misc: sheen hackathon

backend/package-lock.json

@@ -84,6 +84,7 @@
         "nanoid": "^3.3.8",
         "nodemailer": "^6.9.9",
         "odbc": "^2.4.9",
+        "openai": "^4.85.4",
         "openid-client": "^5.6.5",
         "ora": "^7.0.1",
         "oracledb": "^6.4.0",
@@ -11747,6 +11748,17 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
+    "node_modules/agentkeepalive": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/agentkeepalive/-/agentkeepalive-4.6.0.tgz",
+      "integrity": "sha512-kja8j7PjmncONqaTsB8fQ+wE2mSU2DJ9D4XKoJ5PFWIdRMa6SLSN1ff4mOr4jCbfRSsxR4keIiySJU0N9T5hIQ==",
+      "dependencies": {
+        "humanize-ms": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 8.0.0"
+      }
+    },
     "node_modules/aggregate-error": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.1.0.tgz",
@@ -14897,6 +14909,23 @@
         "node": ">= 6"
       }
     },
+    "node_modules/form-data-encoder": {
+      "version": "1.7.2",
+      "resolved": "https://registry.npmjs.org/form-data-encoder/-/form-data-encoder-1.7.2.tgz",
+      "integrity": "sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A=="
+    },
+    "node_modules/formdata-node": {
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/formdata-node/-/formdata-node-4.4.1.tgz",
+      "integrity": "sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==",
+      "dependencies": {
+        "node-domexception": "1.0.0",
+        "web-streams-polyfill": "4.0.0-beta.3"
+      },
+      "engines": {
+        "node": ">= 12.20"
+      }
+    },
     "node_modules/forwarded": {
       "version": "0.2.0",
       "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
@@ -15951,6 +15980,14 @@
         "node": ">=10.17.0"
       }
     },
+    "node_modules/humanize-ms": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/humanize-ms/-/humanize-ms-1.2.1.tgz",
+      "integrity": "sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ==",
+      "dependencies": {
+        "ms": "^2.0.0"
+      }
+    },
     "node_modules/iconv-lite": {
       "version": "0.6.3",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
@@ -17892,6 +17929,24 @@
       "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-5.1.0.tgz",
       "integrity": "sha512-eh0GgfEkpnoWDq+VY8OyvYhFEzBk6jIYbRKdIlyTiAXIVJ8PyBaKb0rp7oDtoddbdoHWhq8wwr+XZ81F1rpNdA=="
     },
+    "node_modules/node-domexception": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
+      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/jimmywarting"
+        },
+        {
+          "type": "github",
+          "url": "https://paypal.me/jimmywarting"
+        }
+      ],
+      "engines": {
+        "node": ">=10.5.0"
+      }
+    },
     "node_modules/node-fetch": {
       "version": "2.7.0",
       "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
@@ -18444,6 +18499,43 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/openai": {
+      "version": "4.85.4",
+      "resolved": "https://registry.npmjs.org/openai/-/openai-4.85.4.tgz",
+      "integrity": "sha512-Nki51PBSu+Aryo7WKbdXvfm0X/iKkQS2fq3O0Uqb/O3b4exOZFid2te1BZ52bbO5UwxQZ5eeHJDCTqtrJLPw0w==",
+      "dependencies": {
+        "@types/node": "^18.11.18",
+        "@types/node-fetch": "^2.6.4",
+        "abort-controller": "^3.0.0",
+        "agentkeepalive": "^4.2.1",
+        "form-data-encoder": "1.7.2",
+        "formdata-node": "^4.3.2",
+        "node-fetch": "^2.6.7"
+      },
+      "bin": {
+        "openai": "bin/cli"
+      },
+      "peerDependencies": {
+        "ws": "^8.18.0",
+        "zod": "^3.23.8"
+      },
+      "peerDependenciesMeta": {
+        "ws": {
+          "optional": true
+        },
+        "zod": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/openai/node_modules/@types/node": {
+      "version": "18.19.76",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.76.tgz",
+      "integrity": "sha512-yvR7Q9LdPz2vGpmpJX5LolrgRdWvB67MJKDPSgIIzpFbaf9a1j/f5DnLp5VDyHGMR0QZHlTr1afsD87QCXFHKw==",
+      "dependencies": {
+        "undici-types": "~5.26.4"
+      }
+    },
     "node_modules/openapi-types": {
       "version": "12.1.3",
       "resolved": "https://registry.npmjs.org/openapi-types/-/openapi-types-12.1.3.tgz",
@@ -23790,6 +23882,14 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/web-streams-polyfill": {
+      "version": "4.0.0-beta.3",
+      "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-4.0.0-beta.3.tgz",
+      "integrity": "sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==",
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/webidl-conversions": {
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
@@ -24282,9 +24382,9 @@
       }
     },
     "node_modules/zod": {
-      "version": "3.22.4",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.4.tgz",
-      "integrity": "sha512-iC+8Io04lddc+mVqQ9AZ7OQ2MrUKGN+oIQyq1vemgt46jwCwLfhq7/pwnBnNXXXZb8VTVLKwp9EDkx+ryxIWmg==",
+      "version": "3.24.2",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.24.2.tgz",
+      "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ==",
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }

backend/package.json

@@ -192,6 +192,7 @@
     "nanoid": "^3.3.8",
     "nodemailer": "^6.9.9",
     "odbc": "^2.4.9",
+    "openai": "^4.85.4",
     "openid-client": "^5.6.5",
     "ora": "^7.0.1",
     "oracledb": "^6.4.0",

backend/src/@types/fastify.d.ts

@@ -45,6 +45,7 @@ import { TAuthPasswordFactory } from "@app/services/auth/auth-password-service";
 import { TAuthSignupFactory } from "@app/services/auth/auth-signup-service";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TAutomatedSecurityServiceFactory } from "@app/services/automated-security/automated-security-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
@@ -228,6 +229,7 @@ declare module "fastify" {
       secretSync: TSecretSyncServiceFactory;
       kmip: TKmipServiceFactory;
       kmipOperation: TKmipOperationServiceFactory;
+      automatedSecurity: TAutomatedSecurityServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -29,6 +29,9 @@ import {
   TAuthTokenSessionsUpdate,
   TAuthTokensInsert,
   TAuthTokensUpdate,
+  TAutomatedSecurityReports,
+  TAutomatedSecurityReportsInsert,
+  TAutomatedSecurityReportsUpdate,
   TBackupPrivateKey,
   TBackupPrivateKeyInsert,
   TBackupPrivateKeyUpdate,
@@ -113,6 +116,9 @@ import {
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
+  TIdentityProfile,
+  TIdentityProfileInsert,
+  TIdentityProfileUpdate,
   TIdentityProjectAdditionalPrivilege,
   TIdentityProjectAdditionalPrivilegeInsert,
   TIdentityProjectAdditionalPrivilegeUpdate,
@@ -930,5 +936,15 @@ declare module "knex/types/tables" {
       TKmipClientCertificatesInsert,
       TKmipClientCertificatesUpdate
     >;
+    [TableName.IdentityProfile]: KnexOriginal.CompositeTableType<
+      TIdentityProfile,
+      TIdentityProfileInsert,
+      TIdentityProfileUpdate
+    >;
+    [TableName.AutomatedSecurityReports]: KnexOriginal.CompositeTableType<
+      TAutomatedSecurityReports,
+      TAutomatedSecurityReportsInsert,
+      TAutomatedSecurityReportsUpdate
+    >;
   }
 }

backend/src/db/migrations/20250224015833_identity-profile.ts

@@ -0,0 +1,53 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityProfile))) {
+    await knex.schema.createTable(TableName.IdentityProfile, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("userId");
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.uuid("identityId");
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+
+      t.text("temporalProfile").notNullable(); // access pattern or frequency
+      t.text("scopeProfile").notNullable(); // scope of usage - are they accessing development environment secrets. which paths? are they doing mainly admin work?
+      t.text("usageProfile").notNullable(); // method of usage
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.IdentityProfile);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.AutomatedSecurityReports))) {
+    await knex.schema.createTable(TableName.AutomatedSecurityReports, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("profileId").notNullable();
+      t.foreign("profileId").references("id").inTable(TableName.IdentityProfile).onDelete("CASCADE");
+
+      t.jsonb("event").notNullable();
+
+      t.string("remarks").notNullable();
+      t.string("severity").notNullable();
+      t.string("status").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.AutomatedSecurityReports);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityProfile);
+
+  await knex.schema.dropTableIfExists(TableName.AutomatedSecurityReports);
+}

backend/src/db/schemas/automated-security-reports.ts

@@ -0,0 +1,25 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const AutomatedSecurityReportsSchema = z.object({
+  id: z.string().uuid(),
+  profileId: z.string().uuid(),
+  event: z.unknown(),
+  remarks: z.string(),
+  severity: z.string(),
+  status: z.string(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TAutomatedSecurityReports = z.infer<typeof AutomatedSecurityReportsSchema>;
+export type TAutomatedSecurityReportsInsert = Omit<z.input<typeof AutomatedSecurityReportsSchema>, TImmutableDBKeys>;
+export type TAutomatedSecurityReportsUpdate = Partial<
+  Omit<z.input<typeof AutomatedSecurityReportsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/identity-profile.ts

@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityProfileSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional(),
+  identityId: z.string().uuid().nullable().optional(),
+  temporalProfile: z.string(),
+  scopeProfile: z.string(),
+  usageProfile: z.string(),
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityProfile = z.infer<typeof IdentityProfileSchema>;
+export type TIdentityProfileInsert = Omit<z.input<typeof IdentityProfileSchema>, TImmutableDBKeys>;
+export type TIdentityProfileUpdate = Partial<Omit<z.input<typeof IdentityProfileSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -7,6 +7,7 @@ export * from "./audit-log-streams";
 export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
+export * from "./automated-security-reports";
 export * from "./backup-private-key";
 export * from "./certificate-authorities";
 export * from "./certificate-authority-certs";
@@ -35,6 +36,7 @@ export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
+export * from "./identity-profile";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";

backend/src/db/schemas/models.ts

@@ -80,6 +80,8 @@ export enum TableName {
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
+  IdentityProfile = "identity_profile",
+  AutomatedSecurityReports = "automated_security_reports",
   ResourceMetadata = "resource_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",

backend/src/ee/services/license/license-fns.ts

@@ -25,8 +25,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   customRateLimits: false,
   customAlerts: false,
   secretAccessInsights: false,
-  auditLogs: false,
-  auditLogsRetentionDays: 0,
+  auditLogs: true,
+  auditLogsRetentionDays: 3,
   auditLogStreams: false,
   auditLogStreamLimit: 3,
   samlSSO: false,

backend/src/lib/config/env.ts

@@ -228,7 +228,9 @@ const envSchema = z
           if (!val) return undefined;
           return JSON.parse(val) as string[];
         })
-    )
+    ),
+
+    AI_API_KEY: zpStr(z.string().optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(

backend/src/queue/queue-service.ts

@@ -39,6 +39,7 @@ export enum QueueName {
   DynamicSecretRevocation = "dynamic-secret-revocation",
   CaCrlRotation = "ca-crl-rotation",
   SecretReplication = "secret-replication",
+  AutomatedSecurity = "automated-security",
   SecretSync = "secret-sync", // parent queue to push integration sync, webhook, and secret replication
   ProjectV3Migration = "project-v3-migration",
   AccessTokenStatusUpdate = "access-token-status-update",
@@ -72,7 +73,8 @@ export enum QueueJobs {
   SecretSyncSyncSecrets = "secret-sync-sync-secrets",
   SecretSyncImportSecrets = "secret-sync-import-secrets",
   SecretSyncRemoveSecrets = "secret-sync-remove-secrets",
-  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications"
+  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications",
+  ProfileIdentity = "profile-identity"
 }
 
 export type TQueueJobTypes = {
@@ -195,6 +197,10 @@ export type TQueueJobTypes = {
       };
     };
   };
+  [QueueName.AutomatedSecurity]: {
+    name: QueueJobs.ProfileIdentity;
+    payload: undefined;
+  };
   [QueueName.AppConnectionSecretSync]:
     | {
         name: QueueJobs.SecretSyncSyncSecrets;

backend/src/server/routes/index.ts

@@ -105,6 +105,9 @@ import { authPaswordServiceFactory } from "@app/services/auth/auth-password-serv
 import { authSignupServiceFactory } from "@app/services/auth/auth-signup-service";
 import { tokenDALFactory } from "@app/services/auth-token/auth-token-dal";
 import { tokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { automatedSecurityReportDALFactory } from "@app/services/automated-security/automated-security-report-dal";
+import { automatedSecurityServiceFactory } from "@app/services/automated-security/automated-security-service";
+import { identityProfileDALFactory } from "@app/services/automated-security/identity-profile-dal";
 import { certificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { certificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { certificateServiceFactory } from "@app/services/certificate/certificate-service";
@@ -392,6 +395,8 @@ export const registerRoutes = async (
   const kmipClientCertificateDAL = kmipClientCertificateDALFactory(db);
   const kmipOrgConfigDAL = kmipOrgConfigDALFactory(db);
   const kmipOrgServerCertificateDAL = kmipOrgServerCertificateDALFactory(db);
+  const automatedSecurityReportDAL = automatedSecurityReportDALFactory(db);
+  const identityProfileDAL = identityProfileDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -1242,6 +1247,7 @@ export const registerRoutes = async (
     permissionService,
     licenseService
   });
+
   const identityUaService = identityUaServiceFactory({
     identityOrgMembershipDAL,
     permissionService,
@@ -1250,6 +1256,7 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
+
   const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
     identityKubernetesAuthDAL,
     identityOrgMembershipDAL,
@@ -1457,6 +1464,15 @@ export const registerRoutes = async (
     permissionService
   });
 
