new RE2("^@+");
-  sanitized = leadingAtPattern.replace(sanitized, "");
-
-  if (!sanitized || sanitized.length === 0) {
-    return alphaNumericNanoId(12);
-  }
-
-  return sanitized;
-};
-
-/**
- * Normalizes bucket configuration to handle wildcard (*) access consistently.
- *
- * Key behaviors:
- * - If "*" appears anywhere (string or array), grants access to ALL buckets, scopes, and collections
- *
- * @param buckets - Either a string or array of bucket configurations
- * @returns Normalized bucket resources for Couchbase API
- */
-const normalizeBucketConfiguration = (
-  buckets:
-    | string
-    | Array<{
-        name: string;
-        scopes?: Array<{
-          name: string;
-          collections?: string[];
-        }>;
-      }>
-) => {
-  if (typeof buckets === "string") {
-    // Simple string format - either "*" or comma-separated bucket names
-    const bucketNames = buckets
-      .split(",")
-      .map((bucket) => bucket.trim())
-      .filter((bucket) => bucket.length > 0);
-
-    // If "*" is present anywhere, grant access to all buckets, scopes, and collections
-    if (bucketNames.includes("*") || buckets === "*") {
-      return [{ name: "*" }];
-    }
-    return bucketNames.map((bucketName) => ({ name: bucketName }));
-  }
-
-  // Array of bucket objects with scopes and collections
-  // Check if any bucket is "*" - if so, grant access to all buckets, scopes, and collections
-  const hasWildcardBucket = buckets.some((bucket) => bucket.name === "*");
-
-  if (hasWildcardBucket) {
-    return [{ name: "*" }];
-  }
-
-  return buckets.map((bucket) => ({
-    name: bucket.name,
-    scopes: bucket.scopes?.map((scope) => ({
-      name: scope.name,
-      collections: scope.collections || []
-    }))
-  }));
-};
-
-const generateUsername = (usernameTemplate?: string | null, identity?: { name: string }) => {
-  const randomUsername = alphaNumericNanoId(12);
-  if (!usernameTemplate) return sanitizeCouchbaseUsername(randomUsername);
-
-  const compiledUsername = compileUsernameTemplate({
-    usernameTemplate,
-    randomUsername,
-    identity
-  });
-
-  return sanitizeCouchbaseUsername(compiledUsername);
-};
-
-const generatePassword = (requirements?: PasswordRequirements): string => {
-  const {
-    length = 12,
-    required = { lowercase: 1, uppercase: 1, digits: 1, symbols: 1 },
-    allowedSymbols = "!@#$%^()_+-=[]{}:,?/~`"
-  } = requirements || {};
-
-  const lowercase = "abcdefghijklmnopqrstuvwxyz";
-  const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-  const digits = "0123456789";
-  const symbols = allowedSymbols;
-
-  let password = "";
-  let remaining = length;
-
-  // Add required characters
-  for (let i = 0; i < required.lowercase; i += 1) {
-    password += lowercase[crypto.randomInt(lowercase.length)];
-    remaining -= 1;
-  }
-  for (let i = 0; i < required.uppercase; i += 1) {
-    password += uppercase[crypto.randomInt(uppercase.length)];
-    remaining -= 1;
-  }
-  for (let i = 0; i < required.digits; i += 1) {
-    password += digits[crypto.randomInt(digits.length)];
-    remaining -= 1;
-  }
-  for (let i = 0; i < required.symbols; i += 1) {
-    password += symbols[crypto.randomInt(symbols.length)];
-    remaining -= 1;
-  }
-
-  // Fill remaining with random characters from all sets
-  const allChars = lowercase + uppercase + digits + symbols;
-  for (let i = 0; i < remaining; i += 1) {
-    password += allChars[crypto.randomInt(allChars.length)];
-  }
-
-  // Shuffle the password
-  return password
-    .split("")
-    .sort(() => crypto.randomInt(3) - 1)
-    .join("");
-};
-
-const couchbaseApiRequest = async (