+  const automatedSecurityService = automatedSecurityServiceFactory({
+    auditLogDAL,
+    automatedSecurityReportDAL,
+    identityProfileDAL,
+    orgDAL,
+    queueService,
+    permissionService
+  });
+
   await superAdminService.initServerCfg();
 
   // setup the communication with license key server
@@ -1557,7 +1573,8 @@ export const registerRoutes = async (
     appConnection: appConnectionService,
     secretSync: secretSyncService,
     kmip: kmipService,
-    kmipOperation: kmipOperationService
+    kmipOperation: kmipOperationService,
+    automatedSecurity: automatedSecurityService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/automated-security-router.ts

@@ -0,0 +1,72 @@
+import z from "zod";
+
+import { AutomatedSecurityReportsSchema } from "@app/db/schemas";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerAutomatedSecurityRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/trigger",
+    handler: async () => {
+      return server.services.automatedSecurity.processSecurityJob();
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/reports",
+    schema: {
+      response: {
+        200: AutomatedSecurityReportsSchema.extend({
+          userId: z.string().nullish(),
+          name: z.string().nullish()
+        }).array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      return server.services.automatedSecurity.getReports(req.permission.orgId);
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/reports/:id/status",
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: AutomatedSecurityReportsSchema.extend({
+          userId: z.string().nullish(),
+          name: z.string().nullish()
+        }).array()
+      },
+      body: z.object({
+        status: z.enum(["ignored", "resolved"])
+      })
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      return server.services.automatedSecurity.patchSecurityReportStatus(req.params.id, req.body.status);
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/project-permission/analyze",
+    schema: {
+      body: z.object({
+        projectId: z.string(),
+        userId: z.string()
+      }),
+      response: {
+        200: z.any()
+      }
+    },
+    handler: async (req) => {
+      return server.services.automatedSecurity.analyzeIdentityProjectPermission(req.body.userId, req.body.projectId);
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -8,6 +8,7 @@ import { registerSecretSyncRouter, SECRET_SYNC_REGISTER_ROUTER_MAP } from "@app/
 
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
+import { registerAutomatedSecurityRouter } from "./automated-security-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerCaRouter } from "./certificate-authority-router";
 import { registerCertRouter } from "./certificate-router";
@@ -141,4 +142,6 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     },
     { prefix: "/secret-syncs" }
   );
+
+  await server.register(registerAutomatedSecurityRouter, { prefix: "/automated-security" });
 };

backend/src/services/automated-security/automated-security-report-dal.ts

@@ -0,0 +1,49 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TAutomatedSecurityReportDALFactory = ReturnType<typeof automatedSecurityReportDALFactory>;
+
+export const automatedSecurityReportDALFactory = (db: TDbClient) => {
+  const automatedSecurityReportOrm = ormify(db, TableName.AutomatedSecurityReports);
+
+  const findByOrg = (orgId: string, status = "pending") => {
+    return db(TableName.AutomatedSecurityReports)
+      .join(
+        TableName.IdentityProfile,
+        `${TableName.IdentityProfile}.id`,
+        `${TableName.AutomatedSecurityReports}.profileId`
+      )
+      .join(TableName.Users, `${TableName.Users}.id`, `${TableName.IdentityProfile}.userId`)
+      .where(`${TableName.IdentityProfile}.orgId`, "=", orgId)
+      .where(`${TableName.AutomatedSecurityReports}.status`, "=", status)
+      .select(
+        selectAllTableCols(TableName.AutomatedSecurityReports),
+        db.ref("userId").withSchema(TableName.IdentityProfile).as("userId"),
+        db.ref("email").withSchema(TableName.Users).as("name")
+      );
+  };
+
+  const findById = (id: string) => {
+    return db(TableName.AutomatedSecurityReports)
+      .join(
+        TableName.IdentityProfile,
+        `${TableName.IdentityProfile}.id`,
+        `${TableName.AutomatedSecurityReports}.profileId`
+      )
+      .join(TableName.Users, `${TableName.Users}.id`, `${TableName.IdentityProfile}.userId`)
+      .where(`${TableName.AutomatedSecurityReports}.id`, "=", id)
+      .select(
+        selectAllTableCols(TableName.AutomatedSecurityReports),
+        selectAllTableCols(TableName.IdentityProfile),
+        db.ref("email").withSchema(TableName.Users).as("name")
+      )
+      .first();
+  };
+
+  return {
+    ...automatedSecurityReportOrm,
+    findByOrg,
+    findById
+  };
+};