-  method: string,
-  url: string,
-  apiKey: string,
-  data?: unknown
-): Promise<CouchbaseUserResponse> => {
-  await blockLocalAndPrivateIpAddresses(url);
-
-  try {
-    const response = await axios({
-      method: method.toLowerCase() as "get" | "post" | "put" | "delete",
-      url,
-      headers: {
-        Authorization: `Bearer ${apiKey}`,
-        "Content-Type": "application/json"
-      },
-      data: data || undefined,
-      timeout: 30000
-    });
-
-    return response.data as CouchbaseUserResponse;
-  } catch (err) {
-    const sanitizedErrorMessage = sanitizeString({
-      unsanitizedString: (err as Error)?.message,
-      tokens: [apiKey]
-    });
-    throw new BadRequestError({
-      message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-    });
-  }
-};
-
-export const CouchbaseProvider = (): TDynamicProviderFns => {
-  const validateProviderInputs = async (inputs: object) => {
-    const providerInputs = DynamicSecretCouchbaseSchema.parse(inputs);
-
-    await blockLocalAndPrivateIpAddresses(providerInputs.url);
-
-    return providerInputs;
-  };
-
-  const validateConnection = async (inputs: unknown): Promise<boolean> => {
-    try {
-      const providerInputs = await validateProviderInputs(inputs as object);
-
-      // Test connection by trying to get organization info
-      const url = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}`;
-      await couchbaseApiRequest("GET", url, providerInputs.auth.apiKey);
-
-      return true;
-    } catch (error) {
-      throw new BadRequestError({
-        message: `Failed to connect to Couchbase: ${error instanceof Error ? error.message : "Unknown error"}`
-      });
-    }
-  };
-
-  const create = async ({
-    inputs,
-    usernameTemplate,
-    identity
-  }: {
-    inputs: unknown;
-    usernameTemplate?: string | null;
-    identity?: { name: string };
-  }) => {
-    const providerInputs = await validateProviderInputs(inputs as object);
-
-    const username = generateUsername(usernameTemplate, identity);
-
-    const password = generatePassword(providerInputs.passwordRequirements);
-
-    const createUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users`;
-
-    const bucketResources = normalizeBucketConfiguration(providerInputs.buckets);
-
-    const userData: TCreateCouchbaseUser = {
-      name: username,
-      password,
-      access: [
-        {
-          privileges: providerInputs.roles,
-          resources: {
-            buckets: bucketResources
-          }
-        }
-      ]
-    };
-
-    const response = await couchbaseApiRequest("POST", createUserUrl, providerInputs.auth.apiKey, userData);
-
-    const userUuid = response?.id || response?.uuid || username;
-
-    return {
-      entityId: userUuid,
-      data: {
-        username,
-        password
-      }
-    };
-  };
-
-  const revoke = async (inputs: unknown, entityId: string) => {
-    const providerInputs = await validateProviderInputs(inputs as object);
-
-    const deleteUserUrl = `${providerInputs.url}/v4/organizations/${providerInputs.orgId}/projects/${providerInputs.projectId}/clusters/${providerInputs.clusterId}/users/${encodeURIComponent(entityId)}`;
-
-    await couchbaseApiRequest("DELETE", deleteUserUrl, providerInputs.auth.apiKey);
-
-    return { entityId };
-  };
-
-  const renew = async (_inputs: unknown, entityId: string) => {
-    // Couchbase Cloud API doesn't support renewing user credentials
-    // The user remains valid until explicitly deleted
-    return { entityId };
-  };
-
-  return {
-    validateProviderInputs,
-    validateConnection,
-    create,
-    revoke,
-    renew
-  };
-};