backend/src/services/automated-security/automated-security-service.ts

@@ -0,0 +1,540 @@
+import { OpenAI } from "openai";
+import { zodResponseFormat } from "openai/helpers/zod";
+import z from "zod";
+
+import { ActionProjectType, TAuditLogs } from "@app/db/schemas";
+import { TAuditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+
+import { AuthMethod } from "../auth/auth-type";
+import { TOrgDALFactory } from "../org/org-dal";
+import { TAutomatedSecurityReportDALFactory } from "./automated-security-report-dal";
+import { TIdentityProfileDALFactory } from "./identity-profile-dal";
+
+type TAutomatedSecurityServiceFactoryDep = {
+  auditLogDAL: TAuditLogDALFactory;
+  automatedSecurityReportDAL: TAutomatedSecurityReportDALFactory;
+  permissionService: TPermissionServiceFactory;
+  identityProfileDAL: TIdentityProfileDALFactory;
+  queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById" | "stopRepeatableJob">;
+  orgDAL: TOrgDALFactory;
+};
+
+export type TAutomatedSecurityServiceFactory = ReturnType<typeof automatedSecurityServiceFactory>;
+
+export const ProfileIdentityResponseSchema = z.object({
+  temporalProfile: z.string(),
+  scopeProfile: z.string(),
+  usageProfile: z.string()
+});
+
+enum AnomalySeverity {
+  LOW = "LOW",
+  MEDIUM = "MEDIUM",
+  HIGH = "HIGH",
+  NONE = "NONE"
+}
+
+export const AnomalyResponseSchema = z.object({
+  results: z
+    .object({
+      auditLogId: z.string(),
+      reason: z.string(),
+      severity: z.nativeEnum(AnomalySeverity),
+      isAnomalous: z.boolean()
+    })
+    .array()
+});
+
+export const CaslRuleAnalysisSchema = z.object({
+  results: z
+    .object({
+      rule: z.string(),
+      classification: z.string(),
+      justification: z.string()
+    })
+    .array()
+});
+
+export const automatedSecurityServiceFactory = ({
+  auditLogDAL,
+  automatedSecurityReportDAL,
+  identityProfileDAL,
+  permissionService,
+  queueService,
+  orgDAL
+}: TAutomatedSecurityServiceFactoryDep) => {
+  const getReports = async (orgId: string) => {
+    const automatedReports = await automatedSecurityReportDAL.findByOrg(orgId, "pending");
+
+    return automatedReports;
+  };
+
+  const patchSecurityReportStatus = async (id: string, status: "resolved" | "ignored") => {
+    const appCfg = getConfig();
+
+    const securityReport = await automatedSecurityReportDAL.findById(id);
+    if (!securityReport) {
+      throw new NotFoundError({
+        message: "Cannot find security report"
+      });
+    }
+
+    if (status === "ignored") {
+      const openAiClient = new OpenAI({
+        apiKey: appCfg.AI_API_KEY
+      });
+
+      const profileResponse = await openAiClient.beta.chat.completions.parse({
+        model: "gpt-4o",
+        messages: [
+          {
+            role: "system",
+            content: `You are a security behavior analysis system that builds and maintains behavioral profiles.
+                            Your task is to analyze security events and prior profile information to generate cumulative profiles.
+                            Focus on three aspects:
+                            1. Temporal patterns (WHEN/HOW OFTEN)
+                            2. Scope patterns (WHAT/WHERE)
+                            3. Usage patterns (HOW)
+      
+                            Build comprehensive profiles:
+                            - Each profile should be 5-7 sentences to capture both established and emerging patterns
+                            - Core patterns get 1-2 sentences
+                            - Notable exceptions get 1-2 sentences
+                            - Emerging behaviors get 1-2 sentences
+                            - Key correlations get 1 sentence
+                            
+                            Build profiles incrementally:
+                            - ALWAYS retain existing profile information unless directly contradicted
+                            - Add ANY new observed patterns, even from limited samples
+                            - Mark patterns as "emerging" if based on few observations
+                            - Use qualifiers like "occasionally" or "sometimes" for sparse patterns
+                            - Never dismiss patterns as insignificant due to sample size
+                            - Maintain history of both frequent and rare behaviors
+      
+                            When updating profiles:
+                            - Keep all historical patterns unless explicitly contradicted
+                            - Add new patterns with appropriate frequency qualifiers
+                            - Note both common and occasional behaviors
+                            - Use tentative language for new patterns ("appears to", "beginning to")
+                            - Highlight any changes or new observations
+                                          
+                            
+                            Remember that dates being passed in are in ISO format`
+          },
+          {
+            role: "user",
+            content: `Current behavioral profiles:
+                          ${JSON.stringify(
+                            {
+                              temporalProfile: securityReport.temporalProfile,
+                              scopeProfile: securityReport.scopeProfile,
+                              usageProfile: securityReport.usageProfile
+                            },
+                            null,
+                            2
+                          )}
+                    
+                          New security event to analyze:
+                          ${JSON.stringify(securityReport.event)}
+                    
+                          Generate updated profiles that preserve ALL existing patterns and add new observations.
+                          Use appropriate qualifiers for frequency but include all behaviors.
+                          
+                          Return exactly in this format:
+                          temporalProfile: "..."
+                          scopeProfile: "..."
+                          usageProfile: "..."`
+          }
+        ],
+        response_format: zodResponseFormat(ProfileIdentityResponseSchema, "profile_identity_response_schema")
+      });
+
+      const parsedResponse = profileResponse.choices[0].message.parsed;
+
+      await identityProfileDAL.updateById(securityReport.profileId, {
+        temporalProfile: parsedResponse?.temporalProfile ?? "",
+        usageProfile: parsedResponse?.usageProfile ?? "",
+        scopeProfile: parsedResponse?.scopeProfile ?? ""
+      });
+    }
+
+    await automatedSecurityReportDAL.updateById(id, {
+      status
+    });
+  };
+
+  const processSecurityJob = async () => {
+    const appCfg = getConfig();
+    const orgs = await orgDAL.find({
+      id: "1edc8c6e-8a39-499e-89a2-5d26149149cb"
+    });
+
+    await Promise.allSettled(
+      orgs.map(async (org) => {
+        const orgUsers = await orgDAL.findAllOrgMembers(org.id);
+
+        const dateNow = new Date();
+        const startDate = new Date(dateNow);
+
+        startDate.setMinutes(dateNow.getMinutes() - 30);
+
+        await Promise.all(
+          orgUsers.map(async (orgUser) => {
+            try {
+              const openAiClient = new OpenAI({
+                apiKey: appCfg.AI_API_KEY
+              });
+
+              const auditLogEvents = await auditLogDAL.find({
+                actorId: orgUser.user.id,
+                orgId: org.id,
+                startDate: startDate.toISOString(),
+                limit: 100
+              });
+
+              if (!auditLogEvents.length) {
+                return;
+              }
+
+              let normalEvents: TAuditLogs[] = auditLogEvents;
+
+              const identityProfile = await identityProfileDAL.transaction(async (tx) => {
+                const profile = await identityProfileDAL.findOne(
+                  {
+                    userId: orgUser.user.id
+                  },
+                  tx
+                );
+
+                if (!profile) {
+                  return identityProfileDAL.create(
+                    {
+                      userId: orgUser.user.id,
+                      temporalProfile: "",
+                      usageProfile: "",
+                      scopeProfile: "",
+                      orgId: org.id
+                    },
+                    tx
+                  );
+                }
+
+                return profile;
+              });
+
+              if (identityProfile.usageProfile && identityProfile.scopeProfile && identityProfile.temporalProfile) {
+                logger.info("Checking for anomalies...");
+                const anomalyResponse = await openAiClient.beta.chat.completions.parse({
+                  model: "gpt-4o",
+                  messages: [
+                    {
+                      role: "system",
+                      content: `
+                        You are a security analysis system that uses behavioral profiles to identify potentially suspicious activity for an identity.
+                
+                        Understanding Identity Profiles:
+                        - Temporal Profile: When and how frequently the identity normally operates
+                        - Scope Profile: What resources and permissions the identity typically uses
+                        - Usage Profile: How the identity normally interacts with systems
+                
+                        Security Analysis Rules:
+                        HIGH Severity - Clear security concerns:
+                        - Actions well outside the identity's normal scope of access
+                        - Resource access patterns suggesting compromise
+                        - Violation of critical security boundaries
+                        
+                        MEDIUM Severity - Requires investigation:
+                        - Significant expansion of identity's normal access patterns
+                        - Unusual combination of valid permissions
+                        - Behavior suggesting possible credential misuse
+                        
+                        NONE Severity (Default) - Expected behavior:
+                        - Actions within established identity patterns
+                        - Minor variations in normal behavior
+                        - Business-justified changes in access patterns
+                        - New but authorized behavior extensions
+                
+                        Note: LOW severity should not be used - an action either 
+                        indicates a security concern (HIGH/MEDIUM) or it doesn't (NONE).
+                
+                        Analysis Process:
+                        1. Compare event against identity's established profiles
+                        2. Evaluate if deviations suggest potential security risks
+                        3. Consider business context and authorization
+                        4. Mark as anomalous ONLY if the deviation suggests security risk`
+                    },
+                    {
+                      role: "user",
+                      content: `Given these established behavioral profiles for an identity:
+                
+                temporalProfile: "${identityProfile.temporalProfile}"
+                scopeProfile: "${identityProfile.scopeProfile}"
+                usageProfile: "${identityProfile.usageProfile}"
+                
+                Analyze these events for anomalies:
+                ${JSON.stringify(auditLogEvents, null, 2)}
+                      
+                Return response in this exact JSON format:
+                { results: [
+                    {
+                      "auditLogId": "event-123",
+                      "isAnomalous": false,
+                      "reason": "",
+                      "severity": "NONE"
+                    },
+                    {
+                      "auditLogId": "event-124",
+                      "isAnomalous": true,
+                      "reason": "Accessing production secrets outside business hours",
+                      "severity": "HIGH"
+                    }
+                  ]}
+                  `
+                    }
+                  ],
+                  response_format: zodResponseFormat(AnomalyResponseSchema, "anomaly_response_schema")
+                });
+
+                const parsedAnomalyResponse = anomalyResponse.choices[0].message.parsed;
+                const anomalyEvents = parsedAnomalyResponse?.results?.filter((val) => val.isAnomalous);
+                console.log("ANOMALY EVENTS:", anomalyEvents);
+
+                const anomalyEventMap = anomalyEvents?.reduce((accum, item) => {
+                  return { ...accum, [item.auditLogId]: item };
+                }, {}) as {
+                  [x: string]: {
+                    reason: string;
+                    severity: string;
+                  };
+                };
+
+                const anomalousEventIds = anomalyEvents?.map((evt) => evt.auditLogId);
+                normalEvents = auditLogEvents.filter((evt) => !anomalousEventIds?.includes(evt.id));
+
+                await Promise.all(
+                  (auditLogEvents ?? [])?.map(async (evt) => {
+                    const anomalyDetails = anomalyEventMap[evt.id];
+                    if (!anomalyDetails) {
+                      return;
+                    }
+
+                    await automatedSecurityReportDAL.create({
+                      status: "pending",
+                      profileId: identityProfile.id,
+                      remarks: anomalyDetails.reason,
+                      severity: anomalyDetails.severity,
+                      event: JSON.stringify(evt, null, 2)
+                    });
+                  })
+                );
+              }
+
+              console.log("Calibrating identity profile");
+              // profile identity
+              const profileResponse = await openAiClient.beta.chat.completions.parse({
+                model: "gpt-4o",
+                messages: [
+                  {
+                    role: "system",
+                    content: `You are a security behavior analysis system that builds and maintains behavioral profiles.
+                      Your task is to analyze security events and prior profile information to generate cumulative profiles.
+                      Focus on three aspects:
+                      1. Temporal patterns (WHEN/HOW OFTEN)
+                      2. Scope patterns (WHAT/WHERE)
+                      3. Usage patterns (HOW)
+
+                      Build comprehensive profiles:
+                      - Each profile should be 5-7 sentences to capture both established and emerging patterns
+                      - Core patterns get 1-2 sentences
+                      - Notable exceptions get 1-2 sentences
+                      - Emerging behaviors get 1-2 sentences
+                      - Key correlations get 1 sentence
+                      
+                      Build profiles incrementally:
+                      - ALWAYS retain existing profile information unless directly contradicted
+                      - Add ANY new observed patterns, even from limited samples
+                      - Mark patterns as "emerging" if based on few observations
+                      - Use qualifiers like "occasionally" or "sometimes" for sparse patterns
+                      - Never dismiss patterns as insignificant due to sample size
+                      - Maintain history of both frequent and rare behaviors
+
+                      When updating profiles:
+                      - Keep all historical patterns unless explicitly contradicted
+                      - Add new patterns with appropriate frequency qualifiers
+                      - Note both common and occasional behaviors
+                      - Use tentative language for new patterns ("appears to", "beginning to")
+                      - Highlight any changes or new observations
+                                    
+                      
+                      Remember that dates being passed in are in ISO format`
+                  },
+                  {
+                    role: "user",
+                    content: `Current behavioral profiles:
+                    ${JSON.stringify(
+                      {
+                        temporalProfile: identityProfile.temporalProfile,
+                        scopeProfile: identityProfile.scopeProfile,
+                        usageProfile: identityProfile.usageProfile
+                      },
+                      null,
+                      2
+                    )}
+              
+                    New security events to analyze:
+                    ${JSON.stringify(normalEvents, null, 2)}
+              
+                    Generate updated profiles that preserve ALL existing patterns and add new observations.
+                    Use appropriate qualifiers for frequency but include all behaviors.
+                    
+                    Return exactly in this format:
+                    temporalProfile: "..."
+                    scopeProfile: "..."
+                    usageProfile: "..."`
+                  }
+                ],
+                response_format: zodResponseFormat(ProfileIdentityResponseSchema, "profile_identity_response_schema")
+              });
+
+              const parsedResponse = profileResponse.choices[0].message.parsed;
+
+              await identityProfileDAL.updateById(identityProfile.id, {
+                temporalProfile: parsedResponse?.temporalProfile ?? "",
+                usageProfile: parsedResponse?.usageProfile ?? "",
+                scopeProfile: parsedResponse?.scopeProfile ?? ""
+              });
+
+              console.log("FINISH");
+            } catch (err) {
+              logger.error(err);
+
+              throw err;
+            }
+          })
+        );
+      })
+    );
+  };
+
+  const analyzeIdentityProjectPermission = async (userId: string, projectId: string) => {
+    const appCfg = getConfig();
+    const userProjectPermission = await permissionService.getUserProjectPermission({
+      userId,
+      projectId,
+      authMethod: AuthMethod.EMAIL,
+      actionProjectType: ActionProjectType.Any,
+      userOrgId: "1edc8c6e-8a39-499e-89a2-5d26149149cb"
+    });
+
+    const identityProfile = await identityProfileDAL.findOne({
+      userId
+    });
+
+    const openAiClient = new OpenAI({
+      apiKey: appCfg.AI_API_KEY
+    });
+
+    const caslRuleAnalysisResponse = await openAiClient.beta.chat.completions.parse({
+      model: "gpt-4o",
+      messages: [
+        {
+          role: "system",
+          content: `You are a security analysis system that evaluates CASL permission rules against behavioral profiles.
+        
+        Your task is to identify CASL rules that appear unnecessary based on the identity's observed behavior.
+        
+        Analysis process:
+        1. Review the identity's behavioral profiles (temporal, scope, usage)
+        2. Examine current CASL permission rules
+        3. Identify rules that grant permissions never or rarely used based on the profiles
+        4. Consider business context and security implications before marking rules as unnecessary
+        
+        Classification criteria:
+        - UNNECESSARY: Rule grants permissions never observed in the behavior profile
+        - OVERPROVISIONED: Rule grants broader access than typically used
+        - QUESTIONABLE: Rule grants permissions used very rarely (<5% of activity)
+        
+        Provide justification for each classification based on specific patterns in the profiles.
+        Consider both explicit patterns (directly mentioned) and implicit patterns (strongly implied).
+        
+        Remember that security is the priority - when in doubt, mark a rule as QUESTIONABLE rather than UNNECESSARY.`
+        },
+        {
+          role: "user",
+          content: `Identity Behavioral Profiles:
+      ${JSON.stringify(
+        {
+          temporalProfile: identityProfile.temporalProfile,
+          scopeProfile: identityProfile.scopeProfile,
+          usageProfile: identityProfile.usageProfile
+        },
+        null,
+        2
+      )}
+      
+      Current CASL Permission Rules:
+      ${JSON.stringify(userProjectPermission.permission.rules, null, 2)}
+      
+      Analyze these rules against the behavioral profiles and identify which rules appear unnecessary.
+      
+      Return in this exact format:
+      {
+        "results": [
+          {
+            "rule": "create secret",
+            "classification": "UNNECESSARY",
+            "justification": "No evidence in profile of needing this resource",
+          },
+          {
+            "rule": "delete secret",
+            "classification": "NECESSARY",
+            "justification": "Regular access pattern in usage profile",
+          }
+        ]
+      }`
+        }
+      ],
+      response_format: zodResponseFormat(CaslRuleAnalysisSchema, "casl_rule_analysis_schema")
+    });
+
+    return caslRuleAnalysisResponse.choices[0].message.parsed;
+  };
+
+  const startJob = async () => {
+    await queueService.stopRepeatableJob(
+      QueueName.AutomatedSecurity,
+      QueueJobs.ProfileIdentity,
+      { pattern: "0 0 * * *", utc: true },
+      QueueName.AutomatedSecurity // just a job id
+    );
+
+    await queueService.queue(QueueName.AutomatedSecurity, QueueJobs.ProfileIdentity, undefined, {
+      delay: 5000,
+      jobId: QueueName.AutomatedSecurity,
+      repeat: { pattern: "0 0 * * *", utc: true }
+    });
+  };
+
+  queueService.start(QueueName.AutomatedSecurity, async (job) => {
+    if (job.name === QueueJobs.ProfileIdentity) {
+      await processSecurityJob();
+    }
+  });
+
+  queueService.listen(QueueName.AutomatedSecurity, "failed", (job, err) => {
+    logger.error(err, "Failed to process job", job?.data);
+  });
+
+  return {
+    processSecurityJob,
+    patchSecurityReportStatus,
+    analyzeIdentityProjectPermission,
+    startJob,
+    getReports
+  };
+};

backend/src/services/automated-security/identity-profile-dal.ts

@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityProfileDALFactory = ReturnType<typeof identityProfileDALFactory>;
+
+export const identityProfileDALFactory = (db: TDbClient) => {
+  const identityProfileOrm = ormify(db, TableName.IdentityProfile);
+
+  return identityProfileOrm;
+};

frontend/src/components/v2/Dropdown/Dropdown.tsx

@@ -20,7 +20,7 @@ export const DropdownMenuContent = forwardRef<HTMLDivElement, DropdownMenuConten
     return (
       <DropdownMenuPrimitive.Portal>
         <DropdownMenuPrimitive.Content
-          sideOffset={-8}
+          sideOffset={10}
           {...props}
           ref={forwardedRef}
           className={twMerge(

frontend/src/hooks/api/automated-security/index.tsx

@@ -0,0 +1,2 @@
+export * from "./mutations";
+export * from "./queries";

frontend/src/hooks/api/automated-security/mutations.ts

@@ -0,0 +1,20 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { automatedSecurityKeys } from "./queries";
+
+export const usePatchSecurityReportStatus = (orgId: string) => {
+  const queryClient = useQueryClient();
+
+  return useMutation({
+    mutationFn: async ({ id, status }: { id: string; status: string }) => {
+      await apiRequest.patch(`/api/v1/automated-security/reports/${id}/status`, {
+        status
+      });
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: automatedSecurityKeys.getReports(orgId) });
+    }
+  });
+};

frontend/src/hooks/api/automated-security/queries.tsx

@@ -0,0 +1,29 @@
+import { useQuery } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+export const automatedSecurityKeys = {
+  getReports: (orgId: string) => [{ orgId }, "organization-security-reports"] as const
+};
+
+export const useGetAutomatedSecurityReports = (orgId: string) => {
+  return useQuery({
+    queryKey: automatedSecurityKeys.getReports(orgId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<
+        {
+          id: string;
+          profileId: string;
+          event: string;
+          remarks: string;
+          severity: string;
+          status: string;
+          userId: string;
+          name: string;
+        }[]
+      >("/api/v1/automated-security/reports");
+
+      return data;
+    }
+  });
+};

frontend/src/layouts/OrganizationLayout/components/MenuIconButton/MenuIconButton.tsx