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -2,8 +2,6 @@ import { Client as ElasticSearchClient } from "@elastic/elasticsearch";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
-import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -65,24 +63,12 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    try {
-      const infoResponse = await connection.info().then(() => true);
-      return infoResponse;
-    } catch (err) {
-      const tokens = [];
-      if (providerInputs.auth.type === ElasticSearchAuthTypes.ApiKey) {
-        tokens.push(providerInputs.auth.apiKey, providerInputs.auth.apiKeyId);
-      } else {
-        tokens.push(providerInputs.auth.username, providerInputs.auth.password);
-      }
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    const infoResponse = await connection
+      .info()
+      .then(() => true)
+      .catch(() => false);
+
+    return infoResponse;
   };
 
   const create = async (data: { inputs: unknown; usernameTemplate?: string | null; identity?: { name: string } }) => {
@@ -93,49 +79,27 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
     const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
 
-    try {
-      await connection.security.putUser({
-        username,
-        password,
-        full_name: "Managed by Infisical.com",
-        roles: providerInputs.roles
-      });
+    await connection.security.putUser({
+      username,
+      password,
+      full_name: "Managed by Infisical.com",
+      roles: providerInputs.roles
+    });
 
-      await connection.close();
-      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [username, password]
-      });
-      await connection.close();
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await connection.close();
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
     const connection = await $getClient(providerInputs);
 
-    try {
-      await connection.security.deleteUser({
-        username: entityId
-      });
+    await connection.security.deleteUser({
+      username: entityId
+    });
 
-      await connection.close();
-      return { entityId };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [entityId]
-      });
-      await connection.close();
-      throw new BadRequestError({
-        message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await connection.close();
+    return { entityId };
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {

backend/src/ee/services/dynamic-secret/providers/gcp-iam.ts

@@ -3,7 +3,6 @@ import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { DynamicSecretGcpIamSchema, TDynamicProviderFns } from "./models";
@@ -66,18 +65,8 @@ export const GcpIamProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    try {
-      await $getToken(providerInputs.serviceAccountEmail, 10);
-      return true;
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.serviceAccountEmail]
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await $getToken(providerInputs.serviceAccountEmail, 10);
+    return true;
   };
 
   const create = async (data: { inputs: unknown; expireAt: number }) => {
@@ -85,23 +74,13 @@ export const GcpIamProvider = (): TDynamicProviderFns => {
 
     const providerInputs = await validateProviderInputs(inputs);
 
-    try {
-      const now = Math.floor(Date.now() / 1000);
-      const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = Math.max(Math.floor(expireAt / 1000) - now, 0);
 
-      const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
-      const entityId = alphaNumericNanoId(32);
+    const token = await $getToken(providerInputs.serviceAccountEmail, ttl);
+    const entityId = alphaNumericNanoId(32);
 
-      return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.serviceAccountEmail]
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return { entityId, data: { SERVICE_ACCOUNT_EMAIL: providerInputs.serviceAccountEmail, TOKEN: token } };
   };
 
   const revoke = async (_inputs: unknown, entityId: string) => {
@@ -110,21 +89,10 @@ export const GcpIamProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
-    try {
-      // To renew a token it must be re-created
-      const data = await create({ inputs, expireAt });
+    // To renew a token it must be re-created
+    const data = await create({ inputs, expireAt });
 
-      return { ...data, entityId };
-    } catch (err) {
-      const providerInputs = await validateProviderInputs(inputs);
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.serviceAccountEmail]
-      });
-      throw new BadRequestError({
-        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return { ...data, entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -3,7 +3,6 @@ import jwt from "jsonwebtoken";
 
 import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 
@@ -90,46 +89,26 @@ export const GithubProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    try {
-      await $generateGitHubInstallationAccessToken(providerInputs);
-      return true;
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await $generateGitHubInstallationAccessToken(providerInputs);
+    return true;
   };
 
   const create = async (data: { inputs: unknown }) => {
     const { inputs } = data;
     const providerInputs = await validateProviderInputs(inputs);
 
-    try {
-      const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
-      const entityId = alphaNumericNanoId(32);
+    const ghTokenData = await $generateGitHubInstallationAccessToken(providerInputs);
+    const entityId = alphaNumericNanoId(32);
 
-      return {
-        entityId,
-        data: {
-          TOKEN: ghTokenData.token,
-          EXPIRES_AT: ghTokenData.expires_at,
-          PERMISSIONS: ghTokenData.permissions,
-          REPOSITORY_SELECTION: ghTokenData.repository_selection
-        }
-      };
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.privateKey, String(providerInputs.appId), String(providerInputs.installationId)]
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return {
+      entityId,
+      data: {
+        TOKEN: ghTokenData.token,
+        EXPIRES_AT: ghTokenData.expires_at,
+        PERMISSIONS: ghTokenData.permissions,
+        REPOSITORY_SELECTION: ghTokenData.repository_selection
+      }
+    };
   };
 
   const revoke = async () => {

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -5,7 +5,6 @@ import { AwsElastiCacheDatabaseProvider } from "./aws-elasticache";
 import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
-import { CouchbaseProvider } from "./couchbase";
 import { ElasticSearchProvider } from "./elastic-search";
 import { GcpIamProvider } from "./gcp-iam";
 import { GithubProvider } from "./github";
@@ -47,6 +46,5 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService }),
   [DynamicSecretProviders.Vertica]: VerticaProvider({ gatewayService }),
   [DynamicSecretProviders.GcpIam]: GcpIamProvider(),
-  [DynamicSecretProviders.Github]: GithubProvider(),
-  [DynamicSecretProviders.Couchbase]: CouchbaseProvider()
+  [DynamicSecretProviders.Github]: GithubProvider()
 });

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -2,8 +2,7 @@ import axios, { AxiosError } from "axios";
 import handlebars from "handlebars";
 import https from "https";
 
-import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { GatewayHttpProxyActions, GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
@@ -357,12 +356,8 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
         errorMessage = (error.response?.data as { message: string }).message;
       }
 
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: errorMessage,
-        tokens: [providerInputs.clusterToken || ""]
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
+      throw new InternalServerError({
+        message: `Failed to validate connection: ${errorMessage}`
       });
     }
   };
@@ -607,12 +602,8 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
         errorMessage = (error.response?.data as { message: string }).message;
       }
 
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: errorMessage,
-        tokens: [providerInputs.clusterToken || ""]
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
+      throw new InternalServerError({
+        message: `Failed to create dynamic secret: ${errorMessage}`
       });
     }
   };
@@ -692,65 +683,50 @@ export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO):
     };
 
     if (providerInputs.credentialType === KubernetesCredentialType.Dynamic) {
-      try {
-        const rawUrl =
-          providerInputs.authMethod === KubernetesAuthMethod.Gateway
-            ? GATEWAY_AUTH_DEFAULT_URL
-            : providerInputs.url || "";
+      const rawUrl =
+        providerInputs.authMethod === KubernetesAuthMethod.Gateway
+          ? GATEWAY_AUTH_DEFAULT_URL
+          : providerInputs.url || "";
 
-        const url = new URL(rawUrl);
-        const k8sGatewayHost = url.hostname;
-        const k8sPort = url.port ? Number(url.port) : 443;
-        const k8sHost = `${url.protocol}//${url.hostname}`;
+      const url = new URL(rawUrl);
+      const k8sGatewayHost = url.hostname;
+      const k8sPort = url.port ? Number(url.port) : 443;
+      const k8sHost = `${url.protocol}//${url.hostname}`;
 
-        const httpsAgent =
-          providerInputs.ca && providerInputs.sslEnabled
-            ? new https.Agent({
-                ca: providerInputs.ca,
-                rejectUnauthorized: true
-              })
-            : undefined;
+      const httpsAgent =
+        providerInputs.ca && providerInputs.sslEnabled
+          ? new https.Agent({
+              ca: providerInputs.ca,
+              rejectUnauthorized: true
+            })
+          : undefined;
 