@@ -20,46 +20,44 @@ export const MenuIconButton = <T extends ElementType = "button">({
   ComponentPropsWithRef<T> & { lottieIconMode?: "reverse" | "forward" }): JSX.Element => {
   const iconRef = useRef<DotLottie | null>(null);
   return (
-    <div className={!isSelected ? "hover:px-1" : ""}>
-      <Item
-        type="button"
-        role="menuitem"
-        className={twMerge(
-          "group relative flex w-full cursor-pointer flex-col items-center justify-center rounded my-1 p-2 font-inter text-sm text-bunker-100 transition-all duration-150 hover:bg-mineshaft-700",
-          isSelected && "bg-bunker-800 hover:bg-mineshaft-600 rounded-none",
-          isDisabled && "cursor-not-allowed hover:bg-transparent",
-          className
-        )}
-        onMouseEnter={() => iconRef.current?.play()}
-        onMouseLeave={() => iconRef.current?.stop()}
-        ref={inputRef}
-        {...props}
-      >
-        <div
-          className={`${
-            isSelected ? "opacity-100" : "opacity-0"
-          } absolute left-0 h-full w-1 bg-primary transition-all duration-150`}
-        />
-        {icon && (
-          <div className="my-auto mb-2 h-6 w-6">
-            <DotLottieReact
-              dotLottieRefCallback={(el) => {
-                iconRef.current = el;
-              }}
-              src={`/lotties/${icon}.json`}
-              loop
-              className="h-full w-full"
-              mode={lottieIconMode}
-            />
-          </div>
-        )}
-        <div
-          className="flex-grow justify-center break-words text-center"
-          style={{ fontSize: "10px" }}
-        >
-          {children}
+    <Item
+      type="button"
+      role="menuitem"
+      className={twMerge(
+        "group relative flex w-full cursor-pointer flex-col items-center justify-center rounded p-2 font-inter text-sm text-bunker-100 transition-all duration-150 hover:bg-mineshaft-700",
+        isSelected && "bg-bunker-800 hover:bg-mineshaft-600",
+        isDisabled && "cursor-not-allowed hover:bg-transparent",
+        className
+      )}
+      onMouseEnter={() => iconRef.current?.play()}
+      onMouseLeave={() => iconRef.current?.stop()}
+      ref={inputRef}
+      {...props}
+    >
+      <div
+        className={`${
+          isSelected ? "opacity-100" : "opacity-0"
+        } absolute -left-[0.28rem] h-full w-1 rounded-md bg-primary transition-all duration-150`}
+      />
+      {icon && (
+        <div className="my-auto mb-2 h-6 w-6">
+          <DotLottieReact
+            dotLottieRefCallback={(el) => {
+              iconRef.current = el;
+            }}
+            src={`/lotties/${icon}.json`}
+            loop
+            className="h-full w-full"
+            mode={lottieIconMode}
+          />
         </div>
-      </Item>
-    </div>
+      )}
+      <div
+        className="flex-grow justify-center break-words text-center"
+        style={{ fontSize: "10px" }}
+      >
+        {children}
+      </div>
+    </Item>
   );
 };

frontend/src/layouts/OrganizationLayout/components/MinimizedOrgSidebar/MinimizedOrgSidebar.tsx

@@ -84,10 +84,6 @@ export const MinimizedOrgSidebar = () => {
   const [requiredMfaMethod, setRequiredMfaMethod] = useState(MfaMethod.EMAIL);
   const [mfaSuccessCallback, setMfaSuccessCallback] = useState<() => void>(() => {});
   const { subscription } = useSubscription();
-  const [open, setOpen] = useState(false);
-  const [openSupport, setOpenSupport] = useState(false);
-  const [openUser, setOpenUser] = useState(false);
-  const [openOrg, setOpenOrg] = useState(false);
 
   const { user } = useUser();
   const { mutateAsync } = useGetOrgTrialUrl();
@@ -164,29 +160,23 @@ export const MinimizedOrgSidebar = () => {
       >
         <nav className="items-between flex h-full flex-col justify-between overflow-y-auto dark:[color-scheme:dark]">
           <div>
-            <div className="flex items-center hover:bg-mineshaft-700">
-              <DropdownMenu open={openOrg} onOpenChange={setOpenOrg} modal>
-                <DropdownMenuTrigger
-                  onMouseEnter={() => setOpenOrg(true)}
-                  onMouseLeave={() => setOpenOrg(false)}
-                  asChild
-                >
-                  <div className="flex w-full items-center justify-center rounded-md border border-none border-mineshaft-600 p-3 pb-5 pt-6 transition-all">
+            <div className="flex cursor-pointer items-center p-2 pt-4 hover:bg-mineshaft-700">
+              <DropdownMenu modal>
+                <DropdownMenuTrigger asChild>
+                  <div className="flex w-full items-center justify-center rounded-md border border-none border-mineshaft-600 p-1 transition-all">
                     <div className="flex h-8 w-8 items-center justify-center rounded-md bg-primary">
                       {currentOrg?.name.charAt(0)}
                     </div>
                   </div>
                 </DropdownMenuTrigger>
                 <DropdownMenuContent
-                  onMouseEnter={() => setOpenOrg(true)}
-                  onMouseLeave={() => setOpenOrg(false)}
                   align="start"
                   side="right"
-                  className="mt-6 cursor-default p-1 shadow-mineshaft-600 drop-shadow-md"
-                  style={{ minWidth: "220px" }}
+                  className="p-1 shadow-mineshaft-600 drop-shadow-md"
+                  style={{ minWidth: "320px" }}
                 >
-                  <div className="px-0.5 py-1">
-                    <div className="flex w-full items-center justify-center rounded-md border border-mineshaft-600 bg-gradient-to-tr from-primary-500/5 to-mineshaft-800 p-1 transition-all duration-300">
+                  <div className="px-2 py-1">
+                    <div className="flex w-full items-center justify-center rounded-md border border-mineshaft-600 p-1 transition-all duration-150 hover:bg-mineshaft-700">
                       <div className="mr-2 flex h-8 w-8 items-center justify-center rounded-md bg-primary text-black">
                         {currentOrg?.name.charAt(0)}
                       </div>
@@ -251,7 +241,7 @@ export const MinimizedOrgSidebar = () => {
                 </DropdownMenuContent>
               </DropdownMenu>
             </div>
-            <div className="space-y-1">
+            <div className="space-y-1 px-1">
               <Link to="/organization/secret-manager/overview">
                 {({ isActive }) => (
                   <MenuIconButton
@@ -261,7 +251,7 @@ export const MinimizedOrgSidebar = () => {
                     }
                     icon="sliding-carousel"
                   >
-                    Secrets
+                    Secret Manager
                   </MenuIconButton>
                 )}
               </Link>
@@ -274,7 +264,7 @@ export const MinimizedOrgSidebar = () => {
                     }
                     icon="note"
                   >
-                    PKI
+                    Cert Manager
                   </MenuIconButton>
                 )}
               </Link>
@@ -306,41 +296,31 @@ export const MinimizedOrgSidebar = () => {
               <Link to="/organization/secret-scanning">
                 {({ isActive }) => (
                   <MenuIconButton isSelected={isActive} icon="secret-scan">
-                    Scanner
+                    Secret Scanning
                   </MenuIconButton>
                 )}
               </Link>
               <Link to="/organization/secret-sharing">
                 {({ isActive }) => (
                   <MenuIconButton isSelected={isActive} icon="lock-closed">
-                    Share
+                    Secret Sharing
                   </MenuIconButton>
                 )}
               </Link>
               <div className="my-1 w-full bg-mineshaft-500" style={{ height: "1px" }} />
-              <DropdownMenu open={open} onOpenChange={setOpen}>
-                <DropdownMenuTrigger
-                  onMouseEnter={() => setOpen(true)}
-                  onMouseLeave={() => setOpen(false)}
-                  asChild
-                >
+              <DropdownMenu>
+                <DropdownMenuTrigger asChild>
                   <div className="w-full">
                     <MenuIconButton
                       lottieIconMode="reverse"
                       icon="settings-cog"
                       isSelected={isMoreSelected}
                     >
-                      Admin
+                      Org Controls
                     </MenuIconButton>
                   </div>
                 </DropdownMenuTrigger>
-                <DropdownMenuContent
-                  onMouseEnter={() => setOpen(true)}
-                  onMouseLeave={() => setOpen(false)}
-                  align="start"
-                  side="right"
-                  className="p-1"
-                >
+                <DropdownMenuContent align="start" side="right" className="p-1">
                   <DropdownMenuLabel>Organization Options</DropdownMenuLabel>
                   <Link to="/organization/access-management">
                     <DropdownMenuItem icon={<FontAwesomeIcon className="w-3" icon={faUsers} />}>
@@ -368,6 +348,11 @@ export const MinimizedOrgSidebar = () => {
                       Audit Logs
                     </DropdownMenuItem>
                   </Link>
+                  <Link to="/organization/automated-security">
+                    <DropdownMenuItem icon={<FontAwesomeIcon className="w-3" icon={faCog} />}>
+                      Automated Security
+                    </DropdownMenuItem>
+                  </Link>
                   <Link to="/organization/settings">
                     <DropdownMenuItem icon={<FontAwesomeIcon className="w-3" icon={faCog} />}>
                       Organization Settings
@@ -384,24 +369,14 @@ export const MinimizedOrgSidebar = () => {
                 : "mb-4"
             } flex w-full cursor-default flex-col items-center px-1 text-sm text-mineshaft-400`}
           >
-            <DropdownMenu open={openSupport} onOpenChange={setOpenSupport}>
-              <DropdownMenuTrigger
-                onMouseEnter={() => setOpenSupport(true)}
-                onMouseLeave={() => setOpenSupport(false)}
-                className="w-full"
-              >
+            <DropdownMenu>
+              <DropdownMenuTrigger className="w-full">
                 <MenuIconButton>
                   <FontAwesomeIcon icon={faInfoCircle} className="mb-3 text-lg" />
                   Support
                 </MenuIconButton>
               </DropdownMenuTrigger>
-              <DropdownMenuContent
-                onMouseEnter={() => setOpenSupport(true)}
-                onMouseLeave={() => setOpenSupport(false)}
-                align="end"
-                side="right"
-                className="p-1"
-              >
+              <DropdownMenuContent align="start" className="p-1">
                 {INFISICAL_SUPPORT_OPTIONS.map(([icon, text, url]) => (
                   <DropdownMenuItem key={url as string}>
                     <a
@@ -449,28 +424,17 @@ export const MinimizedOrgSidebar = () => {
                 </button>
               </Tooltip>
             )}
-            <DropdownMenu open={openUser} onOpenChange={setOpenUser}>
-              <DropdownMenuTrigger
-                onMouseEnter={() => setOpenUser(true)}
-                onMouseLeave={() => setOpenUser(false)}
-                className="w-full"
-                asChild
-              >
+            <DropdownMenu>
+              <DropdownMenuTrigger className="w-full" asChild>
                 <div>
                   <MenuIconButton icon="user">User</MenuIconButton>
                 </div>
               </DropdownMenuTrigger>
-              <DropdownMenuContent
-                onMouseEnter={() => setOpenUser(true)}
-                onMouseLeave={() => setOpenUser(false)}
-                side="right"
-                align="end"
-                className="p-1"
-              >
-                <div className="cursor-default px-1 py-1">
-                  <div className="flex w-full items-center justify-center rounded-md border border-mineshaft-600 bg-gradient-to-tr from-primary-500/10 to-mineshaft-800 p-1 px-2 transition-all duration-150">
-                    <div className="p-1 pr-3">
-                      <FontAwesomeIcon icon={faUser} className="text-xl text-mineshaft-400" />
+              <DropdownMenuContent align="start" className="p-1">
+                <div className="px-2 py-1">
+                  <div className="flex w-full items-center justify-center rounded-md border border-mineshaft-600 p-1 transition-all duration-150 hover:bg-mineshaft-700">
+                    <div className="p-2">
+                      <FontAwesomeIcon icon={faUser} className="text-mineshaft-400" />
                     </div>
                     <div className="flex flex-grow flex-col text-white">
                       <div className="max-w-36 truncate text-ellipsis text-sm font-medium capitalize">
@@ -518,11 +482,11 @@ export const MinimizedOrgSidebar = () => {
                     </DropdownMenuItem>
                   </Link>
                 )}
-                <div className="mt-1 border-t border-mineshaft-600 pt-1">
-                  <Link to="/organization/admin">
-                    <DropdownMenuItem>Organization Admin Console</DropdownMenuItem>
-                  </Link>
-                </div>
+                <Link to="/organization/admin">
+                  <DropdownMenuItem className="mt-1 border-t border-mineshaft-600">
+                    Organization Admin Console
+                  </DropdownMenuItem>
+                </Link>
                 <div className="mt-1 h-1 border-t border-mineshaft-600" />
                 <DropdownMenuItem onClick={logOutUser} icon={<FontAwesomeIcon icon={faSignOut} />}>
                   Log Out

frontend/src/pages/organization/AutomatedSecurityPage/AutomatedSecurityPage.tsx

@@ -0,0 +1,103 @@
+import { Helmet } from "react-helmet";
+
+import { createNotification } from "@app/components/notifications";
+import {
+  Button,
+  PageHeader,
+  Table,
+  TableContainer,
+  TBody,
+  Td,
+  Th,
+  THead,
+  Tr
+} from "@app/components/v2";
+import { useOrganization } from "@app/context";
+import {
+  useGetAutomatedSecurityReports,
+  usePatchSecurityReportStatus
+} from "@app/hooks/api/automated-security";
+
+export const AutomatedSecurityPage = () => {
+  const { currentOrg } = useOrganization();
+  const { data: reportEntries } = useGetAutomatedSecurityReports(currentOrg.id);
+  const { mutateAsync: patchSecurityReportStatus } = usePatchSecurityReportStatus(currentOrg.id);
+
+  return (
+    <div className="h-full bg-bunker-800">
+      <Helmet>
+        <title>Infisical | Automated Security</title>
+        <link rel="icon" href="/infisical.ico" />
+        <meta property="og:image" content="/images/message.png" />
+      </Helmet>
+      <div className="flex h-full w-full justify-center bg-bunker-800 text-white">
+        <div className="w-full max-w-7xl">
+          <PageHeader
+            title="Automated Security"
+            description="Your organization's reliable AI security guard"
+          />
+          <TableContainer>
+            <Table>
+              <THead>
+                <Tr>
+                  <Th>Identity ID</Th>
+                  <Th>Name</Th>
+                  <Th>Event</Th>
+                  <Th>Remarks</Th>
+                  <Th>Severity</Th>
+                  <Th />
+                </Tr>
+              </THead>
+              <TBody>
+                {(reportEntries ?? []).map((entry) => (
+                  <Tr>
+                    <Td>{entry.userId}</Td>
+                    <Td>{entry.name}</Td>
+                    <Td>{JSON.stringify(entry.event, null, 2)}</Td>
+                    <Td>{entry.remarks}</Td>
+                    <Td>{entry.severity}</Td>
+                    <Td>
+                      <Button
+                        className="mb-4 w-[5rem]"
+                        onClick={async () => {
+                          await patchSecurityReportStatus({
+                            id: entry.id,
+                            status: "resolved"
+                          });
+
+                          createNotification({
+                            type: "success",
+                            text: "Successfully resolved security report"
+                          });
+                        }}
+                      >
+                        Resolve
+                      </Button>
+                      <Button
+                        colorSchema="secondary"
+                        className="w-[5rem]"
+                        onClick={async () => {
+                          await patchSecurityReportStatus({
+                            id: entry.id,
+                            status: "ignored"
+                          });
+
+                          createNotification({
+                            type: "success",
+                            text: "Successfully ignored security report"
+                          });
+                        }}
+                      >
+                        Ignore
+                      </Button>
+                    </Td>
+                  </Tr>
+                ))}
+              </TBody>
+            </Table>
+          </TableContainer>
+        </div>
+      </div>
+    </div>
+  );
+};

frontend/src/pages/organization/AutomatedSecurityPage/route.tsx

@@ -0,0 +1,23 @@
+import { faHome } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { createFileRoute, linkOptions } from "@tanstack/react-router";
+
+import { AutomatedSecurityPage } from "./AutomatedSecurityPage";
+
+export const Route = createFileRoute(
+  "/_authenticate/_inject-org-details/_org-layout/organization/automated-security"
+)({
+  component: AutomatedSecurityPage,
+  context: () => ({
+    breadcrumbs: [
+      {
+        label: "Home",
+        icon: () => <FontAwesomeIcon icon={faHome} />,
+        link: linkOptions({ to: "/organization/secret-manager/overview" })
+      },
+      {
+        label: "Automated Security Page"
+      }
+    ]
+  })
+});

frontend/src/pages/public/ShareSecretPage/components/ShareSecretForm.tsx

@@ -120,7 +120,7 @@ export const ShareSecretForm = ({ isPublic, value }: Props) => {
               isError={Boolean(error)}
               errorText={error?.message}
             >
-              <Input {...field} placeholder="API Key" type="text" autoComplete="off" autoCorrect="off" spellCheck="false" />
+              <Input {...field} placeholder="API Key" type="text" />
             </FormControl>
           )}
         />
@@ -155,7 +155,7 @@ export const ShareSecretForm = ({ isPublic, value }: Props) => {
             errorText={error?.message}
             isOptional
           >
-            <Input {...field} placeholder="Password" type="password" autoComplete="new-password" autoCorrect="off" spellCheck="false" aria-autocomplete="none" data-form-type="other" />
+            <Input {...field} placeholder="Password" type="password" />
           </FormControl>
         )}
       />

frontend/src/pages/secret-manager/SecretDashboardPage/components/PitDrawer/PitDrawer.tsx

@@ -59,12 +59,7 @@ export const PitDrawer = ({
                   onClick={() => onSelectSnapshot(id)}
                 >
                   <div className="flex w-full justify-between">
-                    <div>
-                      {(() => {
-                        const distance = formatDistance(new Date(createdAt), new Date());
-                        return distance.charAt(0).toUpperCase() + distance.slice(1) + " ago";
-                      })()}
-                    </div>
+                    <div>{formatDistance(new Date(createdAt), new Date())}</div>
                     <div>{getButtonLabel(i === 0 && index === 0, snapshotId === id)}</div>
                   </div>
                 </Button>
@@ -75,7 +70,7 @@ export const PitDrawer = ({
         <Button
           className="mt-8 px-4 py-3 text-sm"
           isFullWidth
-          variant="outline_bg"
+          variant="star"
           isLoading={isFetchingNextPage}
           isDisabled={isFetchingNextPage || !hasNextPage}
           onClick={fetchNextPage}

frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx

@@ -1,11 +1,11 @@
 import { Controller, useFieldArray, useForm } from "react-hook-form";
 import { subject } from "@casl/ability";
-import { faCircleQuestion, faEye } from "@fortawesome/free-regular-svg-icons";
+import { faCircleQuestion } from "@fortawesome/free-regular-svg-icons";
 import {
-  faArrowRotateRight,
   faCheckCircle,
+  faCircle,
+  faCircleDot,
   faClock,
-  faEyeSlash,
   faPlus,
   faShare,
   faTag,
@@ -236,102 +236,44 @@ export const SecretDetailSidebar = ({
         }}
         isOpen={isOpen}
       >
-        <DrawerContent title={`Secret – ${secret?.key}`} className="thin-scrollbar">
+        <DrawerContent title="Secret">
           <form onSubmit={handleSubmit(handleFormSubmit)} className="h-full">
             <div className="flex h-full flex-col">
-              <div className="flex flex-row">
-                <div className="w-full">
-                  <ProjectPermissionCan
-                    I={ProjectPermissionActions.Edit}
-                    a={subject(ProjectPermissionSub.Secrets, {
-                      environment,
-                      secretPath,
-                      secretName: secretKey,
-                      secretTags: selectTagSlugs
-                    })}
-                  >
-                    {(isAllowed) => (
-                      <Controller
-                        name="value"
-                        key="secret-value"
-                        control={control}
-                        render={({ field }) => (
-                          <FormControl label="Value">
-                            <InfisicalSecretInput
-                              isReadOnly={isReadOnly}
-                              environment={environment}
-                              secretPath={secretPath}
-                              key="secret-value"
-                              isDisabled={isOverridden || !isAllowed}
-                              containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800 px-2 py-1.5"
-                              {...field}
-                              autoFocus={false}
-                            />
-                          </FormControl>
-                        )}
-                      />
-                    )}
-                  </ProjectPermissionCan>
-                </div>
-                <div className="ml-1 mt-1.5 flex items-center">
-                  <Button
-                    className="w-full px-2 py-[0.43rem] font-normal"
-                    variant="outline_bg"
-                    leftIcon={<FontAwesomeIcon icon={faShare} />}
-                    onClick={() => {
-                      const value = secret?.valueOverride ?? secret?.value;
-                      if (value) {
-                        handleSecretShare(value);
-                      }
-                    }}
-                  >
-                    Share
-                  </Button>
-                </div>
-              </div>
-              <div className="mb-2 rounded border border-mineshaft-600 bg-mineshaft-900 p-4 px-0 pb-0">
-                <div className="mb-4 px-4">
+              <FormControl label="Key">
+                <Input isDisabled {...register("key")} />
+              </FormControl>
+              <ProjectPermissionCan
+                I={ProjectPermissionActions.Edit}
+                a={subject(ProjectPermissionSub.Secrets, {
+                  environment,
+                  secretPath,
+                  secretName: secretKey,
+                  secretTags: selectTagSlugs
+                })}
+              >
+                {(isAllowed) => (
                   <Controller
+                    name="value"
+                    key="secret-value"
                     control={control}
-                    name="skipMultilineEncoding"
-                    render={({ field: { value, onChange, onBlur } }) => (
-                      <ProjectPermissionCan
-                        I={ProjectPermissionActions.Edit}
-                        a={subject(ProjectPermissionSub.Secrets, {
-                          environment,
-                          secretPath,
-                          secretName: secretKey,
-                          secretTags: selectTagSlugs
-                        })}
-                      >
-                        {(isAllowed) => (
-                          <div className="flex items-center justify-between">
-                            <span className="w-max text-sm text-mineshaft-300">
-                              Multi-line encoding
-                              <Tooltip
-                                content="When enabled, multiline secrets will be handled by escaping newlines and enclosing the entire value in double quotes."
-                                className="z-[100]"
-                              >
-                                <FontAwesomeIcon icon={faCircleQuestion} className="ml-2" />
-                              </Tooltip>
-                            </span>
-                            <Switch
-                              id="skipmultiencoding-option"
-                              onCheckedChange={(isChecked) => onChange(isChecked)}
-                              isChecked={value}
-                              onBlur={onBlur}
-                              isDisabled={!isAllowed}
-                              className="items-center justify-between"
-                            />
-                          </div>
-                        )}
-                      </ProjectPermissionCan>
+                    render={({ field }) => (
+                      <FormControl label="Value">
+                        <InfisicalSecretInput
+                          isReadOnly={isReadOnly}
+                          environment={environment}
+                          secretPath={secretPath}
+                          key="secret-value"
+                          isDisabled={isOverridden || !isAllowed}
+                          containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800  px-2 py-1.5"
+                          {...field}
+                          autoFocus={false}
+                        />
+                      </FormControl>
                     )}
                   />
-                </div>
-                <div
-                  className={`mb-4 w-full border-t border-mineshaft-600 ${isOverridden ? "block" : "hidden"}`}
-                />
+                )}
+              </ProjectPermissionCan>
+              <div className="mb-2 border-b border-mineshaft-600 pb-4">
                 <ProjectPermissionCan
                   I={ProjectPermissionActions.Edit}
                   a={subject(ProjectPermissionSub.Secrets, {
@@ -342,243 +284,194 @@ export const SecretDetailSidebar = ({
                   })}
                 >
                   {(isAllowed) => (
-                    <div className="flex items-center justify-between px-4 pb-4">
-                      <span className="w-max text-sm text-mineshaft-300">
-                        Override with a personal value
-                        <Tooltip
-                          content="Override the secret value with a personal value that does not get shared with other users and machines."
-                          className="z-[100]"
-                        >
-                          <FontAwesomeIcon icon={faCircleQuestion} className="ml-2" />
-                        </Tooltip>
-                      </span>
-                      <Switch
-                        isDisabled={!isAllowed}
-                        id="personal-override"
-                        onCheckedChange={handleOverrideClick}
-                        isChecked={isOverridden}
-                        className="justify-start"
-                      />
-                    </div>
+                    <Switch
+                      isDisabled={!isAllowed}
+                      id="personal-override"
+                      onCheckedChange={handleOverrideClick}
+                      isChecked={isOverridden}
+                    >
+                      Override with a personal value
+                    </Switch>
                   )}
                 </ProjectPermissionCan>
-                {isOverridden && (
-                  <Controller
-                    name="valueOverride"
-                    control={control}
-                    render={({ field }) => (
-                      <FormControl label="Override Value" className="px-4">
-                        <InfisicalSecretInput
-                          isReadOnly={isReadOnly}
-                          environment={environment}
-                          secretPath={secretPath}
-                          containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800 px-2 py-1.5"
-                          {...field}
-                        />
-                      </FormControl>
-                    )}
-                  />
-                )}
               </div>
-              <div className="mb-4 mt-2 flex flex-col rounded-md border border-mineshaft-600 bg-mineshaft-900 p-4 px-0 pb-0">
-                <div
-                  className={`flex justify-between px-4 text-mineshaft-100 ${tagFields.fields.length > 0 ? "flex-col" : "flex-row"}`}
-                >
-                  <div
-                    className={`text-sm text-mineshaft-300 ${tagFields.fields.length > 0 ? "mb-2" : "mt-0.5"}`}
-                  >
-                    Tags
-                  </div>
-                  <div>
-                    <FormControl>
-                      <div
-                        className={`grid auto-cols-min grid-flow-col gap-2 overflow-hidden ${tagFields.fields.length > 0 ? "pt-2" : ""}`}
-                      >
-                        {tagFields.fields.map(({ tagColor, id: formId, slug, id }) => (
-                          <Tag
-                            className="flex w-min items-center space-x-2"
-                            key={formId}
-                            onClose={() => {
-                              if (cannotEditSecret) {
-                                createNotification({ type: "error", text: "Access denied" });
-                                return;
-                              }
-                              const tag = tags?.find(({ id: tagId }) => id === tagId);
-                              if (tag) handleTagSelect(tag);
-                            }}
-                          >
-                            <div
-                              className="h-3 w-3 rounded-full"
-                              style={{ backgroundColor: tagColor || "#bec2c8" }}
-                            />
-                            <div className="text-sm">{slug}</div>
-                          </Tag>
-                        ))}
-                        <DropdownMenu>
-                          <ProjectPermissionCan
-                            I={ProjectPermissionActions.Edit}
-                            a={subject(ProjectPermissionSub.Secrets, {
-                              environment,
-                              secretPath,
-                              secretName: secretKey,
-                              secretTags: selectTagSlugs
-                            })}
-                          >
-                            {(isAllowed) => (
-                              <DropdownMenuTrigger asChild>
-                                <IconButton
-                                  ariaLabel="add"
-                                  variant="outline_bg"
-                                  size="xs"
-                                  className="rounded-md"
-                                  isDisabled={!isAllowed}
-                                >
-                                  <FontAwesomeIcon icon={faPlus} />
-                                </IconButton>
-                              </DropdownMenuTrigger>
-                            )}
-                          </ProjectPermissionCan>
-                          <DropdownMenuContent align="start" side="right" className="z-[100]">
-                            <DropdownMenuLabel className="pl-2">
-                              Add tags to this secret
-                            </DropdownMenuLabel>
-                            {tags.map((tag) => {
-                              const { id: tagId, slug, color } = tag;
-
-                              const isSelected = selectedTagsGroupById?.[tagId];
-                              return (
-                                <DropdownMenuItem
-                                  onClick={() => handleTagSelect(tag)}
-                                  key={tagId}
-                                  icon={isSelected && <FontAwesomeIcon icon={faCheckCircle} />}
-                                  iconPos="right"
-                                >
-                                  <div className="flex items-center">
-                                    <div
-                                      className="mr-2 h-2 w-2 rounded-full"
-                                      style={{ background: color || "#bec2c8" }}
-                                    />
-                                    {slug}
-                                  </div>
-                                </DropdownMenuItem>
-                              );
-                            })}
-                            <ProjectPermissionCan
-                              I={ProjectPermissionActions.Create}
-                              a={ProjectPermissionSub.Tags}
-                            >
-                              {(isAllowed) => (
-                                <div className="p-2">
-                                  <Button
-                                    size="xs"
-                                    className="w-full"
-                                    colorSchema="primary"
-                                    variant="outline_bg"
-                                    leftIcon={<FontAwesomeIcon icon={faTag} />}
-                                    onClick={onCreateTag}
-                                    isDisabled={!isAllowed}
-                                  >
-                                    Create a tag
-                                  </Button>
-                                </div>
-                              )}
-                            </ProjectPermissionCan>
-                          </DropdownMenuContent>
-                        </DropdownMenu>
-                      </div>
+              {isOverridden && (
+                <Controller
+                  name="valueOverride"
+                  control={control}
+                  render={({ field }) => (
+                    <FormControl label="Value Override">
+                      <InfisicalSecretInput
+                        isReadOnly={isReadOnly}
+                        environment={environment}
+                        secretPath={secretPath}
+                        containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800  px-2 py-1.5"
+                        {...field}
+                      />
                     </FormControl>
-                  </div>
-                </div>
-                <div
-                  className={`mb-4 w-full border-t border-mineshaft-600 ${tagFields.fields.length > 0 || metadataFormFields.fields.length > 0 ? "block" : "hidden"}`}
+                  )}
                 />
-
-                <div
-                  className={`flex justify-between px-4 text-mineshaft-100 ${metadataFormFields.fields.length > 0 ? "flex-col" : "flex-row"}`}
-                >
-                  <div
-                    className={`text-sm text-mineshaft-300 ${metadataFormFields.fields.length > 0 ? "mb-2" : "mt-0.5"}`}
-                  >
-                    Metadata
-                  </div>
-                  <FormControl>
-                    <div className="flex flex-col space-y-2">
-                      {metadataFormFields.fields.map(({ id: metadataFieldId }, i) => (
-                        <div key={metadataFieldId} className="flex items-end space-x-2">
-                          <div className="flex-grow">
-                            {i === 0 && <span className="text-xs text-mineshaft-400">Key</span>}
-                            <Controller
-                              control={control}
-                              name={`secretMetadata.${i}.key`}
-                              render={({ field, fieldState: { error } }) => (
-                                <FormControl
-                                  isError={Boolean(error?.message)}
-                                  errorText={error?.message}
-                                  className="mb-0"
-                                >
-                                  <Input {...field} className="max-h-8" />
-                                </FormControl>
-                              )}
-                            />
-                          </div>
-                          <div className="flex-grow">
-                            {i === 0 && (
-                              <FormLabel
-                                label="Value"
-                                className="text-xs text-mineshaft-400"
-                                isOptional
-                              />
-                            )}
-                            <Controller
-                              control={control}
-                              name={`secretMetadata.${i}.value`}
-                              render={({ field, fieldState: { error } }) => (
-                                <FormControl
-                                  isError={Boolean(error?.message)}
-                                  errorText={error?.message}
-                                  className="mb-0"
-                                >
-                                  <Input {...field} className="max-h-8" />
-                                </FormControl>
-                              )}
-                            />
-                          </div>
-                          <IconButton
-                            ariaLabel="delete key"
-                            className="bottom-0.5 max-h-8"
-                            variant="outline_bg"
-                            onClick={() => metadataFormFields.remove(i)}
-                          >
-                            <FontAwesomeIcon icon={faTrash} />
-                          </IconButton>
-                        </div>
-                      ))}
-                      <div className={`${metadataFormFields.fields.length > 0 ? "pt-2" : ""}`}>
-                        <IconButton
-                          ariaLabel="Add Key"
-                          variant="outline_bg"
-                          size="xs"
-                          className="rounded-md"
-                          onClick={() => metadataFormFields.append({ key: "", value: "" })}
-                        >
-                          <FontAwesomeIcon icon={faPlus} />
-                        </IconButton>
+              )}
+              <FormControl label="Metadata">
+                <div className="flex flex-col space-y-2">
+                  {metadataFormFields.fields.map(({ id: metadataFieldId }, i) => (
+                    <div key={metadataFieldId} className="flex items-end space-x-2">
+                      <div className="flex-grow">
+                        {i === 0 && <span className="text-xs text-mineshaft-400">Key</span>}
+                        <Controller
+                          control={control}
+                          name={`secretMetadata.${i}.key`}
+                          render={({ field, fieldState: { error } }) => (
+                            <FormControl
+                              isError={Boolean(error?.message)}
+                              errorText={error?.message}
+                              className="mb-0"
+                            >
+                              <Input {...field} className="max-h-8" />
+                            </FormControl>
+                          )}
+                        />
                       </div>
+                      <div className="flex-grow">
+                        {i === 0 && (
+                          <FormLabel
+                            label="Value"
+                            className="text-xs text-mineshaft-400"
+                            isOptional
+                          />
+                        )}
+                        <Controller
+                          control={control}
+                          name={`secretMetadata.${i}.value`}
+                          render={({ field, fieldState: { error } }) => (
+                            <FormControl
+                              isError={Boolean(error?.message)}
+                              errorText={error?.message}
+                              className="mb-0"
+                            >
+                              <Input {...field} className="max-h-8" />
+                            </FormControl>
+                          )}
+                        />
+                      </div>
+                      <IconButton
+                        ariaLabel="delete key"
+                        className="bottom-0.5 max-h-8"
+                        variant="outline_bg"
+                        onClick={() => metadataFormFields.remove(i)}
+                      >
+                        <FontAwesomeIcon icon={faTrash} />
+                      </IconButton>
                     </div>
-                  </FormControl>
+                  ))}
+                  <div className="mt-2">
+                    <Button
+                      leftIcon={<FontAwesomeIcon icon={faPlus} />}
+                      size="xs"
+                      variant="outline_bg"
+                      onClick={() => metadataFormFields.append({ key: "", value: "" })}
+                    >
+                      Add Key
+                    </Button>
+                  </div>
                 </div>
-              </div>
-              <FormControl label="Comments & Notes">
-                <TextArea
-                  className="border border-mineshaft-600 bg-bunker-800 text-sm"
-                  {...register("comment")}
-                  readOnly={isReadOnly}
-                  rows={5}
-                />
               </FormControl>
-              <FormControl>
+              <FormControl label="Tags" className="">
+                <div className="grid auto-cols-min grid-flow-col gap-2 overflow-hidden pt-2">
+                  {tagFields.fields.map(({ tagColor, id: formId, slug, id }) => (
+                    <Tag
+                      className="flex w-min items-center space-x-2"
+                      key={formId}
+                      onClose={() => {
+                        if (cannotEditSecret) {
+                          createNotification({ type: "error", text: "Access denied" });
+                          return;
+                        }
+                        const tag = tags?.find(({ id: tagId }) => id === tagId);
+                        if (tag) handleTagSelect(tag);
+                      }}
+                    >
+                      <div
+                        className="h-3 w-3 rounded-full"
+                        style={{ backgroundColor: tagColor || "#bec2c8" }}
+                      />
+                      <div className="text-sm">{slug}</div>
+                    </Tag>