-        if (providerInputs.gatewayId) {
-          if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
-            await $gatewayProxyWrapper(
-              {
-                gatewayId: providerInputs.gatewayId,
-                targetHost: k8sHost,
-                targetPort: k8sPort,
-                httpsAgent,
-                reviewTokenThroughGateway: true
-              },
-              serviceAccountDynamicCallback
-            );
-          } else {
-            await $gatewayProxyWrapper(
-              {
-                gatewayId: providerInputs.gatewayId,
-                targetHost: k8sGatewayHost,
-                targetPort: k8sPort,
-                httpsAgent,
-                reviewTokenThroughGateway: false
-              },
-              serviceAccountDynamicCallback
-            );
-          }
+      if (providerInputs.gatewayId) {
+        if (providerInputs.authMethod === KubernetesAuthMethod.Gateway) {
+          await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sHost,
+              targetPort: k8sPort,
+              httpsAgent,
+              reviewTokenThroughGateway: true
+            },
+            serviceAccountDynamicCallback
+          );
         } else {
-          await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
+          await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sGatewayHost,
+              targetPort: k8sPort,
+              httpsAgent,
+              reviewTokenThroughGateway: false
+            },
+            serviceAccountDynamicCallback
+          );
         }
-      } catch (error) {
-        let errorMessage = error instanceof Error ? error.message : "Unknown error";
-        if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
-          errorMessage = (error.response?.data as { message: string }).message;
-        }
-
-        const sanitizedErrorMessage = sanitizeString({
-          unsanitizedString: errorMessage,
-          tokens: [entityId, providerInputs.clusterToken || ""]
-        });
-        throw new BadRequestError({
-          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-        });
+      } else {
+        await serviceAccountDynamicCallback(k8sHost, k8sPort, httpsAgent);
       }
     }
 

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -6,7 +6,6 @@ import RE2 from "re2";
 import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
@@ -92,18 +91,8 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    try {
-      const client = await $getClient(providerInputs);
-      return client.connected;
-    } catch (err) {
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: (err as Error)?.message,
-        tokens: [providerInputs.bindpass, providerInputs.binddn]
-      });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    const client = await $getClient(providerInputs);
+    return client.connected;
   };
 
   const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
@@ -216,11 +205,11 @@ export const LdapProvider = (): TDynamicProviderFns => {
     if (providerInputs.credentialType === LdapCredentialType.Static) {
       const dnRegex = new RE2("^dn:\\s*(.+)", "m");
       const dnMatch = dnRegex.exec(providerInputs.rotationLdif);
-      const username = dnMatch?.[1];
-      if (!username) throw new BadRequestError({ message: "Username not found from Ldif" });
-      const password = generatePassword();
 
       if (dnMatch) {
+        const username = dnMatch[1];
+        const password = generatePassword();
+
         const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });
 
         try {
@@ -228,11 +217,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
           return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
         } catch (err) {
-          const sanitizedErrorMessage = sanitizeString({
-            unsanitizedString: (err as Error)?.message,
-            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
-          });
-          throw new BadRequestError({ message: sanitizedErrorMessage });
+          throw new BadRequestError({ message: (err as Error).message });
         }
       } else {
         throw new BadRequestError({
@@ -253,11 +238,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
           const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
           await executeLdif(client, rollbackLdif);
         }
-        const sanitizedErrorMessage = sanitizeString({
-          unsanitizedString: (err as Error)?.message,
-          tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
-        });
-        throw new BadRequestError({ message: sanitizedErrorMessage });
+        throw new BadRequestError({ message: (err as Error).message });
       }
     }
   };
@@ -281,11 +262,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
           return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
         } catch (err) {
-          const sanitizedErrorMessage = sanitizeString({
-            unsanitizedString: (err as Error)?.message,
-            tokens: [username, password, providerInputs.binddn, providerInputs.bindpass]
-          });
-          throw new BadRequestError({ message: sanitizedErrorMessage });
+          throw new BadRequestError({ message: (err as Error).message });
         }
       } else {
         throw new BadRequestError({
@@ -301,7 +278,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
     return { entityId };
   };
 
-  const renew = async (_inputs: unknown, entityId: string) => {
+  const renew = async (inputs: unknown, entityId: string) => {
     // No renewal necessary
     return { entityId };
   };

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -505,91 +505,6 @@ export const DynamicSecretGithubSchema = z.object({
     .describe("The private key generated for your GitHub App.")
 });
 