+                  ))}
+                  <DropdownMenu>
+                    <ProjectPermissionCan
+                      I={ProjectPermissionActions.Edit}
+                      a={subject(ProjectPermissionSub.Secrets, {
+                        environment,
+                        secretPath,
+                        secretName: secretKey,
+                        secretTags: selectTagSlugs
+                      })}
+                    >
+                      {(isAllowed) => (
+                        <DropdownMenuTrigger asChild>
+                          <IconButton
+                            ariaLabel="add"
+                            variant="outline_bg"
+                            size="xs"
+                            className="rounded-md"
+                            isDisabled={!isAllowed}
+                          >
+                            <FontAwesomeIcon icon={faPlus} />
+                          </IconButton>
+                        </DropdownMenuTrigger>
+                      )}
+                    </ProjectPermissionCan>
+                    <DropdownMenuContent align="end" className="z-[100]">
+                      <DropdownMenuLabel>Add tags to this secret</DropdownMenuLabel>
+                      {tags.map((tag) => {
+                        const { id: tagId, slug, color } = tag;
+
+                        const isSelected = selectedTagsGroupById?.[tagId];
+                        return (
+                          <DropdownMenuItem
+                            onClick={() => handleTagSelect(tag)}
+                            key={tagId}
+                            icon={isSelected && <FontAwesomeIcon icon={faCheckCircle} />}
+                            iconPos="right"
+                          >
+                            <div className="flex items-center">
+                              <div
+                                className="mr-2 h-2 w-2 rounded-full"
+                                style={{ background: color || "#bec2c8" }}
+                              />
+                              {slug}
+                            </div>
+                          </DropdownMenuItem>
+                        );
+                      })}
+                      <ProjectPermissionCan
+                        I={ProjectPermissionActions.Create}
+                        a={ProjectPermissionSub.Tags}
+                      >
+                        {(isAllowed) => (
+                          <DropdownMenuItem asChild>
+                            <Button
+                              size="xs"
+                              className="w-full"
+                              colorSchema="primary"
+                              variant="outline_bg"
+                              leftIcon={<FontAwesomeIcon icon={faTag} />}
+                              onClick={onCreateTag}
+                              isDisabled={!isAllowed}
+                            >
+                              Create a tag
+                            </Button>
+                          </DropdownMenuItem>
+                        )}
+                      </ProjectPermissionCan>
+                    </DropdownMenuContent>
+                  </DropdownMenu>
+                </div>
+              </FormControl>
+              <FormControl label="Reminder">
                 {secretReminderRepeatDays && secretReminderRepeatDays > 0 ? (
-                  <div className="flex items-center justify-between px-2">
+                  <div className="ml-1 mt-2 flex items-center justify-between">
                     <div className="flex items-center space-x-2">
                       <FontAwesomeIcon className="text-primary-500" icon={faClock} />
                       <span className="text-sm text-bunker-300">
@@ -597,9 +490,9 @@ export const SecretDetailSidebar = ({
                     </div>
                   </div>
                 ) : (
-                  <div className="ml-1 flex items-center space-x-2">
+                  <div className="ml-1 mt-2 flex items-center space-x-2">
                     <Button
-                      className="w-full px-2 py-2 font-normal"
+                      className="w-full px-2 py-1"
                       variant="outline_bg"
                       leftIcon={<FontAwesomeIcon icon={faClock} />}
                       onClick={() => setCreateReminderFormOpen.on()}
@@ -610,147 +503,92 @@ export const SecretDetailSidebar = ({
                   </div>
                 )}
               </FormControl>
-              <div className="mb-4flex-grow dark cursor-default text-sm text-bunker-300">
-                <div className="mb-2 pl-1">Version History</div>
-                <div className="thin-scrollbar flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 p-4 dark:[color-scheme:dark]">
-                  {secretVersion?.map(({ createdAt, secretValue, version, id }) => (
-                    <div className="flex flex-row">
-                      <div key={id} className="flex w-full flex-col space-y-1">
-                        <div className="flex items-center">
-                          <div className="w-10">
-                            <div className="w-fit rounded-md border border-mineshaft-600 bg-mineshaft-700 px-1 text-sm text-mineshaft-300">
-                              v{version}
-                            </div>
-                          </div>
-                          <div>{format(new Date(createdAt), "Pp")}</div>
-                        </div>
-                        <div className="flex w-full cursor-default">
-                          <div className="relative w-10">
-                            <div className="absolute bottom-0 left-3 top-0 mt-0.5 border-l border-mineshaft-400/60" />
-                          </div>
-                          <div className="flex flex-row">
-                            <div className="h-min w-fit rounded-sm bg-primary-500/10 px-1 text-primary-300/70">
-                              Value:
-                            </div>
-                            <div className="group break-all pl-1 font-mono">
-                              <div className="relative hidden cursor-pointer transition-all duration-200 group-[.show-value]:inline">
-                                <button
-                                  type="button"
-                                  className="select-none"
-                                  onClick={(e) => {
-                                    navigator.clipboard.writeText(secretValue || "");
-                                    const target = e.currentTarget;
-                                    target.style.borderBottom = "1px dashed";
-                                    target.style.paddingBottom = "-1px";
-
-                                    // Create and insert popup
-                                    const popup = document.createElement("div");
-                                    popup.className =
-                                      "w-16 flex justify-center absolute top-6 left-0 text-xs text-primary-100 bg-mineshaft-800 px-1 py-0.5 rounded-md border border-primary-500/50";
-                                    popup.textContent = "Copied!";
-                                    target.parentElement?.appendChild(popup);
-
-                                    // Remove popup and border after delay
-                                    setTimeout(() => {
-                                      popup.remove();
-                                      target.style.borderBottom = "none";
-                                    }, 3000);
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
-                                      navigator.clipboard.writeText(secretValue || "");
-                                      const target = e.currentTarget;
-                                      target.style.borderBottom = "1px dashed";
-                                      target.style.paddingBottom = "-1px";
-
-                                      // Create and insert popup
-                                      const popup = document.createElement("div");
-                                      popup.className =
-                                        "w-16 flex justify-center absolute top-6 left-0 text-xs text-primary-100 bg-mineshaft-800 px-1 py-0.5 rounded-md border border-primary-500/50";
-                                      popup.textContent = "Copied!";
-                                      target.parentElement?.appendChild(popup);
-
-                                      // Remove popup and border after delay
-                                      setTimeout(() => {
-                                        popup.remove();
-                                        target.style.borderBottom = "none";
-                                      }, 3000);
-                                    }
-                                  }}
-                                >
-                                  {secretValue}
-                                </button>
-                                <button
-                                  type="button"
-                                  className="ml-1 cursor-pointer"
-                                  onClick={(e) => {
-                                    e.stopPropagation();
-                                    e.currentTarget
-                                      .closest(".group")
-                                      ?.classList.remove("show-value");
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
-                                      e.stopPropagation();
-                                      e.currentTarget
-                                        .closest(".group")
-                                        ?.classList.remove("show-value");
-                                    }
-                                  }}
-                                >
-                                  <FontAwesomeIcon icon={faEyeSlash} />
-                                </button>
-                              </div>
-                              <span className="group-[.show-value]:hidden">
-                                {secretValue?.replace(/./g, "*")}
-                                <button
-                                  type="button"
-                                  className="ml-1 cursor-pointer"
-                                  onClick={(e) => {
-                                    e.currentTarget.closest(".group")?.classList.add("show-value");
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
-                                      e.currentTarget
-                                        .closest(".group")
-                                        ?.classList.add("show-value");
-                                    }
-                                  }}
-                                >
-                                  <FontAwesomeIcon icon={faEye} />
-                                </button>
-                              </span>
-                            </div>
-                          </div>
-                        </div>
-                      </div>
-                      <div
-                        className={`flex items-center justify-center ${version === secretVersion.length ? "hidden" : ""}`}
-                      >
-                        <Tooltip content="Restore Secret Value">
-                          <IconButton
-                            ariaLabel="Restore"
-                            variant="outline_bg"
-                            size="sm"
-                            className="h-8 w-8 rounded-md"
-                            onClick={() => setValue("value", secretValue)}
+              <FormControl label="Comments & Notes">
+                <TextArea
+                  className="border border-mineshaft-600 text-sm"
+                  {...register("comment")}
+                  readOnly={isReadOnly}
+                  rows={5}
+                />
+              </FormControl>
+              <div className="my-2 mb-4 border-b border-mineshaft-600 pb-4">
+                <Controller
+                  control={control}
+                  name="skipMultilineEncoding"
+                  render={({ field: { value, onChange, onBlur } }) => (
+                    <ProjectPermissionCan
+                      I={ProjectPermissionActions.Edit}
+                      a={subject(ProjectPermissionSub.Secrets, {
+                        environment,
+                        secretPath,
+                        secretName: secretKey,
+                        secretTags: selectTagSlugs
+                      })}
+                    >
+                      {(isAllowed) => (
+                        <Switch
+                          id="skipmultiencoding-option"
+                          onCheckedChange={(isChecked) => onChange(isChecked)}
+                          isChecked={value}
+                          onBlur={onBlur}
+                          isDisabled={!isAllowed}
+                          className="items-center"
+                        >
+                          Multi line encoding
+                          <Tooltip
+                            content="When enabled, multiline secrets will be handled by escaping newlines and enclosing the entire value in double quotes."
+                            className="z-[100]"
                           >
-                            <FontAwesomeIcon icon={faArrowRotateRight} />
-                          </IconButton>
-                        </Tooltip>
+                            <FontAwesomeIcon icon={faCircleQuestion} className="ml-1" size="sm" />
+                          </Tooltip>
+                        </Switch>
+                      )}
+                    </ProjectPermissionCan>
+                  )}
+                />
+              </div>
+              <div className="ml-1 flex items-center space-x-4">
+                <Button
+                  className="w-full px-2 py-1"
+                  variant="outline_bg"
+                  leftIcon={<FontAwesomeIcon icon={faShare} />}
+                  onClick={() => {
+                    const value = secret?.valueOverride ?? secret?.value;
+                    if (value) {
+                      handleSecretShare(value);
+                    }
+                  }}
+                >
+                  Share Secret
+                </Button>
+              </div>
+              <div className="dark mb-4 mt-4 flex-grow text-sm text-bunker-300">
+                <div className="mb-2">Version History</div>
+                <div className="flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-bunker-800 p-2 dark:[color-scheme:dark]">
+                  {secretVersion?.map(({ createdAt, secretValue, id }, i) => (
+                    <div key={id} className="flex flex-col space-y-1">
+                      <div className="flex items-center space-x-2">
+                        <div>
+                          <FontAwesomeIcon icon={i === 0 ? faCircleDot : faCircle} size="sm" />
+                        </div>
+                        <div>{format(new Date(createdAt), "Pp")}</div>
+                      </div>
+                      <div className="ml-1.5 flex items-center space-x-2 border-l border-bunker-300 pl-4">
+                        <div className="self-start rounded-sm bg-primary-500/30 px-1">Value:</div>
+                        <div className="break-all font-mono">{secretValue}</div>
                       </div>
                     </div>
                   ))}
                 </div>
               </div>
               <div className="dark mb-4 flex-grow text-sm text-bunker-300">
-                <div className="mb-2 mt-4">
+                <div className="mb-2">
                   Access List
                   <Tooltip
                     content="Lists all users, machine identities, and groups that have been granted any permission level (read, create, edit, or delete) for this secret."
                     className="z-[100]"
                   >
-                    <FontAwesomeIcon icon={faCircleQuestion} className="ml-2" />
+                    <FontAwesomeIcon icon={faCircleQuestion} className="ml-1" size="sm" />
                   </Tooltip>
                 </div>
                 {isPending && (
@@ -770,22 +608,14 @@ export const SecretDetailSidebar = ({
                   </Button>
                 )}
                 {!isPending && secretAccessList && (
-                  <div className="mb-4 flex max-h-72 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 p-4 dark:[color-scheme:dark]">
+                  <div className="flex max-h-72 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-bunker-800 p-2 dark:[color-scheme:dark]">
                     {secretAccessList.users.length > 0 && (
                       <div className="pb-3">
                         <div className="mb-2 font-bold">Users</div>
                         <div className="flex flex-wrap gap-2">
                           {secretAccessList.users.map((user) => (
-                            <div className="rounded-md bg-bunker-500">
-                              <Tooltip
-                                content={user.allowedActions
-                                  .map(
-                                    (action) =>
-                                      action.charAt(0).toUpperCase() + action.slice(1).toLowerCase()
-                                  )
-                                  .join(", ")}
-                                className="z-[100]"
-                              >
+                            <div className="rounded-md bg-bunker-500 px-1">
+                              <Tooltip content={user.allowedActions.join(", ")} className="z-[100]">
                                 <Link
                                   to={
                                     `/${ProjectType.SecretManager}/$projectId/members/$membershipId` as const
@@ -794,7 +624,7 @@ export const SecretDetailSidebar = ({
                                     projectId: currentWorkspace.id,
                                     membershipId: user.membershipId
                                   }}
-                                  className="text-secondary/80 rounded-md border border-mineshaft-600 bg-mineshaft-700 px-1 py-0.5 text-sm hover:text-primary"
+                                  className="text-secondary/80 text-sm hover:text-primary"
                                 >
                                   {user.name}
                                 </Link>
@@ -809,14 +639,9 @@ export const SecretDetailSidebar = ({
                         <div className="mb-2 font-bold">Identities</div>
                         <div className="flex flex-wrap gap-2">
                           {secretAccessList.identities.map((identity) => (
-                            <div className="rounded-md bg-bunker-500">
+                            <div className="rounded-md bg-bunker-500 px-1">
                               <Tooltip
-                                content={identity.allowedActions
-                                  .map(
-                                    (action) =>
-                                      action.charAt(0).toUpperCase() + action.slice(1).toLowerCase()
-                                  )
-                                  .join(", ")}
+                                content={identity.allowedActions.join(", ")}
                                 className="z-[100]"
                               >
                                 <Link
@@ -827,7 +652,7 @@ export const SecretDetailSidebar = ({
                                     projectId: currentWorkspace.id,
                                     identityId: identity.id
                                   }}
-                                  className="text-secondary/80 rounded-md border border-mineshaft-600 bg-mineshaft-700 px-1 py-0.5 text-sm hover:text-primary"
+                                  className="text-secondary/80 text-sm hover:text-primary"
                                 >
                                   {identity.name}
                                 </Link>
@@ -842,14 +667,9 @@ export const SecretDetailSidebar = ({
                         <div className="mb-2 font-bold">Groups</div>
                         <div className="flex flex-wrap gap-2">
                           {secretAccessList.groups.map((group) => (
-                            <div className="rounded-md bg-bunker-500">
+                            <div className="rounded-md bg-bunker-500 px-1">
                               <Tooltip
-                                content={group.allowedActions
-                                  .map(
-                                    (action) =>
-                                      action.charAt(0).toUpperCase() + action.slice(1).toLowerCase()
-                                  )
-                                  .join(", ")}
+                                content={group.allowedActions.join(", ")}
                                 className="z-[100]"
                               >
                                 <Link
@@ -857,7 +677,7 @@ export const SecretDetailSidebar = ({
                                   params={{
                                     groupId: group.id
                                   }}
-                                  className="text-secondary/80 rounded-md border border-mineshaft-600 bg-mineshaft-700 px-1 py-0.5 text-sm hover:text-primary"
+                                  className="text-secondary/80 text-sm hover:text-primary"
                                 >
                                   {group.name}
                                 </Link>
@@ -871,7 +691,7 @@ export const SecretDetailSidebar = ({
                 )}
               </div>
               <div className="flex flex-col space-y-4">
-                <div className="mb-4 flex items-center space-x-4">
+                <div className="mb-2 flex items-center space-x-4">
                   <ProjectPermissionCan
                     I={ProjectPermissionActions.Edit}
                     a={subject(ProjectPermissionSub.Secrets, {
@@ -885,7 +705,6 @@ export const SecretDetailSidebar = ({
                       <Button
                         isFullWidth
                         type="submit"
-                        variant="outline_bg"
                         isDisabled={isSubmitting || !isDirty || !isAllowed}
                         isLoading={isSubmitting}
                       >
@@ -903,17 +722,9 @@ export const SecretDetailSidebar = ({
                     })}
                   >
                     {(isAllowed) => (
-                      <IconButton
-                        colorSchema="danger"
-                        ariaLabel="Delete Secret"
-                        className="border border-mineshaft-600 bg-mineshaft-700 hover:border-red-500/70 hover:bg-red-600/20"
-                        isDisabled={!isAllowed}
-                        onClick={onDeleteSecret}
-                      >
-                        <Tooltip content="Delete Secret">
-                          <FontAwesomeIcon icon={faTrash} />
-                        </Tooltip>
-                      </IconButton>
+                      <Button colorSchema="danger" isDisabled={!isAllowed} onClick={onDeleteSecret}>
+                        Delete
+                      </Button>
                     )}
                   </ProjectPermissionCan>
                 </div>

frontend/src/routeTree.gen.ts

@@ -44,6 +44,7 @@ import { Route as organizationSettingsPageRouteImport } from './pages/organizati
 import { Route as organizationSecretSharingPageRouteImport } from './pages/organization/SecretSharingPage/route'
 import { Route as organizationSecretScanningPageRouteImport } from './pages/organization/SecretScanningPage/route'
 import { Route as organizationBillingPageRouteImport } from './pages/organization/BillingPage/route'
+import { Route as organizationAutomatedSecurityPageRouteImport } from './pages/organization/AutomatedSecurityPage/route'
 import { Route as organizationAuditLogsPageRouteImport } from './pages/organization/AuditLogsPage/route'
 import { Route as organizationAdminPageRouteImport } from './pages/organization/AdminPage/route'
 import { Route as organizationAccessManagementPageRouteImport } from './pages/organization/AccessManagementPage/route'
@@ -508,6 +509,14 @@ const organizationBillingPageRouteRoute =
       AuthenticateInjectOrgDetailsOrgLayoutOrganizationRoute,
   } as any)
 
+const organizationAutomatedSecurityPageRouteRoute =
+  organizationAutomatedSecurityPageRouteImport.update({
+    id: '/automated-security',
+    path: '/automated-security',
+    getParentRoute: () =>
+      AuthenticateInjectOrgDetailsOrgLayoutOrganizationRoute,
+  } as any)
+
 const organizationAuditLogsPageRouteRoute =
   organizationAuditLogsPageRouteImport.update({
     id: '/audit-logs',
@@ -1837,6 +1846,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof organizationAuditLogsPageRouteImport
       parentRoute: typeof AuthenticateInjectOrgDetailsOrgLayoutOrganizationImport
     }
+    '/_authenticate/_inject-org-details/_org-layout/organization/automated-security': {
+      id: '/_authenticate/_inject-org-details/_org-layout/organization/automated-security'
+      path: '/automated-security'
+      fullPath: '/organization/automated-security'
+      preLoaderRoute: typeof organizationAutomatedSecurityPageRouteImport
+      parentRoute: typeof AuthenticateInjectOrgDetailsOrgLayoutOrganizationImport
+    }
     '/_authenticate/_inject-org-details/_org-layout/organization/billing': {
       id: '/_authenticate/_inject-org-details/_org-layout/organization/billing'
       path: '/billing'
@@ -2904,6 +2920,7 @@ interface AuthenticateInjectOrgDetailsOrgLayoutOrganizationRouteChildren {
   organizationAccessManagementPageRouteRoute: typeof organizationAccessManagementPageRouteRoute
   organizationAdminPageRouteRoute: typeof organizationAdminPageRouteRoute
   organizationAuditLogsPageRouteRoute: typeof organizationAuditLogsPageRouteRoute
+  organizationAutomatedSecurityPageRouteRoute: typeof organizationAutomatedSecurityPageRouteRoute
   organizationBillingPageRouteRoute: typeof organizationBillingPageRouteRoute
   organizationSecretScanningPageRouteRoute: typeof organizationSecretScanningPageRouteRoute
   organizationSecretSharingPageRouteRoute: typeof organizationSecretSharingPageRouteRoute
@@ -2925,6 +2942,8 @@ const AuthenticateInjectOrgDetailsOrgLayoutOrganizationRouteChildren: Authentica
       organizationAccessManagementPageRouteRoute,
     organizationAdminPageRouteRoute: organizationAdminPageRouteRoute,
     organizationAuditLogsPageRouteRoute: organizationAuditLogsPageRouteRoute,
+    organizationAutomatedSecurityPageRouteRoute:
+      organizationAutomatedSecurityPageRouteRoute,
     organizationBillingPageRouteRoute: organizationBillingPageRouteRoute,
     organizationSecretScanningPageRouteRoute:
       organizationSecretScanningPageRouteRoute,
@@ -3601,6 +3620,7 @@ export interface FileRoutesByFullPath {
   '/organization/access-management': typeof organizationAccessManagementPageRouteRoute
   '/organization/admin': typeof organizationAdminPageRouteRoute
   '/organization/audit-logs': typeof organizationAuditLogsPageRouteRoute
+  '/organization/automated-security': typeof organizationAutomatedSecurityPageRouteRoute
   '/organization/billing': typeof organizationBillingPageRouteRoute
   '/organization/secret-scanning': typeof organizationSecretScanningPageRouteRoute
   '/organization/secret-sharing': typeof organizationSecretSharingPageRouteRoute
@@ -3771,6 +3791,7 @@ export interface FileRoutesByTo {
   '/organization/access-management': typeof organizationAccessManagementPageRouteRoute
   '/organization/admin': typeof organizationAdminPageRouteRoute
   '/organization/audit-logs': typeof organizationAuditLogsPageRouteRoute
+  '/organization/automated-security': typeof organizationAutomatedSecurityPageRouteRoute
   '/organization/billing': typeof organizationBillingPageRouteRoute
   '/organization/secret-scanning': typeof organizationSecretScanningPageRouteRoute
   '/organization/secret-sharing': typeof organizationSecretSharingPageRouteRoute
@@ -3949,6 +3970,7 @@ export interface FileRoutesById {
   '/_authenticate/_inject-org-details/_org-layout/organization/access-management': typeof organizationAccessManagementPageRouteRoute
   '/_authenticate/_inject-org-details/_org-layout/organization/admin': typeof organizationAdminPageRouteRoute
   '/_authenticate/_inject-org-details/_org-layout/organization/audit-logs': typeof organizationAuditLogsPageRouteRoute
+  '/_authenticate/_inject-org-details/_org-layout/organization/automated-security': typeof organizationAutomatedSecurityPageRouteRoute
   '/_authenticate/_inject-org-details/_org-layout/organization/billing': typeof organizationBillingPageRouteRoute
   '/_authenticate/_inject-org-details/_org-layout/organization/secret-scanning': typeof organizationSecretScanningPageRouteRoute
   '/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing': typeof organizationSecretSharingPageRouteRoute
@@ -4129,6 +4151,7 @@ export interface FileRouteTypes {
     | '/organization/access-management'
     | '/organization/admin'
     | '/organization/audit-logs'
+    | '/organization/automated-security'
     | '/organization/billing'
     | '/organization/secret-scanning'
     | '/organization/secret-sharing'
@@ -4298,6 +4321,7 @@ export interface FileRouteTypes {
     | '/organization/access-management'
     | '/organization/admin'
     | '/organization/audit-logs'
+    | '/organization/automated-security'
     | '/organization/billing'
     | '/organization/secret-scanning'
     | '/organization/secret-sharing'
@@ -4474,6 +4498,7 @@ export interface FileRouteTypes {
     | '/_authenticate/_inject-org-details/_org-layout/organization/access-management'
     | '/_authenticate/_inject-org-details/_org-layout/organization/admin'
     | '/_authenticate/_inject-org-details/_org-layout/organization/audit-logs'
+    | '/_authenticate/_inject-org-details/_org-layout/organization/automated-security'
     | '/_authenticate/_inject-org-details/_org-layout/organization/billing'
     | '/_authenticate/_inject-org-details/_org-layout/organization/secret-scanning'
     | '/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing'
@@ -4843,6 +4868,7 @@ export const routeTree = rootRoute
         "/_authenticate/_inject-org-details/_org-layout/organization/access-management",
         "/_authenticate/_inject-org-details/_org-layout/organization/admin",
         "/_authenticate/_inject-org-details/_org-layout/organization/audit-logs",
+        "/_authenticate/_inject-org-details/_org-layout/organization/automated-security",
         "/_authenticate/_inject-org-details/_org-layout/organization/billing",
         "/_authenticate/_inject-org-details/_org-layout/organization/secret-scanning",
         "/_authenticate/_inject-org-details/_org-layout/organization/secret-sharing",
@@ -4881,6 +4907,10 @@ export const routeTree = rootRoute
       "filePath": "organization/AuditLogsPage/route.tsx",
       "parent": "/_authenticate/_inject-org-details/_org-layout/organization"
     },
+    "/_authenticate/_inject-org-details/_org-layout/organization/automated-security": {
+      "filePath": "organization/AutomatedSecurityPage/route.tsx",
+      "parent": "/_authenticate/_inject-org-details/_org-layout/organization"
+    },
     "/_authenticate/_inject-org-details/_org-layout/organization/billing": {
       "filePath": "organization/BillingPage/route.tsx",
       "parent": "/_authenticate/_inject-org-details/_org-layout/organization"

frontend/src/routes.ts

@@ -15,6 +15,7 @@ const organizationRoutes = route("/organization", [
   route("/access-management", "organization/AccessManagementPage/route.tsx"),
   route("/admin", "organization/AdminPage/route.tsx"),
   route("/audit-logs", "organization/AuditLogsPage/route.tsx"),
+  route("/automated-security", "organization/AutomatedSecurityPage/route.tsx"),
   route("/billing", "organization/BillingPage/route.tsx"),
   route("/secret-sharing", "organization/SecretSharingPage/route.tsx"),
   route("/settings", "organization/SettingsPage/route.tsx"),