-export const DynamicSecretCouchbaseSchema = z.object({
-  url: z.string().url().trim().min(1).describe("Couchbase Cloud API URL"),
-  orgId: z.string().trim().min(1).describe("Organization ID"),
-  projectId: z.string().trim().min(1).describe("Project ID"),
-  clusterId: z.string().trim().min(1).describe("Cluster ID"),
-  roles: z.array(z.string().trim().min(1)).min(1).describe("Roles to assign to the user"),
-  buckets: z
-    .union([
-      z
-        .string()
-        .trim()
-        .min(1)
-        .default("*")
-        .refine((val) => {
-          if (val.includes(",")) {
-            const buckets = val
-              .split(",")
-              .map((b) => b.trim())
-              .filter((b) => b.length > 0);
-            if (buckets.includes("*") && buckets.length > 1) {
-              return false;
-            }
-          }
-          return true;
-        }, "Cannot combine '*' with other bucket names"),
-      z
-        .array(
-          z.object({
-            name: z.string().trim().min(1).describe("Bucket name"),
-            scopes: z
-              .array(
-                z.object({
-                  name: z.string().trim().min(1).describe("Scope name"),
-                  collections: z.array(z.string().trim().min(1)).optional().describe("Collection names")
-                })
-              )
-              .optional()
-              .describe("Scopes within the bucket")
-          })
-        )
-        .refine((buckets) => {
-          const hasWildcard = buckets.some((bucket) => bucket.name === "*");
-          if (hasWildcard && buckets.length > 1) {
-            return false;
-          }
-          return true;
-        }, "Cannot combine '*' bucket with other buckets")
-    ])
-    .default("*")
-    .describe(
-      "Bucket configuration: '*' for all buckets, scopes, and collections or array of bucket objects with specific scopes and collections"
-    ),
-  passwordRequirements: z
-    .object({
-      length: z.number().min(8, "Password must be at least 8 characters").max(128),
-      required: z
-        .object({
-          lowercase: z.number().min(1, "At least 1 lowercase character required"),
-          uppercase: z.number().min(1, "At least 1 uppercase character required"),
-          digits: z.number().min(1, "At least 1 digit required"),
-          symbols: z.number().min(1, "At least 1 special character required")
-        })
-        .refine((data) => {
-          const total = Object.values(data).reduce((sum, count) => sum + count, 0);
-          return total <= 128;
-        }, "Sum of required characters cannot exceed 128"),
-      allowedSymbols: z
-        .string()
-        .refine((symbols) => {
-          const forbiddenChars = ["<", ">", ";", ".", "*", "&", "|", "£"];
-          return !forbiddenChars.some((char) => symbols?.includes(char));
-        }, "Cannot contain: < > ; . * & | £")
-        .optional()
-    })
-    .refine((data) => {
-      const total = Object.values(data.required).reduce((sum, count) => sum + count, 0);
-      return total <= data.length;
-    }, "Sum of required characters cannot exceed the total length")
-    .optional()
-    .describe("Password generation requirements for Couchbase"),
-  auth: z.object({
-    apiKey: z.string().trim().min(1).describe("Couchbase Cloud API Key")
-  })
-});
-
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -609,8 +524,7 @@ export enum DynamicSecretProviders {
   Kubernetes = "kubernetes",
   Vertica = "vertica",
   GcpIam = "gcp-iam",
-  Github = "github",
-  Couchbase = "couchbase"
+  Github = "github"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -632,8 +546,7 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Vertica), inputs: DynamicSecretVerticaSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.GcpIam), inputs: DynamicSecretGcpIamSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Couchbase), inputs: DynamicSecretCouchbaseSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Github), inputs: DynamicSecretGithubSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts

@@ -3,8 +3,6 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
 import { createDigestAuthRequestInterceptor } from "@app/lib/axios/digest-auth";
-import { BadRequestError } from "@app/lib/errors";
-import { sanitizeString } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
 import { DynamicSecretMongoAtlasSchema, TDynamicProviderFns } from "./models";
@@ -51,25 +49,19 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await $getClient(providerInputs);
 
-    try {
-      const isConnected = await client({
-        method: "GET",
-        url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
-        params: { itemsPerPage: 1 }
-      }).then(() => true);
-      return isConnected;
-    } catch (error) {
-      const errorMessage = (error as AxiosError).response
-        ? JSON.stringify((error as AxiosError).response?.data)
-        : (error as Error)?.message;
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: errorMessage,
-        tokens: [providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
+    const isConnected = await client({
+      method: "GET",
+      url: `v2/groups/${providerInputs.groupId}/databaseUsers`,
+      params: { itemsPerPage: 1 }
+    })
+      .then(() => true)
+      .catch((error) => {
+        if ((error as AxiosError).response) {
+          throw new Error(JSON.stringify((error as AxiosError).response?.data));
+        }
+        throw error;
       });
-      throw new BadRequestError({
-        message: `Failed to connect with provider: ${sanitizedErrorMessage}`
-      });
-    }
+    return isConnected;
   };
 
   const create = async (data: {
@@ -85,39 +77,25 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     const username = generateUsername(usernameTemplate, identity);
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
-    try {
-      await client({
-        method: "POST",
-        url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
-        data: {
-          roles: providerInputs.roles,
-          scopes: providerInputs.scopes,
-          deleteAfterDate: expiration,
-          username,
-          password,
-          databaseName: "admin",
-          groupId: providerInputs.groupId
-        }
-      });
-      return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
-    } catch (error) {
-      const errorMessage = (error as AxiosError).response
-        ? JSON.stringify((error as AxiosError).response?.data)
-        : (error as Error)?.message;
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: errorMessage,
-        tokens: [
-          username,
-          password,
-          providerInputs.adminPublicKey,
-          providerInputs.adminPrivateKey,
-          providerInputs.groupId
-        ]
-      });
-      throw new BadRequestError({
-        message: `Failed to create lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await client({
+      method: "POST",
+      url: `/v2/groups/${providerInputs.groupId}/databaseUsers`,
+      data: {
+        roles: providerInputs.roles,
+        scopes: providerInputs.scopes,
+        deleteAfterDate: expiration,
+        username,
+        password,
+        databaseName: "admin",
+        groupId: providerInputs.groupId
+      }
+    }).catch((error) => {
+      if ((error as AxiosError).response) {
+        throw new Error(JSON.stringify((error as AxiosError).response?.data));
+      }
+      throw error;
+    });
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
@@ -133,23 +111,15 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
       throw err;
     });
     if (isExisting) {
-      try {
-        await client({
-          method: "DELETE",
-          url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
-        });
-      } catch (error) {
-        const errorMessage = (error as AxiosError).response
-          ? JSON.stringify((error as AxiosError).response?.data)
-          : (error as Error)?.message;
-        const sanitizedErrorMessage = sanitizeString({
-          unsanitizedString: errorMessage,
-          tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
-        });
-        throw new BadRequestError({
-          message: `Failed to revoke lease from provider: ${sanitizedErrorMessage}`
-        });
-      }
+      await client({
+        method: "DELETE",
+        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`
+      }).catch((error) => {
+        if ((error as AxiosError).response) {
+          throw new Error(JSON.stringify((error as AxiosError).response?.data));
+        }
+        throw error;
+      });
     }
 
     return { entityId: username };
@@ -162,29 +132,21 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     const username = entityId;
     const expiration = new Date(expireAt).toISOString();
 
-    try {
-      await client({
-        method: "PATCH",
-        url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
-        data: {
-          deleteAfterDate: expiration,
-          databaseName: "admin",
-          groupId: providerInputs.groupId
-        }
-      });
-      return { entityId: username };
-    } catch (error) {
-      const errorMessage = (error as AxiosError).response
-        ? JSON.stringify((error as AxiosError).response?.data)
-        : (error as Error)?.message;
-      const sanitizedErrorMessage = sanitizeString({
-        unsanitizedString: errorMessage,
-        tokens: [username, providerInputs.adminPublicKey, providerInputs.adminPrivateKey, providerInputs.groupId]
-      });
-      throw new BadRequestError({
-        message: `Failed to renew lease from provider: ${sanitizedErrorMessage}`
-      });
-    }
+    await client({
+      method: "PATCH",
+      url: `/v2/groups/${providerInputs.groupId}/databaseUsers/admin/${username}`,
+      data: {
+        deleteAfterDate: expiration,
+        databaseName: "admin",
+        groupId: providerInputs.groupId
+      }
+    }).catch((error) => {
+      if ((error as AxiosError).response) {
+        throw new Error(JSON.stringify((error as AxiosError).response?.data));
+      }
+      throw error;
+    });
+    return { entityId: username };
   };
 
   return {